Presentation is loading. Please wait.

Presentation is loading. Please wait.

© 2011 Cloud Security Alliance, Inc. All rights reserved.

Published byBeverly Briggs Modified over 8 years ago

Similar presentations

Presentation on theme: "© 2011 Cloud Security Alliance, Inc. All rights reserved."— Presentation transcript:

1

2 © 2011 Cloud Security Alliance, Inc. All rights reserved.

3 Thanks to Class Sponsors 2 Courseware created by Dr. Anton Chuvakin for Cloud Security Alliance

4 © 2011 Cloud Security Alliance, Inc. All rights reserved. About the Cloud Security Alliance Global, not-for-profit organization Building best practices and a trusted cloud ecosystem Comprehensive research and tools Certificate of Cloud Security Knowledge (CCSK) www.cloudsecurityalliance.org 3

5 © 2011 Cloud Security Alliance, Inc. All rights reserved. About the Class Learn/refresh knowledge about PCI DSS Learn/refresh knowledge about cloud computing Understand how to assess PCI compliance in cloud environments Understand how to implement PCI DSS controls in cloud environments Gain useful tools for planning/doing this 4

6 © 2011 Cloud Security Alliance, Inc. All rights reserved. 5 5

7 Show of hands please… 1. QSA 2. Merchant a) L1 b) L2-4 3. Service provider 4. Security tool vendor 5. Security consultant 6. Other 6 6

8 © 2011 Cloud Security Alliance, Inc. All rights reserved. Prerequisites Know how to spell “P-C-I D-S-S” Have heard about “The Cloud” Possess basic information security knowledge, IT management 7

9 © 2011 Cloud Security Alliance, Inc. All rights reserved. Full Class Outline Introduction What this class is about, prerequisites, how to benefit PCI DSS reminder Cloud basics Where cloud interacts with PCI DSS Key cloud PCI controls Core PCI DSS + cloud scenarios Conclusions and action items 8

10 © 2011 Cloud Security Alliance, Inc. All rights reserved. 9

11 How to benefit? If you are a merchant… Learn how to stay compliant in the cloud, what to ask of CSPs, what to show to QSAs If you are a QSA… Figure how to assess merchants and CSPs If you are a cloud service provider… Learn how to keep you and merchants compliant If you are a security vendor… Learn about the new problems you can solve If you are a consultant around PCI and cloud… Learn the “pain points” around PCI DSS and cloud 10

12 © 2011 Cloud Security Alliance, Inc. All rights reserved. PCI in the Cloud... In the Media 11

13 © 2011 Cloud Security Alliance, Inc. All rights reserved. 12

14 © 2011 Cloud Security Alliance, Inc. All rights reserved. Quick Reality Check 13

15 © 2011 Cloud Security Alliance, Inc. All rights reserved. Cloud? 14

16 © 2011 Cloud Security Alliance, Inc. All rights reserved. PCI DSS? 15

17 © 2011 Cloud Security Alliance, Inc. All rights reserved. Together? 16

18 © 2011 Cloud Security Alliance, Inc. All rights reserved. DISCUSSION! 17

19 © 2011 Cloud Security Alliance, Inc. All rights reserved. 18

20 © 2011 Cloud Security Alliance, Inc. All rights reserved. Why is PCI Here? 19 Criminals need money Credit cards = MONEY Where are the most cards? In computers. Data theft grows and reaches HUGE volume. Some organizations still don’t care… especially if the loss is not theirs PAYMENT CARD BRANDS ENFORCE DSS!

21 © 2011 Cloud Security Alliance, Inc. All rights reserved. Laggards vs. Leaders 20 Issue: many merchants don’t even want to “grow up” to the floor of security Result: breaches, loss of card data, lawsuits, unhappy consumers, threat of regulation Action: PCI DSS mandate!

22 © 2011 Cloud Security Alliance, Inc. All rights reserved. What is PCI DSS or PCI? Payment Card Industry Data Security Standard Payment Card = Payment Card Industry = Data Security = Data Security Standard = 21

23 © 2011 Cloud Security Alliance, Inc. All rights reserved. 22 PCI DSS: Basic Security Practices!

24 © 2011 Cloud Security Alliance, Inc. All rights reserved. PCI DSS Domain Coverage … In no particular order: Security policy and procedures Network security Malware protection Application security (and web) Vulnerability scanning and remediation Logging and monitoring Security awareness 23

25 © 2011 Cloud Security Alliance, Inc. All rights reserved. PCI DSS 2.0 is Here! Select items changing for PCI 2.0 Scoping clarification Data storage Virtualization (!!) DMZ clarification Vulnerability remediation Remote data access 24

26 © 2011 Cloud Security Alliance, Inc. All rights reserved. Does it Apply to Me? “PCI DSS compliance includes merchants and service providers who accept, capture, store, transmit or process credit and debit card data.” 25

27 © 2011 Cloud Security Alliance, Inc. All rights reserved. PCI Game: The Players 26 PCI Security Standards Council

28 © 2011 Cloud Security Alliance, Inc. All rights reserved. PCI Regime vs DSS Guidance The PCI Council publishes PCI DSS Outlined the minimum data security protections measures for payment card data. Defined Merchant & Service Provider Levels, and compliance validation requirements. Left the enforcement to card brands (Council doesn’t fine anybody!) Key point: PCI DSS (document) vs PCI (validation regime) 27

29 © 2011 Cloud Security Alliance, Inc. All rights reserved. PCI Security Standards Council Founded by: American Express Discover Financial Services JCB MasterCard Worldwide Visa International Publishes PCI DSS, PA-DSS and PTS Releases additional security guidance Approves security vendors Approved Scanning Vendors (ASV) – Quarterly Scans Qualified Security Assessor (QSA) – On-Site Assessments 28

30 © 2011 Cloud Security Alliance, Inc. All rights reserved. My Data – Their Risk!? *I* GIVE *YOU* DATA *YOU* LOSE IT *ANOTHER* SUFFERS! 29

31 © 2011 Cloud Security Alliance, Inc. All rights reserved. Key Concept// Scoping 30

32 © 2011 Cloud Security Alliance, Inc. All rights reserved. Sidenote// FLAT NET to FLAT CLOUD REALITY: “Without adequate network segmentation (sometimes called a "flat network") the entire network is in scope of the PCI DSS assessment.“ (PCI DSS 2.0) DREAM: “Without adequate network segmentation the entire CLOUD is in scope of the PCI DSS assessment.“ 31

33 © 2011 Cloud Security Alliance, Inc. All rights reserved. Key Concept// Compliance vs Validation Q: What to do after your QSA leaves? A: PCI DSS compliance does NOT end when a QSA leaves or SAQ is submitted. Use what you built for PCI to reduce risk “Own” PCI DSS; make it the basis for your policies 32

