Download presentation
Presentation is loading. Please wait.
Published byBeverly Briggs Modified over 8 years ago
2
© 2011 Cloud Security Alliance, Inc. All rights reserved.
3
Thanks to Class Sponsors 2 Courseware created by Dr. Anton Chuvakin for Cloud Security Alliance
4
© 2011 Cloud Security Alliance, Inc. All rights reserved. About the Cloud Security Alliance Global, not-for-profit organization Building best practices and a trusted cloud ecosystem Comprehensive research and tools Certificate of Cloud Security Knowledge (CCSK) www.cloudsecurityalliance.org 3
5
© 2011 Cloud Security Alliance, Inc. All rights reserved. About the Class Learn/refresh knowledge about PCI DSS Learn/refresh knowledge about cloud computing Understand how to assess PCI compliance in cloud environments Understand how to implement PCI DSS controls in cloud environments Gain useful tools for planning/doing this 4
6
© 2011 Cloud Security Alliance, Inc. All rights reserved. 5 5
7
Show of hands please… 1. QSA 2. Merchant a) L1 b) L2-4 3. Service provider 4. Security tool vendor 5. Security consultant 6. Other 6 6
8
© 2011 Cloud Security Alliance, Inc. All rights reserved. Prerequisites Know how to spell “P-C-I D-S-S” Have heard about “The Cloud” Possess basic information security knowledge, IT management 7
9
© 2011 Cloud Security Alliance, Inc. All rights reserved. Full Class Outline Introduction What this class is about, prerequisites, how to benefit PCI DSS reminder Cloud basics Where cloud interacts with PCI DSS Key cloud PCI controls Core PCI DSS + cloud scenarios Conclusions and action items 8
10
© 2011 Cloud Security Alliance, Inc. All rights reserved. 9
11
How to benefit? If you are a merchant… Learn how to stay compliant in the cloud, what to ask of CSPs, what to show to QSAs If you are a QSA… Figure how to assess merchants and CSPs If you are a cloud service provider… Learn how to keep you and merchants compliant If you are a security vendor… Learn about the new problems you can solve If you are a consultant around PCI and cloud… Learn the “pain points” around PCI DSS and cloud 10
12
© 2011 Cloud Security Alliance, Inc. All rights reserved. PCI in the Cloud... In the Media 11
13
© 2011 Cloud Security Alliance, Inc. All rights reserved. 12
14
© 2011 Cloud Security Alliance, Inc. All rights reserved. Quick Reality Check 13
15
© 2011 Cloud Security Alliance, Inc. All rights reserved. Cloud? 14
16
© 2011 Cloud Security Alliance, Inc. All rights reserved. PCI DSS? 15
17
© 2011 Cloud Security Alliance, Inc. All rights reserved. Together? 16
18
© 2011 Cloud Security Alliance, Inc. All rights reserved. DISCUSSION! 17
19
© 2011 Cloud Security Alliance, Inc. All rights reserved. 18
20
© 2011 Cloud Security Alliance, Inc. All rights reserved. Why is PCI Here? 19 Criminals need money Credit cards = MONEY Where are the most cards? In computers. Data theft grows and reaches HUGE volume. Some organizations still don’t care… especially if the loss is not theirs PAYMENT CARD BRANDS ENFORCE DSS!
21
© 2011 Cloud Security Alliance, Inc. All rights reserved. Laggards vs. Leaders 20 Issue: many merchants don’t even want to “grow up” to the floor of security Result: breaches, loss of card data, lawsuits, unhappy consumers, threat of regulation Action: PCI DSS mandate!
22
© 2011 Cloud Security Alliance, Inc. All rights reserved. What is PCI DSS or PCI? Payment Card Industry Data Security Standard Payment Card = Payment Card Industry = Data Security = Data Security Standard = 21
23
© 2011 Cloud Security Alliance, Inc. All rights reserved. 22 PCI DSS: Basic Security Practices!
24
© 2011 Cloud Security Alliance, Inc. All rights reserved. PCI DSS Domain Coverage … In no particular order: Security policy and procedures Network security Malware protection Application security (and web) Vulnerability scanning and remediation Logging and monitoring Security awareness 23
25
© 2011 Cloud Security Alliance, Inc. All rights reserved. PCI DSS 2.0 is Here! Select items changing for PCI 2.0 Scoping clarification Data storage Virtualization (!!) DMZ clarification Vulnerability remediation Remote data access 24
26
© 2011 Cloud Security Alliance, Inc. All rights reserved. Does it Apply to Me? “PCI DSS compliance includes merchants and service providers who accept, capture, store, transmit or process credit and debit card data.” 25
27
© 2011 Cloud Security Alliance, Inc. All rights reserved. PCI Game: The Players 26 PCI Security Standards Council
28
© 2011 Cloud Security Alliance, Inc. All rights reserved. PCI Regime vs DSS Guidance The PCI Council publishes PCI DSS Outlined the minimum data security protections measures for payment card data. Defined Merchant & Service Provider Levels, and compliance validation requirements. Left the enforcement to card brands (Council doesn’t fine anybody!) Key point: PCI DSS (document) vs PCI (validation regime) 27
29
© 2011 Cloud Security Alliance, Inc. All rights reserved. PCI Security Standards Council Founded by: American Express Discover Financial Services JCB MasterCard Worldwide Visa International Publishes PCI DSS, PA-DSS and PTS Releases additional security guidance Approves security vendors Approved Scanning Vendors (ASV) – Quarterly Scans Qualified Security Assessor (QSA) – On-Site Assessments 28
30
© 2011 Cloud Security Alliance, Inc. All rights reserved. My Data – Their Risk!? *I* GIVE *YOU* DATA *YOU* LOSE IT *ANOTHER* SUFFERS! 29
31
© 2011 Cloud Security Alliance, Inc. All rights reserved. Key Concept// Scoping 30
32
© 2011 Cloud Security Alliance, Inc. All rights reserved. Sidenote// FLAT NET to FLAT CLOUD REALITY: “Without adequate network segmentation (sometimes called a "flat network") the entire network is in scope of the PCI DSS assessment.“ (PCI DSS 2.0) DREAM: “Without adequate network segmentation the entire CLOUD is in scope of the PCI DSS assessment.“ 31
