
2nd InfoCom Security Conference, 5 April 2012
Konstantinos Papadatos, Commercial Director & Co-founder
MSc InfoSec, CISSP, ISO 27001 LA, ISSMP, PMI, MBCI



Slide 2: Agenda
- Cloud is here to stay…
- PCI-DSS is here to stay…
- Cloud Security & Compliance
- Conclusions

Slide 3: Cloud service stack (diagram)
Layers as labelled on the diagram: Physical Servers & Storage; Networks / Directories; Infrastructure SW / Databases; Hosted Applications; Operating Systems; Virtualization; Data Center Physical, Mechanical & Electrical.
Service models: Infrastructure (IaaS), Platform (PaaS), Software Applications (SaaS).

Slide 4: Cloud deployment models (Public, Private, Community, Hybrid)
- Public cloud: applications, storage, and other resources are made available to the general public by a service provider. Public cloud services may be free or offered on a pay-per-usage model.
- Private cloud (internal or hosted): cloud infrastructure operated solely for a single organization.
- Community cloud: shares infrastructure between several organizations from a specific community with common concerns (security, compliance, jurisdiction, etc.), whether managed internally or by a third party and hosted internally or externally.
- Hybrid cloud: a composition of two or more clouds (private, community or public) that remain unique entities but are bound together, offering the benefits of multiple deployment models.

Slide 5: Cloud benefits
- Allows IT to shift focus: with the quick availability of cloud services, an organization is free to focus its time and resources on bringing innovation to applications and solutions.
- Utility service: pay-per-use / pay-as-you-go subscription-based model. Ready-to-go cloud offerings are available with limited time needed for implementation and customization (if provided).
- Dynamic scaling: services scale up and down based on application usage; best for applications with significant spikes and troughs in infrastructure usage.
- Investment cap: more beneficial for companies with limited capital to invest in hardware and infrastructure.
- Reduces TCO (Total Cost of Ownership): shifts cost from capital expense (Capex) to operational expense (Opex) for an enterprise. No need to buy an asset in order to use it, and related maintenance and support costs are reduced.
- Metered service: cloud usage is metered and priced on the basis of units (or instances) consumed. Pay for what you use and when you use it.
- Flexible offering: access infrastructure from anywhere, any location, on any device…
- … and, if provided properly: better security & compliance.

Slide 6: Source: Gartner (March 2011)
Cloud trends for the Western European Public Sector, IDC CEMA ICT Markets Alert, March 2012: "46% of respondents expressed that concerns about security are holding back the adoption of cloud computing by governments"

Slide 7: October 2010, "Q&A: Demystifying Cloud Security"
IT decision-makers and influencers say that cloud is a critical or high priority. The business need is such that security will not have the power to veto for long…


Slide 9: Section divider (agenda: Cloud is here to stay… / PCI-DSS is here to stay… / Cloud Security & Compliance / Conclusions)

Slide 10: PCI DSS ecosystem: roles and responsibilities
- Merchant Banks: enforce PCI DSS; promote its adoption (i.e. punishments, rewards); communicate with and educate merchants; report merchant compliance to Card Associations.
- Merchants: attain compliance with PCI DSS; secure cardholder data; use PCI certified service providers; maintain PCI DSS.
- Card Associations.
- PCI SSC: certify QSAs & ASVs.
- QSAs & ASVs: verify compliance through on-site audits & quarterly vulnerability scans; render opinions to the merchant bank on compensating controls.
- Service Providers: secure cardholder data; attain compliance with PCI DSS.

Slide 11: The 12 PCI DSS requirements
Build & Maintain a Secure Network
  1. Install & maintain a firewall configuration to protect cardholder data
  2. Do not use vendor-supplied defaults for system passwords & other security parameters
Protect Cardholder Data
  3. Protect stored cardholder data
  4. Encrypt transmission of cardholder data across open, public networks
Maintain a Vulnerability Management Program
  5. Use and regularly update anti-virus software or programs
  6. Develop & maintain secure systems and applications
Implement Strong Access Control Measures
  7. Restrict access to cardholder data by business need-to-know
  8. Assign a unique ID to each person with computer access
  9. Restrict physical access to cardholder data
Regularly Monitor & Test Networks
  10. Track and monitor all access to network resources and cardholder data
  11. Regularly test security systems and processes
Maintain an Information Security Policy
  12. Maintain a policy that addresses information security for employees and contractors

Slide 12: PCI DSS control areas
- Network Segmentation (Firewalls, NAC, ACLs …)
- IDS & IPS
- Wireless Security
- System Security (File Integrity Monitoring, AV, Patch Management …)
- Application Security (WAF, Code Review …)
- Storage & DB Encryption (or DB Firewalling or Tokenization …)
- Log Management
- Password Management
- Vulnerability & Patch Management
- Physical Security