34 © 2011 Cloud Security Alliance, Inc. All rights reserved. Key Concept// Stay Compliant Ongoing compliance with PCI DSS – tasks: 33 TASKFREQUENCY Risk assessment, security awareness, key changes, review off-site backups, QSA assessment, etc Annual ASV and internal scans, wireless scansQuarterly File integrity checkingWeekly Log and alerts review, other operational procedures Daily

35 © 2011 Cloud Security Alliance, Inc. All rights reserved. Failing That… “Classic” example from my PCI book, co-author Branden Williams 34

36 © 2011 Cloud Security Alliance, Inc. All rights reserved. Two BIG Approaches to PCI DSS Compliance SECURE the data: Encrypt, access control, monitor, block attempts, authenticate, authorized, etc… 35 These apply to PCI in the cloud as well! DELETE the data: Organize your business to avoid dealing with the data

37 © 2011 Cloud Security Alliance, Inc. All rights reserved. 36

38 © 2011 Cloud Security Alliance, Inc. All rights reserved. 37

39 © 2011 Cloud Security Alliance, Inc. All rights reserved. NIST Definition of Cloud Computing “Cloud computing is a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources that can be rapidly provisioned and released with minimal management effort or service provider interaction. “ 38

40 © 2011 Cloud Security Alliance, Inc. All rights reserved. 5 Essential Cloud Characteristics 1. On-demand self-service 2. Broad network access 3. Resource pooling – Location independence 4. Rapid elasticity 5. Measured service 39

41 © 2011 Cloud Security Alliance, Inc. All rights reserved. 3 Cloud Service Models 1. Cloud Software as a Service (SaaS) – Use provider’s applications over a network 2. Cloud Platform as a Service (PaaS) – Deploy customer-created applications to a cloud 3. Cloud Infrastructure as a Service (IaaS) – Rent processing, storage, network capacity, and other fundamental computing resources To be considered “cloud” they must be deployed on top of cloud infrastructure that has the essential characteristics 40

42 © 2011 Cloud Security Alliance, Inc. All rights reserved. 4 Cloud Deployment Models Private cloud Enterprise owned or leased Community cloud Shared infrastructure for specific community Public cloud <- our focus in this class! Sold to the public, mega-scale infrastructure Hybrid cloud Composition of two or more clouds 41

43 © 2011 Cloud Security Alliance, Inc. All rights reserved. 7 Common Cloud Characteristics 1. Massive scale 2. Homogeneity 3. Virtualization 4. Resilient computing 5. Low cost software 6. Geographic distribution 7. Service orientation 42 42

44 © 2011 Cloud Security Alliance, Inc. All rights reserved. All of this TOGETHER: The Cloud CommunityCloud Private Cloud Public Cloud Hybrid Clouds Deployment Models Service Models Essential Characteristics Common Characteristics Software as a Service (SaaS) Platform as a Service (PaaS) Infrastructure as a Service (IaaS) Resource Pooling Broad Network AccessRapid Elasticity Measured Service On Demand Self-Service Low Cost Software VirtualizationService Orientation Advanced Security Homogeneity Massive ScaleResilient Computing Geographic Distribution 43

45 © 2011 Cloud Security Alliance, Inc. All rights reserved. Example IaaS// Amazon Cloud Amazon cloud components – Elastic Compute Cloud (EC2) Run your own or Amazon’s OS “instances” – Simple Storage Service (S3) – SimpleDB – Other services 44

46 © 2011 Cloud Security Alliance, Inc. All rights reserved. Example PaaS// Google App Engine Create, deploy and run applications NO control (or, in fact, even visibility) of OS Use SDK to develop the applications Run “natively” in the cloud 45

47 © 2011 Cloud Security Alliance, Inc. All rights reserved. Example SaaS// Salesforce Well-known SaaS CRM application Cloud CRM + a lot more applications 46

48 © 2011 Cloud Security Alliance, Inc. All rights reserved. Example P/IaaS // Azure Source: Microsoft Presentation, A Lap Around Windows Azure, Manuvir Das 47

49 © 2011 Cloud Security Alliance, Inc. All rights reserved. Service Model Architectures 48

50 © 2011 Cloud Security Alliance, Inc. All rights reserved. Foundational Elements of Cloud Computing Virtualization Grid technology Service Oriented Architectures Distributed Computing Broadband Networks Browser as a platform Free and Open Source Software Autonomic Systems Web 2.0 Web application frameworks Service Level Agreements Primary TechnologiesOther Technologies 49

51 © 2011 Cloud Security Alliance, Inc. All rights reserved. Security? Are there …mmm …cloud security issues? 50

52 © 2011 Cloud Security Alliance, Inc. All rights reserved. 51 Security: Barrier to Adoption?

53 © 2011 Cloud Security Alliance, Inc. All rights reserved. 52 What is Different about Cloud?

54 © 2011 Cloud Security Alliance, Inc. All rights reserved. Security Relevant Cloud Components Cloud Provisioning Services Cloud Data Storage Services Cloud Processing Infrastructure Cloud Support Services Cloud Network and Perimeter Security Elastic Elements: Storage, Processing, and Virtual Networks 53

55 © 2011 Cloud Security Alliance, Inc. All rights reserved. 54 What is Different about Cloud?

56 © 2011 Cloud Security Alliance, Inc. All rights reserved. 55 What is Different about Cloud?

57 © 2011 Cloud Security Alliance, Inc. All rights reserved. 56 What is Different about Cloud?

58 © 2011 Cloud Security Alliance, Inc. All rights reserved. CSA Cloud “Threats” 1. Abuse & Nefarious Use of Cloud Computing 2. Insecure Interfaces & APIs 3. Malicious Insiders 4. Shared Technology Issues 5. Data Loss or Leakage 6. Account or Service Hijacking 7. Unknown Risk Profile 57

59 © 2011 Cloud Security Alliance, Inc. All rights reserved. ENISA Cloud Risks 1. Loss of governance 2. Lock-in 3. Isolation failure 4. Compliance risks 5. Management interface compromise 6. Data protection 7. Insecure or incomplete data deletion 8. Malicious insider 58

60 © 2011 Cloud Security Alliance, Inc. All rights reserved. iSEC Realistic Cloud “Threats” 1. Authentication abuse 2. Operations breakdown 3. Misuse of cloud-specific technology 59

61 © 2011 Cloud Security Alliance, Inc. All rights reserved. FBI Takes Cloud Away 60

62 © 2011 Cloud Security Alliance, Inc. All rights reserved. Discussion 61 What do YOU think are actual, relevant, TRUE threats to cloud computing?

