2011 Cloud Security Alliance, Inc. All rights reserved.

Slide 3
Thanks to Class Sponsors
Courseware created by Dr. Anton Chuvakin for Cloud Security Alliance

Slide 4
About the Cloud Security Alliance
- Global, not-for-profit organization
- Building best practices and a trusted cloud ecosystem
- Comprehensive research and tools
- Certificate of Cloud Security Knowledge (CCSK)
- www.cloudsecurityalliance.org

Slide 5
About the Class
- Learn/refresh knowledge about PCI DSS
- Learn/refresh knowledge about cloud computing
- Understand how to assess PCI compliance in cloud environments
- Understand how to implement PCI DSS controls in cloud environments
- Gain useful tools for planning/doing this
Slide 6
(no text on this slide)

Slide 7
Show of hands please
1. QSA
2. Merchant
   a) L1
   b) L2-4
3. Service provider
4. Security tool vendor
5. Security consultant
6. Other

Slide 8
Prerequisites
- Know how to spell P-C-I D-S-S
- Have heard about The Cloud
- Possess basic information security knowledge, IT management
Slide 9
Full Class Outline
- Introduction: what this class is about, prerequisites, how to benefit
- PCI DSS reminder
- Cloud basics
- Where cloud interacts with PCI DSS
- Key cloud PCI controls
- Core PCI DSS + cloud scenarios
- Conclusions and action items

Slide 10
(no text on this slide)

Slide 11
How to benefit?
- If you are a merchant: learn how to stay compliant in the cloud, what to ask of CSPs, what to show to QSAs
- If you are a QSA: figure out how to assess merchants and CSPs
- If you are a cloud service provider: learn how to keep you and merchants compliant
- If you are a security vendor: learn about the new problems you can solve
- If you are a consultant around PCI and cloud: learn the pain points around PCI DSS and cloud
Slide 12
PCI in the Cloud... In the Media

Slide 13
(no text on this slide)

Slide 14
Quick Reality Check

Slide 15
Cloud?

Slide 16
PCI DSS?

Slide 17
Together?

Slide 18
DISCUSSION!

Slide 19
(no text on this slide)
Slide 20
Why is PCI Here?
- Criminals need money
- Credit cards = MONEY
- Where are the most cards? In computers.
- Data theft grows and reaches HUGE volume.
- Some organizations still don't care, especially if the loss is not theirs
- PAYMENT CARD BRANDS ENFORCE DSS!

Slide 21
Laggards vs. Leaders
- Issue: many merchants don't even want to grow up to the floor of security
- Result: breaches, loss of card data, lawsuits, unhappy consumers, threat of regulation
- Action: PCI DSS mandate!

Slide 22
What is PCI DSS or PCI?
Payment Card Industry Data Security Standard
- Payment Card =
- Payment Card Industry =
- Data Security =
- Data Security Standard =

Slide 23
PCI DSS: Basic Security Practices!
Slide 24
PCI DSS Domain Coverage
In no particular order:
- Security policy and procedures
- Network security
- Malware protection
- Application security (and web)
- Vulnerability scanning and remediation
- Logging and monitoring
- Security awareness

Slide 25
PCI DSS 2.0 is Here!
Select items changing for PCI 2.0:
- Scoping clarification
- Data storage
- Virtualization (!!)
- DMZ clarification
- Vulnerability remediation
- Remote data access

Slide 26
Does it Apply to Me?
PCI DSS compliance includes merchants and service providers who accept, capture, store, transmit or process credit and debit card data.

Slide 27
PCI Game: The Players
PCI Security Standards Council

Slide 28
PCI Regime vs DSS Guidance
The PCI Council publishes PCI DSS:
- Outlined the minimum data security protection measures for payment card data.
- Defined Merchant & Service Provider Levels, and compliance validation requirements.
- Left the enforcement to card brands (Council doesn't fine anybody!)
Key point: PCI DSS (document) vs PCI (validation regime)
Slide 29
PCI Security Standards Council
Founded by:
- American Express
- Discover Financial Services
- JCB
- MasterCard Worldwide
- Visa International
Publishes PCI DSS, PA-DSS and PTS
Releases additional security guidance
Approves security vendors:
- Approved Scanning Vendors (ASV): quarterly scans
- Qualified Security Assessor (QSA): on-site assessments

Slide 30
My Data, Their Risk!?
*I* GIVE *YOU* DATA, *YOU* LOSE IT, *ANOTHER* SUFFERS!

Slide 31
Key Concept// Scoping

Slide 32
Sidenote// FLAT NET to FLAT CLOUD
REALITY: "Without adequate network segmentation (sometimes called a "flat network") the entire network is in scope of the PCI DSS assessment." (PCI DSS 2.0)
DREAM: Without adequate network segmentation the entire CLOUD is in scope of the PCI DSS assessment.

Slide 33
Key Concept// Compliance vs Validation
Q: What to do after your QSA leaves?
A: PCI DSS compliance does NOT end when a QSA leaves or SAQ is submitted.
- Use what you built for PCI to reduce risk
- Own PCI DSS; make it the basis for your policies
Slide 34
Key Concept// Stay Compliant
Ongoing compliance with PCI DSS tasks:

TASK                                                                                            | FREQUENCY
Risk assessment, security awareness, key changes, review off-site backups, QSA assessment, etc  | Annual
ASV and internal scans, wireless scans                                                          | Quarterly
File integrity checking                                                                         | Weekly
Log and alerts review, other operational procedures                                             | Daily
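The cadence table is easy to lose track of once the QSA leaves. The Python script below is an added example, not part of the CSA courseware: it turns the table into a check that reports which ongoing tasks have lapsed past their cadence and which were never recorded at all (an evidence gap the next assessment will ask about). The day count assigned to each cadence and the completion dates are assumptions constructed for the example.

```python
from datetime import date

# Cadences from the slide's TASK/FREQUENCY table, as a maximum gap in days.
# The day counts are an assumption for this example; PCI DSS names the
# cadence (annual, quarterly, ...) rather than a number of days.
FREQUENCY_DAYS = {"annual": 365, "quarterly": 91, "weekly": 7, "daily": 1}

# Ongoing tasks as listed on the slide, each tagged with its cadence.
TASKS = {
    "risk assessment": "annual",
    "security awareness training": "annual",
    "encryption key changes": "annual",
    "review off-site backups": "annual",
    "QSA assessment": "annual",
    "ASV external scan": "quarterly",
    "internal vulnerability scan": "quarterly",
    "wireless scan": "quarterly",
    "file integrity checking": "weekly",
    "log and alert review": "daily",
}

# Constructed completion records for an imaginary merchant; three annual
# tasks have no record at all.
SAMPLE_LAST_DONE = {
    "risk assessment": date(2010, 3, 15),
    "QSA assessment": date(2010, 8, 1),
    "ASV external scan": date(2011, 2, 20),
    "internal vulnerability scan": date(2011, 5, 10),
    "wireless scan": date(2011, 3, 5),
    "file integrity checking": date(2011, 5, 20),
    "log and alert review": date(2011, 5, 31),
}
TODAY = date(2011, 6, 1)


def overdue_tasks(last_done, today):
    """Map each lapsed task to the number of days it is past its cadence,
    or to None when no completion was ever recorded. Tasks that are on
    schedule are left out of the result."""
    lapsed = {}
    for task, cadence in TASKS.items():
        done = last_done.get(task)
        if done is None:
            lapsed[task] = None
            continue
        age = (today - done).days
        limit = FREQUENCY_DAYS[cadence]
        if age > limit:
            lapsed[task] = age - limit
    return lapsed


def sample_status():
    """Run the check over the constructed records."""
    return overdue_tasks(SAMPLE_LAST_DONE, TODAY)


if __name__ == "__main__":
    for task, days in sample_status().items():
        print(f"{task}: " + ("never recorded" if days is None else f"{days} days overdue"))
```

Feed it the real completion dates from your ticketing or GRC system and run it from a daily job; a task reported as "never recorded" is the first thing to fix, because the control may be running but nobody can prove it.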
Slide 35
Failing That
Classic example from my PCI book, co-author Branden Williams

Slide 36
Two BIG Approaches to PCI DSS Compliance
- SECURE the data: encrypt, access control, monitor, block attempts, authenticate, authorize, etc
- DELETE the data: organize your business to avoid dealing with the data
These apply to PCI in the cloud as well!

Slide 37
(no text on this slide)

Slide 38
(no text on this slide)
Slide 39
NIST Definition of Cloud Computing
Cloud computing is a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources that can be rapidly provisioned and released with minimal management effort or service provider interaction.

Slide 40
5 Essential Cloud Characteristics
1. On-demand self-service
2. Broad network access
3. Resource pooling (location independence)
4. Rapid elasticity
5. Measured service

Slide 41
3 Cloud Service Models
1. Cloud Software as a Service (SaaS): use the provider's applications over a network
2. Cloud Platform as a Service (PaaS): deploy customer-created applications to a cloud
3. Cloud Infrastructure as a Service (IaaS): rent processing, storage, network capacity, and other fundamental computing resources
To be considered cloud they must be deployed on top of cloud infrastructure that has the essential characteristics

Slide 42
4 Cloud Deployment Models
- Private cloud: enterprise owned or leased
- Community cloud: shared infrastructure for specific community
- Public cloud
Slide 167
Decision Time
- If PaaS CSP is NOT PCI-OK (Force.com, Azure) THEN the only way to PCI is complete 3rd party payment takeover -> Scenario 4
- If PaaS CSP IS PCI-OK THEN build the control matrix -> Scenario 3

Slide 168
How to Scope?
- On-prem: as usual
- Cloud PaaS environment: PaaS systems are in scope: systems, applications, network, devices, hypervisor
- Two-tiered scoping (PCI 2.0 artifact): systems WITH data vs systems that touch/manage systems with data
- Think outsourced IT

Slide 169
How to Get Compliant? One Approach!!
1. Review which controls the PaaS CSP will handle for you
2. Check which PCI DSS controls they cannot ever handle. Example: your security policy, awareness training for your employees (BTW, they should for theirs)
3. Create the matrix and verify with the CSP. Request additional information from them as needed
4. Deploy additional controls where needed and where prudent
Slide 170
For Example
- Project: replace marketing analytics application that uses PAN with PaaS-deployed application
- PCI controls: all on the application, most on management servers, etc
- Web application scanning => Merchant; all others => CSP
- Decision: move the payment data off CSP, and off PCI you go

Slide 171
How to Stay Compliant?
Keep testing the CSP PCI-OK status and check the matrix for missing controls

Slide 172
Compliance Evidence
What to show to QSA? Evidence of ALL controls, yours and the CSP's
MUST DO: obtain detailed PCI evidence from CSP for controls that apply to your environment!

Slide 173
Responsibility SPLIT// PaaS
PCI PROVIDER:
- Application platform security
- Physical
- Network
- Encryption
- Key management
- System security
MERCHANT:
- Application security
- Scoping
- Monitoring (unless extra $ to CSP)
Slide 174
Example Scenario 5// Control Matrix

PCI DSS Requirement                | Merchant: PaaS user     | Cloud provider: PaaS
Secure application development: R6 | Yes                     | Yes (for platform)
Update OS: RXX                     | No                      | Yes
Log management: R10                | Yes, application logs   | Yes, everything else (or data provided to merchant!)
Render PANs unreadable: R3.4       | Yes                     | Yes, where it touches their environment
Physical access control: R9        | No                      | Yes
Vulnerability scanning: R11.2      | No                      | Yes
Penetration tests: R11.3           | Yes, application level  | Yes, for physical, network, application, etc
Security policy: R12               | Yes, where applicable   | Yes, for the rest
Wireless security: R11.1           | No                      | Yes
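A matrix like this only helps if it is checked for holes and backed by evidence from the CSP (the "One Approach" steps and the "Compliance Evidence" MUST DO). The script below is an added example, not courseware from the class or the CSA. It encodes the Scenario 5 rows in a three-valued scheme (yes / no / partial with a scope note; that encoding is an assumption made here) and reports three things: rows nobody covers, rows where both parties are only partial and the boundary between the halves must be written down, and CSP-covered rows for which no detailed evidence has yet been obtained. The evidence list is constructed for the example.

```python
# Scenario 5 control matrix from the slide. Each entry is "yes", "no", or
# "partial: <scope>"; this three-valued encoding is an assumption made here.
MATRIX = {
    "R6 Secure application development": {"merchant": "yes", "csp": "partial: platform only"},
    "RXX Update OS": {"merchant": "no", "csp": "yes"},
    "R10 Log management": {"merchant": "partial: application logs", "csp": "partial: everything else"},
    "R3.4 Render PANs unreadable": {"merchant": "yes", "csp": "partial: where it touches their environment"},
    "R9 Physical access control": {"merchant": "no", "csp": "yes"},
    "R11.2 Vulnerability scanning": {"merchant": "no", "csp": "yes"},
    "R11.3 Penetration tests": {"merchant": "partial: application level", "csp": "partial: physical, network, application"},
    "R12 Security policy": {"merchant": "partial: applicable parts", "csp": "partial: the rest"},
    "R11.1 Wireless security": {"merchant": "no", "csp": "yes"},
}

# Constructed: requirements for which the merchant has so far obtained
# detailed evidence from the CSP (an AOC section, scan report, policy excerpt).
EVIDENCE_OBTAINED = {
    "R6 Secure application development", "RXX Update OS", "R10 Log management",
    "R9 Physical access control", "R11.2 Vulnerability scanning", "R11.1 Wireless security",
}


def covers(entry):
    """True when a party covers the requirement fully or in part."""
    return entry != "no"


def find_holes(matrix):
    """Requirements nobody covers: the matrix has a hole."""
    return [req for req, who in matrix.items()
            if not covers(who["merchant"]) and not covers(who["csp"])]


def split_rows(matrix):
    """Requirements both parties cover only partially. The boundary between
    the two halves must be written down and confirmed with the CSP, or each
    side will assume the other has it."""
    return [req for req, who in matrix.items()
            if who["merchant"].startswith("partial") and who["csp"].startswith("partial")]


def missing_evidence(matrix, evidence_obtained):
    """CSP-covered requirements with no detailed CSP evidence on file; these
    are the rows a QSA cannot accept on the merchant's word."""
    return [req for req, who in matrix.items()
            if covers(who["csp"]) and req not in evidence_obtained]


if __name__ == "__main__":
    print("holes:", find_holes(MATRIX))
    print("split rows needing a documented boundary:", split_rows(MATRIX))
    print("CSP evidence still to collect:", missing_evidence(MATRIX, EVIDENCE_OBTAINED))
```

The split rows are the ones that bite in practice: R10 is a good illustration, since "application logs" versus "everything else" says nothing about who keeps hypervisor or platform authentication logs, and that has to be settled with the CSP in writing.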
Slide 175
Notable PCI DSS Requirements to Watch
- Requirement 1: firewall architecture (cloud networks are flat)
- Requirement 4.1: use strong cryptography and security protocols; intra-CSP traffic may be seen as public
- Requirement 6.1: patch management is joint, and needs to be done by both
- Requirement 12.8 covers service providers and the matrix

Slide 176
Contract SLA Tips
- Clear acceptance of responsibility for their controls
- Verification of provider controls
- Incident response support for data breaches

Slide 177
Common Pitfalls and Key Risks
- Failure to test the provider on an ongoing basis
- SLA failures: no escalation, evidence sharing, incident response cooperation
Slide 178
Scenario 6// Tiered PCI
- Merchant: ecommerce or stores
- Uses public cloud PaaS or SaaS provider who uses public IaaS provider
- Processes cards and possibly stores them somewhere

Slide 179
Description
- A major ecommerce website
- Uses CSP for a broad spectrum of tasks, including payments
- Their provider uses another cloud provider
- Some cloud providers MAY BE PCI-OK
- PAN data stored/passed in the cloud
- PAN data processed in the cloud

Slide 180
Scenario 6// Visual

Slide 181
Audience Poll
Q: Can they be PCI DSS compliant?
A: Yes
B: No
C: Cannot tell
- Must the provider be PCI-OK?
- Must their provider's provider be PCI-OK?
- Can the merchant be PCI-OK if some CSPs are not?

Slide 182
Tiered Merchant Example
- Merchant uses CSP (SaaS) that uses Amazon EC2 (IaaS)
- A public Amazon case study: http://aws.amazon.com/solutions/case-studies/36boutiques/
Slide 183
How to Assess?
Key: The Matrix Must Have No Holes, Again. But there are more dimensions now

Slide 184
Your CSP's CSP is NOT your CSP!
Note also that some controls are NOT implemented by your CSP; they simply trust their CSP's assertions
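In the tiered case the matrix gains a third party, and the question becomes where the chain of reliance for each control ends and on what basis. The script below is an added example, not part of the class materials. It models a merchant -> SaaS CSP -> IaaS CSP chain in which each party either performs a control itself or relies on the next tier, on the strength of either obtained evidence or a bare assertion. It flags controls where a hop rests on assertion only, controls whose chain ends with no party recorded as performing them, and notes controls performed by a provider the merchant has no direct relationship with. The party names, the control rows and the evidence flags are all constructed for the example.

```python
# A tiered reliance chain: for each requirement, every party records either
#   ("performs", None, None)           it implements the control itself, or
#   ("relies_on", party, basis)        it passes the control to the next tier,
#                                      where basis is "evidence" (report or AOC
#                                      section obtained) or "assertion" (a promise).
# All party names, rows and flags below are constructed for this example.
CONTROLS = {
    "R9 Physical access control": {
        "merchant": ("relies_on", "saas_csp", "evidence"),
        "saas_csp": ("relies_on", "iaas_csp", "evidence"),
        "iaas_csp": ("performs", None, None),
    },
    "R11.2 Vulnerability scanning": {
        "merchant": ("relies_on", "saas_csp", "evidence"),
        "saas_csp": ("relies_on", "iaas_csp", "assertion"),
        "iaas_csp": ("performs", None, None),
    },
    "R10 Log management": {
        "merchant": ("relies_on", "saas_csp", "assertion"),
        "saas_csp": ("performs", None, None),
    },
    "R1 Firewall architecture": {
        "merchant": ("relies_on", "saas_csp", "evidence"),
        "saas_csp": ("relies_on", "iaas_csp", "evidence"),
        # no iaas_csp entry: nobody has confirmed who actually performs it
    },
}

# Providers the merchant itself has a contract (and a Requirement 12.8
# relationship) with. The IaaS provider is deliberately absent.
MERCHANT_PROVIDERS = {"saas_csp"}


def trace(controls, requirement, providers, start="merchant"):
    """Follow the chain of reliance for one requirement.

    Returns (performer, gaps, notes): the party that actually performs the
    control (None if the chain breaks), findings that need action, and
    observations that do not by themselves fail the row."""
    gaps, notes = [], []
    party, seen = start, set()
    while True:
        if party in seen:
            gaps.append(f"circular reliance at {party}")
            return None, gaps, notes
        seen.add(party)
        entry = controls[requirement].get(party)
        if entry is None:
            gaps.append(f"no recorded position for {party}: hole in the matrix")
            return None, gaps, notes
        kind, next_party, basis = entry
        if kind == "performs":
            if party != start and party not in providers:
                notes.append(f"performed by {party}, which is not the merchant's CSP; "
                             "evidence arrives second-hand")
            return party, gaps, notes
        if basis != "evidence":
            gaps.append(f"{party} relies on {next_party} on assertion only")
        party = next_party


def needs_action(controls, providers):
    """Requirements whose chain has at least one gap."""
    return sorted(req for req in controls if trace(controls, req, providers)[1])


if __name__ == "__main__":
    for req in CONTROLS:
        performer, gaps, notes = trace(CONTROLS, req, MERCHANT_PROVIDERS)
        print(req, "->", performer or "NOBODY", gaps, notes)
```

R9 passes here only because evidence was obtained at every hop; R11.2 is the "they simply trust their CSP's assertions" case from the slide, and R1 is the hole that the extra dimension hides when the matrix is drawn for two parties only.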
Slide 185
How to Scope?
- Worst case: FORGET IT! We can never figure it out. (reality)
- Best case: payment chain is isolated from ALL the CSPs (zero scope for you, all scope is with payment provider)

Slide 186
We went through six PCI-in-the-cloud scenarios!
Ahhhhhh

Slide 187
Exercise// How to Comply/Assess?
- Business: ecommerce
- Setup: uses CSP for web hosting and all application hosting, accepts payment cards, sells to consumers
- Challenge: we are a QSA they hired to get them compliant
- Next steps?

Slide 188
What do the scenarios teach us about PCI and cloud?
1. "Kill the scope" works in the cloud as well
2. It is better to have the payment processor handle more and merchant/CSP handle less of the PCI burden
3. CSP may do it, but MERCHANT is responsible and needs to validate it
4. Finally, we CAN have PCI in the cloud!
Slide 189
Final Recommendations
- Follow the scenarios as templates for your projects
- Learn to scope in the cloud
- Make a matrix of shared responsibility (and keep it with you at all times)
- Remember: MERCHANT is on the hook, even if CSP does it (as per PCI DSS)
- Requirement 12.8 is NOT a punt

Slide 190
Additional Tips from Past Class Discussions
- Use PCI + cloud security thinking for other sensitive data: SSN, PHI, financials, etc
- Involve legal in SLA and other discussions about regulated data in the cloud (!)
- Scan for YOUR sensitive data being put in the cloud by business partners in THEIR clouds
- "Trust but verify" principle MUST be applied to your CSP
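Scanning your own exports and logs for card numbers before they go to a partner's cloud, and masking what you find, is one practical form of the "scan for YOUR sensitive data" tip and of the class's advice to get PANs out of the cloud wherever possible (Requirement 3.4 in the control matrix). The script below is an added example, not part of the CSA class materials: it finds runs of 13 to 19 digits, keeps only those that pass the Luhn check so order numbers and timestamps drop out, and reports each hit masked to the first six and last four digits so the scan output does not itself become cardholder data. The sample export text is constructed; 4111 1111 1111 1111 is a well-known test number, not a real card.

```python
import re

# Candidate runs of 13 to 19 digits, optionally separated by spaces or dashes,
# not embedded in a longer digit run.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Constructed sample of an export a business partner might copy into its cloud.
# 4111 1111 1111 1111 is a well-known test number; the other digit runs are
# an order id and a mistyped number that fails the Luhn check.
SAMPLE_EXPORT = """\
2011-06-01 order=20110601000042 customer=alice amount=19.99
note: card 4111 1111 1111 1111 exp 12/13 stored for recurring billing
ref=4111111111111112 (typo, fails Luhn)
token=tok_8f3a9c2d no PAN here
"""


def luhn_ok(digits):
    """Luhn check-digit validation; rejects most non-card digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits):
    """Keep at most the first six and last four digits, as PCI DSS allows for
    display, so scan results are not themselves cardholder data."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_pans(text):
    """Return [(line_number, masked_pan)] for every Luhn-valid candidate."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for match in PAN_CANDIDATE.finditer(line):
            digits = re.sub(r"[ -]", "", match.group())
            if luhn_ok(digits):
                hits.append((lineno, mask_pan(digits)))
    return hits


if __name__ == "__main__":
    for lineno, masked in find_pans(SAMPLE_EXPORT):
        print(f"line {lineno}: possible PAN {masked}")
```

The Luhn filter is what makes this usable on real data: the 14-digit order id in line 1 and the mistyped number in line 3 are both rejected, so reviewers only see the line with an actual PAN-shaped, check-digit-valid value. The token in line 4 is what the same record should look like once the PAN has been handed off to the payment provider.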
Slide 191
Any Lessons from the Audience?
Anything juicy I missed, to conclude?

Slide 192
A one-liner version?
If you can get rid of the PANs in the cloud, DO IT!

Slide 193
Questions?

Slide 194
Thanks for Your Review!
Courseware author Dr. Anton Chuvakin would like to thank the following people for their thoughtful review of class materials:
- Walt Conway @ 403 Labs
- Martin McKeay @ Verizon
- Mike Dahn @ PWC
- Doug Barbin @ BrightLine
- Jason Chan @ Netflix

Slide 195
Additional Materials
In the notes, there are links to various useful reading, in addition to CSA and other sites mentioned in the class.
Go to www.cloudsecurityalliance.org for the latest information on our educational resources.

Slide 196
(no text on this slide)