Transcript of © 2011 Cloud Security Alliance, Inc. All rights reserved.
- Slide 1
- Slide 2
- Slide 3
- Thanks to Class Sponsors
  - Courseware created by Dr. Anton Chuvakin for Cloud Security Alliance
- Slide 4
- About the Cloud Security Alliance
  - Global, not-for-profit organization
  - Building best practices and a trusted cloud ecosystem
  - Comprehensive research and tools
  - Certificate of Cloud Security Knowledge (CCSK)
  - www.cloudsecurityalliance.org
- Slide 5
- About the Class
  - Learn/refresh knowledge about PCI DSS
  - Learn/refresh knowledge about cloud computing
  - Understand how to assess PCI compliance in cloud environments
  - Understand how to implement PCI DSS controls in cloud environments
  - Gain useful tools for planning/doing this
- Slide 6
- Slide 7
- Show of hands please
  1. QSA
  2. Merchant: a) L1, b) L2-4
  3. Service provider
  4. Security tool vendor
  5. Security consultant
  6. Other
- Slide 8
- Prerequisites
  - Know how to spell P-C-I D-S-S
  - Have heard about The Cloud
  - Possess basic information security knowledge, IT management
- Slide 9
- Full Class Outline
  - Introduction: what this class is about, prerequisites, how to benefit
  - PCI DSS reminder
  - Cloud basics
  - Where cloud interacts with PCI DSS
  - Key cloud PCI controls
  - Core PCI DSS + cloud scenarios
  - Conclusions and action items
- Slide 10
- Slide 11
- How to benefit?
  - If you are a merchant: learn how to stay compliant in the cloud, what to ask of CSPs, what to show to QSAs
  - If you are a QSA: figure out how to assess merchants and CSPs
  - If you are a cloud service provider: learn how to keep you and merchants compliant
  - If you are a security vendor: learn about the new problems you can solve
  - If you are a consultant around PCI and cloud: learn the pain points around PCI DSS and cloud
- Slide 12
- PCI in the Cloud... In the Media
- Slide 13
- Slide 14
- Quick Reality Check
- Slide 15
- Cloud?
- Slide 16
- PCI DSS?
- Slide 17
- Together?
- Slide 18
- DISCUSSION!
- Slide 19
- Slide 20
- Why is PCI Here?
  - Criminals need money
  - Credit cards = MONEY
  - Where are the most cards? In computers.
  - Data theft grows and reaches HUGE volume.
  - Some organizations still don't care, especially if the loss is not theirs
  - PAYMENT CARD BRANDS ENFORCE DSS!
- Slide 21
- Laggards vs. Leaders
  - Issue: many merchants don't even want to grow up to the floor of security
  - Result: breaches, loss of card data, lawsuits, unhappy consumers, threat of regulation
  - Action: PCI DSS mandate!
- Slide 22
- What is PCI DSS or PCI?
  - Payment Card Industry Data Security Standard
  - Payment Card =
  - Payment Card Industry =
  - Data Security =
  - Data Security Standard =
- Slide 23
- PCI DSS: Basic Security Practices!
- Slide 24
- PCI DSS Domain Coverage (in no particular order)
  - Security policy and procedures
  - Network security
  - Malware protection
  - Application security (and web)
  - Vulnerability scanning and remediation
  - Logging and monitoring
  - Security awareness
- Slide 25
- PCI DSS 2.0 is Here! Select items changing for PCI 2.0:
  - Scoping clarification
  - Data storage
  - Virtualization (!!)
  - DMZ clarification
  - Vulnerability remediation
  - Remote data access
- Slide 26
- Does it Apply to Me?
  - PCI DSS compliance includes merchants and service providers who accept, capture, store, transmit or process credit and debit card data.
- Slide 27
- PCI Game: The Players
  - PCI Security Standards Council
- Slide 28
- PCI Regime vs DSS Guidance
  - The PCI Council publishes PCI DSS
  - Outlined the minimum data security protection measures for payment card data.
  - Defined Merchant & Service Provider Levels, and compliance validation requirements.
  - Left the enforcement to card brands (Council doesn't fine anybody!)
  - Key point: PCI DSS (document) vs PCI (validation regime)
- Slide 29
- PCI Security Standards Council
  - Founded by: American Express, Discover Financial Services, JCB, MasterCard Worldwide, Visa International
  - Publishes PCI DSS, PA-DSS and PTS
  - Releases additional security guidance
  - Approves security vendors: Approved Scanning Vendors (ASV) for quarterly scans, Qualified Security Assessors (QSA) for on-site assessments
- Slide 30
- My Data, Their Risk!?
  - *I* GIVE *YOU* DATA, *YOU* LOSE IT, *ANOTHER* SUFFERS!
- Slide 31
- Key Concept// Scoping
- Slide 32
- Sidenote// FLAT NET to FLAT CLOUD
  - REALITY: Without adequate network segmentation (sometimes called a "flat network") the entire network is in scope of the PCI DSS assessment. (PCI DSS 2.0)
  - DREAM: Without adequate network segmentation the entire CLOUD is in scope of the PCI DSS assessment.
- Slide 33
- Key Concept// Compliance vs Validation
  - Q: What to do after your QSA leaves?
  - A: PCI DSS compliance does NOT end when a QSA leaves or an SAQ is submitted.
  - Use what you built for PCI to reduce risk
  - Own PCI DSS; make it the basis for your policies
- Slide 34
- Key Concept// Stay Compliant. Ongoing compliance with PCI DSS tasks:
  | TASK | FREQUENCY |
  | Risk assessment, security awareness, key changes, review off-site backups, QSA assessment, etc | Annual |
  | ASV and internal scans, wireless scans | Quarterly |
  | File integrity checking | Weekly |
  | Log and alerts review, other operational procedures | Daily |
- Slide 35
- Failing That: classic example from my PCI book, co-author Branden Williams
- Slide 36
- Two BIG Approaches to PCI DSS Compliance
  - SECURE the data: encrypt, access control, monitor, block attempts, authenticate, authorize, etc
  - DELETE the data: organize your business to avoid dealing with the data
  - These apply to PCI in the cloud as well!
- Slide 37
- Slide 38
- Slide 39
- NIST Definition of Cloud Computing
  - Cloud computing is a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources that can be rapidly provisioned and released with minimal management effort or service provider interaction.
- Slide 40
- 5 Essential Cloud Characteristics
  1. On-demand self-service
  2. Broad network access
  3. Resource pooling (location independence)
  4. Rapid elasticity
  5. Measured service
- Slide 41
- 3 Cloud Service Models
  1. Cloud Software as a Service (SaaS): use the provider's applications over a network
  2. Cloud Platform as a Service (PaaS): deploy customer-created applications to a cloud
  3. Cloud Infrastructure as a Service (IaaS): rent processing, storage, network capacity, and other fundamental computing resources
  - To be considered cloud, they must be deployed on top of cloud infrastructure that has the essential characteristics
- Slide 42
- 4 Cloud Deployment Models
  - Private cloud: enterprise owned or leased
  - Community cloud: shared infrastructure for a specific community
  - Public cloud
- Decision Time
  - If PaaS CSP is NOT PCI-OK (Force.com, Azure) THEN the only way to PCI is complete 3rd party payment takeover -> Scenario 4
  - If PaaS CSP IS PCI-OK THEN build the control matrix -> Scenario 3
- Slide 168
- How to Scope?
  - On-prem: as usual
  - Cloud PaaS environment: PaaS systems are in scope: systems, applications, network, devices, hypervisor
  - Two-tiered scoping (PCI 2.0 artifact): systems WITH data vs systems that touch/manage systems with data
  - Think outsourced IT
- Slide 169
- How to Get Compliant? One Approach!!
  1. Review which controls the PaaS CSP will handle for you
  2. Check which PCI DSS controls they cannot ever handle. Example: your security policy, awareness training for your employees (BTW, they should for theirs)
  3. Create the matrix and verify with the CSP; request additional information from them as needed
  4. Deploy additional controls where needed and where prudent
- Slide 170
- For Example
  - Project: replace marketing analytics application that uses PAN with PaaS-deployed application
  - PCI controls: all on the application, most on management servers, etc
  - Web application scanning => Merchant
  - All others => CSP
  - Decision: move the payment data off CSP, and off PCI you go
- Slide 171
- How to Stay Compliant?
  - Keep testing the CSP PCI-OK status and check the matrix for missing controls
- Slide 172
- Compliance Evidence
  - What to show to QSA? Evidence of ALL controls, yours and the CSP's
  - MUST DO: obtain detailed PCI evidence from the CSP for controls that apply to your environment!
- Slide 173
- Responsibility SPLIT// PaaS
  - PCI PROVIDER: application platform security, physical, network, encryption, key management, system security
  - MERCHANT: application security, scoping, monitoring (unless extra $ to CSP)
- Slide 174
- Example Scenario 5// Control Matrix
  | PCI DSS Requirement | Merchant: PaaS user | Cloud provider: PaaS |
  | Secure application development: R6 | Yes | Yes (for platform) |
  | Update OS: RXX | No | Yes |
  | Log management: R10 | Yes, application logs | Yes, everything else (or data provided to merchant!) |
  | Render PANs unreadable: R3.4 | Yes | Yes, where it touches their environment |
  | Physical access control: R9 | No | Yes |
  | Vulnerability scanning: R11.2 | No | Yes |
  | Penetration tests: R11.3 | Yes, application level | Yes, for physical, network, application, etc |
  | Security policy: R12 | Yes - applicable | Yes, for the rest |
  | Wireless security: R11.1 | No | Yes |
- Slide 175
- Notable PCI DSS Requirements to Watch
  - Requirement 1: firewall architecture (cloud networks are flat)
  - Requirement 4.1: use strong cryptography and security protocols; intra-CSP traffic may be seen as public
  - Requirement 6.1: patch management is joint, and needs to be done by both
  - Requirement 12.8: covers service providers and the matrix
- Slide 176
- Contract SLA Tips
  - Clear acceptance of responsibility for their controls
  - Verification of provider controls
  - Incident response support for data breaches
- Slide 177
- Common Pitfalls and Key Risks
  - Failure to test the provider on an ongoing basis
  - SLA failures: no escalation, evidence sharing, incident response cooperation
- Slide 178
- Scenario 6// Tiered PCI
  - Merchant: ecommerce or stores
  - Uses a public cloud PaaS or SaaS provider who uses a public IaaS provider
  - Processes cards and possibly stores them somewhere
- Slide 179
- Description
  - A major ecommerce website
  - Uses CSP for a broad spectrum of tasks, including payments
  - Their provider uses another cloud provider
  - Some cloud providers MAY BE PCI-OK
  - PAN data stored/passed in the cloud
  - PAN data processed in the cloud
- Slide 180
- Scenario 6// Visual
- Slide 181
- Audience Poll
  - Q: Can they be PCI DSS compliant? A: Yes, B: No, C: Cannot tell
  - Must the provider be PCI-OK?
  - Must their provider's provider be PCI-OK?
  - Can the merchant be PCI-OK if some CSPs are not?
- Slide 182
- Tiered Merchant Example
  - Merchant uses CSP (SaaS) that uses Amazon EC2 (IaaS)
  - A public Amazon case study: http://aws.amazon.com/solutions/case-studies/36boutiques/
- Slide 183
- How to Assess?
  - Key: The Matrix Must Have No Holes, Again, but there are more dimensions now
- Slide 184
- Your CSP's CSP is NOT your CSP!
  - ...and some controls are NOT implemented by your CSP; they simply trust their CSP's assertions
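The "matrix must have no holes" idea from the Scenario 5 control matrix and the tiered Scenario 6 warnings above (your CSP's CSP is not your CSP; Requirement 12.8 is not a punt), as an added Python example that is not part of the CSA courseware: a small shared-responsibility matrix checker that reports requirements nobody owns, provider-owned controls for which the merchant holds no evidence, and controls delegated to a provider the merchant has no direct relationship with. Requirement labels follow the deck's matrix; the party names (merchant, paas-csp, iaas-csp), the evidence strings and the sample assignments are constructed for illustration.

```python
"""Shared-responsibility control matrix checker (added example, not CSA courseware).

Three findings the class warns about are reported:
  holes      - an in-scope requirement nobody owns
  unverified - a provider-owned control for which the merchant holds no evidence
  indirect   - a control owned by a provider the merchant has no contract with
               (your CSP's CSP is not your CSP)
Requirement labels follow the deck's Scenario 5 matrix; party names, evidence
names and the sample matrix are constructed for illustration.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class Assignment:
    """One party's share of a PCI DSS requirement."""
    party: str                      # who implements the control
    evidence: Optional[str] = None  # artifact the merchant holds (None = trust only)
    note: str = ""                  # scope qualifier, e.g. "platform only"


@dataclass
class ControlMatrix:
    merchant: str
    # provider chain: provider name -> the party that engages it
    chain: Dict[str, str] = field(default_factory=dict)
    rows: Dict[str, List[Assignment]] = field(default_factory=dict)

    def require(self, req: str) -> None:
        """Put a requirement in scope even before anyone owns it."""
        self.rows.setdefault(req, [])

    def assign(self, req: str, party: str, evidence: Optional[str] = None, note: str = "") -> None:
        """Record that `party` implements (part of) `req`."""
        if party != self.merchant and party not in self.chain:
            raise ValueError(f"unknown party {party!r}; add it to the provider chain first")
        self.rows.setdefault(req, []).append(Assignment(party, evidence, note))

    def holes(self) -> List[str]:
        """Requirements with no owner at all: the matrix has holes."""
        return sorted(req for req, owners in self.rows.items() if not owners)

    def unverified(self) -> List[Tuple[str, str]]:
        """Provider-owned controls with no evidence in the merchant's hands."""
        return sorted((req, a.party) for req, owners in self.rows.items()
                      for a in owners if a.party != self.merchant and a.evidence is None)

    def indirect(self) -> List[Tuple[str, str]]:
        """Controls delegated to a provider that is not the merchant's own CSP."""
        return sorted((req, a.party) for req, owners in self.rows.items()
                      for a in owners
                      if a.party != self.merchant and self.chain[a.party] != self.merchant)

    def report(self) -> Dict[str, list]:
        return {"holes": self.holes(), "unverified": self.unverified(), "indirect": self.indirect()}


def sample_matrix() -> ControlMatrix:
    """Constructed tiered setup: merchant -> PaaS CSP -> IaaS CSP (the Scenario 6 shape)."""
    m = ControlMatrix("merchant", chain={"paas-csp": "merchant", "iaas-csp": "paas-csp"})
    m.assign("R6 secure application development", "merchant", "SDLC policy and code review records")
    m.assign("R6 secure application development", "paas-csp", "CSP attestation", note="platform only")
    m.assign("R10 log management", "merchant", "application log review records", note="application logs")
    m.assign("R10 log management", "paas-csp", "platform log export")
    m.assign("R3.4 render PANs unreadable", "merchant", "encryption design document")
    m.assign("R9 physical access control", "iaas-csp")          # two tiers down, nothing in hand
    m.assign("R11.2 vulnerability scanning", "paas-csp", "quarterly ASV scan report")
    m.assign("R11.3 penetration tests", "merchant", "application-level pentest report")
    m.assign("R11.3 penetration tests", "paas-csp")             # "we do it", but nothing shown
    m.assign("R12 security policy", "merchant", "policy set")
    m.assign("R11.1 wireless security", "paas-csp", "CSP attestation")
    m.assign("R12.8 service provider management", "merchant", "contracts and SLA")
    m.require("R4.1 strong cryptography in transit")             # in scope, claimed by nobody
    return m


if __name__ == "__main__":
    for finding, items in sample_matrix().report().items():
        print(f"{finding}: {items}")
```

Each finding maps to an action from the slides: a hole means the matrix is not finished, an unverified row means asking the CSP for evidence before the QSA does, and an indirect row means the merchant is relying on an assertion passed through its CSP rather than on something it can show itself.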
- Slide 185
- How to Scope?
  - Worst case (reality): FORGET IT! We can never figure it out.
  - Best case: payment chain is isolated from ALL the CSPs (zero scope for you, all scope is with the payment provider)
- Slide 186
- We went through six PCI-in-the-cloud scenarios! Ahhhhhh
- Slide 187
- Exercise// How to Comply/Assess?
  - Business: ecommerce
  - Setup: uses CSP for web hosting and all application hosting, accepts payment cards, sells to consumers
  - Challenge: we are a QSA they hired to get them compliant
  - Next steps?
- Slide 188
- What do the scenarios teach us about PCI and cloud?
  1. "Kill the scope" works in the cloud as well
  2. It is better to have the payment processor handle more and merchant/CSP handle less of the PCI burden
  3. CSP may do it, but MERCHANT is responsible and needs to validate it
  4. Finally, we CAN have PCI in the cloud!
- Slide 189
- Final Recommendations
  - Follow the scenarios as templates for your projects
  - Learn to scope in the cloud
  - Make a matrix of shared responsibility (and keep it with you at all times)
  - Remember: MERCHANT is on the hook, even if CSP does it (as per PCI DSS)
  - Requirement 12.8 is NOT a punt
- Slide 190
- Additional Tips from Past Class Discussions
  - Use PCI + cloud security thinking for other sensitive data: SSN, PHI, financials, etc
  - Involve legal in SLA and other discussions about regulated data in the cloud (!)
  - Scan for YOUR sensitive data being put in the cloud by business partners in THEIR clouds
  - "Trust but verify" principle MUST be applied to your CSP
- Slide 191
- Any Lessons from the Audience? Anything juicy I missed, to conclude?
- Slide 192
- A one-liner version? If you can get rid of the PANs in the cloud, DO IT!
- Slide 193
- Questions?
- Slide 194
- Thanks for Your Review!
  - Courseware author Dr. Anton Chuvakin would like to thank the following people for their thoughtful review of class materials: Walt Conway @ 403 Labs, Martin McKeay @ Verizon, Mike Dahn @ PWC, Doug Barbin @ BrightLine, Jason Chan @ Netflix
- Slide 195
- Additional Materials
  - In the notes, there are links to various useful reading, in addition to CSA and other sites mentioned in the class.
  - Go to www.cloudsecurityalliance.org for the latest information on our educational resources
- Slide 196