Will Your Cloud Be Compliant?
Transcript of Will Your Cloud Be Compliant?
Scott Carlson – PayPal
Evgeniya Shumakher - Mirantis
© MIRANTIS 2013
OpenStack Cloud Compliance
Evgeniya Shumakher, Business Analyst
What is ‘Compliance’?
Compliance means conforming to a rule, such as a specification, policy, standard or law. Regulatory compliance describes the goal that organisations aspire to achieve in their efforts to ensure that they are aware of and take steps to comply with relevant laws and regulations.
http://en.wikipedia.org/wiki/Regulatory_compliance
Compliance <> Security
Security Compliance
It’s all about information: Confidentiality, Integrity, Availability
Example: The Payment Card Industry Data Security Standard (PCI DSS) was developed to encourage and enhance cardholder data security and facilitate the broad adoption of consistent data security measures globally.
Enterprise ecosystem
Data
Applications
Operating Systems
OpenStack
Processing and Memory, Data Storage, Network
Physical facilities
People
Business Processes
Regulations
Who is responsible?
Cloud stack: Data / Applications / Operating Systems / OpenStack / Processing and Memory, Data Storage, Network / Physical facilities
Service models: IaaS / PaaS / SaaS
Each layer is the responsibility of either the cloud user or the cloud builder, depending on the service model.
Standards
• PCI DSS
• HIPAA / HITECH
• SOX
• FedRAMP/FISMA
• ISO/IEC 27001-2005
• NIST SP800-53
Typical structure
Standard
Requirement #1
Control #1.1
Control #1.2
Control #1.N
Requirement #2
Requirement #N
• CLOUD CONTROLS MATRIX VERSION 3.0
Controls are very similar
Standards are pretty generic: PCI DSS
Build and Maintain a Secure Network and Systems
1. Install and maintain a firewall configuration to protect cardholder data
2. Do not use vendor-supplied defaults for system passwords and other security parameters
Protect Cardholder Data
3. Protect stored cardholder data
4. Encrypt transmission of cardholder data across open, public networks
Maintain a Vulnerability Management Program
5. Protect all systems against malware and regularly update anti-virus software or programs
6. Develop and maintain secure systems and applications
Implement Strong Access Control Measures
7. Restrict access to cardholder data by business need to know
8. Identify and authenticate access to system components
9. Restrict physical access to cardholder data
Regularly Monitor and Test Networks
10. Track and monitor all access to network resources and cardholder data
11. Regularly test security systems and processes
Maintain an Information Security Policy
12. Maintain a policy that addresses information security for all personnel
Cloud Guidelines
• PCI DSS Virtualization Guidelines
• PCI DSS Cloud Computing Guidelines
• NIST Special Publication 800-144: Guidelines on Security and Privacy in Public Cloud Computing
PCI DSS Cloud Guidelines
Don’t store, process or transmit payment card data in the cloud.
PCI DSS Virtualization Guidelines
• Requirement 3: Protect stored cardholder data
– As well as being present in known locations, cardholder data could exist in archived, off-line or dormant VM images, or be unknowingly moved between virtual systems via dynamic mechanisms such as live migration or storage migration tools.
– Sensitive data, such as unencrypted PAN, sensitive authentication data, and cryptographic keys, could be inadvertently captured in active memory and replicated via VM imaging and snapshot functions...
OpenStack Security Guidelines
• OpenStack Security Guide
• Securing OpenStack for compliance
Q&A
• email: [email protected]
• irc: eshumakher
© 2014 PayPal Inc. All rights reserved. Confidential and proprietary.
Private Cloud Compliance
Scott Carlson - @relaxed137
26 CURRENCIES SUPPORTED
148M ACTIVE REGISTERED ACCOUNTS
193 MARKETS OFFER PAYPAL
80 LOCALIZED MARKETING SITES GLOBALLY
Currencies: European Union Euro, Australian Dollar, Canadian Dollar, New Zealand Dollar, Hungarian Forint, Malaysian Ringgit, United Kingdom Pounds Sterling, Hong Kong Dollar, United States Dollar, Taiwan New Dollar, Chinese RMB, Swedish Krona, Singapore Dollar, Philippine Peso, Brazilian Real, Russian Ruble, Norwegian Krone, Japanese Yen, Mexican Peso, Turkish Lira, Swiss Franc, Czech Koruna, Israeli New Shekel, Danish Krone, Thai Baht, Polish Zloty
148M ACTIVE ACCOUNTS (1)
$6,688 IN PAYMENTS PROCESSED EVERY SECOND (2)
9M PAYMENTS PROCESSED EVERY DAY (3)
+6M NEW ACTIVE ACCOUNTS (1)
1. Active Registered Accounts: All registered accounts that successfully sent or received at least one payment or payment reversal through our PayPal payments networks, including Bill Me Later and Venmo, and excluding users of Braintree’s unbranded payment checkout solutions, within the last 12 months and which are currently able to transact.
2. Total Payment Volume: Total dollar volume of payments, net of payment reversals, successfully completed through our PayPal payments networks, including Bill Me Later, Venmo, and payments processed through Braintree’s full stack payments platform during the period; excludes payments sent or received through PayPal and Braintree’s payment gateway businesses.
3. Net Total Number of Payments: Total number of payments, net of payment reversals, successfully completed through our PayPal payments networks, including Bill Me Later, Venmo, and payments processed through Braintree’s full stack payments platform during the period; excludes payments sent or received through PayPal and Braintree’s payment gateway businesses.
Q1 2014 Financial Metrics
$1.8B PAYPAL REVENUES, 20% YOY
$52B TPV (2), 26% YOY
PayPal Cloud & Software Defined Data Center: Agility with Security
Cloud Design Principles
VIRTUAL: Deploy from templates. Any image, anywhere.
ELASTIC: Automatically scale up/down workloads. Follow devops auto-deployments (CI/CD). Respond to intra-cloud events.
SECURE: PCI-DSS 2.0 and 3.0. Local country requirements.
Compliance requirements
• Compliant with PCI-DSS 2.0 standards
• Non-US locations compliant with local country regulations
Compliance Statement: http://www.visa.com/splisting/viewSPDetail.do?coName=PayPal
Basic Methodology: Just pretend it’s infrastructure
OpenStack has servers in it
• Hardware configured and dedicated to the cloud
• Hypervisor/build image meeting NIST/CIS standard templates
• Vulnerability scanning with third-party tooling
• Patching in 7, 30, 90 day windows with vendor-provided patches to the OS
• Configuration management for important system files
• Password management: non-default, complex and unique!
OpenStack has users in it
• Do not use shared accounts for anything. Just don’t.
• Log everything (auth) about a user. Send it somewhere you can find it. Keep it a LONG time.
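The server and user bullets above can be turned into mechanical checks. The following is an added example written for this page, not code from the talk or from PayPal or Mirantis. Everything in it is constructed: the inventory layout, the auth-log line format, the default-credential list, and the mapping of the 7/30/90 day windows onto critical/high/other severities (the deck lists the windows but not the mapping).

```python
"""Mechanical checks for the 'OpenStack has servers / users in it' bullets.

Added example for this page, not code from the talk, PayPal or Mirantis.
Everything here is constructed for illustration: the inventory layout, the
auth-log line format, the default-credential list and the mapping of the
7/30/90 day windows onto severities (the deck lists the windows only).
"""
import re
from collections import defaultdict
from datetime import date

# Assumption: which patch window applies to which severity.
PATCH_WINDOW_DAYS = {"critical": 7, "high": 30, "other": 90}

# Constructed list of vendor-default / trivially guessable values to reject.
VENDOR_DEFAULTS = {"admin", "password", "changeme", "openstack", "root", "default"}

# Constructed auth-log line shape: "<timestamp> user=<u> src=<ip> result=<r>".
AUTH_LINE = re.compile(r"user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>\w+)")

# Date the report is run against the constructed data.
REPORT_DATE = date(2014, 5, 15)

# Constructed inventory: pending OS patches and the *hashes* of service-account
# passwords (never carry plaintext in an inventory; reuse shows up as equal hashes).
SAMPLE_HOSTS = [
    {"name": "compute-01",
     "pending_patches": [
         {"id": "KERN-001", "severity": "critical", "released": date(2014, 5, 1)},
         {"id": "LIBC-002", "severity": "high", "released": date(2014, 4, 20)}],
     "service_accounts": {"nova": "sha256:aaa111", "neutron": "sha256:bbb222"}},
    {"name": "compute-02",
     "pending_patches": [
         {"id": "SSL-003", "severity": "low", "released": date(2014, 1, 1)}],
     "service_accounts": {"nova": "sha256:aaa111", "neutron": "sha256:ccc333"}},
]

# Constructed authentication log, one event per line.
SAMPLE_AUTH_LOG = """\
2014-05-15T09:00:01Z user=alice src=10.1.0.5 result=success
2014-05-15T09:00:07Z user=admin src=10.1.0.9 result=success
2014-05-15T09:01:12Z user=admin src=10.2.0.17 result=success
2014-05-15T09:02:44Z user=bob src=10.1.0.6 result=failure
2014-05-15T09:03:02Z user=admin src=10.3.0.4 result=success
""".splitlines()


def overdue_patches(hosts, today):
    """(host, patch id, days past its window) for every patch outside 7/30/90."""
    findings = []
    for host in hosts:
        for patch in host["pending_patches"]:
            window = PATCH_WINDOW_DAYS.get(patch["severity"], PATCH_WINDOW_DAYS["other"])
            age = (today - patch["released"]).days
            if age > window:
                findings.append((host["name"], patch["id"], age - window))
    return findings


def is_acceptable_password(candidate):
    """Provisioning-time gate: not a known default, 12+ chars, 3 of 4 classes."""
    if candidate.lower() in VENDOR_DEFAULTS or len(candidate) < 12:
        return False
    classes = (any(c.islower() for c in candidate),
               any(c.isupper() for c in candidate),
               any(c.isdigit() for c in candidate),
               any(not c.isalnum() for c in candidate))
    return sum(classes) >= 3


def reused_password_hashes(hosts):
    """Groups of (host, account) sharing one password hash: 'unique' violated."""
    by_hash = defaultdict(list)
    for host in hosts:
        for account, digest in host["service_accounts"].items():
            by_hash[digest].append((host["name"], account))
    return [places for places in by_hash.values() if len(places) > 1]


def suspected_shared_accounts(log_lines, min_sources=2):
    """Accounts that authenticated successfully from >= min_sources addresses.

    A triage signal for the 'no shared accounts' rule, not proof; it only works
    because the per-user auth logging the slide asks for exists at all.
    """
    sources = defaultdict(set)
    for line in log_lines:
        m = AUTH_LINE.search(line)
        if m and m.group("result") == "success":
            sources[m.group("user")].add(m.group("src"))
    return {u: s for u, s in sources.items() if len(s) >= min_sources}


if __name__ == "__main__":
    print("overdue:", overdue_patches(SAMPLE_HOSTS, REPORT_DATE))
    print("reused hashes:", reused_password_hashes(SAMPLE_HOSTS))
    print("shared?:", suspected_shared_accounts(SAMPLE_AUTH_LOG))
```

On the constructed data, the critical kernel patch on compute-01 is a week past its 7-day window, the low-severity patch on compute-02 is 44 days past the 90-day window, the `nova` account shares one password hash across both hosts, and `admin` has authenticated from three different addresses, which is what a shared account looks like in the logs.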
Basic Methodology: Just pretend it’s infrastructure
Hypervisor components
• It’s just Linux. Treat it like hardened Linux and lock it down to standards (CIS, NIST).
• Have a separate management interface from your production traffic (physical or virtual).
• Do not combine security zones within a single hypervisor, because then it’s ALL “in-scope”.
• Audit access, audit changes, be ready to show your work.
• Be ready to defend decisions to share ports for components.
OpenStack software stack
• Limited vulnerability scanning in a programmatic way; we have to build our own (Fortify, AppScan).
• Getting code from trunk = open source happiness, but have your licenses reviewed!
• You still need to code review if CDE passes through here.
• Avoid, avoid, avoid actual data getting put in your cloud stack (not guest VMs, those are OK).
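The two hypervisor rules above that are easiest to get wrong silently are zone mixing (one CDE guest drags the whole hypervisor and its neighbours into scope) and management traffic sharing the production interface. The following is an added example for this page, not code from the talk or from PayPal or Mirantis; the placement records, interface records and zone labels (`cde`, `dmz`, `corp`) are constructed.

```python
"""Scope-creep checks for the hypervisor bullets above.

Added example for this page, not code from the talk or from PayPal/Mirantis.
The placement and interface records are constructed and the zone labels
('cde', 'dmz', 'corp') are ours.
"""
from collections import defaultdict

CDE_ZONE = "cde"  # assumed label for guests that store, process or transmit card data

# Constructed placement table: which guest runs on which hypervisor, and the
# security zone its owner declared for it.
SAMPLE_PLACEMENTS = [
    {"instance": "web-1", "host": "hv-a", "zone": "dmz"},
    {"instance": "pay-1", "host": "hv-a", "zone": "cde"},
    {"instance": "report-1", "host": "hv-b", "zone": "corp"},
    {"instance": "report-2", "host": "hv-b", "zone": "corp"},
    {"instance": "pay-2", "host": "hv-c", "zone": "cde"},
]

# Constructed per-hypervisor interface assignment.
SAMPLE_HOST_NICS = [
    {"name": "hv-a", "mgmt_if": "bond0", "prod_if": "bond0"},
    {"name": "hv-b", "mgmt_if": "eth0", "prod_if": "eth1"},
    {"name": "hv-c", "mgmt_if": "eth0", "prod_if": "bond0"},
]


def guests_by_host(placements):
    """Group placement records by hypervisor."""
    hosts = defaultdict(list)
    for p in placements:
        hosts[p["host"]].append(p)
    return hosts


def effective_scope(placements):
    """Names (hosts and instances) that end up in PCI scope.

    A guest declared 'cde' is in scope on its own. The slide's point is the
    second rule: once one CDE guest lands on a hypervisor, that hypervisor and
    every guest sharing it are in scope too, regardless of their own label.
    """
    in_scope = set()
    for host, guests in guests_by_host(placements).items():
        if any(g["zone"] == CDE_ZONE for g in guests):
            in_scope.add(host)
            in_scope.update(g["instance"] for g in guests)
    return in_scope


def scope_creep(placements):
    """Instances pulled into scope only by co-tenancy, i.e. what mixing costs you."""
    declared = {p["instance"] for p in placements if p["zone"] == CDE_ZONE}
    hosts = {p["host"] for p in placements}
    return sorted(effective_scope(placements) - declared - hosts)


def mixed_zone_hosts(placements):
    """Hypervisors carrying guests from more than one security zone."""
    return sorted(host for host, guests in guests_by_host(placements).items()
                  if len({g["zone"] for g in guests}) > 1)


def unsegregated_management(host_nics):
    """Hypervisors whose management traffic rides the production interface."""
    return sorted(h["name"] for h in host_nics if h["mgmt_if"] == h["prod_if"])


if __name__ == "__main__":
    print("in scope:", sorted(effective_scope(SAMPLE_PLACEMENTS)))
    print("creep:", scope_creep(SAMPLE_PLACEMENTS))
    print("mixed hosts:", mixed_zone_hosts(SAMPLE_PLACEMENTS))
    print("mgmt on prod:", unsegregated_management(SAMPLE_HOST_NICS))
```

On the constructed data, `web-1` is a DMZ web server that nobody declared in scope, yet it shares hv-a with a payment guest and so inherits every PCI control that guest does; that is the "ALL in-scope" cost the slide warns about. Running this against the real scheduler's placement output before an audit is cheaper than discovering it during one.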
Basic Methodology: Just pretend it’s infrastructure
Physical network components? Yep
• Firewall rules around the cloud to limit ingress and egress.
• Monitor what happens on your firewalls, send it somewhere, keep it a LONG time.
• Make sure the person building your network isn’t the person building your cloud (SOD).
• Configuration guidelines exist for most physical installations (avoid virtual for now…).
• Automation is fine, but make sure you log it, and auto-ticket it.
Virtual network components? Nope
• Too early in the testing process to rely on virtual versions of components at scale.
• Okay for intra-tenant traffic with a minimal rule set.
• The same rules for physical apply to virtual. Has your third party pen-tested and certified their thing?
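The firewall bullets above (limit ingress and egress, log what happens) reduce to three checks that can run against an exported rule table: no catch-all allow, every allow logged, and each direction closed by a logged deny-all. The following is an added example for this page, not code from the talk or from PayPal or Mirantis; the rule records are constructed and simplified (real firewalls export richer formats, but the checks translate directly).

```python
"""Linter for the perimeter rules the slide asks for around the cloud.

Added example for this page, not code from the talk, PayPal or Mirantis.
The rule records are constructed; addresses use documentation/private ranges.
Rules are evaluated first-match-wins within each direction.
"""

ANY = "any"

# Constructed rule table.
SAMPLE_RULES = [
    {"direction": "ingress", "action": "allow", "src": "203.0.113.0/24",
     "dst": "10.10.0.10", "port": "443", "log": True},
    {"direction": "ingress", "action": "allow", "src": ANY,
     "dst": ANY, "port": ANY, "log": False},
    {"direction": "egress", "action": "allow", "src": "10.10.0.0/16",
     "dst": "10.20.0.5", "port": "514", "log": True},
    {"direction": "ingress", "action": "deny", "src": ANY,
     "dst": ANY, "port": ANY, "log": True},
]


def is_catch_all(rule):
    """True for a rule matching every source, destination and port."""
    return rule["src"] == ANY and rule["dst"] == ANY and rule["port"] == ANY


def has_logged_default_deny(rules, direction):
    """True when the last rule in a direction is a logged deny-all."""
    chain = [r for r in rules if r["direction"] == direction]
    if not chain:
        return False
    last = chain[-1]
    return last["action"] == "deny" and is_catch_all(last) and last["log"]


def lint_rules(rules):
    """Findings as (rule index, code); index -1 marks direction-level findings.

    allow-any-any: a permit that matches everything (and, first-match-wins,
                   shadows any deny placed after it).
    unlogged-allow: permitted traffic that leaves no record to monitor or keep.
    missing-default-deny:<dir>: the direction is not closed by a logged deny-all,
                   so 'limit ingress and egress' is not actually enforced there.
    """
    findings = []
    for i, r in enumerate(rules):
        if r["action"] == "allow" and is_catch_all(r):
            findings.append((i, "allow-any-any"))
        if r["action"] == "allow" and not r["log"]:
            findings.append((i, "unlogged-allow"))
    for direction in ("ingress", "egress"):
        if not has_logged_default_deny(rules, direction):
            findings.append((-1, "missing-default-deny:" + direction))
    return findings


if __name__ == "__main__":
    for index, code in lint_rules(SAMPLE_RULES):
        where = "direction" if index < 0 else "rule %d" % index
        print("%s: %s" % (where, code))
```

On the constructed table, rule 1 is the classic mistake: an unlogged allow-any that also makes the deny-all in rule 3 unreachable, and the egress side has no default deny at all, so the cloud can reach anything outbound. Wiring a check like this into the change automation the slide mentions ("log it, and auto-ticket it") turns a rule push into a reviewable, ticketed event rather than a silent one.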
Basic Methodology: Just pretend it’s infrastructure
Data? If it’s cardholder data, controls become interesting very quickly
• Storing things encrypted at rest in VMs means you can’t use OpenStack components.
• HSM, crypto, key management required.
• User management, controls over data, logging: all of the standard stuff needed.
For more information, please contact:
Scott Carlson: [email protected], @relaxed137