What You Need To Know About The New PCI Cloud Guidelines
1. #PCICloud
What You Need To Know About The New PCI Cloud Guidelines
Dave Shackleford, CTO, IANS
Chris Brenton, Director of Security, CloudPassage, Inc.
2. Session Agenda
• Can PCI DSS compliance be achieved in public cloud?
• Scope and responsibility example
• Checklist for PCI DSS compliance
• Suggestions for limiting PCI scope
• Breakdown of the shared responsibility model
• Securing and assessing data in a CSP environment
• Incident Response
• Questions
3. Helpful PCI Cloud Guidance?
PCI DSS = 75 pages of compliance goodness

PCI Cloud SIG Guidance = 52 pages describing how to apply those 75 pages to:

• Public cloud
• Private cloud
• Hybrid cloud
• IaaS
• PaaS
• SaaS
• Nested providers
• and more!
5. The Big Question
• Can PCI DSS compliance be achieved in public cloud?
– Yes and folks are doing it
• The easy way
– Work with a PCI DSS certified CSP
– Perform a gap analysis against the CSP's “PCI scope and responsibility” documentation
• Their scope should include any nested providers
– Make sure you fill in all the gaps :)
• The hard way
– Work with a CSP that has not achieved PCI compliance
– Your auditor must scope and review their environment
– You essentially must certify the CSP while footing the bill
7. Scope & Responsibility Example - CSP
PCI # | PCI DSS Requirement | Testing Procedure | Customer Responsibility
9.1 | Use appropriate facility entry controls to limit and monitor physical access to systems in the cardholder data environment. | Verify the existence of physical security controls for each computer room, data center, and other physical areas with systems in the cardholder data environment. | FUBAR Cloud Services maintains the physical security for all in-scope services.
8. Scope & Responsibility Example - Client
PCI # | PCI DSS Requirement | Testing Procedure | Customer Responsibility
1.3.1 | Implement a DMZ to limit inbound traffic to only system components that provide authorized publicly accessible services, protocols and ports. | Verify that a DMZ is implemented to limit inbound traffic to only system components that provide authorized publicly accessible services, protocols and ports. | FUBAR customers are responsible for implementing perimeter firewalls through the FUBAR GUI interface for their in-scope services. FUBAR customers are responsible for developing appropriate firewall rules for their DMZ and internal network.
9. A Basic Checklist
✓ Understand the flow of credit card info
– What processes/services handle it?
– What communications exchange it?
– What drives/partitions store it?
✓ Understand what SaaS services will have Admin control
– Can be in-scope if controlling servers handling credit card info
✓ Flow diagrams are your friend, leverage them
✓ Delineate portions that are internal vs. external
✓ For internal portions, you need to address all 12 PCI requirements
✓ For external portions
– Understand the CSP's scope and responsibility documentation
– Fill in the gaps as required
10. Section 6.5
• Does not directly address PCI requirements
• Has lots of good info on how/why cloud is an evolving tech
• Caveats for legacy security tools
• Example: Introspection
– Expands the functionality of the hypervisor
– Provides visibility of VM memory, disk & network via API
– In private virtualization, leveraged for implementing security
– Problematic in public cloud
• Expands the attack surface of the hypervisor
• Leaves no forensic trail on the VM itself
• Can be a serious issue in public IaaS
– Provider manages hypervisor
– Client manages their unique VMs
11. Limiting PCI Scope
The new guidance offers the following suggestions for limiting PCI scope:
– Don’t store, process or transmit payment card data in the cloud
– Implement a dedicated physical infrastructure
– Minimize reliance on third-party CSPs for protecting payment card data
– Ensure that clear-text account data is never accessible in the cloud
13. Who is responsible for Security?
AWS Shared Responsibility Model
Customer Responsibility: Data, App Code, App Framework, Operating System, Virtual Machine
Provider Responsibility: Hypervisor, Compute & Storage, Network, Physical Facilities
“…the customer should assume responsibility and management of, but not limited to, the guest operating system…and associated application software...”
“it is possible for customers to enhance security and/or meet more stringent compliance requirements with the addition of… host based firewalls, host based intrusion detection/prevention, encryption and key management.”
Source: Amazon Web Services: Overview of Security Processes
14. Data Security
• Securing and assessing data in a CSP environment can be very challenging
• The data may be in:
– Multiple physical locations
– Multiple countries
– Multiple data formats
• Data security processes within a CSP environment need to be closely evaluated
15. Data Acquisition, Storage, Lifecycle
• Data flows need to be developed and constructed for all client and CSP networks
• All data “capture” points need to be identified and protected
– Memory and VM snapshots included, as are hypervisor access methods
• Data lifecycle is critical to identify and clarify
– Data should be protected at all stages in and out of the CSP environment, and disposed of properly
16. Data Classification and Encryption
• CSPs should meet data classification requirements for clients before migration to the cloud
– Cardholder data, credentials, and crypto keys are examples
• All sensitive data should use data-level encryption
– Crypto keys should be stored separately
– All key custodians should be defined and listed, in both client and CSP environments
– Unique keys should be in place for each client
17. Data Decommissioning and Disposal
• Clearly define data disposal techniques within the CSP
• Document “Termination of Service” procedures
• Ensure that all data is deleted permanently when agreements have been terminated, even if encrypted
18. Incident Response
• Clients need to discuss data breach notification with CSPs
– Clients may also need to notify CSPs about data breaches in their environments, to mitigate risk to other clients
• Definitions of what constitutes a breach should be defined and agreed on before doing business
19. Incident Response Continued
• Notification processes and timelines should be in SLAs
• Discuss the potential for client data to be captured by third parties during a breach investigation
• The PCI guidance acknowledges that incident response and detection may be almost impossible if a VM has been decommissioned or removed!
20. Questions?
Dave Shackleford, CTO, IANS, @IANS_Security
Chris Brenton, Director of Security, CloudPassage, @CloudPassage