33
© 2011 Cloud Security Alliance, Inc. All rights reserved. Key Concept// Compliance vs Validation Q: What to do after your QSA leaves? A: PCI DSS compliance does NOT end when a QSA leaves or SAQ is submitted. Use what you built for PCI to reduce risk “Own” PCI DSS; make it the basis for your policies 32
34
© 2011 Cloud Security Alliance, Inc. All rights reserved. Key Concept// Stay Compliant Ongoing compliance with PCI DSS – tasks: 33 TASKFREQUENCY Risk assessment, security awareness, key changes, review off-site backups, QSA assessment, etc Annual ASV and internal scans, wireless scansQuarterly File integrity checkingWeekly Log and alerts review, other operational procedures Daily
35
© 2011 Cloud Security Alliance, Inc. All rights reserved. Failing That… “Classic” example from my PCI book, co-author Branden Williams 34
36
© 2011 Cloud Security Alliance, Inc. All rights reserved. Two BIG Approaches to PCI DSS Compliance SECURE the data: Encrypt, access control, monitor, block attempts, authenticate, authorized, etc… 35 These apply to PCI in the cloud as well! DELETE the data: Organize your business to avoid dealing with the data
37
© 2011 Cloud Security Alliance, Inc. All rights reserved. 36
38
© 2011 Cloud Security Alliance, Inc. All rights reserved. 37
39
© 2011 Cloud Security Alliance, Inc. All rights reserved. NIST Definition of Cloud Computing “Cloud computing is a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources that can be rapidly provisioned and released with minimal management effort or service provider interaction. “ 38
40
© 2011 Cloud Security Alliance, Inc. All rights reserved. 5 Essential Cloud Characteristics 1. On-demand self-service 2. Broad network access 3. Resource pooling – Location independence 4. Rapid elasticity 5. Measured service 39
41
© 2011 Cloud Security Alliance, Inc. All rights reserved. 3 Cloud Service Models 1. Cloud Software as a Service (SaaS) – Use provider’s applications over a network 2. Cloud Platform as a Service (PaaS) – Deploy customer-created applications to a cloud 3. Cloud Infrastructure as a Service (IaaS) – Rent processing, storage, network capacity, and other fundamental computing resources To be considered “cloud” they must be deployed on top of cloud infrastructure that has the essential characteristics 40
42
© 2011 Cloud Security Alliance, Inc. All rights reserved. 4 Cloud Deployment Models Private cloud Enterprise owned or leased Community cloud Shared infrastructure for specific community Public cloud <- our focus in this class! Sold to the public, mega-scale infrastructure Hybrid cloud Composition of two or more clouds 41
43
© 2011 Cloud Security Alliance, Inc. All rights reserved. 7 Common Cloud Characteristics 1. Massive scale 2. Homogeneity 3. Virtualization 4. Resilient computing 5. Low cost software 6. Geographic distribution 7. Service orientation 42 42
44
© 2011 Cloud Security Alliance, Inc. All rights reserved. All of this TOGETHER: The Cloud CommunityCloud Private Cloud Public Cloud Hybrid Clouds Deployment Models Service Models Essential Characteristics Common Characteristics Software as a Service (SaaS) Platform as a Service (PaaS) Infrastructure as a Service (IaaS) Resource Pooling Broad Network AccessRapid Elasticity Measured Service On Demand Self-Service Low Cost Software VirtualizationService Orientation Advanced Security Homogeneity Massive ScaleResilient Computing Geographic Distribution 43
45
© 2011 Cloud Security Alliance, Inc. All rights reserved. Example IaaS// Amazon Cloud Amazon cloud components – Elastic Compute Cloud (EC2) Run your own or Amazon’s OS “instances” – Simple Storage Service (S3) – SimpleDB – Other services 44
46
© 2011 Cloud Security Alliance, Inc. All rights reserved. Example PaaS// Google App Engine Create, deploy and run applications NO control (or, in fact, even visibility) of OS Use SDK to develop the applications Run “natively” in the cloud 45
47
© 2011 Cloud Security Alliance, Inc. All rights reserved. Example SaaS// Salesforce Well-known SaaS CRM application Cloud CRM + a lot more applications 46
48
© 2011 Cloud Security Alliance, Inc. All rights reserved. Example P/IaaS // Azure Source: Microsoft Presentation, A Lap Around Windows Azure, Manuvir Das 47
49
© 2011 Cloud Security Alliance, Inc. All rights reserved. Service Model Architectures 48
50
© 2011 Cloud Security Alliance, Inc. All rights reserved. Foundational Elements of Cloud Computing Virtualization Grid technology Service Oriented Architectures Distributed Computing Broadband Networks Browser as a platform Free and Open Source Software Autonomic Systems Web 2.0 Web application frameworks Service Level Agreements Primary TechnologiesOther Technologies 49
51
© 2011 Cloud Security Alliance, Inc. All rights reserved. Security? Are there …mmm …cloud security issues? 50
52
© 2011 Cloud Security Alliance, Inc. All rights reserved. 51 Security: Barrier to Adoption?
53
© 2011 Cloud Security Alliance, Inc. All rights reserved. 52 What is Different about Cloud?
54
© 2011 Cloud Security Alliance, Inc. All rights reserved. Security Relevant Cloud Components Cloud Provisioning Services Cloud Data Storage Services Cloud Processing Infrastructure Cloud Support Services Cloud Network and Perimeter Security Elastic Elements: Storage, Processing, and Virtual Networks 53
55
© 2011 Cloud Security Alliance, Inc. All rights reserved. 54 What is Different about Cloud?
56
© 2011 Cloud Security Alliance, Inc. All rights reserved. 55 What is Different about Cloud?
57
© 2011 Cloud Security Alliance, Inc. All rights reserved. 56 What is Different about Cloud?
