PCI and the Cloud
Dave Shackleford, CTO, IANS
Andrew Hay, Chief Evangelist, CloudPassage
8/29/2012
Hashtag - #PCIcloud
Copyright © 2012 IANS. All rights reserved. 2
Who We Are
Dave Shackleford, SVP of Research & CTO at IANS
Andrew Hay, Chief Evangelist at CloudPassage, Inc.
Interact with us on Twitter using the #PCIcloud hashtag
Introduction
• There are lots of questions about PCI in cloud environments…but few answers to date
How will compliance be affected with various cloud configurations?
What should we look for in PCI-compliant providers?
How can I satisfy the security and control requirements?
Can I even be PCI compliant in the cloud?
What does a ‘PCI Compliant’ cloud even mean?
What am I responsible for in Private/Public/Hybrid clouds?
Will my existing technical controls work in cloud?
It’s Not All Doom and Gloom
• Yes, you can be PCI compliant in the cloud!
• You will likely need some different tools and processes
• Not all providers are created equal!
• There is no “silver bullet” – but the responsibility is still yours
Survey Results: Compliance & Standards
• What standards or regulatory compliance mandates apply to your cloud project(s)?
PCI DSS        84.2%
HIPAA          42.1%
SOX            36.8%
ISO            31.6%
CoBIT          15.8%
CIPA            5.3%
Cloud Audit     5.3%
COPPA           5.3%
FISMA           5.3%
GLBA            5.3%
A Little About Cloud Types
[Diagram: four environments (Private Cloud / Hybrid Staging, Legacy Datacenter / Colo, US Public Cloud Provider, EU Public Cloud Provider), each hosting some mix of load balancers, app servers, databases and auth servers]
Survey Results - Environments
• Which of the following cloud hosting environments are leveraged by your project(s)?
A private cloud hosted and/or operated by an external provider   44.4%
A public, multi-tenant cloud provider                            38.9%
A public, multi-tenant Platform-as-a-Service (PaaS)              33.3%
A private cloud hosted in your own data center                   27.8%
A private Platform-as-a-Service (PaaS)                           16.7%
Who is responsible for Security?
[Diagram: layered stack split into provider and customer responsibility]
Provider responsibility: Physical Facilities, Hypervisor, Compute & Storage, Shared Network
Customer responsibility: Virtual Machine, Data, App Code, App Framework, Operating System
AWS Shared Responsibility Model
“…the customer should assume responsibility and management of, but not limited to, the guest operating system…and associated application software...”
“it is possible for customers to enhance security and/or meet more stringent compliance requirements with the addition of… host based firewalls, host based intrusion detection/prevention, encryption and key management.”
Source: Amazon Web Services: Overview of Security Processes
General Notes on Cloud Service Providers (CSPs)
• Compliance concerns will vary depending on whether CSP is SaaS, PaaS, IaaS
• CSPs should be on the card brands’ “approved list”
• PCI compliance should be in the contract
What Else to Look For: CSPs
• Evidence of audit and attestation – combination of “PCI Compliance” and perhaps SSAE 16
• Cloud SLAs and contract provisions
• Who is responsible for what? This should be clear!
• You cannot outsource your compliance status!
• But you CAN take steps to secure the requirements under your control
Requirement Areas 1-3
PCI DSS Requirement: Cloud Concerns and Comments
Requirement 1: Install/maintain firewall configs
  1. Data flow is important
  2. Host-based firewalls may make the most sense
  3. Hardware and some network may be up to the CSP
Requirement 2: Vendor defaults
  1. Virtualization templates can help (once they are secured properly)
  2. CSP audit data may be needed
  3. Always check for inappropriate settings
Requirement 3: Protect stored data
  1. Options will depend on data storage type
  2. Cloud storage platforms may have their own options
Focus areas: Protect the perimeter, internal, and wireless networks; Secure payment card applications; Protect stored cardholder data.
Requirement Areas 4-6
PCI DSS Requirement: Cloud Concerns and Comments
Requirement 4: Encrypt data in transit
  1. VPN connections to/from cloud environment
  2. Leverage SSL connections
Requirement 5: Use and update anti-malware
  1. Ensure anti-malware is built into templates for deployment
Requirement 6: Develop/maintain secure systems and apps
  1. Build security into apps and VM templates in the cloud
  2. Be wary of provisioning and “cloud bursting”
Focus areas: Secure payment card applications; Monitor and control access to your systems; Protect stored cardholder data.
Requirement Areas 7-9
PCI DSS Requirement: Cloud Concerns and Comments
Requirement 7: Restrict access to Cardholder Data (CHD) by “Need to Know”
  1. Leverage any role-based controls (e.g. Amazon IAM and others)
  2. Build controls into cloud systems and manage normally (if possible)
Requirement 8: Use unique IDs for accessing PCI systems
  1. Proper configuration management and role/group management are required
Requirement 9: Restrict physical access
  1. This is entirely on the CSP – similar to a hosting environment
Focus area for all three: Monitor and control access to your systems.
Requirement Areas 10-12
PCI DSS Requirement: Cloud Concerns and Comments
Requirement 10: Track and monitor access to CHD
  1. Will your CSP provide any logs? If so, which ones?
  2. Send your own logs to a central log server in the cloud or elsewhere
Requirement 11: Test PCI systems and processes
  1. Test your cloud assets – this may require a different coordination level with the CSP
  2. Ask for CSP test reports if relevant
Requirement 12: Maintain information security policies
  1. Update any/all policies that may have ties to the new cloud-based assets.
Focus areas: Monitor and control access to your systems; Finalize remaining compliance efforts, and ensure all controls are in place.
Survey Results: Audit
• How many times has your cloud project been audited for adherence to the compliance standards above?
Never                   66.7%
Once                     9.5%
More than three times   23.8%
Survey Results: Controls
• What cloud security technologies did your auditors expect you to have deployed?
Firewalls & Access control     78.6%
SIEM/LM                        71.4%
WAF                            71.4%
Multi-factor authentication    64.3%
Database encryption            57.1%
Network encryption             57.1%
NIDS                           57.1%
Patch management               57.1%
Disk encryption                42.9%
HIDS                           35.7%
Configuration monitoring       35.7%
FIM                            35.7%
Code scanning                  35.7%
Survey Results: Who Audited?
• Who performed your cloud compliance audit (big four, small firm, QSA)?
A large accounting firm (e.g. one of the “big four”)                                 6.7%
A large technology integrator or technical consulting firm                           6.7%
A smaller firm specializing in information security technology                       6.7%
A smaller firm specializing in general risk management, governance and compliance   13.3%
Internal/self audit                                                                 66.7%
How Do I Secure Servers in the Cloud?
Servers in hybrid and public clouds must be self-defending with highly automated controls like…
• Dynamic firewall & access control
• Server account visibility & control
• Server compromise & intrusion alerting
• Server forensics and security analysis
• Configuration and package security
• Integration & automation capabilities
Mapping Compliance to the Cloud
Firewalling Without Network Control
Traditional Datacenter (DC) Firewalling
[Diagram: traditional datacenter with DMZ and core segments separated by two network firewalls; load balancers, app servers, an auth server and databases sit behind them, and one web server (www-4) is flagged with a warning marker]
Moving to the Cloud
[Diagram sequence: starting from the DC topology above (DMZ and core segments behind two firewalls, with load balancers, app servers, auth server and databases), tiers are moved step by step into a public cloud; the final state is a load balancer, two app servers and a DB master in the public cloud with no network firewalls between them, and warning markers on the exposed hosts]
Dynamic Cloud Firewalling
[Diagram sequence: in the public cloud every server (load balancer, app servers, DB master, DB slave) runs its own host firewall (FW); as a second load balancer, a DB slave and more app servers are added, each new server appears with its own IP and its own FW, and the rule sets on the existing servers must change with it]
Lessons to Learn
Whatever firewall options you have, use them
Make sure your firewall rules are updated quickly and automatically
Plan for the future, because you will be multi-cloud
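A worked illustration of the per-host, automatically updated firewalling the slides describe, added here as an example (it is not code from the deck, from IANS or from CloudPassage). It assumes a small constructed inventory of servers with roles (load balancer, app server, DB master) and a role-based policy, generates iptables-style INPUT rules for each host from that inventory, and shows the rule diff the DB master must apply when a new app server with a new IP joins. The server names, IPs, ports, the POLICY table and PUBLIC_INGRESS are all assumptions.

```python
"""Per-host firewall rules generated from a server inventory.

Added example (not from the IANS/CloudPassage deck). With no network
firewall under your control, each cloud server runs its own host firewall,
and its rules are recomputed from a role-based policy every time the
inventory changes. Inventory, roles, IPs and ports are constructed samples.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Server:
    name: str
    role: str    # "lb", "app" or "db-master" in this sample
    ip: str
    cloud: str   # provider/region label; rules are IP-based, so it does not matter


# Role-based policy (assumption): (source role, destination role, TCP port).
# Anything not listed is dropped by the default policy.
POLICY = [
    ("lb", "app", 8080),          # load balancer -> app tier
    ("app", "db-master", 3306),   # app tier -> database
]

# Only the load balancer accepts connections from the internet.
PUBLIC_INGRESS = {"lb": [443]}


def rules_for(host: Server, inventory: list) -> list:
    """Return iptables INPUT rules for one host, derived from the inventory."""
    rules = [
        "-P INPUT DROP",
        "-A INPUT -i lo -j ACCEPT",
        "-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT",
    ]
    for port in PUBLIC_INGRESS.get(host.role, []):
        rules.append(f"-A INPUT -p tcp --dport {port} -j ACCEPT")
    for src_role, dst_role, port in POLICY:
        if dst_role != host.role:
            continue
        # one /32 rule per live peer; sorted so repeated runs are diffable
        for peer in sorted(inventory, key=lambda s: s.ip):
            if peer.role == src_role and peer.name != host.name:
                rules.append(f"-A INPUT -s {peer.ip}/32 -p tcp --dport {port} -j ACCEPT")
    return rules


def diff_rules(old: list, new: list):
    """(rules to add, rules to remove) when the inventory changes."""
    return sorted(set(new) - set(old)), sorted(set(old) - set(new))


# Constructed inventory: a US-hosted tier plus one app server bursting into an EU provider.
INVENTORY = [
    Server("lb-1", "lb", "10.0.0.10", "us-public"),
    Server("app-1", "app", "10.0.1.11", "us-public"),
    Server("app-2", "app", "10.0.1.12", "us-public"),
    Server("db-master", "db-master", "10.0.2.20", "us-public"),
]
NEW_APP = Server("app-3", "app", "192.168.5.33", "eu-public")


def db_rule_changes_when_app3_joins():
    """What the DB master's firewall must change when app-3 is launched."""
    db = INVENTORY[3]
    before = rules_for(db, INVENTORY)
    after = rules_for(db, INVENTORY + [NEW_APP])
    return diff_rules(before, after)


if __name__ == "__main__":
    for host in INVENTORY + [NEW_APP]:
        print(f"# {host.name} ({host.cloud})")
        print("\n".join(rules_for(host, INVENTORY + [NEW_APP])))
    print("db-master changes on app-3 launch:", db_rule_changes_when_app3_joins())
```

Because the rules are derived from peer IPs rather than from network segments, the same generator works whether the peer sits in the same provider or in a second cloud. The operational risk is the inventory: if a retired server's IP stays in the list, a stale allow rule stays on every host, which is why the recompute and push has to be automated rather than done by hand.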
Securing Highly Dynamic Servers
Traditional DC Operations Model
[Diagram: private datacenter with long-lived web servers www-1 to www-4 behind network defenses; one host carries a warning marker]
Capacity is mostly static
Servers are long-lived
Security risk on servers is mitigated by network defenses
Cloud Operations Model
[Diagram sequence: many short-lived www servers are launched from a Gold Master image into the public cloud; servers appear and disappear as capacity changes, and an updated Gold Master replaces running servers a few at a time]
Capacity is highly dynamic
Servers are short lived
Gold Master updates are rolled out incrementally
What does server security mean in this environment?
Ensuring Cloud Server Integrity
[Diagram: a group of short-lived www servers, each annotated with the checks below]
Scan for misconfigurations due to deployment or debugging issues
Ensure software packages are up-to-date and watch for remote exploits that must be patched quickly
Monitor business code for unintended or malicious changes
Automate management and monitoring of these critical operational security points
Lessons to Learn
Embrace the flexibility of the cloud; re-think operations
Secure your server integrity by keeping images up-to-date and monitor closely for changes
Know what areas of security you are responsible for and automate them heavily
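An added example (not from the deck, IANS or CloudPassage) of the integrity checks the previous slides call for: it compares a running instance's files against the SHA-256 manifest recorded when the gold master image was built, so unintended or malicious changes surface as modified, removed or added files, and then scans an SSH daemon configuration for settings loosened during deployment or debugging. The file paths, file contents, the manifest and the REQUIRED_SETTINGS table are constructed sample data and assumptions.

```python
"""Gold-master integrity check for a short-lived cloud server.

Added example (not from the deck, IANS or CloudPassage). Two of the checks
the slides call for: (1) compare a running instance's files against the
SHA-256 manifest recorded when the gold master was built; (2) scan a config
file for settings commonly loosened during deployment or debugging.
All paths, contents and the manifest are constructed sample data.
"""
import hashlib
import re


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Files as they were in the gold master image (constructed sample).
GOLD_FILES = {
    "/srv/app/checkout.py": b"def charge(card):\n    return gateway.charge(card)\n",
    "/srv/app/config.py": b"DEBUG = False\n",
    "/etc/ssh/sshd_config": b"PermitRootLogin no\nPasswordAuthentication no\n",
}
# The manifest is built at image-build time and kept off the instance.
GOLD_MANIFEST = {path: sha256_hex(data) for path, data in GOLD_FILES.items()}

# The same instance after an ad-hoc production "fix" (constructed sample):
# the checkout code now logs card numbers, config.py is gone, a debug script
# was dropped in, and SSH was opened up for root password logins.
RUNNING_FILES = {
    "/srv/app/checkout.py": b"def charge(card):\n    log(card.number)\n    return gateway.charge(card)\n",
    "/etc/ssh/sshd_config": b"PermitRootLogin yes\nPasswordAuthentication yes\n",
    "/srv/app/debug_dump.py": b"print(open('/srv/app/config.py').read())\n",
}


def compare_to_manifest(manifest: dict, running: dict) -> dict:
    """Classify every path as modified, removed or added relative to the manifest."""
    modified = sorted(p for p in manifest if p in running and sha256_hex(running[p]) != manifest[p])
    removed = sorted(p for p in manifest if p not in running)
    added = sorted(p for p in running if p not in manifest)
    return {"modified": modified, "removed": removed, "added": added}


# Settings that must hold on a PCI-scoped host (assumption: sshd_config syntax).
REQUIRED_SETTINGS = {"PermitRootLogin": "no", "PasswordAuthentication": "no"}


def find_misconfigurations(config_text: str) -> dict:
    """Return {setting: value found} for every required setting that is wrong or absent (None)."""
    found = {}
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()     # drop comments and blank lines
        m = re.match(r"(\S+)\s+(\S+)", line)
        if m:
            found[m.group(1)] = m.group(2)
    return {key: found.get(key) for key, want in REQUIRED_SETTINGS.items() if found.get(key) != want}


def audit_instance(running: dict) -> dict:
    """Run both checks against one instance's files; an all-empty report means it matches gold."""
    report = compare_to_manifest(GOLD_MANIFEST, running)
    sshd = running.get("/etc/ssh/sshd_config", b"").decode()
    report["misconfigured"] = find_misconfigurations(sshd)
    return report


if __name__ == "__main__":
    print(audit_instance(RUNNING_FILES))
```

The manifest has to be produced when the image is built and stored somewhere the instance cannot modify; a manifest that lives on the server can be rewritten by whoever changed the files. Because servers are short-lived, the useful response to a non-empty report is usually to terminate the instance and relaunch from the gold master rather than to repair it in place.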
Best Practices
• Read and understand what your provider does, and what you are responsible for, with regards to PCI
• When moving servers outside your data center, ensure that they are hardened and compliant before they are exposed to the public
• Start with public cloud, PCI everywhere else is relatively easy!
• Focus on securing the tenets of PCI that you can control
Thank You & Questions
Dave Shackleford
CTO, IANS
Andrew Hay
Chief Evangelist, CloudPassage
Follow us on Twitter: twitter.com/ians_security, twitter.com/cloudpassage
www.cloudpassage.com/pci-kit