1. PCI and the Cloud
Dave Shackleford, CTO, IANS
Andrew Hay, Chief Evangelist,
CloudPassage
Hashtag - #PCIcloud
8/29/2012
2. Who We Are
Dave Shackleford, SVP of Research & CTO at IANS
Andrew Hay, Chief Evangelist at CloudPassage, Inc.
Interact with us on Twitter using the #PCIcloud hashtag
Copyright © 2012 IANS. All rights reserved. 2
3. Introduction
• There are lots of questions about PCI in cloud environments…but few answers to date
Questions raised on the slide:
• How will compliance be affected with various cloud configurations?
• What should we look for in PCI-compliant providers?
• How can I satisfy the security and control requirements?
• What does a ‘PCI Compliant’ cloud even mean?
• Will my existing technical controls work in cloud?
• Can I even be PCI compliant in the cloud?
• What am I responsible for in Private/Public/Hybrid clouds?
4. It’s Not All Doom and Gloom
• Yes, you can be PCI compliant in the cloud!
• You will likely need some different tools and processes
• Not all providers are created equal!
• There is no “silver bullet” – but the responsibility is still yours
5. Survey Results: Compliance & Standards
• What standards or regulatory compliance mandates apply to your cloud project(s)?
PCI DSS 84.2%
HIPAA 42.1%
SOX 36.8%
ISO 31.6%
CoBIT 15.8%
CIPA 5.3%
Cloud Audit 5.3%
COPPA 5.3%
FISMA 5.3%
GLBA 5.3%
6. A Little About Cloud Types
[Diagram of four environments: US Public Cloud Provider, EU Public Cloud Provider, Legacy Datacenter / Colo, and Private Cloud / Hybrid Staging, each built from DB Servers, App Servers, Auth Servers and Load Balancers]
7. Survey Results - Environments
• Which of the following cloud hosting environments are leveraged by your project(s)?
A private cloud hosted and/or operated by an external provider 44.4%
A public, multi-tenant cloud provider 38.9%
A public, multi-tenant Platform-as-a-Service (PaaS) 33.3%
A private cloud hosted in your own data center 27.8%
A private Platform-as-a-Service (PaaS) 16.7%
8. Who is responsible for Security?
AWS Shared Responsibility Model
“…the customer should assume responsibility and management of, but not limited to, the guest operating system…and associated application software...”
“it is possible for customers to enhance security and/or meet more stringent compliance requirements with the addition of… host based firewalls, host based intrusion detection/prevention, encryption and key management.”
Source: Amazon Web Services: Overview of Security Processes
[Diagram: the stack from top to bottom is Data, App Code, App Framework, Operating System, Virtual Machine, Hypervisor, Compute & Storage, Shared Network, Physical Facilities; the upper layers are labelled Customer Responsibility and the lower layers Provider Responsibility]
9. General Notes on Cloud Service Providers (CSPs)
• Compliance concerns will vary depending on whether CSP is SaaS, PaaS, IaaS
• CSPs should be on the card brands’ “approved list”
• PCI compliance should be in contract
10. What Else to Look For: CSPs
• Evidence of audit and attestation – combination of “PCI Compliance” and perhaps SSAE 16
• Cloud SLAs and contract provisions
• Who is responsible for what? This should be clear!
• You cannot outsource your compliance status!
• But you CAN take steps to secure the requirements under your control
11. Requirement Areas 1-3
PCI DSS Requirement, with Cloud Concerns and Comments:
1: Install/maintain firewall configs (Protect the perimeter, internal, and wireless networks.)
  1. Data flow is important
  2. Host-based firewalls may make the most sense
  3. Hardware and some network may be up to the CSP
2: Vendor defaults (Secure payment card applications.)
  1. Virtualization templates can help (once they are secured properly)
  2. CSP audit data may be needed
  3. Always check for inappropriate settings
3: Protect stored data (Protect stored cardholder data.)
  1. Options will depend on data storage type
  2. Cloud storage platforms may have their own options
12. Requirement Areas 4-6
PCI DSS Requirement, with Cloud Concerns and Comments:
4: Encrypt data in transit (Protect stored cardholder data.)
  1. VPN connections to/from cloud environment
  2. Leverage SSL connections
5: Use and update anti-malware (Monitor and control access to your systems.)
  1. Ensure anti-malware is built into templates for deployment
6: Develop/maintain secure systems and apps (Secure payment card applications.)
  1. Build security into apps and VM templates in the cloud
  2. Be wary of provisioning and “cloud bursting”
13. Requirement Areas 7-9
PCI DSS Requirement, with Cloud Concerns and Comments:
7: Restrict access to Cardholder Data (CHD) by “Need to Know” (Monitor and control access to your systems.)
  1. Leverage any role-based controls (e.g. Amazon IAM and others)
  2. Build controls into cloud systems and manage normally (if possible)
8: Use unique IDs for accessing PCI systems (Monitor and control access to your systems.)
  1. Proper configuration management and role/group management are required
9: Restrict physical access (Monitor and control access to your systems.)
  1. This is entirely on the CSP – similar to a hosting environment
14. Requirement Areas 10-12
PCI DSS Requirement, with Cloud Concerns and Comments:
10: Track and monitor access to CHD (Monitor and control access to your systems.)
  1. Will your CSP provide any logs? If so, which ones?
  2. Send your own logs to a central log server in the cloud or elsewhere
11: Test PCI systems and processes (Monitor and control access to your systems.)
  1. Test your cloud assets – this may require a different coordination level with the CSP
  2. Ask for CSP test reports if relevant
12: Maintain information security policies (Finalize remaining compliance efforts, and ensure all controls are in place.)
  1. Update any/all policies that may have ties to the new cloud-based assets.
15. Survey Results: Audit
• How many times has your cloud project been audited for adherence to the compliance standards above?
[Pie chart with the categories Never, Once, and More than three times; the percentages shown are 23.8%, 9.5% and 66.7%]
16. Survey Results: Controls
• What cloud security technologies did your auditors expect you to have deployed?
Firewalls & Access control 78.6%
SIEM/LM 71.4%
WAF 71.4%
Multi-factor authentication 64.3%
Database encryption 57.1%
Network encryption 57.1%
NIDS 57.1%
Patch management 57.1%
Disk encryption 42.9%
HIDS 35.7%
Configuration monitoring 35.7%
FIM 35.7%
Code scanning 35.7%
17. Survey Results: Who Audited?
• Who performed your cloud compliance audit (big four, small firm, QSA)?
[Pie chart with the categories: a large accounting firm (e.g. one of the “Big Four”); a large technology integrator or technical consulting firm; a smaller firm specializing in information security technology; a smaller firm specializing in general risk management, governance and compliance; internal/self audit. The percentages shown are 66.7%, 13.3%, 6.7%, 6.7% and 6.7%]
18. How Do I Secure Servers in the Cloud?
Servers in hybrid and public clouds must be self-defending with highly automated controls like…
• Dynamic firewall & access control
• Server compromise & intrusion alerting
• Configuration and package security
• Server forensics and security analysis
• Server account visibility & control
• Integration & automation capabilities
21. Traditional Datacenter (DC) Firewalling
[Diagram: a core firewall in front of the Auth Server and DB servers, and a DMZ firewall in front of the Load Balancers and App Servers; one App Server (www-4) is flagged]
22. Moving to the Cloud
[Diagram: the same datacenter topology with its core and DMZ firewalls]
23. Moving to the Cloud
[Diagram: the same topology, with a public cloud region added alongside it]
24. Moving to the Cloud
[Diagram: Auth Server, DB servers, Load Balancers and App Servers now sit in the public cloud; the core and DMZ firewalls are gone]
25. Moving to the Cloud
[Diagram: Load Balancer, two App Servers and a DB Master in the public cloud with no firewall in front of them; the App Servers and DB Master are flagged]
26. Dynamic Cloud Firewalling
[Diagram: the same public cloud servers, each now carrying its own host firewall (FW): the Load Balancer, each App Server and the DB Master]
27. Dynamic Cloud Firewalling
[Diagram: the environment scaled out to two Load Balancers, three App Servers, a DB Master and a DB Slave, each with its own FW]
28. Dynamic Cloud Firewalling
[Diagram: a new App Server with a new Server IP joins the fleet; every host keeps its own FW]
29. Dynamic Cloud Firewalling
[Diagram: one App Server and its Server IP leave the fleet; the remaining hosts keep their own FW]
30. Lessons to Learn
Whatever firewall options you have, use them
Make sure your firewall rules are updated quickly and automatically
Plan for the future, because you will be multi-cloud
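Slides 26 to 30 argue that host firewall rules have to be regenerated automatically as instances come and go. The following is an added example, not the authors' or CloudPassage's code: a role-based policy is turned into per-host allow rules from the current inventory, and a diff shows exactly which rules change when an app server is launched. Roles, ports and IPs are constructed sample data.

```python
"""Host-based firewall rules regenerated from a server inventory.
Added example, not code from the slides: every server carries its own
firewall and its allow rules are rebuilt whenever an instance is added
or removed. Roles, ports and IPs below are constructed sample data."""
from typing import Dict, List, Set, Tuple

# role -> (listening port, roles allowed to reach it); "*" means any source
ROLE_POLICY = {
    "lb": (443, {"*"}),
    "app": (8080, {"lb"}),
    "db": (3306, {"app"}),
}

Rule = Tuple[str, int]  # (source CIDR, destination port)


def build_rules(inventory: Dict[str, Tuple[str, str]]) -> Dict[str, Set[Rule]]:
    """Return the allow rules for every host; everything else is denied.
    inventory maps hostname -> (role, ip)."""
    ips_by_role: Dict[str, List[str]] = {}
    for role, ip in inventory.values():
        ips_by_role.setdefault(role, []).append(ip)
    rules: Dict[str, Set[Rule]] = {}
    for host, (role, _ip) in inventory.items():
        port, allowed_roles = ROLE_POLICY[role]
        allowed: Set[Rule] = set()
        for src_role in allowed_roles:
            if src_role == "*":
                allowed.add(("0.0.0.0/0", port))
            for src_ip in ips_by_role.get(src_role, []):
                allowed.add((src_ip + "/32", port))  # only current peers
        rules[host] = allowed
    return rules


def diff_rules(old, new):
    """Per host, the (rules to add, rules to remove) after an inventory change."""
    return {h: (new.get(h, set()) - old.get(h, set()),
                old.get(h, set()) - new.get(h, set()))
            for h in set(old) | set(new)}


if __name__ == "__main__":
    inv = {"lb-1": ("lb", "10.0.0.10"), "app-1": ("app", "10.0.1.11"),
           "db-master": ("db", "10.0.2.20")}
    before = build_rules(inv)
    inv["app-2"] = ("app", "10.0.1.12")  # autoscaler launches a new server
    for host, (add, rem) in diff_rules(before, build_rules(inv)).items():
        print(host, "add:", sorted(add), "remove:", sorted(rem))
```

Running the diff on every inventory change is what keeps the DB master from accepting connections from an app server that no longer exists.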
32. Traditional DC Operations Model
[Diagram: www-1, www-2, www-3 and www-4 in a private datacenter, each flagged]
Capacity is mostly static
Servers are long-lived
Security risk on servers is mitigated by network defenses
33. Cloud Operations Model
[Diagram: www servers cloned from a Gold Master]
Capacity is highly dynamic
34. Cloud Operations Model
[Diagram: www servers cloned from a Gold Master in the public cloud; one instance (www-2) is flagged]
Capacity is highly dynamic
Servers are short lived
35. Cloud Operations Model
[Diagram: www servers cloned from the Gold Master come and go; several are flagged]
Capacity is highly dynamic
Servers are short lived
36. Cloud Operations Model
[Diagram: a new generation of www servers cloned from an updated Gold Master; several are flagged]
Capacity is highly dynamic
Servers are short lived
Gold Master updates are rolled out incrementally
37. Cloud Operations Model
[Diagram: www-1, www-2 and further www servers cloned from the Gold Master; several are flagged]
What does server security mean in this environment?
Capacity is highly dynamic
Servers are short lived
Gold Master updates are rolled out incrementally
38. Ensuring Cloud Server Integrity
[Diagram: www-1, www-2 and further www servers; some are flagged]
39. Ensuring Cloud Server Integrity
[Diagram: the same fleet; one server is marked with a question mark]
Scan for misconfigurations due to deployment or debugging issues
40. Ensuring Cloud Server Integrity
[Diagram: the same fleet; two servers are marked with question marks]
Scan for misconfigurations due to deployment or debugging issues
Ensure software packages are up-to-date and watch for remote exploits that must be patched quickly
41. Ensuring Cloud Server Integrity
[Diagram: the same fleet; servers are marked with question marks and flags]
Scan for misconfigurations due to deployment or debugging issues
Ensure software packages are up-to-date and watch for remote exploits that must be patched quickly
Monitor business code for unintended or malicious changes
42. Ensuring Cloud Server Integrity
[Diagram: www-1, www-2, www-3 and www-4, marked with question marks and flags]
Automate management and monitoring of these critical operational security points
Scan for misconfigurations due to deployment or debugging issues
Ensure software packages are up-to-date and watch for remote exploits that must be patched quickly
Monitor business code for unintended or malicious changes
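Slides 38 to 42 call for scanning short-lived servers for misconfiguration and monitoring business code for changes. The following is an added example, not the authors' or CloudPassage's code: a SHA-256 baseline is taken from the gold master tree and a live tree is compared against it, classifying drift as added, removed or modified files. The file names and contents are constructed for the demo.

```python
"""File-integrity check of a cloud server against its gold master baseline.
Added example, not code from the slides: hash the application tree when
the image is built, then compare a live tree against that baseline to catch
unintended or malicious changes. The files created are constructed data."""
import hashlib
import os
import tempfile
from typing import Dict, List


def snapshot(root: str) -> Dict[str, str]:
    """Map every regular file under root (posix relative path) to its SHA-256."""
    digests: Dict[str, str] = {}
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            full = os.path.join(dirpath, fname)
            if os.path.islink(full):  # symlink targets are hashed where they live
                continue
            h = hashlib.sha256()
            with open(full, "rb") as fh:
                for chunk in iter(lambda: fh.read(65536), b""):
                    h.update(chunk)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            digests[rel] = h.hexdigest()
    return digests


def compare(baseline: Dict[str, str], current: Dict[str, str]) -> Dict[str, List[str]]:
    """Classify drift from the baseline into added, removed and modified files."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in baseline
                           if p in current and baseline[p] != current[p]),
    }


def demo() -> Dict[str, List[str]]:
    """Build a gold master tree, drift it like a mis-deployed server, report."""
    with tempfile.TemporaryDirectory() as root:
        with open(os.path.join(root, "checkout.py"), "w") as f:
            f.write("def charge(card):\n    return 'ok'\n")
        with open(os.path.join(root, "config.ini"), "w") as f:
            f.write("debug = false\n")
        gold = snapshot(root)  # baseline taken at image build time
        with open(os.path.join(root, "checkout.py"), "a") as f:
            f.write("# unreviewed change\n")  # business code edited in place
        os.remove(os.path.join(root, "config.ini"))  # hardening config lost
        with open(os.path.join(root, "debug.sh"), "w") as f:
            f.write("echo debugging\n")  # leftover from a debugging session
        return compare(gold, snapshot(root))
```

In practice the baseline is produced once per gold master build and the comparison runs on every instance on a schedule, so that a short-lived server is checked before it has time to disappear.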
43. Lessons to Learn
Embrace the flexibility of the cloud; re-think operations
Secure your server integrity by keeping images up-to-date and monitor closely for changes
Know what areas of security you are responsible for and automate them heavily
44. Best Practices
• Read and understand what your provider does, and what you are responsible for, with regards to PCI
• When moving servers outside your data center, ensure that they are hardened and compliant before they are exposed to the public
• Start with public cloud, PCI everywhere else is relatively easy!
• Focus on securing the tenets of PCI that you can control
45. Thank You & Questions
Dave Shackleford, CTO, IANS
dshackleford@iansresearch.com
Andrew Hay, Chief Evangelist, CloudPassage
andrew@cloudpassage.com
www.cloudpassage.com/pci-kit
Follow us on Twitter: twitter.com/ians_security, twitter.com/cloudpassage
Editor's Notes
Many organizations are looking to outsource systems, applications, and data into the cloud. Some of these may fall under the helm of PCI compliance. There are lots of questions about this, but few answers to date. How will compliance be affected with various cloud configurations? What should we look for in PCI-compliant providers? How can security be improved for cloud infrastructure? We’ll explore all these topics.
Can you be PCI compliant in the cloud? Absolutely. Depends on the model and your architecture. You will likely need some different tools and processes. Not all providers are created equal! Be sure to check claims of compliance very carefully. Look for any additional audit data, as well. There is no “silver bullet” – the responsibility is still yours.
Compliance concerns will vary depending on whether CSP is SaaS, PaaS, IaaS. Responsibility and control levels differ. CSPs should be on the card brands’ “approved list” if at all possible. PCI Compliance should be in contract. Delineate which parts of the “stack” you are responsible for.