58
© 2011 Cloud Security Alliance, Inc. All rights reserved. CSA Cloud “Threats” 1. Abuse & Nefarious Use of Cloud Computing 2. Insecure Interfaces & APIs 3. Malicious Insiders 4. Shared Technology Issues 5. Data Loss or Leakage 6. Account or Service Hijacking 7. Unknown Risk Profile 57
59
© 2011 Cloud Security Alliance, Inc. All rights reserved. ENISA Cloud Risks 1. Loss of governance 2. Lock-in 3. Isolation failure 4. Compliance risks 5. Management interface compromise 6. Data protection 7. Insecure or incomplete data deletion 8. Malicious insider 58
60
© 2011 Cloud Security Alliance, Inc. All rights reserved. iSEC Realistic Cloud “Threats” 1. Authentication abuse 2. Operations breakdown 3. Misuse of cloud-specific technology 59
61
© 2011 Cloud Security Alliance, Inc. All rights reserved. FBI Takes Cloud Away 60
62
© 2011 Cloud Security Alliance, Inc. All rights reserved. Discussion 61 What do YOU think are actual, relevant, TRUE threats to cloud computing?
63
© 2011 Cloud Security Alliance, Inc. All rights reserved. While we are “in the cloud” Here are some additional CSA/cloud security resources… 62
64
© 2011 Cloud Security Alliance, Inc. All rights reserved. CSA GRC Stack Bringing it all together to peel back the layers of control ownership and address concerns for trusted Cloud adoption. 63 Control Requirements Provider Assertions Private, Community & Public Clouds
65
© 2011 Cloud Security Alliance, Inc. All rights reserved. CSA CloudAudit Open standard and API to automate provider audit assertions Change audit from data gathering to data analysis Necessary to provide audit & assurance at the scale demanded by cloud providers Uses Cloud Controls Matrix as controls namespace Use to instrument cloud for continuous controls monitoring 64
66
© 2011 Cloud Security Alliance, Inc. All rights reserved. CSA Cloud Controls Matrix 65 Controls derived from guidance Mapped to familiar frameworks: ISO 27001, COBIT, PCI, HIPAA Rated as applicable to SaaS/PaaS/IaaS Customer vs Provider role Help bridge the “cloud gap” for IT & IT auditors https://cloudsecurityalliance.org/research/projects/cloud-controls-matrix-ccm/
67
© 2011 Cloud Security Alliance, Inc. All rights reserved. 66 Next?
68
© 2011 Cloud Security Alliance, Inc. All rights reserved. Do We See A Cloud in There? Requirement 12.8 “If cardholder data is shared with service providers, maintain and implement policies and procedures to 67 manage service providers…” Requirement A.1: “Shared hosting providers must protect the cardholder data environment”
69
© 2011 Cloud Security Alliance, Inc. All rights reserved. Magic of Requirement 12.8 Q: Does PCI DSS apply to merchants who use payment gateways to process transactions on their behalf, and thus never store, process or transmit cardholder data? A: PCI DSS requirements are applicable if a Primary Account Number (PAN) is stored, processed, or transmitted. If PAN is not stored, processed, or transmitted, PCI DSS requirements do not apply. ….…………………. however ……………………… 68
70
© 2011 Cloud Security Alliance, Inc. All rights reserved. Magic of 12.8 Revealed “If the merchant shares cardholder data with a … service provider, the merchant must ensure that there is an agreement with that …service provider that includes their acknowledgement that the third party processor/service provider is responsible for the security of the cardholder data it possesses. In lieu of a direct agreement, the merchant must obtain evidence of the … provider's compliance with PCI DSS via other means, such as via a letter of attestation.” 69
71
© 2011 Cloud Security Alliance, Inc. All rights reserved. Requirement 9// Amazon Example Q: “Do QSAs for Level 1 merchants require a physical walkthrough of a service provider’s data center? A: No. A merchant can obtain certification without a physical walkthrough of a service provider’s data center if the service provider is a Level 1 validated service provider (such as AWS). A merchant’s QSA can rely on the work performed by our QSA, which included an extensive review of the physical security of our data centers.” 70
72
© 2011 Cloud Security Alliance, Inc. All rights reserved. June 2011// PCI SSC Virtualization Guidance Key Cloud Items: “CSP should clearly identify which PCI DSS requirements, system components, and services are covered by the cloud provider’s PCI DSS compliance program.” 71
73
© 2011 Cloud Security Alliance, Inc. All rights reserved. PCI SSC on Cloud Challenges “The distributed architectures of cloud environments add layers of technology and complexity to the environment. Public cloud environments are designed to be public-facing, to allow access into the environment from anywhere on the Internet. The infrastructure is by nature dynamic, and boundaries between tenant environments can be fluid. The hosted entity has limited or no visibility into the underlying infrastructure and related security controls. The hosted entity has limited or no oversight or control over cardholder data storage. The hosted entity has no knowledge of ―who ‖ they are sharing resources with, or the potential risks their hosted neighbors may be introducing to the host system, data stores, or other resources shared across a multi-tenant environment” 72
74
© 2011 Cloud Security Alliance, Inc. All rights reserved. And now… … a brainteaser 73
75
© 2011 Cloud Security Alliance, Inc. All rights reserved. Requirement 11.3// Pentesting “11.3 Perform external and internal penetration testing at least once a year and after any significant infrastructure or application upgrade or modification 11.3.1 Network-layer penetration tests 11.3.2 Application-layer penetration tests” “Cloudify” this for me, please! 74
76
© 2011 Cloud Security Alliance, Inc. All rights reserved. Q: How should we address it? 75 Audience Poll A: Only pentest applications with narrow rules D: Hide under our desks and squeal C: Trust that “they do it” B: Go full blast and “own” provider’s datacenter
77
© 2011 Cloud Security Alliance, Inc. All rights reserved. Detailed Example// Amazon PCI 76 Happy now? “Amazon is PCI OK” Huh?
78
© 2011 Cloud Security Alliance, Inc. All rights reserved. Say What…. Q: “What does this mean to me as a PCI merchant or service provider? A: Our PCI Service Provider status means that customers who use our services to store, process or transmit cardholder data can rely on our PCI compliance validation for the technology infrastructure as they manage their own compliance and certification, including PCI audits and responses to incidents. Our service provider compliance covers all requirements as defined by PCI DSS for physical infrastructure service providers. Moving the entire cardholder environment to AWS can simplify your own PCI compliance by relying on our validated service provider status.” 77
79
© 2011 Cloud Security Alliance, Inc. All rights reserved. Example// Amazon view of this 78
80
© 2011 Cloud Security Alliance, Inc. All rights reserved. Example// Amazon Guidance 79
81
© 2011 Cloud Security Alliance, Inc. All rights reserved. 80 Sidenote// “Compliant” Provider of What?