63 © 2011 Cloud Security Alliance, Inc. All rights reserved. While we are “in the cloud” Here are some additional CSA/cloud security resources… 62

64 © 2011 Cloud Security Alliance, Inc. All rights reserved. CSA GRC Stack Bringing it all together to peel back the layers of control ownership and address concerns for trusted Cloud adoption. 63 Control Requirements Provider Assertions Private, Community & Public Clouds

65 © 2011 Cloud Security Alliance, Inc. All rights reserved. CSA CloudAudit Open standard and API to automate provider audit assertions Change audit from data gathering to data analysis Necessary to provide audit & assurance at the scale demanded by cloud providers Uses Cloud Controls Matrix as controls namespace Use to instrument cloud for continuous controls monitoring 64

66 © 2011 Cloud Security Alliance, Inc. All rights reserved. CSA Cloud Controls Matrix 65 Controls derived from guidance Mapped to familiar frameworks: ISO 27001, COBIT, PCI, HIPAA Rated as applicable to SaaS/PaaS/IaaS Customer vs Provider role Help bridge the “cloud gap” for IT & IT auditors https://cloudsecurityalliance.org/research/projects/cloud-controls-matrix-ccm/

67 © 2011 Cloud Security Alliance, Inc. All rights reserved. 66 Next?

68 © 2011 Cloud Security Alliance, Inc. All rights reserved. Do We See A Cloud in There? Requirement 12.8 “If cardholder data is shared with service providers, maintain and implement policies and procedures to 67 manage service providers…” Requirement A.1: “Shared hosting providers must protect the cardholder data environment”

69 © 2011 Cloud Security Alliance, Inc. All rights reserved. Magic of Requirement 12.8 Q: Does PCI DSS apply to merchants who use payment gateways to process transactions on their behalf, and thus never store, process or transmit cardholder data? A: PCI DSS requirements are applicable if a Primary Account Number (PAN) is stored, processed, or transmitted. If PAN is not stored, processed, or transmitted, PCI DSS requirements do not apply. ….…………………. however ……………………… 68

70 © 2011 Cloud Security Alliance, Inc. All rights reserved. Magic of 12.8 Revealed “If the merchant shares cardholder data with a … service provider, the merchant must ensure that there is an agreement with that …service provider that includes their acknowledgement that the third party processor/service provider is responsible for the security of the cardholder data it possesses. In lieu of a direct agreement, the merchant must obtain evidence of the … provider's compliance with PCI DSS via other means, such as via a letter of attestation.” 69

71 © 2011 Cloud Security Alliance, Inc. All rights reserved. Requirement 9// Amazon Example Q: “Do QSAs for Level 1 merchants require a physical walkthrough of a service provider’s data center? A: No. A merchant can obtain certification without a physical walkthrough of a service provider’s data center if the service provider is a Level 1 validated service provider (such as AWS). A merchant’s QSA can rely on the work performed by our QSA, which included an extensive review of the physical security of our data centers.” 70

72 © 2011 Cloud Security Alliance, Inc. All rights reserved. June 2011// PCI SSC Virtualization Guidance Key Cloud Items: “CSP should clearly identify which PCI DSS requirements, system components, and services are covered by the cloud provider’s PCI DSS compliance program.” 71

73 © 2011 Cloud Security Alliance, Inc. All rights reserved. PCI SSC on Cloud Challenges “The distributed architectures of cloud environments add layers of technology and complexity to the environment. Public cloud environments are designed to be public-facing, to allow access into the environment from anywhere on the Internet. The infrastructure is by nature dynamic, and boundaries between tenant environments can be fluid. The hosted entity has limited or no visibility into the underlying infrastructure and related security controls. The hosted entity has limited or no oversight or control over cardholder data storage. The hosted entity has no knowledge of ―who ‖ they are sharing resources with, or the potential risks their hosted neighbors may be introducing to the host system, data stores, or other resources shared across a multi-tenant environment” 72

74 © 2011 Cloud Security Alliance, Inc. All rights reserved. And now… … a brainteaser 73

75 © 2011 Cloud Security Alliance, Inc. All rights reserved. Requirement 11.3// Pentesting “11.3 Perform external and internal penetration testing at least once a year and after any significant infrastructure or application upgrade or modification 11.3.1 Network-layer penetration tests 11.3.2 Application-layer penetration tests” “Cloudify” this for me, please! 74

76 © 2011 Cloud Security Alliance, Inc. All rights reserved. Q: How should we address it? 75 Audience Poll A: Only pentest applications with narrow rules D: Hide under our desks and squeal C: Trust that “they do it” B: Go full blast and “own” provider’s datacenter

77 © 2011 Cloud Security Alliance, Inc. All rights reserved. Detailed Example// Amazon PCI 76 Happy now? “Amazon is PCI OK” Huh?

78 © 2011 Cloud Security Alliance, Inc. All rights reserved. Say What…. Q: “What does this mean to me as a PCI merchant or service provider? A: Our PCI Service Provider status means that customers who use our services to store, process or transmit cardholder data can rely on our PCI compliance validation for the technology infrastructure as they manage their own compliance and certification, including PCI audits and responses to incidents. Our service provider compliance covers all requirements as defined by PCI DSS for physical infrastructure service providers. Moving the entire cardholder environment to AWS can simplify your own PCI compliance by relying on our validated service provider status.” 77

79 © 2011 Cloud Security Alliance, Inc. All rights reserved. Example// Amazon view of this 78

80 © 2011 Cloud Security Alliance, Inc. All rights reserved. Example// Amazon Guidance 79

81 © 2011 Cloud Security Alliance, Inc. All rights reserved. 80 Sidenote// “Compliant” Provider of What?

82 © 2011 Cloud Security Alliance, Inc. All rights reserved. 81

83 © 2011 Cloud Security Alliance, Inc. All rights reserved. Scenarios Introduction In scope for discussion: – Public IaaS, PaaS, SaaS – Chained or multiple CSPs NOT in scope: – Traditional hosting providers – Outsourced data center or call center – Private cloud and virtualization on-prem – Virtual private cloud (sort of) 82

84 © 2011 Cloud Security Alliance, Inc. All rights reserved. Learn Using Scenarios Description How to assess this scenarios / Assessment tips How to scope this scenario / Scoping tips How to get compliant How to stay compliant What to show to QSA / compliance evidence Notable PCI requirements to watch Responsibility split Pitfalls, Risks and Tips 83

85 © 2011 Cloud Security Alliance, Inc. All rights reserved. Key Goal DO build a framework for assessing/complying, based on the scenarios DO NOT memorize the scenarios, yours might be different or be a combination of these 84

86 © 2011 Cloud Security Alliance, Inc. All rights reserved. Scenario 1// Clean Cloud 85 Merchant – ecommerce or stores Use public cloud (SaaS, PaaS, IaaS) Cloud environment segmented from CDE NO PANs in any cloud environment … or so they think

