14. Compliance vs Validation
• Compliance is a state of being, like auto insurance: you need to have it continuously
• Validation is proof of compliance; you do it annually
Friday, November 20, 2009
16. Compliance vs Security
“The Payment Card Industry (PCI) Data Security Standard (DSS) was developed to encourage and enhance cardholder data security and facilitate the broad adoption of consistent data security measures globally.”
Myth 4 - PCI Will Make Us Secure
Successful completion of a system scan or assessment for PCI is but a snapshot in time. Security exploits are non-stop and get stronger every day, which is why PCI compliance efforts must be a continuous process of assessment and remediation to ensure safety of cardholder data.
Compliant until you're compromised...
20. the “Singularity”
• “When falls the Coliseum, Rome shall fall; And when Rome falls--the World”
- Lord Byron
• If someone dies wearing a seat belt, does that make them useless?
22. Risk & Transference
• #1 Question everyone has: Liability?
• “You can outsource the work, but you
cannot outsource the responsibility”
• Cloud-sourcing does not transfer risk
24. There is No Spoon
• Can any firewall be used to segment a network?
✓No! Only a properly configured firewall
• Can any Cloud be used and achieve compliance?
✓Maybe... if considerations are made
• Think beyond technology, checklists, and compliance. Think Risk.
31. Problems: PCI DSS
• Requirement 2.2.1: when creating baseline configuration standards, “only one primary function per server”
✓Virtualization?
✓Cloud?
✓WAF in the cloud?
• Requirement 11.2 - ASV Scans
36. Problems: Service Level Agreement
• Uptime/Availability? Yes’ish
• Security? No.
• Compliance? No.
• Assurance of data integrity? No.
37. Problems: Image Sprawl
12% month-over-month growth of Amazon Machine Images (AMI) in 2008
• First rule of fight club? Find your data!
• Second rule of fight club? Find your data (no really)!
• Always “ask twice” - how it works? fails?
• Now assume everything moves
44. Problems: Audit Logging
• Goals:
✓Alert on suspicious activity? Yes
✓Facilitate a forensic investigation? Maybe
• Are the logs backed up?
• Are they accessible 12-18 months later?
✓What if the server is no longer there?
47. Problems: Forensic Issues
• During peak retail months systems are scaled up and then down
• Fraud patterns have a lead time of 12-18 months
• How do you forensically examine a ‘ghost’ server?
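The audit-logging and ‘ghost’ server points above come down to one check: does the central log store cover the full lifetime of every instance that may still be pulled into an investigation? The following is an added example, not from the deck, that runs that check over a constructed fleet inventory and log-store view (instance names, dates and the use of 18 months as the retention window are assumptions).

```python
from datetime import date, timedelta

# Constructed sample inventory (not from the deck): instance -> (launched, terminated or None).
# web-017/web-018 were added for the holiday peak and scaled down afterwards.
FLEET = {
    "web-001": (date(2009, 1, 10), None),
    "web-017": (date(2008, 11, 20), date(2008, 12, 28)),
    "web-018": (date(2008, 11, 20), date(2008, 12, 28)),
}

# Constructed view of the central (off-host) log store: instance -> (first, last) record date.
# web-017 stopped shipping a day before it was terminated; web-018 only ever logged locally.
CENTRAL_LOGS = {
    "web-001": (date(2009, 1, 10), date(2009, 11, 20)),
    "web-017": (date(2008, 11, 20), date(2008, 12, 27)),
}

# The deck's 12-18 month fraud lead time; the upper bound is taken as the retention window.
FRAUD_LEAD_TIME = timedelta(days=18 * 30)


def ghost_servers(fleet, as_of):
    """Instances that no longer exist but are still inside the window in which fraud
    tied to them may surface, i.e. servers an investigator may have to examine."""
    return sorted(
        inst for inst, (_, terminated) in fleet.items()
        if terminated is not None and as_of - terminated <= FRAUD_LEAD_TIME
    )


def coverage_gaps(fleet, logs, as_of):
    """Check that the central store holds logs for the whole lifetime of every instance
    that is live or still inside the fraud window. Returns {instance: reason}."""
    gaps = {}
    for inst, (launched, terminated) in fleet.items():
        if terminated is not None and as_of - terminated > FRAUD_LEAD_TIME:
            continue  # outside the window: a gap here is no longer a forensic problem
        end = terminated or as_of
        if inst not in logs:
            gaps[inst] = "no central logs"
            continue
        first, last = logs[inst]
        if first > launched or last < end:
            gaps[inst] = f"partial: central store has {first}..{last}, lifetime {launched}..{end}"
    return gaps


if __name__ == "__main__":
    today = date(2009, 11, 20)
    print("ghost servers:", ghost_servers(FLEET, today))
    for inst, reason in coverage_gaps(FLEET, CENTRAL_LOGS, today).items():
        print(f"{inst}: {reason}")
```

Run against a real inventory, the two functions give the list of servers that can only be examined through the central store and the ones for which that store is incomplete.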
48. Problems: Third-Party Access
Who has remote admin on my server?
• People you give data to
• People you give access to data
• People who have access to your data
Maintain a written agreement that includes an acknowledgement that the service providers are responsible for the security of cardholder data the service providers possess.
... monitor service providers' PCI DSS compliance status.
50. Problems: Data Destruction
• Where do the following go?
✓Failed hard drive
✓Deleted VM
Who owns the data? You or your cloud?
51. Problems: Backup?
• Who is backing up?
• How is it backed up?
• Where do the backups go?
✓Offsite to a third-party? New scope/contract
52. Conclusion
• Cloud Compliance is possible but not probable... until the services evolve
• Cloud gives you scalability, but not security... unless you bake it in
53. Thank You
• Questions?
• Contact Mike Dahn?