82
© 2011 Cloud Security Alliance, Inc. All rights reserved. 81
83
© 2011 Cloud Security Alliance, Inc. All rights reserved. Scenarios Introduction In scope for discussion: – Public IaaS, PaaS, SaaS – Chained or multiple CSPs NOT in scope: – Traditional hosting providers – Outsourced data center or call center – Private cloud and virtualization on-prem – Virtual private cloud (sort of) 82
84
© 2011 Cloud Security Alliance, Inc. All rights reserved. Learn Using Scenarios Description How to assess this scenarios / Assessment tips How to scope this scenario / Scoping tips How to get compliant How to stay compliant What to show to QSA / compliance evidence Notable PCI requirements to watch Responsibility split Pitfalls, Risks and Tips 83
85
© 2011 Cloud Security Alliance, Inc. All rights reserved. Key Goal DO build a framework for assessing/complying, based on the scenarios DO NOT memorize the scenarios, yours might be different or be a combination of these 84
86
© 2011 Cloud Security Alliance, Inc. All rights reserved. Scenario 1// Clean Cloud 85 Merchant – ecommerce or stores Use public cloud (SaaS, PaaS, IaaS) Cloud environment segmented from CDE NO PANs in any cloud environment … or so they think
87
© 2011 Cloud Security Alliance, Inc. All rights reserved. Description Sells books online Level 1 merchant Uses cloud provider(s) for testing, training, etc Cloud provider NOT PCI-OK NO payment data stored in the cloud NO payment data processed in the cloud NO payment data passed through cloud 86
88
© 2011 Cloud Security Alliance, Inc. All rights reserved. Scenario 1// Visual 87
89
© 2011 Cloud Security Alliance, Inc. All rights reserved. Q: Can they be PCI DSS compliant? 88 Audience Poll A: Yes C: Cannot tell B: No
90
© 2011 Cloud Security Alliance, Inc. All rights reserved. How to Assess? Key: Are they right? Test that PANs didn’t “escape” to Amazon 89
91
© 2011 Cloud Security Alliance, Inc. All rights reserved. How to Scope? On-prem: as usual Cloud environment: IaaS: run a discovery tool Example: DLP tool, open source data discovery, dedicated PAN discovery tool, custom script to look for unencrypted PANs Q: What about encrypted PANs? 90
92
© 2011 Cloud Security Alliance, Inc. All rights reserved. How to Get / Stay Compliant? Easy huh: Keep the PANs out of the cloud Recheck (via discovery tools) that cloud systems are not contaminated by the PANs Look for old PANs, “test” PANs, etc. 91
93
© 2011 Cloud Security Alliance, Inc. All rights reserved. Compliance Evidence What to show to QSA? Discovery scan results Other data that confirms that PCI data does not get to the cloud systems Policies and procedures BANNING card data in the cloud; evidence of people actually following them…. 92
94
© 2011 Cloud Security Alliance, Inc. All rights reserved. Responsibility SPLIT PROVIDER Nothing (not even being PCI compliant) 93 MERCHANT All PCI controls Scoping Keeping cloud systems out of scope
95
© 2011 Cloud Security Alliance, Inc. All rights reserved. Contract SLA Tips Requirement 12.8 does NOT play No SLA in regards to cardholder data 94
96
© 2011 Cloud Security Alliance, Inc. All rights reserved. Common Pitfalls and Key Risks Failing to assure that PANs don’t leak to the cloud Failing to maintain “no PANs in the cloud” status “Rogue PANs” theft is still CHD theft… Tip: run a discovery tool on cloud systems Tip: assure segmentation (no data flow from CDE to YOUR cloud) 95
97
© 2011 Cloud Security Alliance, Inc. All rights reserved. Common PAN Leakage Excel spreadsheet on cloud systems – Excel spreadsheet on Google Documents Application screenshots Finance and HR documents with PANs Other Office formats with PAN information Text dumps from poorly-written/legacy applications 96
98
© 2011 Cloud Security Alliance, Inc. All rights reserved. Scenario 2// Storage in the Cloud 97 Merchant – ecommerce or stores Use public cloud (SaaS, PaaS, IaaS) Stores PANs in public cloud environment!
99
© 2011 Cloud Security Alliance, Inc. All rights reserved. Description A chain of stores across the US West Level 2 merchant Uses cloud provider(s) for testing, training, backup systems, data storage, etc Cloud provider MAY BE PCI-OK PAN data stored in the cloud PAN data transmitted through cloud NO payment data processed in the cloud 98
100
© 2011 Cloud Security Alliance, Inc. All rights reserved. Scenario 2// Visual 99
101
© 2011 Cloud Security Alliance, Inc. All rights reserved. Q: Can they be PCI DSS compliant? 100 Audience Poll A: Yes C: Cannot tell B: No What about their service provider(s)? Must they be PCI-OK for merchant to be PCI-OK? Bonus question: What about their CSPs’ CSP?