87 © 2011 Cloud Security Alliance, Inc. All rights reserved. Description Sells books online Level 1 merchant Uses cloud provider(s) for testing, training, etc Cloud provider NOT PCI-OK NO payment data stored in the cloud NO payment data processed in the cloud NO payment data passed through cloud 86

88 © 2011 Cloud Security Alliance, Inc. All rights reserved. Scenario 1// Visual 87

89 © 2011 Cloud Security Alliance, Inc. All rights reserved. Q: Can they be PCI DSS compliant? 88 Audience Poll A: Yes C: Cannot tell B: No

90 © 2011 Cloud Security Alliance, Inc. All rights reserved. How to Assess? Key: Are they right? Test that PANs didn’t “escape” to Amazon 89

91 © 2011 Cloud Security Alliance, Inc. All rights reserved. How to Scope? On-prem: as usual Cloud environment: IaaS: run a discovery tool Example: DLP tool, open source data discovery, dedicated PAN discovery tool, custom script to look for unencrypted PANs Q: What about encrypted PANs? 90

92 © 2011 Cloud Security Alliance, Inc. All rights reserved. How to Get / Stay Compliant? Easy huh: Keep the PANs out of the cloud Recheck (via discovery tools) that cloud systems are not contaminated by the PANs Look for old PANs, “test” PANs, etc. 91

93 © 2011 Cloud Security Alliance, Inc. All rights reserved. Compliance Evidence What to show to QSA? Discovery scan results Other data that confirms that PCI data does not get to the cloud systems Policies and procedures BANNING card data in the cloud; evidence of people actually following them…. 92

94 © 2011 Cloud Security Alliance, Inc. All rights reserved. Responsibility SPLIT PROVIDER Nothing (not even being PCI compliant) 93 MERCHANT All PCI controls Scoping Keeping cloud systems out of scope

95 © 2011 Cloud Security Alliance, Inc. All rights reserved. Contract SLA Tips Requirement 12.8 does NOT play No SLA in regards to cardholder data 94

96 © 2011 Cloud Security Alliance, Inc. All rights reserved. Common Pitfalls and Key Risks Failing to assure that PANs don’t leak to the cloud Failing to maintain “no PANs in the cloud” status “Rogue PANs” theft is still CHD theft… Tip: run a discovery tool on cloud systems Tip: assure segmentation (no data flow from CDE to YOUR cloud) 95

97 © 2011 Cloud Security Alliance, Inc. All rights reserved. Common PAN Leakage Excel spreadsheet on cloud systems – Excel spreadsheet on Google Documents Application screenshots Finance and HR documents with PANs Other Office formats with PAN information Text dumps from poorly-written/legacy applications 96

98 © 2011 Cloud Security Alliance, Inc. All rights reserved. Scenario 2// Storage in the Cloud 97 Merchant – ecommerce or stores Use public cloud (SaaS, PaaS, IaaS) Stores PANs in public cloud environment!

99 © 2011 Cloud Security Alliance, Inc. All rights reserved. Description A chain of stores across the US West Level 2 merchant Uses cloud provider(s) for testing, training, backup systems, data storage, etc Cloud provider MAY BE PCI-OK PAN data stored in the cloud PAN data transmitted through cloud NO payment data processed in the cloud 98

100 © 2011 Cloud Security Alliance, Inc. All rights reserved. Scenario 2// Visual 99

101 © 2011 Cloud Security Alliance, Inc. All rights reserved. Q: Can they be PCI DSS compliant? 100 Audience Poll A: Yes C: Cannot tell B: No What about their service provider(s)? Must they be PCI-OK for merchant to be PCI-OK? Bonus question: What about their CSPs’ CSP?

102 © 2011 Cloud Security Alliance, Inc. All rights reserved. How to Assess? Key: Encryption AND/OR Provider PCI Status Case #1: Unencrypted PANs at CSP => no PCI compliance possible Case #2: Encrypted with provider having the key => provider must be PCI-OK Case #3: Encrypted with provider NOT having the key => presumably, provider may be NOT PCI-OK 101

103 © 2011 Cloud Security Alliance, Inc. All rights reserved. Huh? What does it mean? IaaS (e.g. VMs in the cloud, EC2 instances, etc) = likely case #3 Merchant deals with PCI DSS, provider may not know anything about it No unencrypted data possible in/across the cloud NO WAY for CSP to decrypt the data Reminder: scan for unintended cloud PANs 102

104 © 2011 Cloud Security Alliance, Inc. All rights reserved. Huh? What does it mean? Part II SaaS or PaaS (e.g SalesForce, etc) = likely case #2 Provider MUST be PCI-OK Merchant and CSP share PCI responsibilities CSP encrypts the data AND/OR can decrypt it 103

105 © 2011 Cloud Security Alliance, Inc. All rights reserved. How to Scope? On-prem: as usual Cloud environment: – IaaS (case #2) Cloud environment can be claimed to be out of scope (if CSP has NO key!!!) Merchant is responsible for all controls Look for unintentional PANs – SaaS and maybe PaaS (case #3) Cloud environment IS in scope Controls shared between CSP and Merchant 104

106 © 2011 Cloud Security Alliance, Inc. All rights reserved. PCI Council Says… “For example, an entity subscribing to an IaaS service may retain complete control of, and therefore be responsible for, the ongoing security and maintenance of all operating systems, applications, virtual configurations (including the hypervisor and virtual security appliances), and data. In this scenario, the cloud provider would only be responsible for maintaining the underlying physical network and computing hardware. In an alternative scenario, a SaaS service offering may encompass management of all hardware and software, including virtual components and hypervisor configurations. In this scenario, the entity may only be responsible for protecting their data, and all other security requirements would be implemented and managed by the service provider.” 105

107 © 2011 Cloud Security Alliance, Inc. All rights reserved. How to Get Compliant? 1. Realize what scenario you are in, then either a) Ensure CSP cooperation and PCI-OK status (see matrix), or (“PCI in cloud”, SaaS/PaaS) b) Encrypt all PANs and prevent the provider from having the key (“no PCI in cloud”, IaaS) 2. In case a), build the control matrix and test it 106

108 © 2011 Cloud Security Alliance, Inc. All rights reserved. How to Stay Compliant? Either … Keep testing the CSP PCI-OK status and check the matrix for missing controls Keep encrypting, preventing the provider from seeing the key and testing for “rogue PANs” 107

109 © 2011 Cloud Security Alliance, Inc. All rights reserved. Compliance Evidence What to show to QSA? By case… CSP PCI status and additional evidence of how they do PCI DSS Proof of your scoping decision to exclude the cloud due to encryption + evidence of all other PCI controls, of course 108

110 © 2011 Cloud Security Alliance, Inc. All rights reserved. Responsibility SPLIT// IaaS/No Cloud PCI/Encryption PROVIDER Nothing (may not even be PCI compliant) 109 MERCHANT All PCI controls Encryption + key management Scoping Keeping cloud systems out of scope

