PCI and the Cloud


Dave Shackleford, CTO, IANS

Andrew Hay, Chief Evangelist, CloudPassage

8/29/2012

Hashtag - #PCIcloud

Copyright © 2012 IANS. All rights reserved. 2

Who We Are

Dave Shackleford, SVP of Research & CTO at IANS

Andrew Hay, Chief Evangelist at CloudPassage, Inc.

Interact with us on Twitter using the #PCIcloud hashtag


Introduction

• There are lots of questions about PCI in cloud environments…but few answers to date:

  How will compliance be affected with various cloud configurations?

  What should we look for in PCI-compliant providers?

  How can I satisfy the security and control requirements?

  Can I even be PCI compliant in the cloud?

  What does a ‘PCI Compliant’ cloud even mean?

  What am I responsible for in Private/Public/Hybrid clouds?

  Will my existing technical controls work in cloud?


It’s Not All Doom and Gloom

• Yes, you can be PCI compliant in the cloud!

• You will likely need some different tools and processes

• Not all providers are created equal!

• There is no “silver bullet” – but the responsibility is still yours


Survey Results: Compliance & Standards

• What standards or regulatory compliance mandates apply to your cloud project(s)?

Standard / mandate      Share of respondents

PCI DSS                 84.2%
HIPAA                   42.1%
SOX                     36.8%
ISO                     31.6%
CoBIT                   15.8%
GLBA                     5.3%
FISMA                    5.3%
COPPA                    5.3%
Cloud Audit              5.3%
CIPA                     5.3%

A Little About Cloud Types

[Diagram: four hosting environments side by side – Private Cloud / Hybrid Staging, US Public Cloud Provider, EU Public Cloud Provider, and Legacy Datacenter / Colo – each running some combination of Load Balancer, App Servers, DB and Auth Server]

Survey Results - Environments

• Which of the following cloud hosting environments are leveraged by your project(s)?

Hosting environment                                                   Share of respondents

A private cloud hosted and/or operated by an external provider        44.4%
A public, multi-tenant cloud provider                                 38.9%
A public, multi-tenant Platform-as-a-Service (PaaS)                   33.3%
A private cloud hosted in your own data center                        27.8%
A private Platform-as-a-Service (PaaS)                                16.7%

Who is responsible for Security?

Provider Responsibility:

  Physical Facilities

  Hypervisor

  Compute & Storage

  Shared Network

Customer Responsibility:

  Virtual Machine

  Operating System

  App Framework

  App Code

  Data

AWS Shared Responsibility Model

“…the customer should assume responsibility and management of, but not limited to, the guest operating system…and associated application software...”

“it is possible for customers to enhance security and/or meet more stringent compliance requirements with the addition of… host based firewalls, host based intrusion detection/prevention, encryption and key management.”

Amazon Web Services: Overview of Security Processes


General Notes on Cloud Service Providers (CSPs)

• Compliance concerns will vary depending on whether the CSP is SaaS, PaaS or IaaS

• CSPs should be on the card brands’ “approved list”

• PCI compliance should be in the contract

What Else to Look For: CSPs

• Evidence of audit and attestation – combination of “PCI Compliance” and perhaps SSAE 16

• Cloud SLAs and contract provisions

• Who is responsible for what? This should be clear!

• You cannot outsource your compliance status!

• But you CAN take steps to secure the requirements under your control

Requirement Areas 1-3

PCI DSS Requirement | Cloud Concerns and Comments

1: Install/maintain firewall configs
  1. Data flow is important
  2. Host-based firewalls may make the most sense
  3. Hardware and some network may be up to the CSP

2: Vendor defaults
  1. Virtualization templates can help (once they are secured properly)
  2. CSP audit data may be needed
  3. Always check for inappropriate settings

3: Protect stored data
  1. Options will depend on data storage type
  2. Cloud storage platforms may have their own options

Protect the perimeter, internal, and wireless networks.

Secure payment card applications.

Protect stored cardholder data.

Requirement Areas 4-6

PCI DSS Requirement | Cloud Concerns and Comments

4: Encrypt data in transit
  1. VPN connections to/from cloud environment
  2. Leverage SSL connections

5: Use and update anti-malware
  1. Ensure anti-malware is built into templates for deployment

6: Develop/maintain secure systems and apps
  1. Build security into apps and VM templates in the cloud
  2. Be wary of provisioning and “cloud bursting”

Secure payment card applications.

Monitor and control access to your systems.

Protect stored cardholder data.

Requirement Areas 7-9

PCI DSS Requirement | Cloud Concerns and Comments

7: Restrict access to Cardholder Data (CHD) by “Need to Know”
  1. Leverage any role-based controls (e.g. Amazon IAM and others)
  2. Build controls into cloud systems and manage normally (if possible)

8: Use unique IDs for accessing PCI systems
  1. Proper configuration management and role/group management are required

9: Restrict physical access
  1. This is entirely on the CSP – similar to a hosting environment

Monitor and control access to your systems.

Requirement Areas 10-12

PCI DSS Requirement | Cloud Concerns and Comments

10: Track and monitor access to CHD
  1. Will your CSP provide any logs? If so, which ones?
  2. Send your own logs to a central log server in the cloud or elsewhere

11: Test PCI systems and processes
  1. Test your cloud assets – this may require a different coordination level with the CSP
  2. Ask for CSP test reports if relevant

12: Maintain information security policies
  1. Update any/all policies that may have ties to the new cloud-based assets.

Monitor and control access to your systems.

Finalize remaining compliance efforts, and ensure all controls are in place.

Survey Results: Audit

• How many times has your cloud project been audited for adherence to the compliance standards above?

Never                    66.7%
Once                      9.5%
More than three times    23.8%

Survey Results: Controls

• What cloud security technologies did your auditors expect you to have deployed?

Firewalls & Access control     78.6%
SIEM/LM                        71.4%
WAF                            71.4%
Multi-factor authentication    64.3%
Database encryption            57.1%
Network encryption             57.1%
NIDS                           57.1%
Patch management               57.1%
Disk encryption                42.9%
HIDS                           35.7%
Configuration monitoring       35.7%
FIM                            35.7%
Code scanning                  35.7%

Survey Results: Who Audited?

• Who performed your cloud compliance audit (big four, small firm, QSA)?

Internal/self audit                                                                       66.7%
A smaller firm specializing in general risk management, governance and compliance         13.3%
A smaller firm specializing in information security technology                             6.7%
A large technology integrator or technical consulting firm                                 6.7%
A large accounting firm (e.g. one of the “big four”)                                       6.7%

How Do I Secure Servers in the Cloud?

Servers in hybrid and public clouds must be self-defending with highly automated controls like…

  Dynamic firewall & access control

  Server account visibility & control

  Server compromise & intrusion alerting

  Server forensics and security analysis

  Configuration and package security

  Integration & automation capabilities

Mapping Compliance to the Cloud


Firewalling Without Network Control


Traditional Datacenter (DC) Firewalling

[Diagram: a traditional datacenter with dmz and core segments, each fronted by a Firewall; Load Balancers, App Servers, an Auth Server and DBs sit behind the firewalls, and one web server (www-4) carries an alert marker]

Moving to the Cloud

[Diagram sequence: the dmz/core tiers from the traditional datacenter (Load Balancers, App Servers, Auth Server, DBs) are moved step by step into a public cloud; in the final frame the Load Balancer, App Servers and DB Master run in the public cloud with no perimeter Firewall in front of them, and two of them carry alert markers]

Dynamic Cloud Firewalling

[Diagram sequence: in the public cloud each instance – Load Balancer, App Servers, DB Master, DB Slave – carries its own host firewall (FW); as App Servers and a second Load Balancer are added, and an App Server's IP changes, the per-host firewall rules follow the change]

Lessons to Learn

Whatever firewall options you have, use them

Make sure your firewall rules are updated quickly and automatically

Plan for the future, because you will be multi-cloud
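The three lessons above, and the "host-based firewalls may make the most sense" comment under Requirement 1, come down to one mechanism: the firewall rules on every server are derived from a role policy and the current inventory, and regenerated whenever the inventory changes. The example below is added here to show that mechanism and is not code from the deck or from CloudPassage. The roles, IP addresses, ports and iptables-style rule strings are constructed assumptions; a real agent would apply the delta to the host's firewall instead of printing it.

```python
"""Render per-host firewall rules from a role policy plus a live inventory.

Added example, not from the original deck. All hosts, roles, ports and
addresses are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Host:
    name: str
    role: str
    ip: str


ANY = "ANY"  # wildcard source: the rule carries no -s match

# (destination role, tcp port) -> source roles permitted to connect.
# Anything not listed falls through to the default DROP policy.
POLICY: Dict[Tuple[str, int], List[str]] = {
    ("lb", 443): [ANY],      # public HTTPS terminates at the load balancer
    ("app", 8080): ["lb"],   # only load balancers reach the app tier
    ("db", 3306): ["app"],   # only app servers reach the database
}


def rules_for(host: Host, inventory: List[Host]) -> List[str]:
    """Build an iptables-style INPUT chain for one host (assumed syntax)."""
    rules = [
        "-P INPUT DROP",
        "-A INPUT -i lo -j ACCEPT",
        "-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT",
    ]
    for (dst_role, port), src_roles in POLICY.items():
        if dst_role != host.role:
            continue
        if ANY in src_roles:
            rules.append(f"-A INPUT -p tcp --dport {port} -j ACCEPT")
            continue
        # One /32 accept per peer currently in the inventory with an allowed role.
        for src in sorted(inventory, key=lambda h: h.ip):
            if src.role in src_roles and src.name != host.name:
                rules.append(f"-A INPUT -p tcp -s {src.ip}/32 --dport {port} -j ACCEPT")
    return rules


def render_all(inventory: List[Host]) -> Dict[str, List[str]]:
    """Rule set for every host in the inventory, keyed by host name."""
    return {h.name: rules_for(h, inventory) for h in inventory}


def rule_delta(before: Dict[str, List[str]],
               after: Dict[str, List[str]]) -> Dict[str, Tuple[List[str], List[str]]]:
    """Per host: (rules added, rules removed) between two renderings.

    This is what an agent would push after an inventory change; hosts whose
    rules did not change are omitted.
    """
    delta: Dict[str, Tuple[List[str], List[str]]] = {}
    for name in sorted(set(before) | set(after)):
        old, new = set(before.get(name, [])), set(after.get(name, []))
        added, removed = sorted(new - old), sorted(old - new)
        if added or removed:
            delta[name] = (added, removed)
    return delta


# Constructed inventory: one load balancer, two app servers, one database.
INVENTORY = [
    Host("lb-1", "lb", "10.0.1.10"),
    Host("app-1", "app", "10.0.2.11"),
    Host("app-2", "app", "10.0.2.12"),
    Host("db-master", "db", "10.0.3.20"),
]


def scale_out_demo() -> Dict[str, Tuple[List[str], List[str]]]:
    """Add a third app server and return which hosts need new rules."""
    before = render_all(INVENTORY)
    grown = INVENTORY + [Host("app-3", "app", "10.0.2.13")]
    return rule_delta(before, render_all(grown))


if __name__ == "__main__":
    for host, rules in render_all(INVENTORY).items():
        print(f"# {host}")
        print("\n".join(rules))
    print("# delta after adding app-3:")
    for host, (added, removed) in scale_out_demo().items():
        print(host, "+", added, "-", removed)
```

Adding app-3 touches exactly two hosts: app-3 itself gets a full rule set, and db-master gets one new accept for 10.0.2.13; the load balancer and the other app servers are untouched, which is what makes the update cheap enough to run on every inventory change.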


Securing Highly Dynamic Servers


Traditional DC Operations Model

Capacity is mostly static

Servers are long-lived

Security risk on servers is mitigated by network defenses

[Diagram: a private datacenter with long-lived web servers www-1 through www-4; individual servers carry alert markers]

Cloud Operations Model

Capacity is highly dynamic

Servers are short lived

Gold Master updates are rolled out incrementally

[Diagram sequence: a public cloud in which web servers are cloned from a Gold Master image, scaled out and retired as demand changes, with updated Gold Master images rolled out to a subset of servers at a time; individual servers carry alert markers]

What does server security mean in this environment?

Ensuring Cloud Server Integrity

Scan for misconfigurations due to deployment or debugging issues

Ensure software packages are up-to-date and watch for remote exploits that must be patched quickly

Monitor business code for unintended or malicious changes

Automate management and monitoring of these critical operational security points

[Diagram sequence: the same cloud web servers, with misconfiguration (?) and alert (!) markers appearing on individual instances as each check is introduced]
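Two of the checks above, scanning for misconfigurations left behind by debugging and monitoring business code for unintended changes, are the same checks Requirement 2 calls for ("Always check for inappropriate settings"). Both become mechanical once every server is a clone of a Gold Master: record a manifest of file hashes when the image is built, then compare each running clone against it, and check a small set of must-hold configuration values. The example below is added here to show that comparison and is not code from the deck or from CloudPassage; the file paths, file contents, manifest and configuration policy are all constructed in memory so it runs offline.

```python
"""Integrity and configuration checks for a server cloned from a gold master.

Added example, not from the original deck. Paths, file contents and the
configuration policy are constructed for illustration.
"""
import hashlib
from typing import Dict, List, Optional, Tuple


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_manifest(files: Dict[str, bytes]) -> Dict[str, str]:
    """Path -> SHA-256, recorded once when the gold master image is built."""
    return {path: sha256(content) for path, content in files.items()}


def integrity_diff(manifest: Dict[str, str], live: Dict[str, bytes]) -> Dict[str, List[str]]:
    """Files on a running clone that no longer match the gold master manifest."""
    return {
        "modified": sorted(p for p in manifest if p in live and sha256(live[p]) != manifest[p]),
        "missing": sorted(p for p in manifest if p not in live),
        "unexpected": sorted(p for p in live if p not in manifest),
    }


# Settings that must hold on a production host (constructed policy; the keys
# are illustrative, not a real application's option names).
CONFIG_POLICY: Dict[str, str] = {
    "debug": "false",
    "display_errors": "off",
    "allow_anonymous": "no",
}


def parse_kv(text: str) -> Dict[str, str]:
    """Minimal 'key = value' parser; '#' starts a comment."""
    conf: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if "=" in line:
            key, value = line.split("=", 1)
            conf[key.strip().lower()] = value.strip().lower()
    return conf


def config_findings(text: str) -> List[Tuple[str, str, str]]:
    """(key, found, required) for every policy setting that is wrong or unset."""
    conf = parse_kv(text)
    return [(key, conf.get(key, "<unset>"), want)
            for key, want in CONFIG_POLICY.items() if conf.get(key) != want]


# Constructed sample: what was baked into the gold master ...
GOLD_FILES: Dict[str, bytes] = {
    "/srv/app/checkout.py": b"def charge(card, amount):\n    return gateway.charge(tokenize(card), amount)\n",
    "/srv/app/lib/tokens.py": b"def tokenize(card):\n    return vault.token_for(card)\n",
    "/srv/app/config.ini": b"debug = false\ndisplay_errors = off\nallow_anonymous = no\n",
}
# ... and what one clone looks like after someone troubleshot on it in place:
# a debugging statement in business code, debug left on, a helper deleted,
# and a dump file nobody cleaned up.
LIVE_FILES: Dict[str, bytes] = {
    "/srv/app/checkout.py": b"def charge(card, amount):\n    print(amount)\n    return gateway.charge(tokenize(card), amount)\n",
    "/srv/app/config.ini": b"debug = true  # left on after troubleshooting\ndisplay_errors = off\nallow_anonymous = no\n",
    "/srv/app/.debug_dump": b"...",
}


def check_server(manifest: Optional[Dict[str, str]] = None,
                 live: Optional[Dict[str, bytes]] = None) -> Dict[str, object]:
    """Run both checks against one clone; defaults to the constructed sample."""
    manifest = manifest if manifest is not None else build_manifest(GOLD_FILES)
    live = live if live is not None else LIVE_FILES
    config_text = live.get("/srv/app/config.ini", b"").decode()
    return {"files": integrity_diff(manifest, live), "config": config_findings(config_text)}


if __name__ == "__main__":
    report = check_server()
    for kind, paths in report["files"].items():
        print(f"{kind:10s} {paths}")
    for key, found, want in report["config"]:
        print(f"config: {key} is {found!r}, policy requires {want!r}")
```

The manifest is the only state the check needs, so it can ship inside the image and be re-run on every clone on a schedule, or on each Gold Master roll-out, with the findings forwarded to the central log server the Requirement 10 comments call for.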

Lessons to Learn

Embrace the flexibility of the cloud; re-think operations

Secure your server integrity by keeping images up-to-date and monitoring closely for changes

Know what areas of security you are responsible for and automate them heavily


Best Practices

• Read and understand what your provider does, and what you are responsible for, with regard to PCI

• When moving servers outside your data center, ensure that they are hardened and compliant before they are exposed to the public

• Start with public cloud, PCI everywhere else is relatively easy!

• Focus on securing the tenets of PCI that you can control


Thank You & Questions

Dave Shackleford

CTO, IANS

dshackleford@iansresearch.com

Andrew Hay

Chief Evangelist, CloudPassage

andrew@cloudpassage.com

Follow us on Twitter: twitter.com/ians_security and twitter.com/cloudpassage

www.cloudpassage.com/pci-kit