102
© 2011 Cloud Security Alliance, Inc. All rights reserved. How to Assess? Key: Encryption AND/OR Provider PCI Status Case #1: Unencrypted PANs at CSP => no PCI compliance possible Case #2: Encrypted with provider having the key => provider must be PCI-OK Case #3: Encrypted with provider NOT having the key => presumably, provider may be NOT PCI-OK 101
103
© 2011 Cloud Security Alliance, Inc. All rights reserved. Huh? What does it mean? IaaS (e.g. VMs in the cloud, EC2 instances, etc) = likely case #3 Merchant deals with PCI DSS, provider may not know anything about it No unencrypted data possible in/across the cloud NO WAY for CSP to decrypt the data Reminder: scan for unintended cloud PANs 102
104
© 2011 Cloud Security Alliance, Inc. All rights reserved. Huh? What does it mean? Part II SaaS or PaaS (e.g SalesForce, etc) = likely case #2 Provider MUST be PCI-OK Merchant and CSP share PCI responsibilities CSP encrypts the data AND/OR can decrypt it 103
105
© 2011 Cloud Security Alliance, Inc. All rights reserved. How to Scope? On-prem: as usual Cloud environment: – IaaS (case #2) Cloud environment can be claimed to be out of scope (if CSP has NO key!!!) Merchant is responsible for all controls Look for unintentional PANs – SaaS and maybe PaaS (case #3) Cloud environment IS in scope Controls shared between CSP and Merchant 104
106
© 2011 Cloud Security Alliance, Inc. All rights reserved. PCI Council Says… “For example, an entity subscribing to an IaaS service may retain complete control of, and therefore be responsible for, the ongoing security and maintenance of all operating systems, applications, virtual configurations (including the hypervisor and virtual security appliances), and data. In this scenario, the cloud provider would only be responsible for maintaining the underlying physical network and computing hardware. In an alternative scenario, a SaaS service offering may encompass management of all hardware and software, including virtual components and hypervisor configurations. In this scenario, the entity may only be responsible for protecting their data, and all other security requirements would be implemented and managed by the service provider.” 105
107
© 2011 Cloud Security Alliance, Inc. All rights reserved. How to Get Compliant? 1. Realize what scenario you are in, then either a) Ensure CSP cooperation and PCI-OK status (see matrix), or (“PCI in cloud”, SaaS/PaaS) b) Encrypt all PANs and prevent the provider from having the key (“no PCI in cloud”, IaaS) 2. In case a), build the control matrix and test it 106
108
© 2011 Cloud Security Alliance, Inc. All rights reserved. How to Stay Compliant? Either … Keep testing the CSP PCI-OK status and check the matrix for missing controls Keep encrypting, preventing the provider from seeing the key and testing for “rogue PANs” 107
109
© 2011 Cloud Security Alliance, Inc. All rights reserved. Compliance Evidence What to show to QSA? By case… CSP PCI status and additional evidence of how they do PCI DSS Proof of your scoping decision to exclude the cloud due to encryption + evidence of all other PCI controls, of course 108
110
© 2011 Cloud Security Alliance, Inc. All rights reserved. Responsibility SPLIT// IaaS/No Cloud PCI/Encryption PROVIDER Nothing (may not even be PCI compliant) 109 MERCHANT All PCI controls Encryption + key management Scoping Keeping cloud systems out of scope
111
© 2011 Cloud Security Alliance, Inc. All rights reserved. Responsibility SPLIT// SaaS/Cloud PCI provider PROVIDER Security policy Physical Network Encryption Key management System security Parts of application security 110 MERCHANT Security policy Application security Scoping Monitoring (unless extra $ to CSP)
112
© 2011 Cloud Security Alliance, Inc. All rights reserved. 111 Example Scenario 2// Control Matrix
113
© 2011 Cloud Security Alliance, Inc. All rights reserved. Ooops! Merchant uses IaaS, manages the systems, encrypts the data – (so far, case “No Cloud PCI”) …but SHARES THE KEY WITH CSP! What now? 112
114
© 2011 Cloud Security Alliance, Inc. All rights reserved. Notable PCI DSS Requirements to Watch Requirement 3.4 covers the encryption of stored data. Requirement 12.8 covers service providers and the matrix Requirement A cover shared hosting providers 113
115
© 2011 Cloud Security Alliance, Inc. All rights reserved. Contract SLA Tips Case SaaS/“PCI in the cloud” Clear acceptance of responsibility for “their” controls Verification of provider controls Incident response support for data breaches 114
116
© 2011 Cloud Security Alliance, Inc. All rights reserved. PCI Council Says… “The cloud provider should clearly identify which PCI DSS requirements, system components, and services are covered by the cloud provider’s PCI DSS compliance program. Any aspects of the service not covered by the cloud provider should be identified, and it should be clearly documented in the service agreement that these aspects, system components, and PCI DSS requirements are the responsibility of the hosted entity to manage and assess. The cloud provider should provide sufficient evidence and assurance that all processes and components under their control are PCI DSS compliant. “ 115
117
© 2011 Cloud Security Alliance, Inc. All rights reserved. Common Pitfalls and Key Risks For IaaS/No PCI in cloud/encryption case, assurance of provider not being able to decrypt the data For SaaS/PCI in cloud, failure to test the provider on the ongoing basis SLA failures: no escalation, evidence sharing, incident response cooperation “Finger pointing” 116
118
© 2011 Cloud Security Alliance, Inc. All rights reserved. Scenario 3// IaaS PCI 117 Merchant – ecommerce or stores Use public cloud IaaS provider Processes cards and possibly stores them as well in the cloud
119
© 2011 Cloud Security Alliance, Inc. All rights reserved. Description Global airline with physical and online purchases Uses CSP for a broad spectrum of payment tasks Cloud provider MUST be PCI-OK PAN data stored in the cloud PAN data passed through cloud PAN data processed in the cloud – at the same provider! 118
120
© 2011 Cloud Security Alliance, Inc. All rights reserved. Scenario 3// Visual 119
121
© 2011 Cloud Security Alliance, Inc. All rights reserved. Q: Can they be PCI DSS compliant? 120 Audience Poll A: Yes C: Cannot tell B: No Who is doing what for the merchant to be PCI-OK? Bonus question: What about their SPs’ SP’s SP?