111 © 2011 Cloud Security Alliance, Inc. All rights reserved. Responsibility SPLIT// SaaS/Cloud PCI provider PROVIDER Security policy Physical Network Encryption Key management System security Parts of application security 110 MERCHANT Security policy Application security Scoping Monitoring (unless extra $ to CSP)

112 © 2011 Cloud Security Alliance, Inc. All rights reserved. 111 Example Scenario 2// Control Matrix

113 © 2011 Cloud Security Alliance, Inc. All rights reserved. Ooops! Merchant uses IaaS, manages the systems, encrypts the data – (so far, case “No Cloud PCI”) …but SHARES THE KEY WITH CSP! What now? 112

114 © 2011 Cloud Security Alliance, Inc. All rights reserved. Notable PCI DSS Requirements to Watch Requirement 3.4 covers the encryption of stored data. Requirement 12.8 covers service providers and the matrix Requirement A cover shared hosting providers 113

115 © 2011 Cloud Security Alliance, Inc. All rights reserved. Contract SLA Tips Case SaaS/“PCI in the cloud” Clear acceptance of responsibility for “their” controls Verification of provider controls Incident response support for data breaches 114

116 © 2011 Cloud Security Alliance, Inc. All rights reserved. PCI Council Says… “The cloud provider should clearly identify which PCI DSS requirements, system components, and services are covered by the cloud provider’s PCI DSS compliance program. Any aspects of the service not covered by the cloud provider should be identified, and it should be clearly documented in the service agreement that these aspects, system components, and PCI DSS requirements are the responsibility of the hosted entity to manage and assess. The cloud provider should provide sufficient evidence and assurance that all processes and components under their control are PCI DSS compliant. “ 115

117 © 2011 Cloud Security Alliance, Inc. All rights reserved. Common Pitfalls and Key Risks For IaaS/No PCI in cloud/encryption case, assurance of provider not being able to decrypt the data For SaaS/PCI in cloud, failure to test the provider on the ongoing basis SLA failures: no escalation, evidence sharing, incident response cooperation “Finger pointing” 116

118 © 2011 Cloud Security Alliance, Inc. All rights reserved. Scenario 3// IaaS PCI 117 Merchant – ecommerce or stores Use public cloud IaaS provider Processes cards and possibly stores them as well in the cloud

119 © 2011 Cloud Security Alliance, Inc. All rights reserved. Description Global airline with physical and online purchases Uses CSP for a broad spectrum of payment tasks Cloud provider MUST be PCI-OK PAN data stored in the cloud PAN data passed through cloud PAN data processed in the cloud – at the same provider! 118

120 © 2011 Cloud Security Alliance, Inc. All rights reserved. Scenario 3// Visual 119

121 © 2011 Cloud Security Alliance, Inc. All rights reserved. Q: Can they be PCI DSS compliant? 120 Audience Poll A: Yes C: Cannot tell B: No Who is doing what for the merchant to be PCI-OK? Bonus question: What about their SPs’ SP’s SP?

122 © 2011 Cloud Security Alliance, Inc. All rights reserved. How to Assess? Key: The Matrix … Must Have No Holes ALL PCI DSS controls are in place for all layers of the cloud environment – and somebody must … pay for it 121

123 © 2011 Cloud Security Alliance, Inc. All rights reserved. 122 Secret to PCI In the Cloud

124 © 2011 Cloud Security Alliance, Inc. All rights reserved. Huh? The Matrix? Two basic FACTS: 1. Merchant CANNOT do PCI DSS without the CSP! 2. CSP CANNOT make merchant compliant! The only way is a clear delineation of duties aka … The Control Matrix 123

125 © 2011 Cloud Security Alliance, Inc. All rights reserved. PCI Council Says… “For example, an entity subscribing to an IaaS service may retain complete control of, and therefore be responsible for, the ongoing security and maintenance of all operating systems, applications, virtual configurations (including the hypervisor and virtual security appliances), and data. In this scenario, the cloud provider would only be responsible for maintaining the underlying physical network and computing hardware.” 124

126 © 2011 Cloud Security Alliance, Inc. All rights reserved. How to Scope? On-prem: as usual Cloud IaaS environment: – IaaS systems are in scope: systems, applications, network, devices, hypervisor – Two tiered scoping (PCI 2.0 artifact) Systems WITH data vs systems that touch/manage systems with data Think “outsourced datacenter+” 125

127 © 2011 Cloud Security Alliance, Inc. All rights reserved. How to Get Compliant? One Approach!! 1. Pretend all IaaS infrastructure is YOUR ON-PREMISE network 2. Plan PCI DSS controls for it 3. Realize which controls you CANNOT do since it is really NOT an on-prem network and you don’t control some domains (e.g. physical) – Then have a talk with a provider on whether THEY a) CAN and b) WILL cover that 4. Realize which controls DON’T APPLY verbatim to the cloud environment – Then and figure how to compensate!! 126

128 © 2011 Cloud Security Alliance, Inc. All rights reserved. For Example Project: replace branch servers with IaaS- deployed servers PCI controls: all on branch server replacement, most on management servers, etc – Physical? => CSP – Firewall management => CSP – Monitoring? => CSP MSSP service ($) – Web application scanning => Ooops! 127

129 © 2011 Cloud Security Alliance, Inc. All rights reserved. How to Stay Compliant? Keep testing the CSP PCI-OK status and check the matrix for missing controls 128

130 © 2011 Cloud Security Alliance, Inc. All rights reserved. PAN Flow 129

131 © 2011 Cloud Security Alliance, Inc. All rights reserved. Compliance Evidence What to show to QSA? Evidence of ALL controls – yours and CSPs Evidence of ongoing compliance: logging, testing, etc MUST DO: obtained detailed PCI evidence from CSP for controls that apply to your environment! 130

132 © 2011 Cloud Security Alliance, Inc. All rights reserved. Responsibility SPLIT// IaaS PCI PROVIDER Physical Network Encryption Key management System security Parts of application security MERCHANT Application security Scoping Monitoring (unless extra $ to CSP) 131

133 © 2011 Cloud Security Alliance, Inc. All rights reserved. 132 Example Scenario 3// Control Matrix

134 © 2011 Cloud Security Alliance, Inc. All rights reserved. Sidenote// Owner vs Manager 133 Setting: IaaS provider (EC2 or other) PCI Requirement: Req 1 firewall management CSP OWNS the firewall appliance Merchant, CSP, CSP MSSP or 3 rd party MANAGES the firewall settings Who is left holding the PCI bag?

135 © 2011 Cloud Security Alliance, Inc. All rights reserved. PCI Council Says… 134 … you go figure it out!

