
What You Need To Know About

The New PCI Cloud Guidelines

#PCICloud

Dave Shackleford CTO, IANS

Chris Brenton Director of Security, CloudPassage, Inc.

Session Agenda

•  Can PCI DSS compliance be achieved in public cloud?
•  Scope and responsibility example
•  Checklist for PCI DSS compliance
•  Suggestions for limiting PCI scope
•  Breakdown of the shared responsibility model
•  Securing and assessing data in a CSP environment
•  Incident Response
•  Questions

Helpful PCI Cloud Guidance?

PCI DSS = 75 pages of compliance goodness
PCI Cloud SIG Guidance = 52 pages describing how to apply those 75 pages to:

•  Public cloud
•  Private cloud
•  Hybrid cloud
•  IaaS
•  PaaS
•  SaaS
•  Nested providers
•  and more!

First, take a deep breath…

The Big Question

•  Can PCI DSS compliance be achieved in public cloud?
   –  Yes, and folks are doing it
•  The easy way
   –  Work with a PCI DSS certified CSP
   –  Perform a gap analysis against the CSP's “PCI scope and responsibility” documentation
      •  Their scope should include any nested providers
   –  Make sure you fill in all the gaps :)
•  The hard way
   –  Work with a CSP that has not achieved PCI compliance
   –  Your auditor must scope and review their environment
   –  You essentially must certify the CSP while footing the bill

Study Figure 3

Scope & Responsibility Example - CSP

PCI #: 9.1
PCI DSS Requirement: Use appropriate facility entry controls to limit and monitor physical access to systems in the cardholder data environment.
Testing Procedure: Verify the existence of physical security controls for each computer room, data center, and other physical areas with systems in the cardholder data environment.
Customer Responsibility: FUBAR Cloud Services maintains the physical security for all in-scope services.

Scope & Responsibility Example - Client

PCI #: 1.3.1
PCI DSS Requirement: Implement a DMZ to limit inbound traffic to only system components that provide authorized publicly accessible services, protocols and ports.
Testing Procedure: Verify that a DMZ is implemented to limit inbound traffic to only system components that provide authorized publicly accessible services, protocols and ports.
Customer Responsibility: FUBAR customers are responsible for implementing perimeter firewalls through the FUBAR GUI for their in-scope services. FUBAR customers are responsible for developing appropriate firewall rules for their DMZ and internal network.

A Basic Checklist

✓  Understand the flow of credit card info
   –  What processes/services handle it?
   –  What communications exchange it?
   –  What drives/partitions store it?
✓  Understand what SaaS services will have Admin control
   –  Can be in scope if they control servers that handle credit card info
✓  Flow diagrams are your friend; leverage them
✓  Delineate portions that are internal vs. external
✓  For internal portions, you need to address all 12 PCI requirements
✓  For external portions
   –  Understand the CSP's scope and responsibility documentation
   –  Fill in the gaps as required

Section 6.5

•  Does not directly address PCI requirements
•  Has lots of good info on how/why cloud is an evolving tech
•  Caveats for legacy security tools
•  Example: Introspection
   –  Expands the functionality of the hypervisor
   –  Provides visibility of VM memory, disk & network via API
   –  In private virtualization, leveraged for implementing security
   –  Problematic in public cloud
      •  Expands the attack surface of the hypervisor
      •  Leaves no forensic trail on the VM itself
      •  Can be a serious issue in public IaaS
         –  Provider manages the hypervisor
         –  Client manages their unique VMs

Limiting PCI Scope

The new guidance offers the following suggestions for limiting PCI scope:

–  Don’t store, process or transmit payment card data in the cloud
–  Implement a dedicated physical infrastructure
–  Minimize reliance on third-party CSPs for protecting payment card data
–  Ensure that clear-text account data is never accessible in the cloud

A Scoping Example

Who is responsible for Security?

[Diagram, reconstructed as text: a stack of layers, each labelled either Provider Responsibility or Customer Responsibility]

Provider Responsibility:
•  Physical Facilities
•  Hypervisor
•  Compute & Storage
•  Shared Network

Customer Responsibility:
•  Virtual Machine
•  Operating System
•  App Framework
•  App Code
•  Data

AWS Shared Responsibility Model

“…the customer should assume responsibility and management of, but not limited to, the guest operating system…and associated application software...”

“it is possible for customers to enhance security and/or meet more stringent compliance requirements with the addition of… host based firewalls, host based intrusion detection/prevention, encryption and key management.”

Amazon Web Services: Overview of Security Processes

Data Security

•  Securing and assessing data in a CSP environment can be very challenging
•  The data may be in:
   –  Multiple physical locations
   –  Multiple countries
   –  Multiple data formats
•  Data security processes within a CSP environment need to be closely evaluated

Data Acquisition, Storage, Lifecycle

•  Data flows need to be developed and constructed for all client and CSP networks
•  All data “capture” points need to be identified and protected
   –  Memory and VM snapshots included, as are hypervisor access methods
•  Data lifecycle is critical to identify and clarify
   –  Data should be protected at all stages in and out of the CSP environment, and disposed of properly

Data Classification and Encryption

•  CSPs should meet data classification requirements for clients before migration to the cloud
   –  Cardholder data, credentials, and crypto keys are examples
•  All sensitive data should use data-level encryption
   –  Crypto keys should be stored separately
   –  All key custodians should be defined and listed, in both client and CSP environments
   –  Unique keys should be in place for each client
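The three encryption points above (data-level encryption, keys stored separately from the data, a unique key per client) fit an envelope-encryption layout. The following is an added example, not code from the presenters or the PCI guidance: the record the CSP stores holds only ciphertext plus a per-record data key wrapped under a key-encryption key that stays with the client's own key custodian, so the provider never holds a usable key; the names Record, StoreForClient and Retrieve are assumed for illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// Record is what the CSP-side store holds: ciphertext plus a DEK wrapped under the client-held KEK.
type Record struct {
	ClientID               string
	WrappedDEK, Ciphertext []byte
}

func NewKey() []byte { k := make([]byte, 32); rand.Read(k); return k } // fresh random 256-bit DEK or KEK

// seal encrypts with AES-256-GCM and returns nonce||ciphertext||tag.
func seal(key, plaintext []byte) []byte {
	block, _ := aes.NewCipher(key) // keys are always 32 bytes, so this cannot fail
	aead, _ := cipher.NewGCM(block)
	nonce := make([]byte, aead.NonceSize())
	rand.Read(nonce)
	return aead.Seal(nonce, nonce, plaintext, nil)
}

// open reverses seal; the GCM tag check fails on a wrong key or tampering.
func open(key, blob []byte) ([]byte, error) {
	block, _ := aes.NewCipher(key)
	aead, _ := cipher.NewGCM(block)
	if n := aead.NonceSize(); len(blob) >= n {
		return aead.Open(nil, blob[:n], blob[n:], nil)
	}
	return nil, fmt.Errorf("ciphertext too short")
}

// StoreForClient encrypts data under a fresh per-record DEK and wraps that DEK with the client's own KEK.
func StoreForClient(clientID string, kek, data []byte) Record {
	dek := NewKey()
	return Record{clientID, seal(kek, dek), seal(dek, data)}
}

// Retrieve unwraps the DEK with kek, then decrypts; another client's KEK fails authentication, leaking nothing.
func Retrieve(kek []byte, r Record) ([]byte, error) {
	dek, err := open(kek, r.WrappedDEK)
	if err != nil {
		return nil, fmt.Errorf("unwrap DEK for %s: %w", r.ClientID, err)
	}
	return open(dek, r.Ciphertext)
}
```

Rotating or revoking a client's KEK then means re-wrapping only the small DEKs, and terminating a client's service becomes destroying one KEK rather than scrubbing every copy of the ciphertext.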

Data Decommissioning and Disposal

•  Clearly define data disposal techniques within the CSP
•  Document “Termination of Service” procedures
•  Ensure that all data is deleted permanently when agreements have been terminated, even if encrypted

Incident Response

•  Clients need to discuss data breach notification with CSPs
   –  Clients may also need to notify CSPs about data breaches in their environments, to mitigate risk to other clients
•  What constitutes a breach should be defined and agreed on before doing business

Incident Response Continued

•  Notification processes and timelines should be in SLAs
•  Discuss the potential for client data to be captured by 3rd parties during a breach investigation
•  The PCI guidance acknowledges that incident response and detection may be almost impossible if a VM has been decommissioned or removed!

Questions?

Dave Shackleford, CTO, IANS
@IANS_Security

Chris Brenton, Director of Security, CloudPassage
@CloudPassage

Thank You

www.cloudpassage.com  @cloudpassage