122
© 2011 Cloud Security Alliance, Inc. All rights reserved. How to Assess? Key: The Matrix … Must Have No Holes ALL PCI DSS controls are in place for all layers of the cloud environment – and somebody must … pay for it 121
123
© 2011 Cloud Security Alliance, Inc. All rights reserved. 122 Secret to PCI In the Cloud
124
© 2011 Cloud Security Alliance, Inc. All rights reserved. Huh? The Matrix? Two basic FACTS: 1. Merchant CANNOT do PCI DSS without the CSP! 2. CSP CANNOT make merchant compliant! The only way is a clear delineation of duties aka … The Control Matrix 123
125
© 2011 Cloud Security Alliance, Inc. All rights reserved. PCI Council Says… “For example, an entity subscribing to an IaaS service may retain complete control of, and therefore be responsible for, the ongoing security and maintenance of all operating systems, applications, virtual configurations (including the hypervisor and virtual security appliances), and data. In this scenario, the cloud provider would only be responsible for maintaining the underlying physical network and computing hardware.” 124
126
© 2011 Cloud Security Alliance, Inc. All rights reserved. How to Scope? On-prem: as usual Cloud IaaS environment: – IaaS systems are in scope: systems, applications, network, devices, hypervisor – Two tiered scoping (PCI 2.0 artifact) Systems WITH data vs systems that touch/manage systems with data Think “outsourced datacenter+” 125
127
© 2011 Cloud Security Alliance, Inc. All rights reserved. How to Get Compliant? One Approach!! 1. Pretend all IaaS infrastructure is YOUR ON-PREMISE network 2. Plan PCI DSS controls for it 3. Realize which controls you CANNOT do since it is really NOT an on-prem network and you don’t control some domains (e.g. physical) – Then have a talk with a provider on whether THEY a) CAN and b) WILL cover that 4. Realize which controls DON’T APPLY verbatim to the cloud environment – Then and figure how to compensate!! 126
128
© 2011 Cloud Security Alliance, Inc. All rights reserved. For Example Project: replace branch servers with IaaS- deployed servers PCI controls: all on branch server replacement, most on management servers, etc – Physical? => CSP – Firewall management => CSP – Monitoring? => CSP MSSP service ($) – Web application scanning => Ooops! 127
129
© 2011 Cloud Security Alliance, Inc. All rights reserved. How to Stay Compliant? Keep testing the CSP PCI-OK status and check the matrix for missing controls 128
130
© 2011 Cloud Security Alliance, Inc. All rights reserved. PAN Flow 129
131
© 2011 Cloud Security Alliance, Inc. All rights reserved. Compliance Evidence What to show to QSA? Evidence of ALL controls – yours and CSPs Evidence of ongoing compliance: logging, testing, etc MUST DO: obtained detailed PCI evidence from CSP for controls that apply to your environment! 130
132
© 2011 Cloud Security Alliance, Inc. All rights reserved. Responsibility SPLIT// IaaS PCI PROVIDER Physical Network Encryption Key management System security Parts of application security MERCHANT Application security Scoping Monitoring (unless extra $ to CSP) 131
133
© 2011 Cloud Security Alliance, Inc. All rights reserved. 132 Example Scenario 3// Control Matrix
134
© 2011 Cloud Security Alliance, Inc. All rights reserved. Sidenote// Owner vs Manager 133 Setting: IaaS provider (EC2 or other) PCI Requirement: Req 1 firewall management CSP OWNS the firewall appliance Merchant, CSP, CSP MSSP or 3 rd party MANAGES the firewall settings Who is left holding the PCI bag?
135
© 2011 Cloud Security Alliance, Inc. All rights reserved. PCI Council Says… 134 … you go figure it out!
136
© 2011 Cloud Security Alliance, Inc. All rights reserved. Full SAMPLE Matrix Review This matrix is JUST A SAMPLE Used here AS AN EXAMPLE This is NOT YOUR REAL THING EXAMPLE means “here is what CAN be” EXAMPLE SAMPLE ILLUSTRATION! Did I mention it is just an example? 135
137
© 2011 Cloud Security Alliance, Inc. All rights reserved. How to use the shared PCI control matrix? The class addendum, EXAMPLE PCI DSS shared control matrix can be used as follows: To review one possible control sharing methodology between CSP and merchant To validate one’s own control sharing For security discussion with CSPs As a foundation for one’s control sharing – with caution! 136
138
© 2011 Cloud Security Alliance, Inc. All rights reserved. Notable PCI DSS Requirements to Watch Requirement 3.4 covers the encryption of stored data. Requirement 12.8 covers service providers and the matrix Requirement A cover shared hosting providers 137
139
© 2011 Cloud Security Alliance, Inc. All rights reserved. Contract SLA Tips Case SaaS/“PCI in the cloud” Clear acceptance of responsibility for “their” controls Verification of provider controls Incident response support for data breaches 138
140
© 2011 Cloud Security Alliance, Inc. All rights reserved. Common Pitfalls and Key Risks Failure to test the provider on the ongoing basis Trusting the provider without evidence SLA failures: no escalation, evidence sharing, incident response cooperation Tip: make SLA as detailed as possible – involve both information security AND legal 139
141
© 2011 Cloud Security Alliance, Inc. All rights reserved. Scenario 4// Twice-Cloudy PCI 140 Merchant – ecommerce or stores Use public cloud IaaS provider Processes cards and possibly stores them as well in the cloud Uses a dedicated CSP for payment processing (P), NOT hosting CSP (H)
142
© 2011 Cloud Security Alliance, Inc. All rights reserved. Description An ecommerce company with seasonal highly sales Uses CSP H, but with payment processing handled by CSP P Cloud provider P MUST be PCI-OK Cloud provider H SHOULD be PCI-OK (?) PAN data processed and stored in the cloud – by CSP P 141
143
© 2011 Cloud Security Alliance, Inc. All rights reserved. 142 Scenario 4// Visual
144
© 2011 Cloud Security Alliance, Inc. All rights reserved. Q: Can they be PCI DSS compliant? 143 Audience Poll A: Yes C: Cannot tell B: No Should CSP H be PCI compliant? Can merchant be PCI compliant if CSP H is NOT?
145
© 2011 Cloud Security Alliance, Inc. All rights reserved. This is VERY COMMON… … but there is A LOT OF DEVIL in the details 144
146
© 2011 Cloud Security Alliance, Inc. All rights reserved. Example// Cloud Sites by Rackspace 145
147
© 2011 Cloud Security Alliance, Inc. All rights reserved. Example// Microsoft Azure 146 Official Azure FAQ (2011) Q: “Can you host PCI (e.g. credit card) data [on Azure]? A: Microsoft makes no claim regarding these standards for 3rd party hosting. There are ways to develop cloud based applications to use 3rd party PCI data processers that may keep the cloud application itself out of scope.” Bonus question: where does here point?