136 © 2011 Cloud Security Alliance, Inc. All rights reserved. Full SAMPLE Matrix Review This matrix is JUST A SAMPLE Used here AS AN EXAMPLE This is NOT YOUR REAL THING EXAMPLE means “here is what CAN be” EXAMPLE SAMPLE ILLUSTRATION! Did I mention it is just an example? 135

137 © 2011 Cloud Security Alliance, Inc. All rights reserved. How to use the shared PCI control matrix? The class addendum, EXAMPLE PCI DSS shared control matrix can be used as follows: To review one possible control sharing methodology between CSP and merchant To validate one’s own control sharing For security discussion with CSPs As a foundation for one’s control sharing – with caution! 136

138 © 2011 Cloud Security Alliance, Inc. All rights reserved. Notable PCI DSS Requirements to Watch Requirement 3.4 covers the encryption of stored data. Requirement 12.8 covers service providers and the matrix Requirement A cover shared hosting providers 137

139 © 2011 Cloud Security Alliance, Inc. All rights reserved. Contract SLA Tips Case SaaS/“PCI in the cloud” Clear acceptance of responsibility for “their” controls Verification of provider controls Incident response support for data breaches 138

140 © 2011 Cloud Security Alliance, Inc. All rights reserved. Common Pitfalls and Key Risks Failure to test the provider on the ongoing basis Trusting the provider without evidence SLA failures: no escalation, evidence sharing, incident response cooperation Tip: make SLA as detailed as possible – involve both information security AND legal 139

141 © 2011 Cloud Security Alliance, Inc. All rights reserved. Scenario 4// Twice-Cloudy PCI 140 Merchant – ecommerce or stores Use public cloud IaaS provider Processes cards and possibly stores them as well in the cloud Uses a dedicated CSP for payment processing (P), NOT hosting CSP (H)

142 © 2011 Cloud Security Alliance, Inc. All rights reserved. Description An ecommerce company with seasonal highly sales Uses CSP H, but with payment processing handled by CSP P Cloud provider P MUST be PCI-OK Cloud provider H SHOULD be PCI-OK (?) PAN data processed and stored in the cloud – by CSP P 141

143 © 2011 Cloud Security Alliance, Inc. All rights reserved. 142 Scenario 4// Visual

144 © 2011 Cloud Security Alliance, Inc. All rights reserved. Q: Can they be PCI DSS compliant? 143 Audience Poll A: Yes C: Cannot tell B: No Should CSP H be PCI compliant? Can merchant be PCI compliant if CSP H is NOT?

145 © 2011 Cloud Security Alliance, Inc. All rights reserved. This is VERY COMMON… … but there is A LOT OF DEVIL in the details 144

146 © 2011 Cloud Security Alliance, Inc. All rights reserved. Example// Cloud Sites by Rackspace 145

147 © 2011 Cloud Security Alliance, Inc. All rights reserved. Example// Microsoft Azure 146 Official Azure FAQ (2011) Q: “Can you host PCI (e.g. credit card) data [on Azure]? A: Microsoft makes no claim regarding these standards for 3rd party hosting. There are ways to develop cloud based applications to use 3rd party PCI data processers that may keep the cloud application itself out of scope.” Bonus question: where does here point?

148 © 2011 Cloud Security Alliance, Inc. All rights reserved. How to Assess? Key: Contain Toxic (=PCI) Data In “Special Clouds”, Don’t Taint Your IaaS! The logic here is to offload all (if possible) operations with PANs to a payment provider 147

149 © 2011 Cloud Security Alliance, Inc. All rights reserved. How to Scope? On-prem: as usual Don’t SCOPE - KILL the scope to nothing in the cloud Minimize “rogue PANs” 148

150 © 2011 Cloud Security Alliance, Inc. All rights reserved. Huh? Toxic What? Three basic FACTS: 1. If neither Merchant nor CSP can see payment data, there is tiny scope of PCI for them (*) 2. If CSP cannot see the data, but Merchant can, then this is a traditional on-prem PCI environment 3. The more payment provider takes on, the better: PCI stays in their cloud 149

151 © 2011 Cloud Security Alliance, Inc. All rights reserved. Example// PayPal API “With Website Payments Standard, Email Payments, and Payflow Link*, PayPal handles the payment card information for you. So you don’t have to worry about your buyers’ payment card security or about compliance with PCI DSS for your business.” Will they really sign such agreement? 150

152 © 2011 Cloud Security Alliance, Inc. All rights reserved. Example// Amazon FPS Perfect “cloud shield”: “As a part of Amazon Payments' services you [=merchant!] may not have access to certain information associated with Cards being processed, including without limitation account number, expiration date, and the card verification value (CVV2/CVC2) (collectively, “Cardholder Data”).” 151

153 © 2011 Cloud Security Alliance, Inc. All rights reserved. 152 Example// Rackspace “Compliant” Cloud

154 © 2011 Cloud Security Alliance, Inc. All rights reserved. How to Get and Stay Compliant? 1. Avoid PANs 2. Engineer the payment chain to avoid having PANs in CSP H and your own environment 3. Verify CSP P compliant status (duh!) 153

155 © 2011 Cloud Security Alliance, Inc. All rights reserved. How to Stay Compliant? Keep testing the CSP PCI-OK status and check the matrix for missing controls 154

156 © 2011 Cloud Security Alliance, Inc. All rights reserved. Compliance Evidence What to show to QSA? Evidence of zero scope – Data flow, system architecture, etc Evidence of CSP P PCI compliance 155

157 © 2011 Cloud Security Alliance, Inc. All rights reserved. Responsibility SPLIT// IaaS PCI 156 CSP H Nothing MERCHANT Application security (maybe) Provider management Others as deployed CSP P All PCI Controls

158 © 2011 Cloud Security Alliance, Inc. All rights reserved. PCI Council Says… 157 … you go figure it out!

159 © 2011 Cloud Security Alliance, Inc. All rights reserved. Notable PCI DSS Requirements to Watch Possibly none – if no merchant ID and no relationship with acquirer Requirement 12.8 covers service providers 158

160 © 2011 Cloud Security Alliance, Inc. All rights reserved. Common Pitfalls, Risks and SLA Tips PAN leakage, temporary files and other artifacts of bad coding of payment provider APIs Web application attacks that redirect the PAN flow to the attacker Crash dumps with PANs 159

161 © 2011 Cloud Security Alliance, Inc. All rights reserved. Scenario 5// PaaS PCI 160 Merchant – ecommerce or stores Use public cloud PaaS provider Processes cards and possibly stores them as well in the cloud

162 © 2011 Cloud Security Alliance, Inc. All rights reserved. PaaS… Come Again? PaaS is EXACTLY between IaaS and SaaS IaaS: OS, VM, networks, etc SaaS: application What’s in between? An environment for application development … PaaS 161

163 © 2011 Cloud Security Alliance, Inc. All rights reserved. Description A major ecommerce website Uses CSP for a broad spectrum of tasks, including payments Cloud provider MAY BE PCI-OK PAN data stored/passed in the cloud PAN data processed in the cloud Merchant does NOT control the OS/VMs at the CSP 162

164 © 2011 Cloud Security Alliance, Inc. All rights reserved. Scenario 5// Visual 163

165 © 2011 Cloud Security Alliance, Inc. All rights reserved. Q: Can they be PCI DSS compliant? 164 Audience Poll A: Yes C: Cannot tell B: No Must the provider be PCI-OK? Can the merchant be PCI-OK if the CSP is not? What must merchant do because the provider cannot do it?

