PCI and the Cloud Dave Shackleford, CTO, IANS Andrew Hay, Chief Evangelist, CloudPassage 8/29/2012 Hashtag - #PCIcloud
Page 1: PCI and the Cloud

PCI and the Cloud

Dave Shackleford, CTO, IANS

Andrew Hay, Chief Evangelist, CloudPassage

8/29/2012

Hashtag - #PCIcloud

Page 2: PCI and the Cloud

Copyright © 2012 IANS. All rights reserved. 2

Who We Are

Dave Shackleford, SVP of Research & CTO at IANS

Andrew Hay, Chief Evangelist at CloudPassage, Inc.

Interact with us on Twitter using the #PCIcloud hashtag

Page 3: PCI and the Cloud

Introduction

• There are lots of questions about PCI in cloud environments…but few answers to date

How will compliance be affected with various cloud configurations?

What should we look for in PCI-compliant providers?

How can I satisfy the security and control requirements?

Can I even be PCI compliant in the cloud?

What does a ‘PCI Compliant’ cloud even mean?

What am I responsible for in Private/Public/Hybrid clouds?

Will my existing technical controls work in cloud?

Page 4: PCI and the Cloud

It’s Not All Doom and Gloom

• Yes, you can be PCI compliant in the cloud!

• You will likely need some different tools and processes

• Not all providers are created equal!

• There is no “silver bullet” – but the responsibility is still yours

Page 5: PCI and the Cloud

Survey Results: Compliance & Standards

• What standards or regulatory compliance mandates apply to your cloud project(s)?

PCI DSS 84.2%

HIPAA 42.1%

SOX 36.8%

ISO 31.6%

CoBIT 15.8%

CIPA 5.3%

Cloud Audit 5.3%

COPPA 5.3%

FISMA 5.3%

GLBA 5.3%

Page 6: PCI and the Cloud

A Little About Cloud Types

[Diagram: four environments side by side: Private Cloud / Hybrid Staging, US Public Cloud Provider, EU Public Cloud Provider and Legacy Datacenter / Colo, each built from Load Balancers, App Servers, DBs and Auth Servers]

Page 7: PCI and the Cloud

Survey Results - Environments

• Which of the following cloud hosting environments are leveraged by your project(s)?

A private cloud hosted and/or operated by an external provider 44.4%

A public, multi-tenant cloud provider 38.9%

A public, multi-tenant Platform-as-a-Service (PaaS) 33.3%

A private cloud hosted in your own data center 27.8%

A private Platform-as-a-Service (PaaS) 16.7%

Page 8: PCI and the Cloud

Who is responsible for Security?

[Diagram: AWS Shared Responsibility Model. Provider Responsibility: Physical Facilities, Hypervisor, Compute & Storage, Shared Network. Customer Responsibility: Virtual Machine, Data, App Code, App Framework, Operating System.]

“…the customer should assume responsibility and management of, but not limited to, the guest operating system…and associated application software...”

“it is possible for customers to enhance security and/or meet more stringent compliance requirements with the addition of… host based firewalls, host based intrusion detection/prevention, encryption and key management.”

Amazon Web Services: Overview of Security Processes

Page 9: PCI and the Cloud

General Notes on Cloud Service Providers (CSPs)

• Compliance concerns will vary depending on whether CSP is SaaS, PaaS, IaaS

• CSPs should be on the card brands’ “approved list”

• PCI compliance should be in the contract

Page 10: PCI and the Cloud

What Else to Look For: CSPs

• Evidence of audit and attestation – combination of “PCI Compliance” and perhaps SSAE 16

• Cloud SLAs and contract provisions

• Who is responsible for what? This should be clear!

• You cannot outsource your compliance status!

• But you CAN take steps to secure the requirements under your control

Page 11: PCI and the Cloud

Requirement Areas 1-3

PCI DSS Requirement Cloud Concerns and Comments

1: Install/maintain firewall configs
  1. Data flow is important
  2. Host-based firewalls may make the most sense
  3. Hardware and some network may be up to the CSP

2: Vendor defaults
  1. Virtualization templates can help (once they are secured properly)
  2. CSP audit data may be needed
  3. Always check for inappropriate settings

3: Protect stored data
  1. Options will depend on data storage type
  2. Cloud storage platforms may have their own options

Protect the perimeter, internal, and wireless networks.

Secure payment card applications.

Protect stored cardholder data.

Page 12: PCI and the Cloud

Requirement Areas 4-6

PCI DSS Requirement Cloud Concerns and Comments

4: Encrypt data in transit
  1. VPN connections to/from cloud environment
  2. Leverage SSL connections

5: Use and update anti-malware
  1. Ensure anti-malware is built into templates for deployment

6: Develop/maintain secure systems and apps
  1. Build security into apps and VM templates in the cloud
  2. Be wary of provisioning and “cloud bursting”

Secure payment card applications.

Monitor and control access to your systems.

Protect stored cardholder data.

Page 13: PCI and the Cloud

Requirement Areas 7-9

PCI DSS Requirement Cloud Concerns and Comments

7: Restrict access to Cardholder Data (CHD) by “Need to Know”
  1. Leverage any role-based controls (e.g. Amazon IAM and others)
  2. Build controls into cloud systems and manage normally (if possible)

8: Use unique IDs for accessing PCI systems
  1. Proper configuration management and role/group management are required

9: Restrict physical access
  1. This is entirely on the CSP – similar to a hosting environment

Monitor and control access to your systems.

Monitor and control access to your systems.

Monitor and control access to your systems.

Page 14: PCI and the Cloud

Requirement Areas 10-12

PCI DSS Requirement Cloud Concerns and Comments

10: Track and monitor access to CHD
  1. Will your CSP provide any logs? If so, which ones?
  2. Send your own logs to a central log server in the cloud or elsewhere

11: Test PCI systems and processes
  1. Test your cloud assets – this may require a different coordination level with the CSP
  2. Ask for CSP test reports if relevant

12: Maintain information security policies
  1. Update any/all policies that may have ties to the new cloud-based assets.

Monitor and control access to your systems.

Monitor and control access to your systems.

Finalize remaining compliance efforts, and ensure all controls are in place.

Page 15: PCI and the Cloud

Survey Results: Audit

• How many times has your cloud project been audited for adherence to the compliance standards above?

[Pie chart: segments of 66.7%, 9.5% and 23.8%; legend: Never, Once, More than three times]

Page 16: PCI and the Cloud

Survey Results: Controls

• What cloud security technologies did your auditors expect you to have deployed?

Firewalls & Access control 78.6%

SIEM/LM 71.4%

WAF 71.4%

Multi-factor authentication 64.3%

Database encryption 57.1%

Network encryption 57.1%

NIDS 57.1%

Patch management 57.1%

Disk encryption 42.9%

HIDS 35.7%

Configuration monitoring 35.7%

FIM 35.7%

Code scanning 35.7%

Page 17: PCI and the Cloud

Survey Results: Who Audited?

• Who performed your cloud compliance audit (big four, small firm, QSA)?

[Pie chart: segments of 66.7%, 13.3%, 6.7%, 6.7% and 6.7%; legend: A large accounting firm (e.g. one of the “big four”); A large technology integrator or technical consulting firm; A smaller firm specializing in information security technology; A smaller firm specializing in general risk management, governance and compliance; Internal/self audit]

Page 18: PCI and the Cloud

How Do I Secure Servers in the Cloud?

Servers in hybrid and public clouds must be self-defending with highly automated controls like…

Dynamic firewall & access control

Server account visibility & control

Server compromise & intrusion alerting

Server forensics and security analysis

Configuration and package security

Integration & automation capabilities

Page 19: PCI and the Cloud

Mapping Compliance to the Cloud

Page 20: PCI and the Cloud

Firewalling Without Network Control

Page 21: PCI and the Cloud

Traditional Datacenter (DC) Firewalling

[Diagram: traditional datacenter with dmz and core zones separated by Firewalls; DB, Load Balancer, Auth Server and App Server hosts; one host (www-4) flagged with !]

Page 22: PCI and the Cloud

Moving to the Cloud

[Diagram: the same datacenter layout (dmz and core zones, Firewalls, DB, Load Balancer, Auth Server and App Server hosts) before any workload moves]

Page 23: PCI and the Cloud

Moving to the Cloud

[Diagram: datacenter dmz and core zones with Firewalls alongside a public cloud; DB, Load Balancer, Auth Server and App Server hosts]

Page 24: PCI and the Cloud

Moving to the Cloud

[Diagram: Load Balancers, App Servers, Auth Server and DBs, with part of the estate now running in the public cloud]

Page 25: PCI and the Cloud

Moving to the Cloud

[Diagram: public cloud with a Load Balancer, two App Servers and a DB Master; two hosts flagged with ! because no datacenter firewall sits in front of them]

Page 26: PCI and the Cloud

Dynamic Cloud Firewalling

[Diagram: public cloud with a host firewall (FW) on each of the Load Balancer, two App Servers and DB Master]

Page 27: PCI and the Cloud

Dynamic Cloud Firewalling

[Diagram: public cloud estate grows to two Load Balancers, four App Servers, a DB Master and a DB Slave, each with its own host firewall (FW)]

Page 28: PCI and the Cloud

Dynamic Cloud Firewalling

[Diagram: same estate, with a newly launched App Server shown with its IP; every other host's FW must learn the new address]

Page 29: PCI and the Cloud

Dynamic Cloud Firewalling

[Diagram: same estate after an App Server is retired; the remaining hosts' FW rules must drop its IP]

Page 30: PCI and the Cloud

Lessons to Learn

Whatever firewall options you have, use them

Make sure your firewall rules are updated quickly and automatically

Plan for the future, because you will be multi-cloud
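The following is an added example (not code from the deck, IANS or CloudPassage) of the rule-generation idea behind the "Dynamic Cloud Firewalling" slides: each host's inbound allow-list is derived from the roles of the other servers currently in the inventory, so launching or retiring an instance regenerates the rules on every peer instead of waiting for a manual change. The server names, roles, addresses, ports and the tiering policy are all constructed for the example; the iptables commands are rendered as strings, not executed.

```python
"""Generate per-host firewall rules from a dynamic server inventory.

Added example (not from the IANS/CloudPassage deck). All names, roles,
IPs and ports below are constructed; the policy mirrors the tiering in
the slides' diagrams: Internet -> LB -> App -> DB Master -> DB Slave.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Server:
    name: str
    role: str   # one of "lb", "app", "db_master", "db_slave"
    ip: str     # constructed private address


@dataclass(frozen=True, order=True)
class Rule:
    src: str    # source CIDR allowed in
    port: int   # TCP destination port


# Destination role -> list of (source role, port) allowed to reach it.
# "any" means the Internet-facing tier accepts from everywhere on that port.
POLICY: Dict[str, List[Tuple[str, int]]] = {
    "lb":        [("any", 443)],
    "app":       [("lb", 8080)],
    "db_master": [("app", 3306), ("db_slave", 3306)],   # app queries, slave replicates
    "db_slave":  [("app", 3306)],                         # read replicas
}


def build_rules(inventory: List[Server], policy=POLICY) -> Dict[str, List[Rule]]:
    """Return the sorted inbound allow-list for every server in the inventory."""
    by_role: Dict[str, List[Server]] = {}
    for s in inventory:
        by_role.setdefault(s.role, []).append(s)
    rules: Dict[str, List[Rule]] = {}
    for s in inventory:
        allowed = set()
        for src_role, port in policy.get(s.role, []):
            if src_role == "any":
                allowed.add(Rule("0.0.0.0/0", port))
            else:
                # Only peers currently in the inventory get a rule; a retired
                # instance's address disappears on the next regeneration.
                for peer in by_role.get(src_role, []):
                    if peer.ip != s.ip:
                        allowed.add(Rule(f"{peer.ip}/32", port))
        rules[s.name] = sorted(allowed)
    return rules


def render_iptables(rules: List[Rule]) -> List[str]:
    """Render one host's allow-list as iptables commands, default-deny last."""
    lines = ["iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"]
    for r in rules:
        lines.append(f"iptables -A INPUT -p tcp -s {r.src} --dport {r.port} -j ACCEPT")
    lines.append("iptables -P INPUT DROP")
    return lines


def hosts_needing_update(old: Dict[str, List[Rule]], new: Dict[str, List[Rule]]) -> List[str]:
    """Hosts whose allow-list differs between two inventory snapshots."""
    names = set(old) | set(new)
    return sorted(n for n in names if old.get(n) != new.get(n))


if __name__ == "__main__":
    fleet = [Server("lb-1", "lb", "10.0.0.10"),
             Server("www-1", "app", "10.0.1.11"),
             Server("db-master", "db_master", "10.0.2.20"),
             Server("db-slave", "db_slave", "10.0.2.21")]
    before = build_rules(fleet)
    fleet.append(Server("www-2", "app", "10.0.1.12"))   # autoscaling adds a server
    after = build_rules(fleet)
    for host in hosts_needing_update(before, after):
        print(host)
        for line in render_iptables(after[host]):
            print("  " + line)
```

Only the hosts whose peer set changed (here the two database servers and the new app server) need their rules pushed; the load balancer and the existing app server are untouched, which keeps the update cheap enough to run on every inventory change.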

Page 31: PCI and the Cloud

Securing Highly Dynamic Servers

Page 32: PCI and the Cloud

Traditional DC Operations Model

private datacenter

Capacity is mostly static

Servers are long-lived

Security risk on servers is mitigated by network defenses

[Diagram: four long-lived hosts www-1 to www-4 behind the network perimeter, several flagged with !]

Page 33: PCI and the Cloud

Cloud Operations Model

Capacity is highly dynamic

[Diagram: many www instances cloned from a Gold Master]

Page 34: PCI and the Cloud

Cloud Operations Model

Capacity is highly dynamic

Servers are short lived

[Diagram: Gold Master in the public cloud with www instances coming and going; www-2 flagged with !]

Page 35: PCI and the Cloud

Cloud Operations Model

Capacity is highly dynamic

Servers are short lived

[Diagram: Gold Master with www instances, several flagged with !]

Page 36: PCI and the Cloud

Cloud Operations Model

Capacity is highly dynamic

Servers are short lived

Gold Master updates are rolled out incrementally

[Diagram: updated Gold Master with a mix of old and new www instances, some flagged with !]

Page 37: PCI and the Cloud

Cloud Operations Model

Capacity is highly dynamic

Servers are short lived

Gold Master updates are rolled out incrementally

[Diagram: Gold Master with www-1, www-2 (flagged with !) and many further www instances]

What does server security mean in this environment?

Page 38: PCI and the Cloud

Ensuring Cloud Server Integrity

[Diagram: www-1, www-2 (flagged with !) and further www instances]

Page 39: PCI and the Cloud

Ensuring Cloud Server Integrity

Scan for misconfigurations due to deployment or debugging issues

[Diagram: www-1, www-2 and further www instances; one marked ? for a suspected misconfiguration]

Page 40: PCI and the Cloud

Ensuring Cloud Server Integrity

Scan for misconfigurations due to deployment or debugging issues

Ensure software packages are up-to-date and watch for remote exploits that must be patched quickly

[Diagram: www-1, www-2 and further www instances; hosts marked ? for misconfiguration and ! for an unpatched package]

Page 41: PCI and the Cloud

Ensuring Cloud Server Integrity

Scan for misconfigurations due to deployment or debugging issues

Ensure software packages are up-to-date and watch for remote exploits that must be patched quickly

Monitor business code for unintended or malicious changes

[Diagram: www-1, www-2 and further www instances; hosts marked ? for misconfiguration and ! for unpatched packages or changed code]

Page 42: PCI and the Cloud

Ensuring Cloud Server Integrity

[Diagram: www-1 to www-4 across private and public environments; hosts marked ? for misconfiguration and ! for unpatched packages or changed code]

Scan for misconfigurations due to deployment or debugging issues

Ensure software packages are up-to-date and watch for remote exploits that must be patched quickly

Monitor business code for unintended or malicious changes

Automate management and monitoring of these critical operational security points

Page 43: PCI and the Cloud

Lessons to Learn

Embrace the flexibility of the cloud; re-think operations

Secure your server integrity by keeping images up-to-date and monitor closely for changes

Know what areas of security you are responsible for and automate them heavily
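The following is an added example (not code from the deck, IANS or CloudPassage) of two of the "Ensuring Cloud Server Integrity" checks above, and of the Requirement 2 advice to always check for inappropriate settings: it baselines the files a Gold Master ships, reports what a running instance has added, removed or modified, and flags configuration values left behind by debugging. The directory layout, file contents and the list of risky settings are constructed for the example; a real deployment would take the baseline from the image build and run the comparison from the instance's monitoring agent.

```python
"""Baseline-and-compare integrity check for a cloud server image.

Added example (not from the IANS/CloudPassage deck). The sample tree,
file contents and RISKY_SETTINGS list are constructed for illustration.
"""
import hashlib
import os
import shutil
import tempfile
from typing import Dict, List, Tuple


def snapshot(root: str) -> Dict[str, str]:
    """Map each file's path (relative to root, '/'-separated) to its SHA-256."""
    digests: Dict[str, str] = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                digest = hashlib.sha256(fh.read()).hexdigest()
            digests[os.path.relpath(full, root).replace(os.sep, "/")] = digest
    return digests


def compare(baseline: Dict[str, str], current: Dict[str, str]) -> Dict[str, List[str]]:
    """Classify drift from the Gold Master baseline; any non-empty list is a finding."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
    }


# Constructed (key, value) pairs that are fine on a developer box but not on
# an in-scope server: debugging and anonymous-access switches.
RISKY_SETTINGS: List[Tuple[str, str]] = [
    ("debug", "true"),
    ("display_errors", "on"),
    ("allow_anonymous", "yes"),
]


def scan_settings(config_text: str, risky=RISKY_SETTINGS) -> List[str]:
    """Return 'key=value' strings for risky settings found in key=value config text."""
    found: List[str] = []
    for line in config_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        key, value = key.strip().lower(), value.strip().lower()
        if (key, value) in risky:
            found.append(f"{key}={value}")
    return found


def demo() -> Tuple[Dict[str, List[str]], List[str]]:
    """Build a constructed Gold Master tree, drift it, and return the findings."""
    root = tempfile.mkdtemp(prefix="goldmaster-")
    os.makedirs(os.path.join(root, "app"))
    code = os.path.join(root, "app", "checkout.py")
    cfg = os.path.join(root, "app", "settings.cfg")
    with open(code, "w") as fh:
        fh.write("def charge(card):\n    return tokenise(card)\n")
    with open(cfg, "w") as fh:
        fh.write("debug=false\nport=8080\n")
    baseline = snapshot(root)            # taken when the image is built

    # Simulate what a debugging session leaves behind on a running instance:
    # edited business code, debug switched on, and a stray helper script.
    with open(code, "a") as fh:
        fh.write("log_pan = True\n")
    with open(cfg, "w") as fh:
        fh.write("debug=true\nport=8080\n")
    with open(os.path.join(root, "app", "dump.sh"), "w") as fh:
        fh.write("#!/bin/sh\n")

    drift = compare(baseline, snapshot(root))
    with open(cfg) as fh:
        findings = scan_settings(fh.read())
    shutil.rmtree(root)
    return drift, findings


if __name__ == "__main__":
    drift, findings = demo()
    print("drift:", drift)
    print("risky settings:", findings)
```

Because instances are short-lived, the value of the comparison lies in running it automatically at boot and on a schedule against the baseline of the image the instance was cloned from; a modified file or a risky setting on a host that should be identical to its Gold Master is the signal to replace the instance rather than repair it.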

Page 44: PCI and the Cloud

Best Practices

• Read and understand what your provider does, and what you are responsible for, with regards to PCI

• When moving servers outside your data center, ensure that they are hardened and compliant before they are exposed to the public

• Start with public cloud, PCI everywhere else is relatively easy!

• Focus on securing the tenets of PCI that you can control

Page 45: PCI and the Cloud

Thank You & Questions

Dave Shackleford

CTO, IANS

[email protected]

Andrew Hay

Chief Evangelist, CloudPassage

[email protected]

Follow us on Twitter: twitter.com/ians_security and twitter.com/cloudpassage

www.cloudpassage.com/pci-kit