2. A simple, easy-to-use, online B2B procurement portal for purchasing products and services to identify, minimise and manage the security threat to business data.
www.riskfactory.com
3. Agenda
Cloud Anatomy
•Characteristics, Delivery & Deployment Models
•What's Different in the Cloud?
•Security Challenges in the Cloud
PCI DSS
•What is it?
•Implementation Challenges
•Cloud Compliance Keys
Cloudy QSA Advice
•Clients
•Vendors
5. Both Sides Now
"Rows and flows of angel hair
And ice cream castles in the air
And feather canyons everywhere
I've looked at clouds that way"
Joni Mitchell
7. Both Sides Now
"But now they only block the sun
They rain and snow on everyone
So many things I would have done
Clouds got in my way"
Joni Mitchell
11. What's Different in the Cloud
Ownership: the more of the stack the provider delivers, the more of the security is theirs.
Security ~ THEM  <--  SaaS (Software as a Service)  |  PaaS (Platform as a Service)  |  IaaS (Infrastructure as a Service)  -->  Security ~ YOU
14. Most Significant: Accountability
(Figure: "Your Corporate Data?" surrounded by "Cloud" Provider datacenters in London, U.K.; São Paulo, Brazil; Geneva, Switzerland; Tokyo, Japan; San Francisco, USA)
16. Top Threats to Cloud
•Abuse & Nefarious Use
•Insecure Application Programming
•Malicious Insiders
•Shared Technology Vulnerabilities
•Data Loss & Leakage
•Account, Service & Traffic Hijacking
•Unknown Risk Profile
17. Basic Misconceptions
• "But it's Cloud! How can you attack a Cloud?"
• "There's security in anonymity."
• "Time sharing" with a new name & technology.
Security Requirements vs. Cloud Benefits
18. Cloudy Thinking
Same as your existing server environment, only virtualised and in someone else's Data Centre, running on Windows and Linux with Windows and Linux vulnerabilities.
20. The Standard
First published January 2005; V.1 released September 7, 2006. The PCI DSS is a set of comprehensive requirements for securing payment data. V2 released November 2010.
A multifaceted standard that includes requirements for security management, policies, procedures, network architecture, software design and other critical protective measures.
21. Applicable
• All systems that process, store or transmit credit or debit cardholder data
• All systems that connect to them
26. The Question Then
Q: How do you implement 264 detailed control requirements across a public cloud solution?
A: It depends.
Salesforce - SaaS
Google AppEngine - PaaS
Amazon EC2 - IaaS
28. Compliance Keys
• Service Level Agreements
• Compensating Controls
29. SLA
Amazon Web Services™ Customer Agreement
"7.2. Security. We strive to keep Your Content secure, but cannot guarantee that we will be successful at doing so, given the nature of the Internet. Accordingly, without limitation to Section 4.3 above and Section 11.5 below, you acknowledge that you bear sole responsibility for adequate security, protection and backup of Your Content and Applications. We strongly encourage you, where available and appropriate, to (a) use encryption technology to protect Your Content from unauthorized access, (b) routinely archive Your Content, and (c) keep your Applications or any software that you use or run with our Services current with the latest security patches or updates. We will have no liability to you for any unauthorized access or use, corruption, deletion, destruction or loss of any of Your Content or Applications."
http://aws.amazon.com/agreement/#7 (2 February 2012)
30. Remember
Ownership: the more of the stack the provider delivers, the more of the security is theirs.
Security ~ THEM  <--  SaaS (Software as a Service)  |  PaaS (Platform as a Service)  |  IaaS (Infrastructure as a Service)  -->  Security ~ YOU
Salesforce - SaaS | Google AppEngine - PaaS | Amazon EC2 - IaaS
31. Control Mapping
Cloud Model -> Governance Model -> Compliance Model: Find the Gaps!
Layer         Controls
Applications  SDLC, Binary Analysis, Scanners, WebApp Firewalls, Transactional Sec.
Information   DLP, CMF, Database Activity Monitoring, Encryption
Management    GRC, IAM, VA/VM, Patch Management, Configuration Management, Monitoring
Network       NIDS/NIPS, Firewalls, DPI, Anti-DDoS, QoS, DNSSEC, OAuth
Trust         Hardware & Software RoT & APIs
Storage       Host-based Firewalls, HIDS/HIPS, Integrity & File/log Management, Encryption, Masking
Physical      Physical Plant Security, CCTV, Guards
32. Where Cannot Be Mapped
• Conduct risk assessment
• Identify unacceptable risks
• Implement compensating controls!
– Designed, accepted for the business
– Must produce evidence
– Accompanied by process
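The "Find the Gaps!" exercise on the Control Mapping slide and the compensating-control rules on this slide can be turned into a small checklist tool. The following is an added example, not code from the presentation or from Risk Factory: for a chosen delivery model it separates the layers you must secure yourself from the ones the provider owns, flags provider-owned layers the SLA does not state in writing (so they must not be assumed), lists the SLA-covered layers you still need to go and check, and accepts a compensating control only if it is accepted by the business, backed by evidence and accompanied by a process. The layer names come from the Control Mapping slide; the ownership split per delivery model in PROVIDER_OWNED is a simplified assumption for illustration, and the control names and evidence strings in the scenario are constructed.

```python
"""Control-mapping gap finder for a cloud engagement (added example).

The ownership split per delivery model below is an ASSUMPTION for
illustration; in a real engagement it comes from the vendor and the SLA.
"""
from dataclasses import dataclass
from typing import Iterable, Optional

# Security layers from the Control Mapping slide, top of the stack first.
LAYERS = ("Applications", "Information", "Management", "Network",
          "Trust", "Storage", "Physical")

# ASSUMED ownership split: layers the provider owns in each delivery model.
# Every layer not listed is yours to secure.
PROVIDER_OWNED = {
    "IaaS": {"Physical", "Storage", "Trust"},
    "PaaS": {"Physical", "Storage", "Trust", "Network", "Management"},
    # Even in SaaS the customer still owns its data and its classification.
    "SaaS": set(LAYERS) - {"Information"},
}


@dataclass(frozen=True)
class CompensatingControl:
    """A compensating control as the slide defines it: designed and accepted
    for the business, producing evidence, and accompanied by a process."""
    layer: str
    name: str
    accepted_by_business: bool
    evidence: Optional[str] = None   # e.g. a report reference
    process: Optional[str] = None    # e.g. the procedure that operates it

    def deficiencies(self) -> list[str]:
        """Reasons this control does not yet count; empty means complete."""
        missing = []
        if not self.accepted_by_business:
            missing.append("not accepted by the business")
        if not self.evidence:
            missing.append("no evidence")
        if not self.process:
            missing.append("no accompanying process")
        return missing


def find_gaps(model: str, sla_covered: Iterable[str],
              compensating: Iterable[CompensatingControl]) -> dict:
    """Classify every layer for the given delivery model.

    sla_covered: layers the vendor SLA states, in black and white, that it
    secures. The result is keyed by what you must do next:
      yours       - layers you implement controls for directly
      verify      - provider-owned layers the SLA covers: go and check them
      unstated    - provider-owned layers the SLA does not mention
      compensated - unstated layers closed by a complete compensating control
      deficient   - {layer: [reasons]} for incomplete compensating controls
      open_gaps   - unstated layers with no complete compensating control
    """
    if model not in PROVIDER_OWNED:
        raise ValueError(f"unknown delivery model: {model}")
    provider = PROVIDER_OWNED[model]
    sla = set(sla_covered)
    compensating = list(compensating)
    unknown = (sla | {c.layer for c in compensating}) - set(LAYERS)
    if unknown:
        raise ValueError(f"unknown layers: {sorted(unknown)}")

    unstated = provider - sla
    compensated, deficient = set(), {}
    for control in compensating:
        problems = control.deficiencies()
        if problems:
            deficient[control.layer] = problems
        elif control.layer in unstated:
            compensated.add(control.layer)
    return {
        "yours": set(LAYERS) - provider,
        "verify": provider & sla,
        "unstated": unstated,
        "compensated": compensated,
        "deficient": deficient,
        "open_gaps": unstated - compensated,
    }


if __name__ == "__main__":
    # Constructed scenario: a PaaS vendor whose SLA states physical, storage
    # and network security, plus two compensating controls, one incomplete.
    controls = [
        CompensatingControl("Trust", "Platform root-of-trust attestation review",
                            accepted_by_business=True,
                            evidence="CONSTRUCTED: vendor attestation report",
                            process="CONSTRUCTED: quarterly review"),
        CompensatingControl("Management", "Manual patch verification",
                            accepted_by_business=True, evidence=None,
                            process="CONSTRUCTED: monthly check"),
    ]
    report = find_gaps("PaaS", {"Physical", "Storage", "Network"}, controls)
    for key, value in report.items():
        print(f"{key:12}: {value}")
```

Run as a script it prints the classification for the constructed PaaS scenario: the Management layer stays an open gap because its compensating control has no evidence, while Trust is closed by a complete one. Swapping the model to "SaaS" or "IaaS" shows how the "yours" set grows as you move down the stack.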
33. Modelling
Cloud Architecture
Governing the Cloud
•Governance and Enterprise Risk Management
•Legal and Electronic Discovery
•Compliance and Audit
•Information Lifecycle Management
•Portability and Interoperability
Operating in the Cloud
•Security, Bus. Cont., and Disaster Recovery
•Data Center Operations
•Incident Response, Notification, Remediation
•Application Security
•Encryption and Key Management
•Identity and Access Management
•Virtualization
36. QSA Client Advice
• Don't believe what you hear. Get out of your office. Go see it. Touch it. Taste it. Smell it. It's about due diligence.
• Interrogate vendors, focusing on security, resiliency, recovery, confidentiality, privacy and segmentation. See if they twitch.
• PCI compliance comes down to implementing the controls, implementing compensating controls or just accepting the risk. Go through each control with your vendor (as applicable) and determine actions.
• If you don't see it in black and white in the vendor SLA, do not assume it's there. If you do see it, go check it.
• Your mantra should be "How will you identify a breach?" At the end of the day, if you have a breach it will be your company's name in the paper, your company receiving the fine or your company in court - not the cloud provider.
• Do everything you can possibly do. Then get your Acquirer's buy-in.
• Get insurance.
38. QSA Vendor Advice
• Embrace it. Be proactive. Get out in front of it. Bring it up before they do.
• Know your subject matter. Clients need mentors.
• Be transparent. If you can't meet a compliance requirement, say so.
• Never twitch.
• Lay out liability in the SLA. Be clear. Be concise. State both what you are liable for and what you are not liable for.
• Rephrase the question: "How will we identify a breach?"
• Get insurance.
39. "I've looked at clouds from both sides now,
from up and down, and still somehow,
it's cloud illusions I recall
I really don't know clouds... at all."
Joni Mitchell
40. 26 Dover Street
London
United Kingdom
W1S 4LY
+44 (0)20 3586 1025
+44 (0)20 7763 7101(fax)
Editor's Notes
Give out cards.
Oldest crime on record – not prostitution. First recorded case of identity theft: Bible, Genesis XXX.