148
© 2011 Cloud Security Alliance, Inc. All rights reserved. How to Assess? Key: Contain Toxic (=PCI) Data In “Special Clouds”, Don’t Taint Your IaaS! The logic here is to offload all (if possible) operations with PANs to a payment provider 147
149
© 2011 Cloud Security Alliance, Inc. All rights reserved. How to Scope? On-prem: as usual Don’t SCOPE - KILL the scope to nothing in the cloud Minimize “rogue PANs” 148
150
© 2011 Cloud Security Alliance, Inc. All rights reserved. Huh? Toxic What? Three basic FACTS: 1. If neither Merchant nor CSP can see payment data, there is tiny scope of PCI for them (*) 2. If CSP cannot see the data, but Merchant can, then this is a traditional on-prem PCI environment 3. The more payment provider takes on, the better: PCI stays in their cloud 149
151
© 2011 Cloud Security Alliance, Inc. All rights reserved. Example// PayPal API “With Website Payments Standard, Email Payments, and Payflow Link*, PayPal handles the payment card information for you. So you don’t have to worry about your buyers’ payment card security or about compliance with PCI DSS for your business.” Will they really sign such agreement? 150
152
© 2011 Cloud Security Alliance, Inc. All rights reserved. Example// Amazon FPS Perfect “cloud shield”: “As a part of Amazon Payments' services you [=merchant!] may not have access to certain information associated with Cards being processed, including without limitation account number, expiration date, and the card verification value (CVV2/CVC2) (collectively, “Cardholder Data”).” 151
153
© 2011 Cloud Security Alliance, Inc. All rights reserved. 152 Example// Rackspace “Compliant” Cloud
154
© 2011 Cloud Security Alliance, Inc. All rights reserved. How to Get and Stay Compliant? 1. Avoid PANs 2. Engineer the payment chain to avoid having PANs in CSP H and your own environment 3. Verify CSP P compliant status (duh!) 153
155
© 2011 Cloud Security Alliance, Inc. All rights reserved. How to Stay Compliant? Keep testing the CSP PCI-OK status and check the matrix for missing controls 154
156
© 2011 Cloud Security Alliance, Inc. All rights reserved. Compliance Evidence What to show to QSA? Evidence of zero scope – Data flow, system architecture, etc Evidence of CSP P PCI compliance 155
157
© 2011 Cloud Security Alliance, Inc. All rights reserved. Responsibility SPLIT// IaaS PCI 156 CSP H Nothing MERCHANT Application security (maybe) Provider management Others as deployed CSP P All PCI Controls
158
© 2011 Cloud Security Alliance, Inc. All rights reserved. PCI Council Says… 157 … you go figure it out!
159
© 2011 Cloud Security Alliance, Inc. All rights reserved. Notable PCI DSS Requirements to Watch Possibly none – if no merchant ID and no relationship with acquirer Requirement 12.8 covers service providers 158
160
© 2011 Cloud Security Alliance, Inc. All rights reserved. Common Pitfalls, Risks and SLA Tips PAN leakage, temporary files and other artifacts of bad coding of payment provider APIs Web application attacks that redirect the PAN flow to the attacker Crash dumps with PANs 159
161
© 2011 Cloud Security Alliance, Inc. All rights reserved. Scenario 5// PaaS PCI 160 Merchant – ecommerce or stores Use public cloud PaaS provider Processes cards and possibly stores them as well in the cloud
162
© 2011 Cloud Security Alliance, Inc. All rights reserved. PaaS… Come Again? PaaS is EXACTLY between IaaS and SaaS IaaS: OS, VM, networks, etc SaaS: application What’s in between? An environment for application development … PaaS 161
163
© 2011 Cloud Security Alliance, Inc. All rights reserved. Description A major ecommerce website Uses CSP for a broad spectrum of tasks, including payments Cloud provider MAY BE PCI-OK PAN data stored/passed in the cloud PAN data processed in the cloud Merchant does NOT control the OS/VMs at the CSP 162
164
© 2011 Cloud Security Alliance, Inc. All rights reserved. Scenario 5// Visual 163
165
© 2011 Cloud Security Alliance, Inc. All rights reserved. Q: Can they be PCI DSS compliant? 164 Audience Poll A: Yes C: Cannot tell B: No Must the provider be PCI-OK? Can the merchant be PCI-OK if the CSP is not? What must merchant do because the provider cannot do it?
166
© 2011 Cloud Security Alliance, Inc. All rights reserved. How to Assess? Key: Need to Understand Your CSP… Really Well 165
167
© 2011 Cloud Security Alliance, Inc. All rights reserved. Decision Time If PaaS CSP is NOT PCI-OK (Force.com, Azure) THEN the only way to PCI is complete “3 rd party payment takeover” ->Scenario 4 166 If PaaS CSP IS PCI-OK THEN build the control matrix -> Scenario 3
168
© 2011 Cloud Security Alliance, Inc. All rights reserved. How to Scope? On-prem: as usual Cloud PaaS environment: – PaaS systems are in scope: systems, applications, network, devices, hypervisor – Two tiered scoping (PCI 2.0 artifact) Systems WITH data vs systems that touch/manage systems with data Think “outsourced IT-” 167
169
© 2011 Cloud Security Alliance, Inc. All rights reserved. How to Get Compliant? One Approach!! 1. Review which controls the PaaS CSP will handle for you 2. Check which PCI DSS controls they cannot ever handle – Example: your security policy, awareness training for your employees (BTW, they should – for theirs) 3. Create the matrix and verify with the CSP – Request additional information from them as needed 4. Deploy additional controls where needed and where prudent 168
170
© 2011 Cloud Security Alliance, Inc. All rights reserved. For Example Project: replace marketing analytics application that uses PAN with PaaS- deployed application PCI controls: all on the application, most on management servers, etc – Web application scanning => Merchant – All others =>CSP Decision: move the payment data off CSP and “off PCI” you go 169
171
© 2011 Cloud Security Alliance, Inc. All rights reserved. How to Stay Compliant? Keep testing the CSP PCI-OK status and check the matrix for missing controls 170
172
© 2011 Cloud Security Alliance, Inc. All rights reserved. Compliance Evidence What to show to QSA? Evidence of ALL controls – yours and CSPs MUST DO: obtained detailed PCI evidence from CSP for controls that apply to your environment! 171
173