166 © 2011 Cloud Security Alliance, Inc. All rights reserved. How to Assess? Key: Need to Understand Your CSP… Really Well 165

167 © 2011 Cloud Security Alliance, Inc. All rights reserved. Decision Time If PaaS CSP is NOT PCI-OK (Force.com, Azure) THEN the only way to PCI is complete “3 rd party payment takeover” ->Scenario 4 166 If PaaS CSP IS PCI-OK THEN build the control matrix -> Scenario 3

168 © 2011 Cloud Security Alliance, Inc. All rights reserved. How to Scope? On-prem: as usual Cloud PaaS environment: – PaaS systems are in scope: systems, applications, network, devices, hypervisor – Two tiered scoping (PCI 2.0 artifact) Systems WITH data vs systems that touch/manage systems with data Think “outsourced IT-” 167

169 © 2011 Cloud Security Alliance, Inc. All rights reserved. How to Get Compliant? One Approach!! 1. Review which controls the PaaS CSP will handle for you 2. Check which PCI DSS controls they cannot ever handle – Example: your security policy, awareness training for your employees (BTW, they should – for theirs) 3. Create the matrix and verify with the CSP – Request additional information from them as needed 4. Deploy additional controls where needed and where prudent 168

170 © 2011 Cloud Security Alliance, Inc. All rights reserved. For Example Project: replace marketing analytics application that uses PAN with PaaS- deployed application PCI controls: all on the application, most on management servers, etc – Web application scanning => Merchant – All others =>CSP Decision: move the payment data off CSP and “off PCI” you go 169

171 © 2011 Cloud Security Alliance, Inc. All rights reserved. How to Stay Compliant? Keep testing the CSP PCI-OK status and check the matrix for missing controls 170

172 © 2011 Cloud Security Alliance, Inc. All rights reserved. Compliance Evidence What to show to QSA? Evidence of ALL controls – yours and CSPs MUST DO: obtained detailed PCI evidence from CSP for controls that apply to your environment! 171

173 © 2011 Cloud Security Alliance, Inc. All rights reserved. Responsibility SPLIT// PaaS PCI PROVIDER Application platform security Physical Network Encryption Key management System security MERCHANT Application security Scoping Monitoring (unless extra $ to CSP) 172

174 © 2011 Cloud Security Alliance, Inc. All rights reserved. 173 Example Scenario 5// Control Matrix PCI DSS RequirementMerchant: PaaS userCloud provider: PaaS Secure application development: R6 YesYes (for platform) Update OS: RXXNoYes Log management: R10Yes – application logsYes – everything else (or data provided to merchant!) Render PANs unreadable: R3.4 YesYes – where touches their environment Physical access control: R9 NoYes Vulnerability scanning: R11.2 NoYes Penetration tests: R11.3Yes – application levelYes – for physical, network, application, etc Security policy: R12Yes - applicableYes – for the rest Wireless security: R11.1NoYes

175 © 2011 Cloud Security Alliance, Inc. All rights reserved. Notable PCI DSS Requirements to Watch Requirement 1 Firewall architecture (“cloud networks are flat”) Requirement 4.1 “Use strong cryptography and security protocols “ – Intra-CSP traffic may be seen as public Requirement 6.1 patch management is Joint; and need to be done by both Requirement 12.8 covers service providers and the matrix 174

176 © 2011 Cloud Security Alliance, Inc. All rights reserved. Contract SLA Tips Clear acceptance of responsibility for “their” controls Verification of provider controls Incident response support for data breaches 175

177 © 2011 Cloud Security Alliance, Inc. All rights reserved. Common Pitfalls and Key Risks Failure to test the provider on the ongoing basis SLA failures: no escalation, evidence sharing, incident response cooperation 176

178 © 2011 Cloud Security Alliance, Inc. All rights reserved. Scenario 6// Tiered PCI 177 Merchant – ecommerce or stores Use public cloud PaaS or SaaS provider … … who uses public IaaS provider Processes cards and possibly stores them … somewhere

179 © 2011 Cloud Security Alliance, Inc. All rights reserved. Description A major ecommerce website Uses CSP for a broad spectrum of tasks, including payments Their provider uses another cloud provider Some cloud providers MAY BE PCI-OK PAN data stored/passed in the cloud PAN data processed in the cloud 178

180 © 2011 Cloud Security Alliance, Inc. All rights reserved. Scenario 6// Visual 179

181 © 2011 Cloud Security Alliance, Inc. All rights reserved. Q: Can they be PCI DSS compliant? 180 Audience Poll A: Yes C: Cannot tell B: No Must the provider be PCI-OK? Must their provider’s provider be PCI-OK? Can the merchant be PCI-OK if some CSPs are not?

182 © 2011 Cloud Security Alliance, Inc. All rights reserved. Tiered Merchant Example 181 Merchant uses CSP (SaaS) that uses Amazon EC2 (IaaS) A public Amazon case study http://aws.amazon.com/solution s/case-studies/36boutiques/

183 © 2011 Cloud Security Alliance, Inc. All rights reserved. How to Assess? Key: The Matrix … Must Have No Holes, Again …but there are more dimensions now 182

184 © 2011 Cloud Security Alliance, Inc. All rights reserved. Your CSP’s CSP is NOT your CSP! … and that some controls are NOT implemented by your CSP and they simply “trust their CSP assertions” 183

185 © 2011 Cloud Security Alliance, Inc. All rights reserved. How to Scope? Worst case: FORGET IT! We can never figure it out… ……. reality ……………… Best case: payment chain is isolated from ALL the CSPs (zero scope for you, all scope is with payment provider) 184

186 © 2011 Cloud Security Alliance, Inc. All rights reserved. We went through six PCI-in-the- cloud scenarios! 185 Ahhhhhh……

187 © 2011 Cloud Security Alliance, Inc. All rights reserved. Business: ecommerce Setup: uses CSP for web hosting and all application hosting, accepts payment cards, sells to consumers Challenge: we are a QSA they hired to “get them compliant” Next steps? 186 Exercise// How to Comply/Assess?

