#PCICloud

What You Need To Know About The New PCI Cloud Guidelines

Dave Shackleford, CTO, IANS
Chris Brenton, Director of Security, CloudPassage, Inc.
Session Agenda
 •  Can PCI DSS compliance be achieved in public cloud?
 •  Scope and responsibility example
 •  Checklist for PCI DSS compliance
 •  Suggestions for limiting PCI scope
 •  Breakdown of the shared responsibility model
 •  Securing and assessing data in a CSP environment
 •  Incident Response
 •  Questions
Helpful PCI Cloud Guidance?
 PCI DSS = 75 pages of compliance goodness

 PCI Cloud SIG Guidance = 52 pages describing how to apply those 75 pages to:
           •  Public cloud
           •  Private cloud
           •  Hybrid cloud
           •  IaaS
           •  PaaS
           •  SaaS
           •  Nested providers
           •  and more!
First, take a deep breath…
The Big Question
•  Can PCI DSS compliance be achieved in public cloud?
   –  Yes, and folks are doing it
•  The easy way
   –  Work with a PCI DSS certified CSP
   –  Perform a gap analysis against the CSP's “PCI scope and responsibility” documentation
        •  Their scope should include any nested providers
   –  Make sure you fill in all the gaps :-)
•  The hard way
   –  Work with a CSP that has not achieved PCI compliance
   –  Your auditor must scope and review their environment
   –  You essentially must certify the CSP while footing the bill
Study Figure 3
Scope & Responsibility Example - CSP

PCI #: 9.1
PCI DSS Requirement: Use appropriate facility entry controls to limit and monitor physical access to systems in the cardholder data environment.
Testing Procedure: Verify the existence of physical security controls for each computer room, data center, and other physical areas with systems in the cardholder data environment.
Customer Responsibility: FUBAR Cloud Services maintains the physical security for all in-scope services.
Scope & Responsibility Example - Client

PCI #: 1.3.1
PCI DSS Requirement: Implement a DMZ to limit inbound traffic to only system components that provide authorized publicly accessible services, protocols and ports.
Testing Procedure: Verify that a DMZ is implemented to limit inbound traffic to only system components that provide authorized publicly accessible services, protocols and ports.
Customer Responsibility: FUBAR customers are responsible for implementing perimeter firewalls through the FUBAR GUI interface for their in-scope services. FUBAR customers are responsible for developing appropriate firewall rules for their DMZ and internal network.
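Requirement 1.3.1 above is what the customer owns in this split, so a practical way to check one's own work is to audit the inbound ruleset against the list of authorized public services. The script below is an added example, not code from the deck, CloudPassage or any CSP; the component names, the RFC 1918 "internal" ranges, the authorized service list and the sample rules are all constructed for illustration.

```python
"""Audit inbound firewall rules against the PCI DSS 1.3.1 expectation: traffic
from the public Internet may reach only the components, protocols and ports
that are authorized to provide publicly accessible services.
Added example; all networks, components and rules are constructed."""
from dataclasses import dataclass
import ipaddress

# Assumption for the example: only RFC 1918 space counts as internal.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Authorized publicly accessible services: component -> {(protocol, port)}.
# Constructed here; in practice this list comes out of the scoping exercise.
AUTHORIZED_PUBLIC = {
    "web-tier": {("tcp", 443), ("tcp", 80)},
}


@dataclass(frozen=True)
class Rule:
    name: str
    source: str      # CIDR the rule matches on
    dest: str        # in-scope component the rule protects
    protocol: str    # "tcp", "udp" or "any"
    port: int        # 0 means any port
    action: str      # "allow" or "deny"


def is_public_source(cidr: str) -> bool:
    """A source is public unless it sits entirely inside an internal range."""
    net = ipaddress.ip_network(cidr, strict=False)
    return not any(net.subnet_of(internal) for internal in INTERNAL_NETS)


def audit_inbound(rules, authorized=AUTHORIZED_PUBLIC):
    """Return (rule name, reason) for every allow rule that exposes more than
    the authorized public services. Deny rules and internal sources are fine."""
    findings = []
    for rule in rules:
        if rule.action != "allow" or not is_public_source(rule.source):
            continue
        allowed = authorized.get(rule.dest)
        if allowed is None:
            findings.append((rule.name,
                             f"{rule.dest} is not authorized for public access"))
        elif rule.protocol == "any" or rule.port == 0:
            findings.append((rule.name,
                             "rule is not limited to a specific service, protocol and port"))
        elif (rule.protocol, rule.port) not in allowed:
            findings.append((rule.name,
                             f"{rule.protocol}/{rule.port} on {rule.dest} is not an authorized public service"))
    return findings


# Constructed sample ruleset: two clean rules, three problems, one internal
# rule that is fine, and a default deny that the audit correctly ignores.
SAMPLE_RULES = [
    Rule("web-https", "0.0.0.0/0", "web-tier", "tcp", 443, "allow"),
    Rule("web-http-redirect", "0.0.0.0/0", "web-tier", "tcp", 80, "allow"),
    Rule("ssh-from-anywhere", "0.0.0.0/0", "web-tier", "tcp", 22, "allow"),
    Rule("db-from-partner", "203.0.113.0/24", "db-tier", "tcp", 5432, "allow"),
    Rule("db-from-app-subnet", "10.0.2.0/24", "db-tier", "tcp", 5432, "allow"),
    Rule("app-catch-all", "0.0.0.0/0", "app-tier", "any", 0, "allow"),
    Rule("default-deny", "0.0.0.0/0", "web-tier", "any", 0, "deny"),
]

if __name__ == "__main__":
    for name, reason in audit_inbound(SAMPLE_RULES):
        print(f"{name}: {reason}")
```

Run against the sample ruleset the audit flags three rules: SSH open to the world on the web tier, a database port reachable from a non-internal partner range, and a catch-all into the app tier. The check is deliberately conservative: any allow rule with a non-internal source must name one authorized (protocol, port) pair on an authorized component.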
A Basic Checklist
✓  Understand the flow of credit card info
   –  What processes/services handle it?
   –  What communications exchange it?
   –  What drives/partitions store it?
✓  Understand which SaaS services will have admin control
   –  They can be in scope if they control servers handling credit card info
✓  Flow diagrams are your friend; leverage them
✓  Delineate the portions that are internal vs. external
✓  For internal portions, you need to address all 12 PCI requirements
✓  For external portions
   –  Understand the CSP's scope and responsibility documentation
   –  Fill in the gaps as required
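The checklist is a procedure that can be run mechanically once the flow diagram exists as data: everything that stores, processes or transmits cardholder data is in scope, a service with admin control over an in-scope server is pulled in as well, and the result is split into the internal portion (all 12 requirements apply) and the external portion (check the CSP's responsibility documentation). The script below is an added example, not from the deck or CloudPassage; the components, owners and flows are constructed, and the scope rule it encodes is the checklist's, not a substitute for a QSA's judgement.

```python
"""First-cut PCI scope from a data-flow inventory, following the checklist:
CHD handlers and both ends of any CHD flow are in scope, admin control over an
in-scope system pulls the controller in, and the result is split by owner.
Added example; components and flows below are constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Component:
    name: str
    owner: str          # "client" (internal portion) or "csp" (external portion)
    handles_chd: bool   # stores or processes cardholder data itself


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    kind: str   # "chd" (carries cardholder data), "admin" (src controls dst), "other"


def compute_scope(components, flows):
    """Return {"internal": [...], "external": [...], "out_of_scope": [...]}."""
    by_name = {c.name: c for c in components}
    referenced = {f.src for f in flows} | {f.dst for f in flows}
    unknown = referenced - by_name.keys()
    if unknown:
        # A flow to something not in the inventory means the inventory is
        # incomplete; refuse rather than silently scope around the gap.
        raise ValueError(f"flows reference unknown components: {sorted(unknown)}")

    in_scope = {c.name for c in components if c.handles_chd}
    # A link that transmits CHD puts both endpoints in scope.
    for f in flows:
        if f.kind == "chd":
            in_scope.update((f.src, f.dst))
    # Admin control over an in-scope system pulls the controller in. Iterate to
    # a fixpoint because controllers can chain (an SSO service that controls the
    # config-management service that controls the app tier).
    changed = True
    while changed:
        changed = False
        for f in flows:
            if f.kind == "admin" and f.dst in in_scope and f.src not in in_scope:
                in_scope.add(f.src)
                changed = True

    return {
        "internal": sorted(n for n in in_scope if by_name[n].owner == "client"),
        "external": sorted(n for n in in_scope if by_name[n].owner == "csp"),
        "out_of_scope": sorted(n for n in by_name if n not in in_scope),
    }


# Constructed inventory: a three-tier card-handling app, a marketing site that
# never sees CHD, and several SaaS services with different relationships to it.
SAMPLE_COMPONENTS = [
    Component("web-tier", "client", True),
    Component("app-tier", "client", True),
    Component("db-tier", "client", True),
    Component("marketing-site", "client", False),
    Component("payment-gateway", "csp", True),
    Component("config-mgmt-saas", "csp", False),
    Component("sso-saas", "csp", False),
    Component("logging-saas", "csp", False),
    Component("metrics-saas", "csp", False),
]

SAMPLE_FLOWS = [
    Flow("web-tier", "app-tier", "chd"),
    Flow("app-tier", "db-tier", "chd"),
    Flow("app-tier", "payment-gateway", "chd"),
    Flow("app-tier", "logging-saas", "other"),       # logs scrubbed of CHD
    Flow("web-tier", "metrics-saas", "other"),
    Flow("marketing-site", "metrics-saas", "other"),
    Flow("sso-saas", "config-mgmt-saas", "admin"),    # listed first on purpose:
    Flow("config-mgmt-saas", "app-tier", "admin"),    # only the fixpoint loop catches sso-saas
]

if __name__ == "__main__":
    for portion, names in compute_scope(SAMPLE_COMPONENTS, SAMPLE_FLOWS).items():
        print(f"{portion}: {', '.join(names)}")
```

The interesting outputs are the external portion and the out-of-scope list: the payment gateway, the configuration-management SaaS and, through it, the SSO service all land in the CSP-owned scope even though only the gateway touches card data, while the logging and metrics services stay out only because their flows were recorded as carrying no CHD. That second point is exactly why the checklist starts with knowing what every communication actually exchanges.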
Section 6.5
•    Does not directly address PCI requirements
•    Has lots of good info on how/why cloud is an evolving tech
•    Caveats for legacy security tools
•    Example: Introspection
     –    Expands the functionality of the hypervisor
     –    Provides visibility of VM memory, disk & network via API
     –    In private virtualization, leveraged for implementing security
     –    Problematic in public cloud
           •  Expands the attack surface of the hypervisor
           •  Leaves no forensic trail on the VM itself
           •  Can be a serious issue in public IaaS
               –  Provider manages hypervisor
               –  Client manages their unique VMs
Limiting PCI Scope

The new guidance offers the following suggestions for limiting PCI scope:
  –  Don’t store, process or transmit payment card data in the cloud
  –  Implement a dedicated physical infrastructure
  –  Minimize reliance on third-party CSPs for protecting payment card data
  –  Ensure that clear-text account data is never accessible in the cloud
A Scoping Example

Who is responsible for Security?

AWS Shared Responsibility Model

“…the customer should assume responsibility and management of, but not limited to, the guest operating system…and associated application software...”

“it is possible for customers to enhance security and/or meet more stringent compliance requirements with the addition of… host based firewalls, host based intrusion detection/prevention, encryption and key management.”
   Amazon Web Services: Overview of Security Processes

Layer stack shown in the figure, top to bottom:
   Customer Responsibility: Data, App Code, App Framework, Operating System, Virtual Machine
   Provider Responsibility: Hypervisor, Compute & Storage, Shared Network, Physical Facilities
Data Security
•  Securing and assessing data in a CSP environment can be very challenging
•  The data may be in:
  –  Multiple physical locations
  –  Multiple countries
  –  Multiple data formats
•  Data security processes within a CSP environment need to be closely evaluated
Data Acquisition, Storage, Lifecycle
•  Data flows need to be developed and constructed for all client and CSP networks
•  All data “capture” points need to be identified and protected
   –  Memory and VM snapshots included, as are hypervisor access methods
•  Data lifecycle is critical to identify and clarify
   –  Data should be protected at all stages in and out of the CSP environment, and disposed of properly
Data Classification and Encryption
•  CSPs should meet data classification requirements for clients before migration to the cloud
  –  Cardholder data, credentials, and crypto keys are examples
•  All sensitive data should use data-level encryption
  –  Crypto keys should be stored separately
  –  All key custodians should be defined and listed, in both client and CSP environments
  –  Unique keys should be in place for each client
Data Decommissioning and Disposal
•  Clearly define data disposal techniques within the CSP
•  Document “Termination of Service” procedures
•  Ensure that all data is deleted permanently when agreements have been terminated, even if encrypted
Incident Response
•  Clients need to discuss data breach notification with CSPs
  –  Clients may also need to notify CSPs about data breaches in their environments, to mitigate risk to other clients
•  What constitutes a breach should be defined and agreed on before doing business
Incident Response Continued
•  Notification processes and timelines should be in SLAs
•  Discuss the potential for client data to be captured by third parties during a breach investigation
•  The PCI guidance acknowledges that incident response and detection may be almost impossible if a VM has been decommissioned or removed!
Questions?

Dave Shackleford, CTO, IANS (@IANS_Security)
Chris Brenton, Director of Security, CloudPassage (@CloudPassage)

Thank You
www.cloudpassage.com
@cloudpassage

Weitere ähnliche Inhalte

Was ist angesagt?

NCR Hosting Services
NCR Hosting ServicesNCR Hosting Services
NCR Hosting Serviceswebhostingguy
 
Automatic DDoS Attack Simulator | MazeBolt Technologies
Automatic DDoS Attack Simulator | MazeBolt TechnologiesAutomatic DDoS Attack Simulator | MazeBolt Technologies
Automatic DDoS Attack Simulator | MazeBolt TechnologiesMazeBolt Technologies
 
Juniper Enterprise Guest Access
Juniper Enterprise Guest AccessJuniper Enterprise Guest Access
Juniper Enterprise Guest AccessAltaware, Inc.
 
DDoS Defenses | DDoS Protection and Mitigation | MazeBolt
DDoS Defenses | DDoS Protection and Mitigation | MazeBoltDDoS Defenses | DDoS Protection and Mitigation | MazeBolt
DDoS Defenses | DDoS Protection and Mitigation | MazeBoltMazeBolt Technologies
 
Data Center Security Now and into the Future
Data Center Security Now and into the FutureData Center Security Now and into the Future
Data Center Security Now and into the FutureCisco Security
 
DDoS Defense for the Hosting Provider - Protection for you and your customers
DDoS Defense for the Hosting Provider - Protection for you and your customersDDoS Defense for the Hosting Provider - Protection for you and your customers
DDoS Defense for the Hosting Provider - Protection for you and your customersStephanie Weagle
 
Rationalization and Defense in Depth - Two Steps Closer to the Cloud
Rationalization and Defense in Depth - Two Steps Closer to the CloudRationalization and Defense in Depth - Two Steps Closer to the Cloud
Rationalization and Defense in Depth - Two Steps Closer to the CloudBob Rhubart
 
Defending the Data Center: Managing Users from the Edge to the Application
Defending the Data Center:  Managing Users from the Edge to the ApplicationDefending the Data Center:  Managing Users from the Edge to the Application
Defending the Data Center: Managing Users from the Edge to the ApplicationCisco Security
 
Paul hobbs @ Verzon Digital Media Services
Paul hobbs @ Verzon Digital Media ServicesPaul hobbs @ Verzon Digital Media Services
Paul hobbs @ Verzon Digital Media ServicesPaul Hobbs
 
Preventing The Next Data Breach Through Log Management
Preventing The Next Data Breach Through Log ManagementPreventing The Next Data Breach Through Log Management
Preventing The Next Data Breach Through Log ManagementNovell
 
Case Study - Currency from the Cloud: Security & Compliance for Payment Provider
Case Study - Currency from the Cloud: Security & Compliance for Payment ProviderCase Study - Currency from the Cloud: Security & Compliance for Payment Provider
Case Study - Currency from the Cloud: Security & Compliance for Payment ProviderArmor
 
Refense Security Risk Briefing July 2009
Refense   Security Risk Briefing   July 2009Refense   Security Risk Briefing   July 2009
Refense Security Risk Briefing July 2009apompliano
 
Eliminate DDoS Mitigation False Positive | DDoS Protection | Case Study
Eliminate DDoS Mitigation False Positive | DDoS Protection | Case StudyEliminate DDoS Mitigation False Positive | DDoS Protection | Case Study
Eliminate DDoS Mitigation False Positive | DDoS Protection | Case StudyMazeBolt Technologies
 
Why the Cloud can be Compliant and Secure
Why the Cloud can be Compliant and SecureWhy the Cloud can be Compliant and Secure
Why the Cloud can be Compliant and SecureInnoTech
 
Cost of DDoS Attacks | DDoS Attacks Cost | MazeBolt Technologies
Cost of DDoS Attacks | DDoS Attacks Cost | MazeBolt TechnologiesCost of DDoS Attacks | DDoS Attacks Cost | MazeBolt Technologies
Cost of DDoS Attacks | DDoS Attacks Cost | MazeBolt TechnologiesMazeBolt Technologies
 
Managed firewall service.
Managed firewall service.Managed firewall service.
Managed firewall service.Mindtree Ltd.
 
Secure on demand from cdg
Secure on demand from cdgSecure on demand from cdg
Secure on demand from cdgShekar N.
 
The Cloud Crossover
The Cloud CrossoverThe Cloud Crossover
The Cloud CrossoverArmor
 
Rightscale Webinar: PCI in Public Cloud
Rightscale Webinar: PCI in Public CloudRightscale Webinar: PCI in Public Cloud
Rightscale Webinar: PCI in Public CloudRightScale
 
Rationalization and Defense in Depth - Two Steps Closer to the Clouds
Rationalization and Defense in Depth - Two Steps Closer to the CloudsRationalization and Defense in Depth - Two Steps Closer to the Clouds
Rationalization and Defense in Depth - Two Steps Closer to the CloudsBob Rhubart
 

Was ist angesagt? (20)

NCR Hosting Services
NCR Hosting ServicesNCR Hosting Services
NCR Hosting Services
 
Automatic DDoS Attack Simulator | MazeBolt Technologies
Automatic DDoS Attack Simulator | MazeBolt TechnologiesAutomatic DDoS Attack Simulator | MazeBolt Technologies
Automatic DDoS Attack Simulator | MazeBolt Technologies
 
Juniper Enterprise Guest Access
Juniper Enterprise Guest AccessJuniper Enterprise Guest Access
Juniper Enterprise Guest Access
 
DDoS Defenses | DDoS Protection and Mitigation | MazeBolt
DDoS Defenses | DDoS Protection and Mitigation | MazeBoltDDoS Defenses | DDoS Protection and Mitigation | MazeBolt
DDoS Defenses | DDoS Protection and Mitigation | MazeBolt
 
Data Center Security Now and into the Future
Data Center Security Now and into the FutureData Center Security Now and into the Future
Data Center Security Now and into the Future
 
DDoS Defense for the Hosting Provider - Protection for you and your customers
DDoS Defense for the Hosting Provider - Protection for you and your customersDDoS Defense for the Hosting Provider - Protection for you and your customers
DDoS Defense for the Hosting Provider - Protection for you and your customers
 
Rationalization and Defense in Depth - Two Steps Closer to the Cloud
Rationalization and Defense in Depth - Two Steps Closer to the CloudRationalization and Defense in Depth - Two Steps Closer to the Cloud
Rationalization and Defense in Depth - Two Steps Closer to the Cloud
 
Defending the Data Center: Managing Users from the Edge to the Application
Defending the Data Center:  Managing Users from the Edge to the ApplicationDefending the Data Center:  Managing Users from the Edge to the Application
Defending the Data Center: Managing Users from the Edge to the Application
 
Paul hobbs @ Verzon Digital Media Services
Paul hobbs @ Verzon Digital Media ServicesPaul hobbs @ Verzon Digital Media Services
Paul hobbs @ Verzon Digital Media Services
 
Preventing The Next Data Breach Through Log Management
Preventing The Next Data Breach Through Log ManagementPreventing The Next Data Breach Through Log Management
Preventing The Next Data Breach Through Log Management
 
Case Study - Currency from the Cloud: Security & Compliance for Payment Provider
Case Study - Currency from the Cloud: Security & Compliance for Payment ProviderCase Study - Currency from the Cloud: Security & Compliance for Payment Provider
Case Study - Currency from the Cloud: Security & Compliance for Payment Provider
 
Refense Security Risk Briefing July 2009
Refense   Security Risk Briefing   July 2009Refense   Security Risk Briefing   July 2009
Refense Security Risk Briefing July 2009
 
Eliminate DDoS Mitigation False Positive | DDoS Protection | Case Study
Eliminate DDoS Mitigation False Positive | DDoS Protection | Case StudyEliminate DDoS Mitigation False Positive | DDoS Protection | Case Study
Eliminate DDoS Mitigation False Positive | DDoS Protection | Case Study
 
Why the Cloud can be Compliant and Secure
Why the Cloud can be Compliant and SecureWhy the Cloud can be Compliant and Secure
Why the Cloud can be Compliant and Secure
 
Cost of DDoS Attacks | DDoS Attacks Cost | MazeBolt Technologies
Cost of DDoS Attacks | DDoS Attacks Cost | MazeBolt TechnologiesCost of DDoS Attacks | DDoS Attacks Cost | MazeBolt Technologies
Cost of DDoS Attacks | DDoS Attacks Cost | MazeBolt Technologies
 
Managed firewall service.
Managed firewall service.Managed firewall service.
Managed firewall service.
 
Secure on demand from cdg
Secure on demand from cdgSecure on demand from cdg
Secure on demand from cdg
 
The Cloud Crossover
The Cloud CrossoverThe Cloud Crossover
The Cloud Crossover
 
Rightscale Webinar: PCI in Public Cloud
Rightscale Webinar: PCI in Public CloudRightscale Webinar: PCI in Public Cloud
Rightscale Webinar: PCI in Public Cloud
 
Rationalization and Defense in Depth - Two Steps Closer to the Clouds
Rationalization and Defense in Depth - Two Steps Closer to the CloudsRationalization and Defense in Depth - Two Steps Closer to the Clouds
Rationalization and Defense in Depth - Two Steps Closer to the Clouds
 

Ähnlich wie What You Need To Know About The New PCI Cloud Guidelines

Usage Based Metering in the Cloud (Subscribed13)
Usage Based Metering in the Cloud (Subscribed13)Usage Based Metering in the Cloud (Subscribed13)
Usage Based Metering in the Cloud (Subscribed13)Zuora, Inc.
 
PCI-DSS Compliant Cloud - Design & Architecture Best Practices
PCI-DSS Compliant Cloud - Design & Architecture Best PracticesPCI-DSS Compliant Cloud - Design & Architecture Best Practices
PCI-DSS Compliant Cloud - Design & Architecture Best PracticesHyTrust
 
security and compliance in the cloud
security and compliance in the cloudsecurity and compliance in the cloud
security and compliance in the cloudAjay Rathi
 
Transforming cloud security into an advantage
Transforming cloud security into an advantageTransforming cloud security into an advantage
Transforming cloud security into an advantageMoshe Ferber
 
Yes, you can be pci compliant using a public iaas cloud a case study by phi...
Yes, you can be pci compliant using a public iaas cloud   a case study by phi...Yes, you can be pci compliant using a public iaas cloud   a case study by phi...
Yes, you can be pci compliant using a public iaas cloud a case study by phi...Khazret Sapenov
 
Customer Case Study: Achieving PCI Compliance in AWS
Customer Case Study: Achieving PCI Compliance in AWSCustomer Case Study: Achieving PCI Compliance in AWS
Customer Case Study: Achieving PCI Compliance in AWSAmazon Web Services
 
Securing The Clouds with The Standard Best Practices-1.pdf
Securing The Clouds with The Standard Best Practices-1.pdfSecuring The Clouds with The Standard Best Practices-1.pdf
Securing The Clouds with The Standard Best Practices-1.pdfChinatu Uzuegbu
 
Data Power For Pci Webinar Aug 2012
Data Power For Pci Webinar Aug 2012Data Power For Pci Webinar Aug 2012
Data Power For Pci Webinar Aug 2012gaborvodics
 
ICRTITCS-2012 Conference Publication
ICRTITCS-2012 Conference PublicationICRTITCS-2012 Conference Publication
ICRTITCS-2012 Conference PublicationTejaswi Agarwal
 
Cloud Computing and Virtualisation
Cloud Computing and VirtualisationCloud Computing and Virtualisation
Cloud Computing and Virtualisationanupriti
 
Bright and Gray areas of Clound Computing
Bright and Gray areas of Clound ComputingBright and Gray areas of Clound Computing
Bright and Gray areas of Clound Computingpallavikhandekar212
 
PCI DSS Compliance in the Cloud
PCI DSS Compliance in the CloudPCI DSS Compliance in the Cloud
PCI DSS Compliance in the CloudControlCase
 
Trust and Cloud Computing, removing the need to trust your cloud provider
Trust and Cloud Computing, removing the need to trust your cloud providerTrust and Cloud Computing, removing the need to trust your cloud provider
Trust and Cloud Computing, removing the need to trust your cloud providerDavid Wallom
 
Ensuring PCI DSS Compliance in the Cloud
Ensuring PCI DSS Compliance in the CloudEnsuring PCI DSS Compliance in the Cloud
Ensuring PCI DSS Compliance in the CloudCognizant
 
Cyxtera - Operational Complexity: The Biggest Security Threat to Your AWS Env...
Cyxtera - Operational Complexity: The Biggest Security Threat to Your AWS Env...Cyxtera - Operational Complexity: The Biggest Security Threat to Your AWS Env...
Cyxtera - Operational Complexity: The Biggest Security Threat to Your AWS Env...Cyxtera Technologies
 

Ähnlich wie What You Need To Know About The New PCI Cloud Guidelines (20)

Usage Based Metering in the Cloud (Subscribed13)
Usage Based Metering in the Cloud (Subscribed13)Usage Based Metering in the Cloud (Subscribed13)
Usage Based Metering in the Cloud (Subscribed13)
 
PCI-DSS Compliant Cloud - Design & Architecture Best Practices
PCI-DSS Compliant Cloud - Design & Architecture Best PracticesPCI-DSS Compliant Cloud - Design & Architecture Best Practices
PCI-DSS Compliant Cloud - Design & Architecture Best Practices
 
security and compliance in the cloud
security and compliance in the cloudsecurity and compliance in the cloud
security and compliance in the cloud
 
Transforming cloud security into an advantage
Transforming cloud security into an advantageTransforming cloud security into an advantage
Transforming cloud security into an advantage
 
Yes, you can be pci compliant using a public iaas cloud a case study by phi...
Yes, you can be pci compliant using a public iaas cloud   a case study by phi...Yes, you can be pci compliant using a public iaas cloud   a case study by phi...
Yes, you can be pci compliant using a public iaas cloud a case study by phi...
 
Is it an internal affair
Is it an internal affairIs it an internal affair
Is it an internal affair
 
Customer Case Study: Achieving PCI Compliance in AWS
Customer Case Study: Achieving PCI Compliance in AWSCustomer Case Study: Achieving PCI Compliance in AWS
Customer Case Study: Achieving PCI Compliance in AWS
 
Rik Ferguson
Rik FergusonRik Ferguson
Rik Ferguson
 
Securing The Clouds with The Standard Best Practices-1.pdf
Securing The Clouds with The Standard Best Practices-1.pdfSecuring The Clouds with The Standard Best Practices-1.pdf
Securing The Clouds with The Standard Best Practices-1.pdf
 
Data Power For Pci Webinar Aug 2012
Data Power For Pci Webinar Aug 2012Data Power For Pci Webinar Aug 2012
Data Power For Pci Webinar Aug 2012
 
Cloud Security
Cloud SecurityCloud Security
Cloud Security
 
Will your cloud be compliant
Will your cloud be compliantWill your cloud be compliant
Will your cloud be compliant
 
ICRTITCS-2012 Conference Publication
ICRTITCS-2012 Conference PublicationICRTITCS-2012 Conference Publication
ICRTITCS-2012 Conference Publication
 
Cloud computing
Cloud computingCloud computing
Cloud computing
 
Cloud Computing and Virtualisation
Cloud Computing and VirtualisationCloud Computing and Virtualisation
Cloud Computing and Virtualisation
 
Bright and Gray areas of Clound Computing
Bright and Gray areas of Clound ComputingBright and Gray areas of Clound Computing
Bright and Gray areas of Clound Computing
 
PCI DSS Compliance in the Cloud
PCI DSS Compliance in the CloudPCI DSS Compliance in the Cloud
PCI DSS Compliance in the Cloud
 
Trust and Cloud Computing, removing the need to trust your cloud provider
Trust and Cloud Computing, removing the need to trust your cloud providerTrust and Cloud Computing, removing the need to trust your cloud provider
Trust and Cloud Computing, removing the need to trust your cloud provider
 
Ensuring PCI DSS Compliance in the Cloud
Ensuring PCI DSS Compliance in the CloudEnsuring PCI DSS Compliance in the Cloud
Ensuring PCI DSS Compliance in the Cloud
 
Cyxtera - Operational Complexity: The Biggest Security Threat to Your AWS Env...
Cyxtera - Operational Complexity: The Biggest Security Threat to Your AWS Env...Cyxtera - Operational Complexity: The Biggest Security Threat to Your AWS Env...
Cyxtera - Operational Complexity: The Biggest Security Threat to Your AWS Env...
 

Mehr von CloudPassage

Best Practices for Workload Security: Securing Servers in Modern Data Center ...
Best Practices for Workload Security: Securing Servers in Modern Data Center ...Best Practices for Workload Security: Securing Servers in Modern Data Center ...
Best Practices for Workload Security: Securing Servers in Modern Data Center ...CloudPassage
 
CloudPassage Careers
CloudPassage CareersCloudPassage Careers
CloudPassage CareersCloudPassage
 
Transforming the CSO Role to Business Enabler
Transforming the CSO Role to Business EnablerTransforming the CSO Role to Business Enabler
Transforming the CSO Role to Business EnablerCloudPassage
 
Rethinking Security: The Cloud Infrastructure Effect
Rethinking Security: The Cloud Infrastructure EffectRethinking Security: The Cloud Infrastructure Effect
Rethinking Security: The Cloud Infrastructure EffectCloudPassage
 
Webinar compiled powerpoint
Webinar compiled powerpointWebinar compiled powerpoint
Webinar compiled powerpointCloudPassage
 
Security and Compliance for Enterprise Cloud Infrastructure
Security and Compliance for Enterprise Cloud InfrastructureSecurity and Compliance for Enterprise Cloud Infrastructure
Security and Compliance for Enterprise Cloud InfrastructureCloudPassage
 
SecDevOps: The New Black of IT
SecDevOps: The New Black of ITSecDevOps: The New Black of IT
SecDevOps: The New Black of ITCloudPassage
 
Technologies You Need to Safely Use the Cloud
Technologies You Need to Safely Use the CloudTechnologies You Need to Safely Use the Cloud
Technologies You Need to Safely Use the CloudCloudPassage
 
Cloud Security: Make Your CISO Successful
Cloud Security: Make Your CISO SuccessfulCloud Security: Make Your CISO Successful
Cloud Security: Make Your CISO SuccessfulCloudPassage
 
Secure Cloud Development Resources with DevOps
Secure Cloud Development Resources with DevOpsSecure Cloud Development Resources with DevOps
Secure Cloud Development Resources with DevOpsCloudPassage
 
45 Minutes to PCI Compliance in the Cloud
45 Minutes to PCI Compliance in the Cloud45 Minutes to PCI Compliance in the Cloud
45 Minutes to PCI Compliance in the CloudCloudPassage
 
Comprehensive Cloud Security Requires an Automated Approach
Comprehensive Cloud Security Requires an Automated ApproachComprehensive Cloud Security Requires an Automated Approach
Comprehensive Cloud Security Requires an Automated ApproachCloudPassage
 
Security that works with, not against, your SaaS business
Security that works with, not against, your SaaS businessSecurity that works with, not against, your SaaS business
Security that works with, not against, your SaaS businessCloudPassage
 
Integrating Security into DevOps
Integrating Security into DevOpsIntegrating Security into DevOps
Integrating Security into DevOpsCloudPassage
 
What You Haven't Heard (Yet) About Cloud Security
What You Haven't Heard (Yet) About Cloud SecurityWhat You Haven't Heard (Yet) About Cloud Security
What You Haven't Heard (Yet) About Cloud SecurityCloudPassage
 
Meeting PCI DSS Requirements with AWS and CloudPassage
Meeting PCI DSS Requirements with AWS and CloudPassageMeeting PCI DSS Requirements with AWS and CloudPassage
Meeting PCI DSS Requirements with AWS and CloudPassageCloudPassage
 
Delivering Secure OpenStack IaaS for SaaS Products
Delivering Secure OpenStack IaaS for SaaS ProductsDelivering Secure OpenStack IaaS for SaaS Products
Delivering Secure OpenStack IaaS for SaaS ProductsCloudPassage
 
CloudPassage Overview
CloudPassage OverviewCloudPassage Overview
CloudPassage OverviewCloudPassage
 
Halo Installfest Slides
Halo Installfest SlidesHalo Installfest Slides
Halo Installfest SlidesCloudPassage
 

Mehr von CloudPassage (20)

Best Practices for Workload Security: Securing Servers in Modern Data Center ...
Best Practices for Workload Security: Securing Servers in Modern Data Center ...Best Practices for Workload Security: Securing Servers in Modern Data Center ...
Best Practices for Workload Security: Securing Servers in Modern Data Center ...
 
CloudPassage Careers
CloudPassage CareersCloudPassage Careers
CloudPassage Careers
 
Transforming the CSO Role to Business Enabler
Transforming the CSO Role to Business EnablerTransforming the CSO Role to Business Enabler
Transforming the CSO Role to Business Enabler
 
Rethinking Security: The Cloud Infrastructure Effect
Rethinking Security: The Cloud Infrastructure EffectRethinking Security: The Cloud Infrastructure Effect
Rethinking Security: The Cloud Infrastructure Effect
 
Webinar compiled powerpoint
Webinar compiled powerpointWebinar compiled powerpoint
Webinar compiled powerpoint
 
Security and Compliance for Enterprise Cloud Infrastructure
Security and Compliance for Enterprise Cloud InfrastructureSecurity and Compliance for Enterprise Cloud Infrastructure
Security and Compliance for Enterprise Cloud Infrastructure
 
SecDevOps: The New Black of IT
SecDevOps: The New Black of ITSecDevOps: The New Black of IT
SecDevOps: The New Black of IT
 
Technologies You Need to Safely Use the Cloud
Technologies You Need to Safely Use the CloudTechnologies You Need to Safely Use the Cloud
Technologies You Need to Safely Use the Cloud
 
Cloud Security: Make Your CISO Successful
Cloud Security: Make Your CISO SuccessfulCloud Security: Make Your CISO Successful
Cloud Security: Make Your CISO Successful
 
Secure Cloud Development Resources with DevOps
Secure Cloud Development Resources with DevOpsSecure Cloud Development Resources with DevOps
Secure Cloud Development Resources with DevOps
 
45 Minutes to PCI Compliance in the Cloud
45 Minutes to PCI Compliance in the Cloud45 Minutes to PCI Compliance in the Cloud
45 Minutes to PCI Compliance in the Cloud
 
Comprehensive Cloud Security Requires an Automated Approach
Comprehensive Cloud Security Requires an Automated ApproachComprehensive Cloud Security Requires an Automated Approach
Comprehensive Cloud Security Requires an Automated Approach
 
Security that works with, not against, your SaaS business
Security that works with, not against, your SaaS businessSecurity that works with, not against, your SaaS business
Security that works with, not against, your SaaS business
 
Integrating Security into DevOps
Integrating Security into DevOpsIntegrating Security into DevOps
Integrating Security into DevOps
 
What You Haven't Heard (Yet) About Cloud Security
What You Haven't Heard (Yet) About Cloud SecurityWhat You Haven't Heard (Yet) About Cloud Security
What You Haven't Heard (Yet) About Cloud Security
 
Meeting PCI DSS Requirements with AWS and CloudPassage
Meeting PCI DSS Requirements with AWS and CloudPassageMeeting PCI DSS Requirements with AWS and CloudPassage
Meeting PCI DSS Requirements with AWS and CloudPassage
 
Delivering Secure OpenStack IaaS for SaaS Products
Delivering Secure OpenStack IaaS for SaaS ProductsDelivering Secure OpenStack IaaS for SaaS Products
Delivering Secure OpenStack IaaS for SaaS Products
 
CloudPassage Overview
CloudPassage OverviewCloudPassage Overview
CloudPassage Overview
 
PCI and the Cloud
PCI and the CloudPCI and the Cloud
PCI and the Cloud
 
Halo Installfest Slides
Halo Installfest SlidesHalo Installfest Slides
Halo Installfest Slides
 

What You Need To Know About The New PCI Cloud Guidelines

  • 1. #PCICloud
     What You Need To Know About The New PCI Cloud Guidelines
     Dave Shackleford, CTO, IANS
     Chris Brenton, Director of Security, CloudPassage, Inc.
  • 2. Session Agenda
     •  Can PCI DSS compliance be achieved in public cloud?
     •  Scope and responsibility example
     •  Checklist for PCI DSS compliance
     •  Suggestions for limiting PCI scope
     •  Breakdown of the shared responsibility model
     •  Securing and assessing data in a CSP environment
     •  Incident Response
     •  Questions
  • 3. Helpful PCI Cloud Guidance?
     PCI DSS = 75 pages of compliance goodness
     PCI Cloud SIG Guidance = 52 pages describing how to apply those 75 pages to:
     •  Public cloud
     •  Private cloud
     •  Hybrid cloud
     •  IaaS
     •  PaaS
     •  SaaS
     •  Nested providers
     •  and more!
  • 4. First, take a deep breath…
  • 5. The Big Question
     •  Can PCI DSS compliance be achieved in public cloud?
        –  Yes, and folks are doing it
     •  The easy way
        –  Work with a PCI DSS certified CSP
        –  Perform a gap analysis against the CSP's “PCI scope and responsibility” documentation
           •  Their scope should include any nested providers
        –  Make sure you fill in all the gaps :)
     •  The hard way
        –  Work with a CSP that has not achieved PCI compliance
        –  Your auditor must scope and review their environment
        –  You essentially must certify the CSP while footing the bill
  • 7. Scope & Responsibility Example - CSP
     PCI #: 9.1
     PCI DSS Requirement: Use appropriate facility entry controls to limit and monitor physical access to systems in the cardholder data environment.
     Testing Procedure: Verify the existence of physical security controls for each computer room, data center, and other physical areas with systems in the cardholder data environment.
     Customer Responsibility: FUBAR Cloud Services maintains the physical security for all in-scope services.
  • 8. Scope & Responsibility Example - Client
     PCI #: 1.3.1
     PCI DSS Requirement: Implement a DMZ to limit inbound traffic to only system components that provide authorized publicly accessible services, protocols and ports.
     Testing Procedure: Verify that a DMZ is implemented to limit inbound traffic to only system components that provide authorized publicly accessible services, protocols and ports.
     Customer Responsibility: FUBAR customers are responsible for implementing perimeter firewalls through the FUBAR GUI interface for their in-scope services. FUBAR customers are responsible for developing appropriate firewall rules for their DMZ and internal network.
  • 9. A Basic Checklist
     ✓  Understand the flow of credit card info
        –  What processes/services handle it?
        –  What communications exchange it?
        –  What drives/partitions store it?
     ✓  Understand what SaaS services will have Admin control
        –  Can be in-scope if controlling servers handling credit card info
     ✓  Flow diagrams are your friend, leverage them
     ✓  Delineate portions that are internal vs. external
     ✓  For internal portions, you need to address all 12 PCI requirements
     ✓  For external portions
        –  Understand the CSP's scope and responsibility documentation
        –  Fill in the gaps as required
  • 10. Section 6.5
     •  Does not directly address PCI requirements
     •  Has lots of good info on how/why cloud is an evolving tech
     •  Caveats for legacy security tools
     •  Example: Introspection
        –  Expands the functionality of the hypervisor
        –  Provides visibility of VM memory, disk & network via API
        –  In private virtualization, leveraged for implementing security
        –  Problematic in public cloud
           •  Expands the attack surface of the hypervisor
           •  Leaves no forensic trail on the VM itself
           •  Can be a serious issue in public IaaS
              –  Provider manages hypervisor
              –  Client manages their unique VMs
  • 11. Limiting PCI Scope
     The new guidance offers the following suggestions for limiting PCI scope:
     –  Don’t store, process or transmit payment card data in the cloud
     –  Implement a dedicated physical infrastructure
     –  Minimize reliance on third-party CSPs for protecting payment card data
     –  Ensure that clear-text account data is never accessible in the cloud
  • 13. Who is responsible for Security?
     [Figure: AWS Shared Responsibility Model, a stack in which Customer Responsibility covers Data, App Code, App Framework, Operating System and Virtual Machine, and Provider Responsibility covers Hypervisor, Compute & Storage, Network and Physical Facilities]
     “…the customer should assume responsibility and management of, but not limited to, the guest operating system…and associated application software...”
     “it is possible for customers to enhance security and/or meet more stringent compliance requirements with the addition of… host based firewalls, host based intrusion detection/prevention, encryption and key management.”
     Source: Amazon Web Services: Overview of Security Processes
  • 14. Data Security
     •  Securing and assessing data in a CSP environment can be very challenging
     •  The data may be in:
        –  Multiple physical locations
        –  Multiple countries
        –  Multiple data formats
     •  Data security processes within a CSP environment need to be closely evaluated
  • 15. Data Acquisition, Storage, Lifecycle
     •  Data flows need to be developed and constructed for all client and CSP networks
     •  All data “capture” points need to be identified and protected
        –  Memory and VM snapshots included, as are hypervisor access methods
     •  Data lifecycle is critical to identify and clarify
        –  Data should be protected at all stages in and out of the CSP environment, and disposed of properly
  • 16. Data Classification and Encryption
     •  CSPs should meet data classification requirements for clients before migration to the cloud
        –  Cardholder data, credentials, and crypto keys are examples
     •  All sensitive data should use data-level encryption
        –  Crypto keys should be stored separately
        –  All key custodians should be defined and listed, in both client and CSP environments
        –  Unique keys should be in place for each client
  • 17. Data Decommissioning and Disposal
     •  Clearly define data disposal techniques within the CSP
     •  Document “Termination of Service” procedures
     •  Ensure that all data is deleted permanently when agreements have been terminated, even if encrypted
  • 18. Incident Response
     •  Clients need to discuss data breach notification with CSPs
        –  Clients may also need to notify CSPs about data breaches in their environments, to mitigate risk to other clients
     •  What constitutes a breach should be defined and agreed on before doing business
  • 19. Incident Response Continued
     •  Notification processes and timelines should be in SLAs
     •  Discuss the potential for client data to be captured by 3rd parties during a breach investigation
     •  The PCI guidance acknowledges that incident response and detection may be almost impossible if a VM has been decommissioned or removed!
  • 20. Questions?
     Dave Shackleford, CTO, IANS, @IANS_Security
     Chris Brenton, Director of Security, CloudPassage, @CloudPassage
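The first item of the checklist on slide 9 asks where card data is handled, exchanged and stored, which in practice means searching logs, configuration, queues and exports for primary account numbers before drawing the scope boundary. The Go program below is an added example, not part of the original deck and not CloudPassage or IANS code: it walks a set of constructed sample artifacts (the file names and contents are assumptions; the card numbers are the publicly published test numbers, not real accounts), matches runs of 13 to 19 digits with optional separators, keeps only candidates that pass the Luhn check so order ids and timestamps are not reported, and prints each in-scope artifact with the PANs masked to their last four digits so the findings report does not itself become a new store of cardholder data.

```go
package main

import (
	"fmt"
	"regexp"
	"sort"
	"strings"
)

// Constructed sample artifacts standing in for the logs, config files and
// message payloads a scoping exercise would inspect. The card numbers are
// the published test numbers used for sandbox testing, not real accounts.
var sampleArtifacts = map[string]string{
	"app/logs/checkout.log":   "2013-02-01 10:02:11 order=8812 pan=4111111111111111 status=approved",
	"app/config/settings.ini": "db_host=10.0.1.5\nport=5432\n",
	"queue/payments.json":     `{"card":"5500-0000-0000-0004","exp":"12/14"}`,
	"data/export.csv":         "id,ref\n1,1234567890123456\n", // 16 digits, but fails Luhn
}

// candidate matches runs of 13 to 19 digits, optionally separated by
// spaces or dashes, which are the lengths payment card numbers use.
var candidate = regexp.MustCompile(`\b(?:\d[ -]?){12,18}\d\b`)

// LuhnValid reports whether a digit string passes the Luhn check that
// every payment card number satisfies; it weeds out ids and timestamps.
func LuhnValid(digits string) bool {
	sum := 0
	double := false
	for i := len(digits) - 1; i >= 0; i-- {
		d := int(digits[i] - '0')
		if d < 0 || d > 9 {
			return false
		}
		if double {
			d *= 2
			if d > 9 {
				d -= 9
			}
		}
		sum += d
		double = !double
	}
	return sum%10 == 0
}

// Mask keeps only the last four digits so the findings report does not
// itself become a new store of cardholder data.
func Mask(pan string) string {
	if len(pan) <= 4 {
		return pan
	}
	return strings.Repeat("*", len(pan)-4) + pan[len(pan)-4:]
}

// ScanForPAN returns, for each artifact that holds cardholder data, the
// masked PANs found in it. Artifacts with no PAN are absent from the map.
func ScanForPAN(artifacts map[string]string) map[string][]string {
	found := make(map[string][]string)
	strip := strings.NewReplacer(" ", "", "-", "")
	for name, content := range artifacts {
		for _, m := range candidate.FindAllString(content, -1) {
			digits := strip.Replace(m)
			if len(digits) < 13 || len(digits) > 19 || !LuhnValid(digits) {
				continue // a long number, but not a card number
			}
			found[name] = append(found[name], Mask(digits))
		}
	}
	return found
}

func main() {
	hits := ScanForPAN(sampleArtifacts)
	names := make([]string, 0, len(hits))
	for n := range hits {
		names = append(names, n)
	}
	sort.Strings(names)
	for _, n := range names {
		fmt.Printf("%-26s in scope, contains %v\n", n, hits[n])
	}
}
```

Run against real artifacts the same logic reads files, packet captures or database dumps instead of the inline map; the two outputs that matter for scoping are the list of locations that hold PANs (these, and whatever processes them, are in scope) and the absence of plaintext PANs anywhere the CSP's documentation says the customer is responsible for.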
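Slide 16 asks for data-level encryption with crypto keys stored separately and a unique key per client, and slide 17 for permanent deletion at termination of service even when the data is encrypted. The Go program below is an added example, not code from the deck, from CloudPassage, from IANS or from any provider, showing one way the two fit together: a key store standing in for a KMS or HSM holds one key-encryption key per client and only ever wraps and unwraps per-record data-encryption keys, the data store persists nothing but ciphertext and the wrapped key, and termination deletes the client's records and destroys its key so that retained copies of ciphertext are unreadable too. Every type, function name, client id and record value here is an assumption made for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err) // no CSPRNG: refuse to continue with weak keys
	}
	return b
}

// gcm builds AES-256-GCM; keys here always come from randomBytes(32), so a failure is a bug.
func gcm(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	aead, _ := cipher.NewGCM(block) // cannot fail for an AES block
	return aead
}

// seal/unseal prefix the nonce to the ciphertext; aad is authenticated, not encrypted, and ties a blob to its owner.
func seal(key, plaintext, aad []byte) []byte {
	aead := gcm(key)
	nonce := randomBytes(aead.NonceSize())
	return append(nonce, aead.Seal(nil, nonce, plaintext, aad)...)
}
func unseal(key, blob, aad []byte) ([]byte, error) {
	aead := gcm(key)
	if ns := aead.NonceSize(); len(blob) >= ns {
		return aead.Open(nil, blob[:ns], blob[ns:], aad)
	}
	return nil, errors.New("malformed ciphertext")
}

// KeyStore stands in for a key-management system run separately from the data store (an HSM or
// KMS in practice): one key-encryption key (KEK) per client, never released, used only to wrap and
// unwrap per-record data-encryption keys (DEKs). Wrap/Unwrap bind the client id as AAD and fail closed.
type KeyStore struct{ keks map[string][]byte }

func NewKeyStore() *KeyStore                 { return &KeyStore{keks: map[string][]byte{}} }
func (ks *KeyStore) Provision(client string) { ks.keks[client] = randomBytes(32) } // unique KEK per client
func (ks *KeyStore) Destroy(client string)   { delete(ks.keks, client) }          // orphans every DEK wrapped under it
func (ks *KeyStore) Wrap(client string, dek []byte) ([]byte, error) {
	if kek, ok := ks.keks[client]; ok {
		return seal(kek, dek, []byte(client)), nil
	}
	return nil, errors.New("no KEK for client " + client)
}
func (ks *KeyStore) Unwrap(client string, wrapped []byte) ([]byte, error) {
	if kek, ok := ks.keks[client]; ok {
		return unseal(kek, wrapped, []byte(client))
	}
	return nil, errors.New("no KEK for client " + client)
}

// Envelope is all a data store persists: ciphertext plus the wrapped DEK; no key in clear sits beside the data.
type Envelope struct {
	Client           string
	Blob, WrappedDEK []byte // nonce||ciphertext, and the DEK as wrapped by the KeyStore
}

// Encrypt protects one record under a fresh DEK, wrapped for its client.
func Encrypt(ks *KeyStore, client, id string, plaintext []byte) (Envelope, error) {
	dek := randomBytes(32)
	wrapped, err := ks.Wrap(client, dek)
	if err != nil {
		return Envelope{}, err
	}
	return Envelope{client, seal(dek, plaintext, []byte(client+"/"+id)), wrapped}, nil
}

// Decrypt serves the requesting client only: another client's KEK cannot unwrap the DEK, so a cross-client read fails.
func Decrypt(ks *KeyStore, client, id string, env Envelope) ([]byte, error) {
	dek, err := ks.Unwrap(client, env.WrappedDEK)
	if err != nil {
		return nil, err
	}
	return unseal(dek, env.Blob, []byte(env.Client+"/"+id))
}

// Terminate is the termination-of-service step: delete the client's records and destroy its KEK.
func Terminate(ks *KeyStore, records map[string]Envelope, client string) (removed int) {
	for id, env := range records {
		if env.Client == client {
			delete(records, id)
			removed++
		}
	}
	ks.Destroy(client)
	return removed
}

func main() {
	ks, records := NewKeyStore(), map[string]Envelope{}
	ks.Provision("merchant-a")
	records["txn-1"], _ = Encrypt(ks, "merchant-a", "txn-1", []byte("constructed cardholder record"))
	pt, err := Decrypt(ks, "merchant-a", "txn-1", records["txn-1"])
	fmt.Println(string(pt), err, Terminate(ks, records, "merchant-a"))
}
```

The design choice worth noting is the split in custody: the data store (and any backup or snapshot of it) carries only ciphertext and wrapped keys, the key store never hands out a KEK, and the client id is authenticated into every wrapped key, so a record copied between tenants or a snapshot captured by the provider cannot be opened with another client's key. Deleting the ciphertext and destroying the KEK at termination are done together because slide 17 requires the data to be gone even if encrypted; key destruction alone covers copies the deletion cannot reach.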

Editor's notes

  1. This is an image but there’s a typo (Customer) and text is cut off in column 2
  2. Again text cut off