© 2011 Cloud Security Alliance, Inc. All rights reserved. Responsibility SPLIT// PaaS PCI PROVIDER Application platform security Physical Network Encryption Key management System security MERCHANT Application security Scoping Monitoring (unless extra $ to CSP) 172
174
© 2011 Cloud Security Alliance, Inc. All rights reserved. 173 Example Scenario 5// Control Matrix PCI DSS RequirementMerchant: PaaS userCloud provider: PaaS Secure application development: R6 YesYes (for platform) Update OS: RXXNoYes Log management: R10Yes – application logsYes – everything else (or data provided to merchant!) Render PANs unreadable: R3.4 YesYes – where touches their environment Physical access control: R9 NoYes Vulnerability scanning: R11.2 NoYes Penetration tests: R11.3Yes – application levelYes – for physical, network, application, etc Security policy: R12Yes - applicableYes – for the rest Wireless security: R11.1NoYes
175
© 2011 Cloud Security Alliance, Inc. All rights reserved. Notable PCI DSS Requirements to Watch Requirement 1 Firewall architecture (“cloud networks are flat”) Requirement 4.1 “Use strong cryptography and security protocols “ – Intra-CSP traffic may be seen as public Requirement 6.1 patch management is Joint; and need to be done by both Requirement 12.8 covers service providers and the matrix 174
176
© 2011 Cloud Security Alliance, Inc. All rights reserved. Contract SLA Tips Clear acceptance of responsibility for “their” controls Verification of provider controls Incident response support for data breaches 175
177
© 2011 Cloud Security Alliance, Inc. All rights reserved. Common Pitfalls and Key Risks Failure to test the provider on the ongoing basis SLA failures: no escalation, evidence sharing, incident response cooperation 176
178
© 2011 Cloud Security Alliance, Inc. All rights reserved. Scenario 6// Tiered PCI 177 Merchant – ecommerce or stores Use public cloud PaaS or SaaS provider … … who uses public IaaS provider Processes cards and possibly stores them … somewhere
179
© 2011 Cloud Security Alliance, Inc. All rights reserved. Description A major ecommerce website Uses CSP for a broad spectrum of tasks, including payments Their provider uses another cloud provider Some cloud providers MAY BE PCI-OK PAN data stored/passed in the cloud PAN data processed in the cloud 178
180
© 2011 Cloud Security Alliance, Inc. All rights reserved. Scenario 6// Visual 179
181
© 2011 Cloud Security Alliance, Inc. All rights reserved. Q: Can they be PCI DSS compliant? 180 Audience Poll A: Yes C: Cannot tell B: No Must the provider be PCI-OK? Must their provider’s provider be PCI-OK? Can the merchant be PCI-OK if some CSPs are not?
182
© 2011 Cloud Security Alliance, Inc. All rights reserved. Tiered Merchant Example 181 Merchant uses CSP (SaaS) that uses Amazon EC2 (IaaS) A public Amazon case study http://aws.amazon.com/solution s/case-studies/36boutiques/
183
© 2011 Cloud Security Alliance, Inc. All rights reserved. How to Assess? Key: The Matrix … Must Have No Holes, Again …but there are more dimensions now 182
184
© 2011 Cloud Security Alliance, Inc. All rights reserved. Your CSP’s CSP is NOT your CSP! … and that some controls are NOT implemented by your CSP and they simply “trust their CSP assertions” 183
185
© 2011 Cloud Security Alliance, Inc. All rights reserved. How to Scope? Worst case: FORGET IT! We can never figure it out… ……. reality ……………… Best case: payment chain is isolated from ALL the CSPs (zero scope for you, all scope is with payment provider) 184
186
© 2011 Cloud Security Alliance, Inc. All rights reserved. We went through six PCI-in-the- cloud scenarios! 185 Ahhhhhh……
187
© 2011 Cloud Security Alliance, Inc. All rights reserved. Business: ecommerce Setup: uses CSP for web hosting and all application hosting, accepts payment cards, sells to consumers Challenge: we are a QSA they hired to “get them compliant” Next steps? 186 Exercise// How to Comply/Assess?
188
© 2011 Cloud Security Alliance, Inc. All rights reserved. What do the scenarios teach us about PCI and cloud? 1. “Kill the scope” works in the cloud as well 2. It is better to have the payment processor handle more and merchant/CSP handle less of the PCI burden 3. CSP may do it, but MERCHANT is responsible and need to validate it 4. Finally, we CAN have PCI in the cloud! 187
189
© 2011 Cloud Security Alliance, Inc. All rights reserved. Final Recommendations Follow the scenarios as templates for your projects Learn to scope in the cloud Make a matrix of shared responsibility (and “keep it with you at all times” ) Remember: MERCHANT is on the hook, even if CSP does it (as per PCI DSS) Requirement 12.8 is NOT “a punt” 188
190
© 2011 Cloud Security Alliance, Inc. All rights reserved. Additional Tips from Past Class Discussions Use PCI + cloud security thinking for other sensitive data: SSN, PHI, financials, etc Involve legal in SLA and other discussions about regulated data in the cloud (!) Scan for YOUR sensitive data being put in the cloud by business partners – in THEIR clouds “Trust but verify” principle MUST be applied to your CSP 189
191
© 2011 Cloud Security Alliance, Inc. All rights reserved. Any Lessons from the Audience? Anything “juicy” I missed to conclude? 190
192
© 2011 Cloud Security Alliance, Inc. All rights reserved. A one-liner version? 191 If you can get rid of the PANs in the cloud, DO IT!
193
© 2011 Cloud Security Alliance, Inc. All rights reserved. Questions? 192
194
© 2011 Cloud Security Alliance, Inc. All rights reserved. Thanks for Your Review! Courseware author Dr. Anton Chuvakin would like to thank the following people for their thoughtful review of class materials: Walt Conway @ 403 Labs Martin McKeay @ Verizon Mike Dahn @ PWC Doug Barbin @ BrightLine Jason Chan @ Netflix 193
195
© 2011 Cloud Security Alliance, Inc. All rights reserved. Additional Materials In the notes, there are links to various useful reading, in addition to CSA and other sites mentioned in the class. Go to www.cloudsecurityalliance.org for the latest information on our educational resourceswww.cloudsecurityalliance.org 194
196
© 2011 Cloud Security Alliance, Inc. All rights reserved. 195
Similar presentations
© 2024 SlidePlayer.com Inc.
All rights reserved.