IMPLEMENTING PCI IN THE CLOUD
CLOUD SECURITY VISIONARY
BOTH SIDES NOW
"Rows and flows of angel hair
And ice cream castles in the air
And feather canyons everywhere
I've looked at clouds that way"
Joni Mitchell
SIDE 1 - CONSUMER
"But now they only block the sun
They rain and snow on everyone
So many things I would have done
Clouds got in my way"
Joni Mitchell
SIDE 2 – SERVICE PROVIDERS
CLOUD ANATOMY
CLOUD BENEFIT$
WHAT’S DIFFERENT
Security ~ THEM
Security ~ YOU
IaaS – Infrastructure as a Service
PaaS – Platform as a Service
SaaS – Software as a Service
Security Ownership
WHAT’S DIFFERENT
Access Control
WHAT’S DIFFERENT
Vulnerability
MOST SIGNIFICANT
“Cloud” Provider Datacenter in London, U.K.
“Cloud” Provider Datacenter in Sao Paolo, Brazil
“Cloud” Provider Datacenter in Geneva, Switzerland
“Cloud” Provider Datacenter in Tokyo, Japan
“Cloud” Provider Datacenter in San Francisco, USA
Your Corporate Data?
Accountability
CLOUDY ISSUES
• Confidentiality
• Availability
• Integrity
• Trust: Lack of transparency
• Trust: Identity management & access control
• Risk management
• Liability
• Governance
• Compliance
TOP THREATS TO CLOUD
Abuse & Nefarious Use:
Insecure Applications Programming:
Malicious Insiders:
Shared Technology Vulnerabilities:
Data Loss & Leakage:
Account, Service & Traffic Hijacking:
Unknown Risk Profile:
BASIC MISCONCEPTIONS
Cloud Benefits
Security Requirements
• "But it's Cloud! How can you attack a Cloud?"
• "There's security in anonymity."
• "Time sharing" with a new name & technology.
CLOUD THINKING
Same as your existing server environment, only virtualised and in someone else's Data Centre, running on Windows and Linux with Windows and Linux vulnerabilities.
THE STANDARD
First published January 2005, the PCI DSS is a set of comprehensive requirements for securing payment data. V3 released last year.
A multifaceted standard that includes requirements for security management, policies, procedures, network architecture, software design and other critical protective measures.
APPLICABLE
• All systems that process, store or transmit credit or debit cardholder data
• All systems that connect to them
6 GOALS, 12 REQUIREMENTS
264 CONTROLS
Implementing the PCI DSS in the Cloud is like...
THE QUESTION THEN
Salesforce - SaaS
Google AppEngine - PaaS
Amazon EC2 - IaaS
Q: How do you implement 264 detailed control requirements across a public cloud solution?
A: It depends.
SCOPING IS EVERYTHING
COMPLIANCE KEYS
= Service Level Agreements
= Compensating Controls
SLA
7.2. Security. We strive to keep Your Content secure, but cannot guarantee that we will be successful at doing so, given the nature of the Internet. Accordingly, without limitation to Section 4.3 above and Section 11.5 below, you acknowledge that you bear sole responsibility for adequate security, protection and backup of Your Content and Applications. We strongly encourage you, where available and appropriate, to (a) use encryption technology to protect Your Content from unauthorized access, (b) routinely archive Your Content, and (c) keep your Applications or any software that you use or run with our Services current with the latest security patches or updates. We will have no liability to you for any unauthorized access or use, corruption, deletion, destruction or loss of any of Your Content or Applications. http://aws.amazon.com/agreement/#7 (2 February 2012)
Amazon Web Services™ Customer Agreement
REMEMBER
IaaS – Infrastructure as a Service
PaaS – Platform as a Service
SaaS – Software as a Service
Security ~ THEM
Security Ownership
Build it in
Contract it in
Cloud Model
Physical: Physical Plant Security, CCTV, Guards
Storage: Host-based Firewalls, HIDS/HIPS, Integrity & File/Log Management, Encryption, Masking
Network: NIDS/NIPS, Firewalls, DPI, Anti-DDoS, QoS, DNSSEC, OAuth
Management: GRC, IAM, VA/VM, Patch Management, Configuration Management, Monitoring
Information: DLP, CMF, Database Activity Monitoring, Encryption
Applications: SDLC, Binary Analysis, Scanners, WebApp Firewalls, Transactional Sec.
Trust: Hardware & Software RoT & APIs
Governance Model
Find the Gaps!
Compliance Model
WHERE CANNOT BE MAPPED
• Conduct risk assessment
• Identify unacceptable risks
• Implement compensating controls!
  – Designed, accepted for the business
  – Must produce evidence
  – Accompanied by process
MODELLING
Governance and Enterprise Risk Management
Legal and Electronic Discovery
Compliance and Audit
Information Lifecycle Management
Portability and Interoperability
Security, Business Continuity, and Disaster Recovery
Data Center Operations
Incident Response, Notification, Remediation
Application Security
Encryption and Key Management
Identity and Access Management
Virtualization
Cloud Architecture
Operating in the Cloud
Governing the Cloud
QSA WORDS OF WISDOM
QSA CLIENT ADVICE
"Never trust the vendor"
QSA CLIENT ADVICE
• Don't believe what you hear. Get out of your office. Go see it. Touch it. Taste it. Smell it. It's about due diligence.
• Interrogate vendors focusing on security, resiliency, recovery, confidentiality, privacy and segmentation. See if they twitch.
• PCI Compliance comes down to implementing the controls, compensating controls or just accepting the risk. Go through each control with your vendor (as applicable) and determine actions.
• If you don't see it in black and white in the vendor SLA, do not assume it's there. If you do see it, go check it.
• Your mantra should be "How will you identify a breach?" At the end of the day, if you have a breach it will be your company's name in the paper, your company receiving the fine or your company in court - not the cloud provider.
• Do everything you can possibly do. Then get your Acquirer's buy-in.
• Get insurance.
QSA VENDOR ADVICE
"Never trust the client"
QSA VENDOR ADVICE
• Embrace it. Be proactive. Get out in front of it. Bring it up before they do.
• Know your subject matter. Clients need mentors.
• Be transparent. If you can't meet a compliance requirement, say it.
• Never twitch.
• Lay out liability in the SLA. Be clear. Be concise. State both what you are liable and what you are not liable for.
• Rephrase the question: "How will we identify a breach?"
• Get insurance.
"I've looked at clouds from both sides now,
From up and down, and still somehow,
It's clouds' illusions I recall
I really don't know clouds... at all."
Joni Mitchell
A DIFFERENT PERSPECTIVE FROM:
www.riskfactory.com
0800 978 8139