Slide 13: Cost of non-compliance
In the event of a breach:
- Any fines from Payment Brands (up to $100,000 per incident)
- Cost to notify victims
- Cost to replace cards (about $10/card)
- Cost for any fraudulent transactions
- Forensics from a QDSC
- Level 1 certification from a QSA
Business as usual: $5,000 – $25,000 per month for non-compliance

Slide 14: Section divider (agenda: Cloud is here to stay… / PCI-DSS is here to stay… / Cloud Security & Compliance / Conclusions)

Slide 15: Cloud-related threats (diagram)
Access interfaces to IT services & data: e-Services (Web Applications, Mobile Access …); VPN (IPSec or other VPN); Back office access (Web Application, Web Services, DB Access, System Access …).
Actors: 3rd parties, Business Users, IT Users, Web Users, Partners, etc.; on the cloud side, CSP IT Users and Other Cloud Customers.

Slide 16: Cloud security concerns
- Data Center Physical Security
- Availability/Accessibility
  - Network
  - DR/BCP
- Isolation
  - At the application level (multitenant app, SaaS)
  - At the network/system level (Virtual Machines)
- Data Privacy & Regulatory Compliance
- Security Infrastructure as a Service
  - Protection from External Threats
  - Protection from Internal Threats & Misuse (customer's internal environment)
- Protection from Service Provider Access Misuse
- Protection from Other Customers' Access Misuse

Slide 17: SecIaaS: Security Infrastructure as a Service
Security of the Cloud Data Center / CSP: Risk Assessments, Penetration Tests …

Slide 18: SecIaaS: Secure & PCI Compliant Cloud (CDC/CSP Security)
- Network Security (FW & DMZs, IDS/IPS, VPNs, Virtual FW)
- System Security (Hypervisor Protection, CCM/FIM, AV/HIPS, Hardening, PIM/PUPM)
- Application Security (WAF, optional Anti-DDoS)
- Secure Access (Dedicated VDI/TS, Strong Authentication, Workflows)
- Identity & Access Management (Automation, Delegation, Governance)
- Data Security (Storage & DB Encryption, DBFW, Tokenisation)
- Log Management & Archiving (Collection from all systems, applications and security controls)
- Vulnerability & Patch Management (Automation, Streamlining, Integration)
- 24x7 Real Time Threat Management (Advanced Reporting & Response)
- Compliance Management (Dashboards; Integration with CCM, VM/PM, IAM …)
- Customer Portal(s) & Provisioning

Slide 19: Section divider (agenda: Cloud is here to stay… / PCI-DSS is here to stay… / Cloud Security & Compliance / Conclusions)

Slide 20: Roadmap
1. Move major operations to the cloud
2. Implement PCI controls on the remaining infrastructure
3. Attestation of Compliance

Slide 21: Required effort for PCI compliance by service model (diagram)
Service models: IaaS, PaaS, SaaS. PCI compliant CSP offerings, SecIaaS (Security Infrastructure as a Service), PCI compliant applications.
Note on the diagram: assuming that all CSP services comply with PCI-DSS requirements!

Slide 22: Conclusions
- Data dispersal and international privacy laws
  - EU Data Protection Directive
  - Exposure of data to foreign governments
  - Data retention issues
- Look for a CSP with strong security certifications / proof of compliance.
  - ISO/IEC: implementation of the standard for the cloud; scope: the Cloud Service Provider's own IT systems
  - Cloud Security Alliance: enhancement of the ISMS & security controls with CSA guidelines
  - PCI DSS: enhancement of the ISMS & security controls with PCI DSS guidelines
- If the CSP is NOT compliant, consider using a Hosted Private Cloud
  - Ability to impose stringent security and privacy policies.
  - Ability to have the infrastructure certified by auditors.
- The organization itself is still responsible for full compliance of the CDE (cardholder data environment), and only a part of that CDE might intersect a CSP.
- Cloud security is shifting from inhibitor to enabler.

Slide 23: Simplify your PCI compliance through our … Cloud!
Security Strategy: Risk Assessment & Management; Security Policies & Procedures Development; PCI-DSS Scoping & GAP analysis; Security Awareness Programs; PCI-DSS Certification (QSA)
Security Architecture: Network Infrastructure Security; File Integrity Monitoring; AV/HIPS; Security Hardening; Web Application & DB Firewalls; DB & Storage Encryption; Tokenisation; Password Management; Security Event Management; Identity & Access Management; Patch Management; Enterprise Information Protection
Security Assurance: Infrastructure Pentest; Web Application Pentest; Internal Pentest; Code Review; Wireless Security Assessments; Digital Forensics; Vulnerability Assessment; Authorized ASV
Managed Security Services: Real Time Threat Management; Managed Security Infrastructure; Brand Protection & Intelligence; Incident Handling & Support; Managed Vulnerability Assessments; PCI DSS Compliance
SecIaaS: PCI ready Hosting