188 © 2011 Cloud Security Alliance, Inc. All rights reserved. What do the scenarios teach us about PCI and cloud? 1. “Kill the scope” works in the cloud as well 2. It is better to have the payment processor handle more and merchant/CSP handle less of the PCI burden 3. CSP may do it, but MERCHANT is responsible and need to validate it 4. Finally, we CAN have PCI in the cloud! 187

189 © 2011 Cloud Security Alliance, Inc. All rights reserved. Final Recommendations Follow the scenarios as templates for your projects Learn to scope in the cloud Make a matrix of shared responsibility (and “keep it with you at all times” ) Remember: MERCHANT is on the hook, even if CSP does it (as per PCI DSS) Requirement 12.8 is NOT “a punt” 188

190 © 2011 Cloud Security Alliance, Inc. All rights reserved. Additional Tips from Past Class Discussions Use PCI + cloud security thinking for other sensitive data: SSN, PHI, financials, etc Involve legal in SLA and other discussions about regulated data in the cloud (!) Scan for YOUR sensitive data being put in the cloud by business partners – in THEIR clouds “Trust but verify” principle MUST be applied to your CSP 189

191 © 2011 Cloud Security Alliance, Inc. All rights reserved. Any Lessons from the Audience? Anything “juicy” I missed to conclude? 190

192 © 2011 Cloud Security Alliance, Inc. All rights reserved. A one-liner version? 191 If you can get rid of the PANs in the cloud, DO IT!

193 © 2011 Cloud Security Alliance, Inc. All rights reserved. Questions? 192

194 © 2011 Cloud Security Alliance, Inc. All rights reserved. Thanks for Your Review! Courseware author Dr. Anton Chuvakin would like to thank the following people for their thoughtful review of class materials: Walt Conway @ 403 Labs Martin McKeay @ Verizon Mike Dahn @ PWC Doug Barbin @ BrightLine Jason Chan @ Netflix 193

195 © 2011 Cloud Security Alliance, Inc. All rights reserved. Additional Materials In the notes, there are links to various useful reading, in addition to CSA and other sites mentioned in the class. Go to www.cloudsecurityalliance.org for the latest information on our educational resourceswww.cloudsecurityalliance.org 194

196 © 2011 Cloud Security Alliance, Inc. All rights reserved. 195

Download ppt "© 2011 Cloud Security Alliance, Inc. All rights reserved."

Similar presentations

Approaches to meeting the PCI Vulnerability Management and Penetration Testing Requirements Clay Keller.

Approaches to meeting the PCI Vulnerability Management and Penetration Testing Requirements Clay Keller.
Security, Privacy and the Cloud Connecticut Community Providers’ Association June 20, 2014 Steven R Bulmer, VP of Professional Services.

Security, Privacy and the Cloud Connecticut Community Providers’ Association June 20, 2014 Steven R Bulmer, VP of Professional Services.
JEFF WILLIAMS INFORMATION SECURITY OFFICER CALIFORNIA STATE UNIVERSITY, SACRAMENTO Payment Card Industry Data Security Standard (PCI DSS) Compliance.

JEFF WILLIAMS INFORMATION SECURITY OFFICER CALIFORNIA STATE UNIVERSITY, SACRAMENTO Payment Card Industry Data Security Standard (PCI DSS) Compliance.
Chapter 22: Cloud Computing and Related Security Issues Guide to Computer Network Security.

Chapter 22: Cloud Computing and Related Security Issues Guide to Computer Network Security.
1 Presented By: David Kidd, Director of Compliance, Peak 10 & Brian Herman, VP of Managed Security Sales, Still Secure.

1 Presented By: David Kidd, Director of Compliance, Peak 10 & Brian Herman, VP of Managed Security Sales, Still Secure.
Credit Card Compliance Regulations Mandated by the Payment Card Industry Standards Council Accounting and Financial Services.

Credit Card Compliance Regulations Mandated by the Payment Card Industry Standards Council Accounting and Financial Services.
An Approach to Secure Cloud Computing Architectures By Y. Serge Joseph FAU security Group February 24th, 2011.

An Approach to Secure Cloud Computing Architectures By Y. Serge Joseph FAU security Group February 24th, 2011.
Presented by : Vivian Eberhardt, Supervisor Cash and Credit Operations

Presented by : Vivian Eberhardt, Supervisor Cash and Credit Operations
1 DCS860A Emerging Technology Physical layer transparency in Cloud Computing (rev. 12-16-11)

1 DCS860A Emerging Technology Physical layer transparency in Cloud Computing (rev )
Payment Card Industry (PCI) Data Security Standard (DSS) Compliance Commonwealth of Massachusetts Office of the State Comptroller March 2007.

Payment Card Industry (PCI) Data Security Standard (DSS) Compliance Commonwealth of Massachusetts Office of the State Comptroller March 2007.
BETA!BETA! Building a secure private cloud on Microsoft technologies Private cloud security concerns Security & compliance in a Microsoft private cloud.

BETA!BETA! Building a secure private cloud on Microsoft technologies Private cloud security concerns Security & compliance in a Microsoft private cloud.
What is Cloud Computing? o Cloud computing:- is a style of computing in which dynamically scalable and often virtualized resources are provided as a service.

What is Cloud Computing? o Cloud computing:- is a style of computing in which dynamically scalable and often virtualized resources are provided as a service.
Kevin R Perry August 12, 2014. Part 1: High Level Changes & Clarifications.

Kevin R Perry August 12, Part 1: High Level Changes & Clarifications.
Payment Card Industry (PCI) Data Security Standard

Payment Card Industry (PCI) Data Security Standard
PCI's Changing Environment – “What You Need to Know & Why You Need To Know It.” Stephen Scott – PCI QSA, CISA, CISSP

PCI's Changing Environment – “What You Need to Know & Why You Need To Know It.” Stephen Scott – PCI QSA, CISA, CISSP
Be Smart, Use PwrSmart What Is The Cloud?. Where Did The Cloud Come From? We get the term “Cloud” from the early days of the internet where we drew a.

Be Smart, Use PwrSmart What Is The Cloud?. Where Did The Cloud Come From? We get the term “Cloud” from the early days of the internet where we drew a.
SPRING 2011 CLOUD COMPUTING Cloud Computing San José State University Computer Architecture (CS 147) Professor Sin-Min Lee Presentation by Vladimir Serdyukov.

SPRING 2011 CLOUD COMPUTING Cloud Computing San José State University Computer Architecture (CS 147) Professor Sin-Min Lee Presentation by Vladimir Serdyukov.
Securing and Auditing Cloud Computing Jason Alexander Chief Information Security Officer.

Securing and Auditing Cloud Computing Jason Alexander Chief Information Security Officer.
Cloud computing Tahani aljehani.

Cloud computing Tahani aljehani.
Www.isaca.org Cloud Computing Risk Assessments Donald Gallien March 31, 2011.

Cloud Computing Risk Assessments Donald Gallien March 31, 2011.

Similar presentations

Ads by Google