PCI: Compliance in the Cloud
A simple, easy to use, online, B2B procurement portal for purchasing products and services to identify, minimise and manage the security threat to business data.
www.riskfactory.com
Agenda
Cloud Anatomy
• Characteristics, Delivery & Deployment Models
• What's Different in the Cloud?
• Security Challenges in the Cloud
PCI DSS
• What is it?
• Implementation Challenges
• Cloud Compliance Keys
Cloudy QSA Advice
• Clients
• Vendors
Cloud Security Visionary
Both Sides Now
"Rows and flows of angel hair
And ice cream castles in the air
And feather canyons everywhere
I've looked at clouds that way"
Joni Mitchell
Side 1 - Consumer
Both Sides Now
"But now they only block the sun
They rain and snow on everyone
So many things I would have done
Clouds got in my way"
Joni Mitchell
Side 2 - Service Providers
Cloud Anatomy
Cloud Benefit$
What's Different in the Cloud
Security Ownership
[Figure: security ownership gradient across the delivery models: "Security ~ YOU" at IaaS (Infrastructure as a Service), through PaaS (Platform as a Service), to "Security ~ THEM" at SaaS (Software as a Service)]
What's Different in the Cloud
Access Control
What's Different in the Cloud
Vulnerability
Most Significant
Accountability
Your Corporate Data?
• "Cloud" Provider Datacenter in London, U.K.
• "Cloud" Provider Datacenter in Sao Paolo, Brazil
• "Cloud" Provider Datacenter in Geneva, Switzerland
• "Cloud" Provider Datacenter in Tokyo, Japan
• "Cloud" Provider Datacenter in San Francisco, USA
Cloudy Issues
• Confidentiality
• Availability
• Integrity
• Trust: Lack of transparency
• Trust: Identity management & access control
• Risk Management
• Liability
• Governance
• Compliance
Top Threats to Cloud
• Abuse & Nefarious Use:
• Insecure Applications Programming:
• Malicious Insiders:
• Shared Technology Vulnerabilities:
• Data Loss & Leakage:
• Account, Service & Traffic Hijacking:
• Unknown Risk Profile:
Basic Misconceptions
• "But it's Cloud! How can you attack a Cloud?"
• "There's security in anonymity."
• "Time sharing" with a new name & technology.
[Figure: Security Requirements weighed against Cloud Benefits]
Cloudy Thinking
Same as your existing server environment, only virtualised and in someone else's Data Centre, running on Windows and Linux with Windows and Linux vulnerabilities.
Black Swan Sightings
The Standard
First published January 2005, V.1 released September 7, 2006, the PCI DSS is a set of comprehensive requirements for securing payment data. V2 released November 2010.
A multifaceted standard that includes requirements for security management, policies, procedures, network architecture, software design and other critical protective measures.
Applicable
• All systems that process, store or transmit credit or debit cardholder data
• All systems that connect to them
6 Goals, 12 Requirements
264 Controls
Specific Cloud Controls
The PCI DSS
Implementing the PCI DSS in the Cloud is like...
The Question Then
Q: How do you implement 264 detailed control requirements across a public cloud solution?
A: It depends.
[Figure: Salesforce - SaaS; Google AppEngine - PaaS; Amazon EC2 - IaaS]
Scoping is Everything
Compliance Keys
• Service Level Agreements
• Compensating Controls
SLA
Amazon Web Services™ Customer Agreement
7.2. Security. We strive to keep Your Content secure, but cannot guarantee that we will be successful at doing so, given the nature of the Internet. Accordingly, without limitation to Section 4.3 above and Section 11.5 below, you acknowledge that you bear sole responsibility for adequate security, protection and backup of Your Content and Applications. We strongly encourage you, where available and appropriate, to (a) use encryption technology to protect Your Content from unauthorized access, (b) routinely archive Your Content, and (c) keep your Applications or any software that you use or run with our Services current with the latest security patches or updates. We will have no liability to you for any unauthorized access or use, corruption, deletion, destruction or loss of any of Your Content or Applications.
http://aws.amazon.com/agreement/#7 (2 February 2012)
Remember
[Figure: the security ownership gradient again, with examples: "Security ~ YOU" at IaaS (Amazon EC2), through PaaS (Google AppEngine), to "Security ~ THEM" at SaaS (Salesforce)]
Control Mapping
Find the Gaps! Map the Cloud Model against the Governance Model and the Compliance Model, layer by layer:
Applications: SDLC, Binary Analysis, Scanners, WebApp Firewalls, Transactional Sec.
Information: DLP, CMF, Database Activity Monitoring, Encryption
Management: GRC, IAM, VA/VM, Patch Management, Configuration Management, Monitoring
Network: NIDS/NIPS, Firewalls, DPI, Anti-DDoS, QoS, DNSSEC, OAuth
Trust: Hardware & Software RoT & APIs
Storage: Host-based Firewalls, HIDS/HIPS, Integrity & File/log Management, Encryption, Masking
Physical: Physical Plant Security, CCTV, Guards
Where Cannot Be Mapped
• Conduct risk assessment
• Identify unacceptable risks
• Implement compensating controls!
  – Designed, accepted for the business
  – Must produce evidence
  – Accompanied by process
Modelling
Cloud Architecture
Governing the Cloud
• Governance and Enterprise Risk Management
• Legal and Electronic Discovery
• Compliance and Audit
• Information Lifecycle Management
• Portability and Interoperability
Operating in the Cloud
• Security, Bus. Cont., and Disaster Recovery
• Data Center Operations
• Incident Response, Notification, Remediation
• Application Security
• Encryption and Key Management
• Identity and Access Management
• Virtualization
QSA Words of Wisdom
QSA Client Advice
"Never trust the vendor"
QSA Client Advice
• Don't believe what you hear. Get out of your office. Go see it. Touch it. Taste it. Smell it. It's about due diligence.
• Interrogate vendors focusing on security, resiliency, recovery, confidentiality, privacy and segmentation. See if they twitch.
• PCI Compliance comes down to implementing the controls, compensating controls or just accepting the risk. Go through each control with your vendor (as applicable) and determine actions.
• If you don't see it in black and white in the vendor SLA, do not assume it's there. If you do see it, go check it.
• Your mantra should be "How will you identify a breach?" At the end of the day, if you have a breach it will be your company's name in the paper, your company receiving the fine or your company in court - not the cloud provider.
• Do everything you can possibly do. Then get your Acquirer's buy-in.
• Get insurance.
QSA Vendor Advice
"Never trust the client"
QSA Vendor Advice
• Embrace it. Be proactive. Get out in front of it. Bring it up before they do.
• Know your subject matter. Clients need mentors.
• Be transparent. If you can't meet a compliance requirement, say it.
• Never twitch.
• Lay out liability in the SLA. Be clear. Be concise. State both what you are liable for and what you are not liable for.
• Rephrase the question: "How will we identify a breach?"
• Get insurance.
"I've looked at clouds from both sides now,
from up and down, and still somehow,
it's clouds illusions I recall
I really don't know clouds...at all."
Joni Mitchell
26 Dover Street, London, United Kingdom, W1S 4LY
+44 (0)20 3586 1025
+44 (0)20 7763 7101 (fax)
Risk Factory: How to Implement an Effective Incident Response ProgrammeRisk Factory: How to Implement an Effective Incident Response Programme
Risk Factory: How to Implement an Effective Incident Response ProgrammeRisk Crew
 
Risk Factory: Beyond Data Leakage
Risk Factory: Beyond Data LeakageRisk Factory: Beyond Data Leakage
Risk Factory: Beyond Data LeakageRisk Crew
 
Risk Factory: Security Lessons From the Online Adult Entertainment Industry
Risk Factory: Security Lessons From the Online Adult Entertainment IndustryRisk Factory: Security Lessons From the Online Adult Entertainment Industry
Risk Factory: Security Lessons From the Online Adult Entertainment IndustryRisk Crew
 
Risk Factory: Let's Get Physical
Risk Factory: Let's Get PhysicalRisk Factory: Let's Get Physical
Risk Factory: Let's Get PhysicalRisk Crew
 
Risk Factory: PCI Shrink to Fit
Risk Factory: PCI Shrink to FitRisk Factory: PCI Shrink to Fit
Risk Factory: PCI Shrink to FitRisk Crew
 
Risk Factory: Database Security: Oxymoron?
Risk Factory: Database Security: Oxymoron? Risk Factory: Database Security: Oxymoron?
Risk Factory: Database Security: Oxymoron? Risk Crew
 
Risk Factory: Modems the Forgotten Back Door
Risk Factory: Modems the Forgotten Back DoorRisk Factory: Modems the Forgotten Back Door
Risk Factory: Modems the Forgotten Back DoorRisk Crew
 
Risk Factory How to Steal an Identity
Risk Factory How to Steal an IdentityRisk Factory How to Steal an Identity
Risk Factory How to Steal an IdentityRisk Crew
 
Risk Factory: The State of Electronic Eavesdropping
Risk Factory: The State of Electronic EavesdroppingRisk Factory: The State of Electronic Eavesdropping
Risk Factory: The State of Electronic EavesdroppingRisk Crew
 
Risk Factory Geo-location Security Issues & Best Practices
Risk Factory Geo-location Security Issues & Best PracticesRisk Factory Geo-location Security Issues & Best Practices
Risk Factory Geo-location Security Issues & Best PracticesRisk Crew
 

More from Risk Crew (20)

Riskfactorypcitheessentials 151125164111-lva1-app6892
Riskfactorypcitheessentials 151125164111-lva1-app6892Riskfactorypcitheessentials 151125164111-lva1-app6892
Riskfactorypcitheessentials 151125164111-lva1-app6892
 
Pcishrinktofitpresentation 151125162550-lva1-app6891
Pcishrinktofitpresentation 151125162550-lva1-app6891Pcishrinktofitpresentation 151125162550-lva1-app6891
Pcishrinktofitpresentation 151125162550-lva1-app6891
 
Databasetheft 151120161435-lva1-app6891
Databasetheft 151120161435-lva1-app6891Databasetheft 151120161435-lva1-app6891
Databasetheft 151120161435-lva1-app6891
 
Risk Factory: Inside the Mind of a Hacker
Risk Factory: Inside the Mind of a HackerRisk Factory: Inside the Mind of a Hacker
Risk Factory: Inside the Mind of a Hacker
 
Risk Factory The 2014 Numbers
Risk Factory The 2014 NumbersRisk Factory The 2014 Numbers
Risk Factory The 2014 Numbers
 
Risk Factory Information Security Coordination Challenges & Best Practice
Risk Factory Information Security Coordination Challenges & Best PracticeRisk Factory Information Security Coordination Challenges & Best Practice
Risk Factory Information Security Coordination Challenges & Best Practice
 
Risk Factory Big Daddy Digs Big Data
Risk Factory Big Daddy Digs Big DataRisk Factory Big Daddy Digs Big Data
Risk Factory Big Daddy Digs Big Data
 
Risk Factory: Top 10 Risks 2013
Risk Factory: Top 10 Risks 2013Risk Factory: Top 10 Risks 2013
Risk Factory: Top 10 Risks 2013
 
Risk Factory: Getting a Grip on Mobile Devices
Risk Factory: Getting a Grip on Mobile DevicesRisk Factory: Getting a Grip on Mobile Devices
Risk Factory: Getting a Grip on Mobile Devices
 
Risk Factory: PCI - The Essentials
Risk Factory: PCI - The EssentialsRisk Factory: PCI - The Essentials
Risk Factory: PCI - The Essentials
 
Risk Factory: How to Implement an Effective Incident Response Programme
Risk Factory: How to Implement an Effective Incident Response ProgrammeRisk Factory: How to Implement an Effective Incident Response Programme
Risk Factory: How to Implement an Effective Incident Response Programme
 
Risk Factory: Beyond Data Leakage
Risk Factory: Beyond Data LeakageRisk Factory: Beyond Data Leakage
Risk Factory: Beyond Data Leakage
 
Risk Factory: Security Lessons From the Online Adult Entertainment Industry
Risk Factory: Security Lessons From the Online Adult Entertainment IndustryRisk Factory: Security Lessons From the Online Adult Entertainment Industry
Risk Factory: Security Lessons From the Online Adult Entertainment Industry
 
Risk Factory: Let's Get Physical
Risk Factory: Let's Get PhysicalRisk Factory: Let's Get Physical
Risk Factory: Let's Get Physical
 
Risk Factory: PCI Shrink to Fit
Risk Factory: PCI Shrink to FitRisk Factory: PCI Shrink to Fit
Risk Factory: PCI Shrink to Fit
 
Risk Factory: Database Security: Oxymoron?
Risk Factory: Database Security: Oxymoron? Risk Factory: Database Security: Oxymoron?
Risk Factory: Database Security: Oxymoron?
 
Risk Factory: Modems the Forgotten Back Door
Risk Factory: Modems the Forgotten Back DoorRisk Factory: Modems the Forgotten Back Door
Risk Factory: Modems the Forgotten Back Door
 
Risk Factory How to Steal an Identity
Risk Factory How to Steal an IdentityRisk Factory How to Steal an Identity
Risk Factory How to Steal an Identity
 
Risk Factory: The State of Electronic Eavesdropping
Risk Factory: The State of Electronic EavesdroppingRisk Factory: The State of Electronic Eavesdropping
Risk Factory: The State of Electronic Eavesdropping
 
Risk Factory Geo-location Security Issues & Best Practices
Risk Factory Geo-location Security Issues & Best PracticesRisk Factory Geo-location Security Issues & Best Practices
Risk Factory Geo-location Security Issues & Best Practices
 

Recently uploaded

OpenShift Commons Paris - Choose Your Own Observability Adventure
OpenShift Commons Paris - Choose Your Own Observability AdventureOpenShift Commons Paris - Choose Your Own Observability Adventure
OpenShift Commons Paris - Choose Your Own Observability AdventureEric D. Schabell
 
UiPath Solutions Management Preview - Northern CA Chapter - March 22.pdf
UiPath Solutions Management Preview - Northern CA Chapter - March 22.pdfUiPath Solutions Management Preview - Northern CA Chapter - March 22.pdf
UiPath Solutions Management Preview - Northern CA Chapter - March 22.pdfDianaGray10
 
Computer 10: Lesson 10 - Online Crimes and Hazards
Computer 10: Lesson 10 - Online Crimes and HazardsComputer 10: Lesson 10 - Online Crimes and Hazards
Computer 10: Lesson 10 - Online Crimes and HazardsSeth Reyes
 
9 Steps For Building Winning Founding Team
9 Steps For Building Winning Founding Team9 Steps For Building Winning Founding Team
9 Steps For Building Winning Founding TeamAdam Moalla
 
Nanopower In Semiconductor Industry.pdf
Nanopower  In Semiconductor Industry.pdfNanopower  In Semiconductor Industry.pdf
Nanopower In Semiconductor Industry.pdfPedro Manuel
 
VoIP Service and Marketing using Odoo and Asterisk PBX
VoIP Service and Marketing using Odoo and Asterisk PBXVoIP Service and Marketing using Odoo and Asterisk PBX
VoIP Service and Marketing using Odoo and Asterisk PBXTarek Kalaji
 
Secure your environment with UiPath and CyberArk technologies - Session 1
Secure your environment with UiPath and CyberArk technologies - Session 1Secure your environment with UiPath and CyberArk technologies - Session 1
Secure your environment with UiPath and CyberArk technologies - Session 1DianaGray10
 
activity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdf
activity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdf
activity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdfJamie (Taka) Wang
 
100+ ChatGPT Prompts for SEO Optimization
100+ ChatGPT Prompts for SEO Optimization100+ ChatGPT Prompts for SEO Optimization
100+ ChatGPT Prompts for SEO Optimizationarrow10202532yuvraj
 
Meet the new FSP 3000 M-Flex800™
Meet the new FSP 3000 M-Flex800™Meet the new FSP 3000 M-Flex800™
Meet the new FSP 3000 M-Flex800™Adtran
 
Salesforce Miami User Group Event - 1st Quarter 2024
Salesforce Miami User Group Event - 1st Quarter 2024Salesforce Miami User Group Event - 1st Quarter 2024
Salesforce Miami User Group Event - 1st Quarter 2024SkyPlanner
 
Cybersecurity Workshop #1.pptx
Cybersecurity Workshop #1.pptxCybersecurity Workshop #1.pptx
Cybersecurity Workshop #1.pptxGDSC PJATK
 
Artificial Intelligence & SEO Trends for 2024
Artificial Intelligence & SEO Trends for 2024Artificial Intelligence & SEO Trends for 2024
Artificial Intelligence & SEO Trends for 2024D Cloud Solutions
 
Building Your Own AI Instance (TBLC AI )
Building Your Own AI Instance (TBLC AI )Building Your Own AI Instance (TBLC AI )
Building Your Own AI Instance (TBLC AI )Brian Pichman
 
UiPath Studio Web workshop series - Day 7
UiPath Studio Web workshop series - Day 7UiPath Studio Web workshop series - Day 7
UiPath Studio Web workshop series - Day 7DianaGray10
 
Igniting Next Level Productivity with AI-Infused Data Integration Workflows
Igniting Next Level Productivity with AI-Infused Data Integration WorkflowsIgniting Next Level Productivity with AI-Infused Data Integration Workflows
Igniting Next Level Productivity with AI-Infused Data Integration WorkflowsSafe Software
 
Using IESVE for Loads, Sizing and Heat Pump Modeling to Achieve Decarbonization
Using IESVE for Loads, Sizing and Heat Pump Modeling to Achieve DecarbonizationUsing IESVE for Loads, Sizing and Heat Pump Modeling to Achieve Decarbonization
Using IESVE for Loads, Sizing and Heat Pump Modeling to Achieve DecarbonizationIES VE
 
Valere | Digital Solutions & AI Transformation Portfolio | 2024
Valere | Digital Solutions & AI Transformation Portfolio | 2024Valere | Digital Solutions & AI Transformation Portfolio | 2024
Valere | Digital Solutions & AI Transformation Portfolio | 2024Alexander Turgeon
 
Governance in SharePoint Premium:What's in the box?
Governance in SharePoint Premium:What's in the box?Governance in SharePoint Premium:What's in the box?
Governance in SharePoint Premium:What's in the box?Juan Carlos Gonzalez
 

Recently uploaded (20)

OpenShift Commons Paris - Choose Your Own Observability Adventure
OpenShift Commons Paris - Choose Your Own Observability AdventureOpenShift Commons Paris - Choose Your Own Observability Adventure
OpenShift Commons Paris - Choose Your Own Observability Adventure
 
UiPath Solutions Management Preview - Northern CA Chapter - March 22.pdf
UiPath Solutions Management Preview - Northern CA Chapter - March 22.pdfUiPath Solutions Management Preview - Northern CA Chapter - March 22.pdf
UiPath Solutions Management Preview - Northern CA Chapter - March 22.pdf
 
20230104 - machine vision
20230104 - machine vision20230104 - machine vision
20230104 - machine vision
 
Computer 10: Lesson 10 - Online Crimes and Hazards
Computer 10: Lesson 10 - Online Crimes and HazardsComputer 10: Lesson 10 - Online Crimes and Hazards
Computer 10: Lesson 10 - Online Crimes and Hazards
 
9 Steps For Building Winning Founding Team
9 Steps For Building Winning Founding Team9 Steps For Building Winning Founding Team
9 Steps For Building Winning Founding Team
 
Nanopower In Semiconductor Industry.pdf
Nanopower  In Semiconductor Industry.pdfNanopower  In Semiconductor Industry.pdf
Nanopower In Semiconductor Industry.pdf
 
VoIP Service and Marketing using Odoo and Asterisk PBX
VoIP Service and Marketing using Odoo and Asterisk PBXVoIP Service and Marketing using Odoo and Asterisk PBX
VoIP Service and Marketing using Odoo and Asterisk PBX
 
Secure your environment with UiPath and CyberArk technologies - Session 1
Secure your environment with UiPath and CyberArk technologies - Session 1Secure your environment with UiPath and CyberArk technologies - Session 1
Secure your environment with UiPath and CyberArk technologies - Session 1
 
activity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdf
activity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdf
activity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdf
 
100+ ChatGPT Prompts for SEO Optimization
100+ ChatGPT Prompts for SEO Optimization100+ ChatGPT Prompts for SEO Optimization
100+ ChatGPT Prompts for SEO Optimization
 
Meet the new FSP 3000 M-Flex800™
Meet the new FSP 3000 M-Flex800™Meet the new FSP 3000 M-Flex800™
Meet the new FSP 3000 M-Flex800™
 
Salesforce Miami User Group Event - 1st Quarter 2024
Salesforce Miami User Group Event - 1st Quarter 2024Salesforce Miami User Group Event - 1st Quarter 2024
Salesforce Miami User Group Event - 1st Quarter 2024
 
Cybersecurity Workshop #1.pptx
Cybersecurity Workshop #1.pptxCybersecurity Workshop #1.pptx
Cybersecurity Workshop #1.pptx
 
Artificial Intelligence & SEO Trends for 2024
Artificial Intelligence & SEO Trends for 2024Artificial Intelligence & SEO Trends for 2024
Artificial Intelligence & SEO Trends for 2024
 
Building Your Own AI Instance (TBLC AI )
Building Your Own AI Instance (TBLC AI )Building Your Own AI Instance (TBLC AI )
Building Your Own AI Instance (TBLC AI )
 
UiPath Studio Web workshop series - Day 7
UiPath Studio Web workshop series - Day 7UiPath Studio Web workshop series - Day 7
UiPath Studio Web workshop series - Day 7
 
Igniting Next Level Productivity with AI-Infused Data Integration Workflows
Igniting Next Level Productivity with AI-Infused Data Integration WorkflowsIgniting Next Level Productivity with AI-Infused Data Integration Workflows
Igniting Next Level Productivity with AI-Infused Data Integration Workflows
 
Using IESVE for Loads, Sizing and Heat Pump Modeling to Achieve Decarbonization
Using IESVE for Loads, Sizing and Heat Pump Modeling to Achieve DecarbonizationUsing IESVE for Loads, Sizing and Heat Pump Modeling to Achieve Decarbonization
Using IESVE for Loads, Sizing and Heat Pump Modeling to Achieve Decarbonization
 
Valere | Digital Solutions & AI Transformation Portfolio | 2024
Valere | Digital Solutions & AI Transformation Portfolio | 2024Valere | Digital Solutions & AI Transformation Portfolio | 2024
Valere | Digital Solutions & AI Transformation Portfolio | 2024
 
Governance in SharePoint Premium:What's in the box?
Governance in SharePoint Premium:What's in the box?Governance in SharePoint Premium:What's in the box?
Governance in SharePoint Premium:What's in the box?
 

Risk Factory: PCI Compliance in the Cloud

  • 1. PCI: Compliance in the Cloud
  • 2. A simple, easy to use, online, B2B procurement portal for purchasing products and services to identify, minimise and manage the security threat to business data. www.riskfactory.com
  • 3. Agenda
    – Cloud Anatomy: characteristics, delivery and deployment models; what's different in the cloud; security challenges in the cloud
    – PCI DSS: what is it; implementation challenges; cloud compliance keys
    – Cloudy QSA Advice: clients; vendors
  • 5. Both Sides Now: "Rows and flows of angel hair / And ice cream castles in the air / And feather canyons everywhere / I've looked at clouds that way" (Joni Mitchell)
  • 6. Side 1 - Consumer
  • 7. Both Sides Now: "But now they only block the sun / They rain and snow on everyone / So many things I would have done / Clouds got in my way" (Joni Mitchell)
  • 8. Side 2 - Service Providers
  • 11. What's Different in the Cloud: Security Ownership. How much of security is yours and how much is theirs shifts with the delivery model: with IaaS (Infrastructure as a Service) most of it stays with you, with PaaS (Platform as a Service) it is split, and with SaaS (Software as a Service) most of it moves to the provider.
  • 12. What's Different in the Cloud: Access Control
  • 13. What's Different in the Cloud: Vulnerability
  • 14. Most Significant: Accountability. Where is your corporate data? It could be in the "cloud" provider's datacenter in London, U.K.; São Paulo, Brazil; Geneva, Switzerland; Tokyo, Japan; or San Francisco, USA.
  • 15. Cloudy Issues: confidentiality; availability; integrity; trust (lack of transparency); trust (identity management and access control); risk management; liability; governance; compliance
  • 16. Top Threats to Cloud (the Cloud Security Alliance's seven): abuse and nefarious use; insecure interfaces and application programming interfaces (APIs); malicious insiders; shared technology vulnerabilities; data loss and leakage; account, service and traffic hijacking; unknown risk profile
  • 17. Basic Misconceptions
    – "But it's Cloud! How can you attack a Cloud?"
    – "There's security in anonymity."
    – It is "time sharing" with a new name and new technology.
    – Security requirements have to be weighed against cloud benefits.
  • 18. Cloudy Thinking: it is the same as your existing server environment, only virtualised and in someone else's data centre, running on Windows and Linux with Windows and Linux vulnerabilities.
  • 20. The Standard: the PCI DSS is a set of comprehensive requirements for securing payment data. Version 1.0 was first published in December 2004, v1.1 followed in September 2006 and v2.0 in October 2010. It is a multifaceted standard that includes requirements for security management, policies, procedures, network architecture, software design and other critical protective measures.
  • 21. Applicable to
    – all systems that process, store or transmit credit or debit cardholder data
    – all systems that connect to them
  • 22. 6 Goals, 12 Requirements
  • 25. The PCI DSS: Implementing the PCI DSS in the Cloud is like...
  • 26. The Question Then. Q: How do you implement 264 detailed control requirements across a public cloud solution? A: It depends. Examples: Salesforce (SaaS), Google App Engine (PaaS), Amazon EC2 (IaaS).
  • 28. Compliance Keys = Service Level Agreements = Compensating Controls
  • 29. SLA: Amazon Web Services™ Customer Agreement, section 7.2, Security (as quoted on the slide): "We strive to keep Your Content secure, but cannot guarantee that we will be successful at doing so, given the nature of the Internet. Accordingly, without limitation to Section 4.3 above and Section 11.5 below, you acknowledge that you bear sole responsibility for adequate security, protection and backup of Your Content and Applications. We strongly encourage you, where available and appropriate, to (a) use encryption technology to protect Your Content from unauthorized access, (b) routinely archive Your Content, and (c) keep your Applications or any software that you use or run with our Services current with the latest security patches or updates. We will have no liability to you for any unauthorized access or use, corruption, deletion, destruction or loss of any of Your Content or Applications." Source: http://aws.amazon.com/agreement/#7 (2 February 2012)
  • 30. Remember: the security ownership diagram of slide 11 again, with the three examples placed on it: Amazon EC2 is IaaS (security is mostly yours), Google App Engine is PaaS (split), Salesforce is SaaS (security is mostly theirs).
  • 31. Control Mapping: lay the cloud model, the governance model and the compliance model against each layer of the stack and find the gaps! Controls by layer:
    – Applications: SDLC, binary analysis, scanners, web application firewalls, transactional security
    – Information: DLP, CMF, database activity monitoring, encryption
    – Management: GRC, IAM, VA/VM, patch management, configuration management, monitoring
    – Network: NIDS/NIPS, firewalls, DPI, anti-DDoS, QoS, DNSSEC, OAuth
    – Trusted computing: hardware and software roots of trust and APIs
    – Host: host-based firewalls, HIDS/HIPS, storage integrity and file/log management, encryption, masking
    – Physical: physical plant security, CCTV, guards
  • 32. Where Controls Cannot Be Mapped
    – Conduct a risk assessment
    – Identify unacceptable risks
    – Implement compensating controls! They must be designed for and accepted by the business, must produce evidence that they operate, and must be accompanied by a process.
  • 33. Modelling Cloud Architecture (the Cloud Security Alliance's guidance domains)
    – Cloud Architecture
    – Governing the Cloud: Governance and Enterprise Risk Management; Legal and Electronic Discovery; Compliance and Audit; Information Lifecycle Management; Portability and Interoperability
    – Operating in the Cloud: Security, Business Continuity and Disaster Recovery; Data Center Operations; Incident Response, Notification, Remediation; Application Security; Encryption and Key Management; Identity and Access Management; Virtualization
  • 34. QSA Words of Wisdom
  • 35. QSA Client Advice: "Never trust the vendor"
  • 36. QSA Client Advice
    – Don't believe what you hear. Get out of your office. Go see it. Touch it. Taste it. Smell it. It's about due diligence.
    – Interrogate vendors, focusing on security, resiliency, recovery, confidentiality, privacy and segmentation. See if they twitch.
    – PCI compliance comes down to implementing the controls, implementing compensating controls or just accepting the risk. Go through each control with your vendor (as applicable) and determine actions.
    – If you don't see it in black and white in the vendor SLA, do not assume it's there. If you do see it, go check it.
    – Your mantra should be "How will you identify a breach?" At the end of the day, if you have a breach it will be your company's name in the paper, your company receiving the fine or your company in court, not the cloud provider.
    – Do everything you can possibly do. Then get your acquirer's buy-in.
    – Get insurance.
  • 37. QSA Vendor Advice: "Never trust the client"
  • 38. QSA Vendor Advice
    – Embrace it. Be proactive. Get out in front of it. Bring it up before they do.
    – Know your subject matter. Clients need mentors.
    – Be transparent. If you can't meet a compliance requirement, say so.
    – Never twitch.
    – Lay out liability in the SLA. Be clear. Be concise. State both what you are liable for and what you are not liable for.
    – Rephrase the question: "How will we identify a breach?"
    – Get insurance.
  • 39. "I've looked at clouds from both sides now, from up and down, and still somehow, it's clouds' illusions I recall. I really don't know clouds... at all." (Joni Mitchell)
  • 40. 26 Dover Street, London, United Kingdom, W1S 4LY. +44 (0)20 3586 1025, +44 (0)20 7763 7101 (fax)
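
The control-mapping exercise of slides 31 and 32 (map each control to a layer of the stack, decide who owns that layer under the delivery model, and find the gaps) together with the QSA rule of slide 36 (implement the control, compensate, or accept the risk; and do not assume a control exists unless the SLA states it, and check it even then) can be written down as a small decision routine. The script below is an added example, not code from the Risk Factory deck, from the PCI SSC or from any provider. Every control identifier, the layer each control is placed in, the `PROVIDER_OWNS` responsibility matrix and the `SAMPLE_SLA` claims are constructed for illustration and labelled as such in the code; a real assessment would take them from the actual PCI DSS requirement list and the actual contract.

```python
"""Added example, not part of the Risk Factory deck or of PCI DSS itself.

It codifies the "Find the gaps!" control mapping of slide 31, the
"implement / compensate / accept" choice of slides 32 and 36, and the QSA
rule "if you don't see it in the SLA, do not assume it's there; if you do
see it, go check it".  Every control ID, layer assignment, the responsibility
matrix and the provider SLA data below are constructed for illustration.
"""
from dataclasses import dataclass, field

# Stack layers from slide 31, bottom to top.  "host" is the compute/storage
# layer (hypervisor, storage), "management" the GRC/IAM/patching layer.
LAYERS = ("physical", "host", "network", "management", "information", "application")

# Which layers the provider owns per delivery model (slides 11 and 30).
# Constructed matrix: real contracts differ and must be read, not assumed.
PROVIDER_OWNS = {
    "IaaS": {"physical", "host"},
    "PaaS": {"physical", "host", "network", "management"},
    "SaaS": set(LAYERS),
}


@dataclass(frozen=True)
class Control:
    cid: str    # hypothetical identifier, not a PCI DSS requirement number
    layer: str  # one of LAYERS
    text: str


@dataclass(frozen=True)
class SlaClaim:
    cid: str
    evidence: bool  # True only if you saw it: report, test result, site visit


@dataclass(frozen=True)
class Compensating:
    cid: str
    designed: bool  # documented design, accepted by the business
    evidence: bool  # produces evidence that it operates
    process: bool   # accompanied by an operating process


@dataclass
class GapReport:
    implement: list = field(default_factory=list)   # your layer: build it yourself
    verified: list = field(default_factory=list)    # provider layer, SLA claim checked
    unverified: list = field(default_factory=list)  # provider layer, SLA claim not yet checked
    gap: list = field(default_factory=list)         # provider layer, nothing in the SLA


def assess(controls, model, sla_claims):
    """Sort each control into the bucket that decides your next action."""
    owned = PROVIDER_OWNS[model]
    claims = {c.cid: c for c in sla_claims}
    report = GapReport()
    for ctl in controls:
        if ctl.layer not in LAYERS:
            raise ValueError(f"unknown layer {ctl.layer!r} on {ctl.cid}")
        if ctl.layer not in owned:
            report.implement.append(ctl.cid)
        elif ctl.cid not in claims:
            report.gap.append(ctl.cid)
        elif claims[ctl.cid].evidence:
            report.verified.append(ctl.cid)
        else:
            report.unverified.append(ctl.cid)
    return report


def unresolved(report, compensating, accepted_risks):
    """Controls still open after compensating controls and risk acceptance.

    A compensating control only counts if it passes all three tests from
    slide 32; an unverified SLA claim is treated as a gap until checked.
    """
    comp = {c.cid: c for c in compensating}
    still_open = []
    for cid in report.gap + report.unverified:
        c = comp.get(cid)
        if c is not None and c.designed and c.evidence and c.process:
            continue
        if cid in accepted_risks:
            continue
        still_open.append(cid)
    return still_open


# Constructed sample data (hypothetical, only loosely in the spirit of PCI DSS).
SAMPLE_CONTROLS = [
    Control("C1", "physical", "restrict physical access to systems holding cardholder data"),
    Control("C2", "host", "hypervisor and storage patched and hardened"),
    Control("C3", "network", "firewall between untrusted networks and the cardholder environment"),
    Control("C4", "management", "security patches applied within one month of release"),
    Control("C5", "information", "stored PAN rendered unreadable (encryption or masking)"),
    Control("C6", "application", "secure SDLC and web application firewall for payment pages"),
]
SAMPLE_SLA = [SlaClaim("C1", evidence=True), SlaClaim("C2", evidence=False)]

if __name__ == "__main__":
    for model in ("IaaS", "PaaS", "SaaS"):
        r = assess(SAMPLE_CONTROLS, model, SAMPLE_SLA)
        print(model, "implement:", r.implement, "verified:", r.verified,
              "unverified:", r.unverified, "gap:", r.gap)
```

Running it shows the shift the slides describe: under IaaS four of the six sample controls land in "implement" and none in "gap", while under SaaS the same SLA leaves four controls in "gap", each of which must end up with a compensating control that has design, evidence and process behind it, or with a documented risk acceptance, before the acquirer is asked to sign off.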

Editor's Notes

  1. Give out cards
  2. Oldest crime on record – not prostitution First recorded case of identity theft Bible: Genesis XXX