PCI: Compliance in the Cloud
A simple, easy to use, online, B2B procurement
 portal for purchasing products and services to
  identify, minimise and manage the security
             threat to business data.
               www.riskfactory.com
Agenda
Cloud Anatomy
•Characteristics, Delivery & Deployment Models
•What's Different in the Cloud?
•Security Challenges in the Cloud
PCI DSS
•What is it?
•Implementation Challenges
•Cloud Compliance Keys
Cloudy QSA Advice
•Clients
•Vendors
Cloud Security Visionary
Both Sides Now

 "Rows and floes of angel hair
 And ice cream castles in the air
 And feather canyons everywhere
 I've looked at clouds that way"

                    Joni Mitchell
Side 1 - Consumer
Both Sides Now


"But now they only block the sun
They rain and snow on everyone
So many things I would have done
Clouds got in my way "

                  Joni Mitchell
Side 2 - Service
Providers
Cloud Anatomy
Cloud Benefit$
What's Different in the Cloud
Security Ownership

Security ~ YOU ........ IaaS (Infrastructure as a Service) -> PaaS (Platform as a Service) -> SaaS (Software as a Service) ........ Security ~ THEM

As you move up the stack from IaaS through PaaS to SaaS, the provider owns more of the security controls and you retain less direct control over them.
What's Different in the Cloud
Access Control
What's Different in the Cloud
Vulnerability
Most Significant: Accountability

Your corporate data? It may sit in any of the "cloud" provider's datacenters:

• London, U.K.
• São Paulo, Brazil
• Geneva, Switzerland
• Tokyo, Japan
• San Francisco, USA
Cloudy Issues
 Confidentiality
 Availability
 Integrity
 Trust: Lack of transparency
 Trust: Identity management & access
  control
 Risk Management
 Liability
 Governance
 Compliance
Top Threats to Cloud (the Cloud Security Alliance's top-seven list)

• Abuse & Nefarious Use of Cloud Computing
• Insecure Application Programming Interfaces (APIs)
• Malicious Insiders
• Shared Technology Vulnerabilities
• Data Loss & Leakage
• Account, Service & Traffic Hijacking
• Unknown Risk Profile
Basic Misconceptions

• "But it's Cloud! How can you attack a Cloud?"
• "There's security in anonymity."
• "Time sharing" with a new name & technology.

(Graphic: Cloud Benefits weighed against Security Requirements)
Cloudy Thinking

It is the same as your existing server environment, only virtualised and in someone else's data centre, running on Windows and Linux with Windows and Linux vulnerabilities.
Black Swan Sightings
The Standard

First published in December 2004 (v1.0), with v1.1 released on 7 September 2006, the PCI DSS is a set of comprehensive requirements for securing payment data. V2.0 was released in October 2010.

A multifaceted standard that includes requirements for security management, policies, procedures, network architecture, software design and other critical protective measures.
Applicable

• All systems that process, store or transmit credit or debit
  cardholder data

• All systems that connect to them
6 Goals, 12 Requirements
264 Controls
Specific Cloud Controls
The PCI DSS



Implementing the PCI
 DSS in the Cloud is
       like...
The Question Then

Q: How do you implement 264 detailed control requirements across a public cloud solution (Salesforce - SaaS, Google AppEngine - PaaS, Amazon EC2 - IaaS)?

A: It depends.
Scoping is Everything
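As an added example that is not part of the deck, the scoping rule from the "Applicable" slide (the cardholder data environment plus everything that connects to it) expressed as a reachability walk over a constructed inventory. System names, links and the "segmented" flags are hypothetical; the point is that on a flat network scope grows transitively, and verified segmentation is what stops it.

```python
"""PCI DSS scoping as network reachability (added example, not from the deck).

Systems that store, process or transmit cardholder data form the cardholder
data environment (CDE); every system that connects to them is in scope too.
Without verified segmentation a flat network is therefore entirely in scope.
The inventory and links below are constructed sample data.
"""
from collections import deque

# Constructed inventory: name -> cloud model and whether the system stores,
# processes or transmits cardholder data (chd).
SYSTEMS = {
    "payment-api":   {"model": "IaaS", "chd": True},
    "card-db":       {"model": "IaaS", "chd": True},
    "web-frontend":  {"model": "IaaS", "chd": False},
    "log-collector": {"model": "IaaS", "chd": False},
    "dev-box":       {"model": "IaaS", "chd": False},
    "crm":           {"model": "SaaS", "chd": False},
    "hr-portal":     {"model": "SaaS", "chd": False},
}

# Constructed connectivity: (a, b, segmented). segmented=True only where the
# link crosses a segmentation control (firewall rule set, separate VPC) that
# an assessor has verified; an unverified boundary is treated as flat.
LINKS = [
    ("web-frontend", "payment-api", False),
    ("payment-api", "card-db", False),
    ("payment-api", "log-collector", False),
    ("log-collector", "dev-box", False),   # flat link: pulls dev-box into scope
    ("payment-api", "crm", True),          # verified segmentation: crm stays out
    ("crm", "hr-portal", False),
]


def adjacency(links):
    """Undirected adjacency list; each neighbour carries the segmented flag."""
    adj = {}
    for a, b, segmented in links:
        adj.setdefault(a, []).append((b, segmented))
        adj.setdefault(b, []).append((a, segmented))
    return adj


def pci_scope(systems, links):
    """Return (in_scope, reasons).

    Seeds the walk with the CDE and follows every non-segmented link, so the
    'all systems that connect to them' rule is applied transitively: on a
    flat network everything reachable from the CDE is in scope.
    """
    adj = adjacency(links)
    reasons = {name: "CDE" for name, attrs in systems.items() if attrs["chd"]}
    queue = deque(reasons)
    while queue:
        node = queue.popleft()
        for neighbour, segmented in adj.get(node, []):
            if segmented or neighbour in reasons:
                continue
            reasons[neighbour] = f"connected to {node} without segmentation"
            queue.append(neighbour)
    return set(reasons), reasons


def scope_if_segmented(systems, links, a, b):
    """Scope after treating the a-b link as segmented: what a firewall rule
    or VPC split would buy, worked out before it is built."""
    changed = [(x, y, True) if {x, y} == {a, b} else (x, y, s) for x, y, s in links]
    return pci_scope(systems, changed)[0]


def scope_report(systems, links):
    """One line per system: cloud model and why it is (or is not) in scope."""
    in_scope, reasons = pci_scope(systems, links)
    rows = []
    for name in sorted(systems):
        status = f"IN SCOPE ({reasons[name]})" if name in in_scope else "out of scope"
        rows.append(f"{name:14}{systems[name]['model']:6}{status}")
    return "\n".join(rows)


if __name__ == "__main__":
    print(scope_report(SYSTEMS, LINKS))
    before = pci_scope(SYSTEMS, LINKS)[0]
    after = scope_if_segmented(SYSTEMS, LINKS, "log-collector", "dev-box")
    print(f"\nsegment log-collector/dev-box: {len(before)} -> {len(after)} systems in scope")
```

Run stand-alone it prints the scope table and shows the one link whose segmentation takes dev-box out of the assessment. Treat a "segmented" flag as a claim until the segmentation has been tested; an assumed boundary is what turns a small scope into a whole-network one on audit day.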
Compliance Keys

• Service Level Agreements
• Compensating Controls
SLA


 Amazon Web Services™ Customer
 Agreement
7.2. Security. We strive to keep Your Content secure, but cannot guarantee that
we will be successful at doing so, given the nature of the Internet. Accordingly,
without limitation to Section 4.3 above and Section 11.5 below, you acknowledge
that you bear sole responsibility for adequate security, protection and backup of
Your Content and Applications. We strongly encourage you, where available and
appropriate, to (a) use encryption technology to protect Your Content
from unauthorized access, (b) routinely archive Your Content, and (c) keep your
Applications or any software that you use or run with our Services current with the
latest security patches or updates. We will have no liability to you for any
unauthorized access or use, corruption, deletion, destruction or loss of any of Your
Content or Applications. http://aws.amazon.com/agreement/#7 (2 February 2012)
Remember
Security Ownership

Security ~ YOU ........ IaaS (Amazon EC2) -> PaaS (Google AppEngine) -> SaaS (Salesforce) ........ Security ~ THEM

Control over the security stack shifts towards the provider as you move from IaaS to SaaS; as the agreement above shows, responsibility for your data does not.
Control Mapping

Find the Gaps! Map the cloud model against the security control model and the compliance model, layer by layer:

• Applications: SDLC, binary analysis, scanners, web application firewalls, transactional security
• Information: DLP, CMF, database activity monitoring, encryption
• Management: GRC, IAM, VA/VM, patch management, configuration management, monitoring
• Network: NIDS/NIPS, firewalls, DPI, anti-DDoS, QoS, DNSSEC, OAuth
• Trust: hardware & software roots of trust and APIs
• Storage: host-based firewalls, HIDS/HIPS, integrity & file/log management, encryption, masking
• Physical: physical plant security, CCTV, guards
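The Information and Storage rows above list DLP and masking, and the first question both answer is where cardholder data actually is. As an added example (not code from the deck), a small PAN finder: it scans text for digit runs of PAN length, keeps only those that pass the Luhn check, and replaces them with a first-six/last-four masked form. The log lines and system names are constructed; the card numbers in them are the public Visa, Mastercard and Amex test numbers, not real accounts.

```python
"""PAN discovery and masking (added example, not from the deck).

Scans text for 13-19 digit runs, filters them with the Luhn check and masks
the survivors to first six / last four digits. Sample input is constructed.
"""
import re

# 13 to 19 digits, optionally separated by single spaces or dashes, not
# adjacent to other digits. Deliberately broad: the Luhn check does the filtering.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
SEPARATORS = re.compile(r"[ -]")


def luhn_ok(digits):
    """Luhn (mod 10) check over a string of ASCII digits."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits):
    """Keep at most the first six and last four digits, the most PCI DSS lets you display."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_pans(text):
    """Return (offset, digits) for every Luhn-valid PAN-length digit run in text."""
    hits = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = SEPARATORS.sub("", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            hits.append((m.start(), digits))
    return hits


def redact(text):
    """Replace every Luhn-valid PAN in text with its masked form; other digit runs are left alone."""
    def repl(m):
        digits = SEPARATORS.sub("", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            return mask_pan(digits)
        return m.group()
    return PAN_CANDIDATE.sub(repl, text)


# Constructed log lines (hypothetical system names, public test card numbers).
SAMPLE_LOG = [
    "2012-02-02T10:15:01 payment-api POST /charge card=4111 1111 1111 1111 amount=19.99",
    "2012-02-02T10:15:02 payment-api gateway ref=1234567890123456 status=approved",
    '2012-02-02T10:16:40 crm export customer=4242 note="amex 3782-822463-10005 on file"',
    "2012-02-02T10:17:05 web-frontend GET /health 200",
]


def scan_lines(lines):
    """(line number, PAN count) for each line that carries cardholder data."""
    return [(n, len(find_pans(line))) for n, line in enumerate(lines, 1) if find_pans(line)]


if __name__ == "__main__":
    for n, count in scan_lines(SAMPLE_LOG):
        print(f"line {n}: {count} PAN(s) -> {redact(SAMPLE_LOG[n - 1])}")
```

The 16-digit gateway reference on line 2 is left untouched because it fails Luhn, while the spaced Visa number and the dashed Amex number are caught and masked. Anything that stores lines like 1 and 3 (a log collector, a CRM export bucket) is storing cardholder data and therefore in scope, whatever the architecture diagram says.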
Where Cannot Be Mapped
• Conduct risk assessment

• Identify unacceptable risks

• Implement compensating controls!
  – Designed, accepted for the business
  – Must produce evidence
  – Accompanied by process
Modelling
Cloud Architecture (the Cloud Security Alliance guidance domains)

Governing the Cloud
• Governance and Enterprise Risk Management
• Legal and Electronic Discovery
• Compliance and Audit
• Information Lifecycle Management
• Portability and Interoperability

Operating in the Cloud
• Security, Business Continuity and Disaster Recovery
• Data Center Operations
• Incident Response, Notification, Remediation
• Application Security
• Encryption and Key Management
• Identity and Access Management
• Virtualization
QSA Words of Wisdom
QSA Client Advice



     "Never trust the
        vendor"
QSA Client Advice
•   Don't believe what you hear. Get out of your office. Go see it. Touch it. Taste it.
    Smell it. It's about due diligence.

•   Interrogate vendors focusing on security, resiliency, recovery, confidentiality,
    privacy and segmentation. See if they twitch.

•   PCI compliance comes down to implementing the controls, compensating controls
    or just accepting the risk. Go through each control with your vendor (as applicable)
    and determine actions.

•   If you don't see it in black and white in the vendor SLA, do not assume it's there. If
    you do see it, go check it.

•   Your mantra should be "How will you identify a breach?" At the end of the day, if
    you have a breach it will be your company's name in the paper, your company
    receiving the fine or your company in court - not the cloud provider.

•   Do everything you can possibly do. Then get your Acquirer's buy-in.

•   Get insurance.
QSA Vendor Advice



    "Never trust the
        client"
QSA Vendor Advice
•   Embrace it. Be proactive. Get out in front of it. Bring it up
    before they do.

•   Know your subject matter. Clients need mentors.

•   Be transparent. If you can't meet a compliance requirement,
    say it.

•   Never twitch.

•   Lay out liability in the SLA. Be clear. Be concise. State both
    what you are liable for and what you are not liable for.

•   Rephrase the question: "How will we identify a breach?"

•   Get insurance.
"I've looked at clouds from both sides
  now,
  from up and down, and still somehow,
  it's cloud illusions I recall
  I really don't know clouds...at all."


                     Joni Mitchell
26 Dover Street
        London
    United Kingdom
        W1S 4LY
  +44 (0)20 3586 1025
+44 (0)20 7763 7101(fax)


Editor's Notes

  1. Give out cards.
  2. Oldest crime on record: not prostitution. First recorded case of identity theft: Bible, Genesis XXX.