Prerequisites
Know how to spell P-C-I D-S-S
Have heard about The Cloud
Possess basic information security knowledge, IT management

PCI DSS reminder
Cloud basics
Where cloud interacts with PCI DSS
Key cloud PCI controls
Core PCI DSS + cloud scenarios
Conclusions and action items
2011 Cloud Security Alliance, Inc. All rights reserved.
How to benefit?
If you are a merchant
Learn how to stay compliant in the cloud, what to ask of CSPs, what to show to QSAs
Cloud?
PCI DSS?
Together?
DISCUSSION!
1. Install and maintain a firewall configuration to protect data
2. Do not use vendor-supplied defaults for system passwords and other security parameters
3. Protect stored data
4. Encrypt transmission of cardholder data and sensitive information across public networks
5. Use and regularly update anti-virus software
6. Develop and maintain secure systems and applications
7. Restrict access to data by business need-to-know
8. Assign a unique ID to each person with computer access
9. Restrict physical access to cardholder data
10. Track and monitor all access to network resources and cardholder data
11. Regularly test security systems and processes
12. Maintain a policy that addresses information security
*YOU* LOSE IT
*ANOTHER* SUFFERS!
Key Concept//
Scoping
Sidenote//
Key Concept//
Compliance vs Validation
Q: What to do after your QSA leaves? A: PCI DSS compliance does NOT end when a QSA leaves or SAQ is submitted.
Use what you built for PCI to reduce risk
Own PCI DSS; make it the basis for your policies
Key Concept//
Stay Compliant
Ongoing compliance with PCI DSS tasks:

TASK | FREQUENCY
Risk assessment, security awareness, key changes, review of off-site backups, QSA assessment, etc | Annual
ASV and internal scans, wireless scans | Quarterly
File integrity checking | Weekly
Log and alert review, other operational procedures | Daily
Failing That
Classic example from my PCI book, co-author Branden Williams
To be considered cloud, a service (SaaS, PaaS or IaaS) must be deployed on top of cloud infrastructure that has the essential characteristics
Community cloud
Shared infrastructure for specific community
Hybrid cloud
Composition of two or more clouds
Resource Pooling
Measured Service

Common Characteristics
Massive Scale
Homogeneity
Virtualization
Resilient Computing
Low Cost Software
Geographic Distribution
Service Orientation
Advanced Security
Example IaaS//
Amazon Cloud
Amazon cloud components
Elastic Compute Cloud (EC2)
Run your own or Amazon's OS instances
Example PaaS//
Example SaaS//
Salesforce
Well-known SaaS CRM application
Cloud CRM + a lot more applications
Example P/IaaS //
47 47
Azure
Security?
Who secures which layer, by service model:

Layer | SaaS | PaaS | IaaS
Network | Provider | Provider | Joint
Physical | Provider | Provider | Provider
Discussion
What do YOU think are actual, relevant, TRUE threats to cloud computing?
Control Requirements
Provider Assertions
CSA CloudAudit
Open standard and API to automate provider audit assertions
Change audit from data gathering to data analysis
Necessary to provide audit & assurance at the scale demanded by cloud providers
Uses the Cloud Controls Matrix as the controls namespace
Use it to instrument the cloud for continuous controls monitoring
Next?
Requirement 9//
Amazon Example
Q: Do QSAs for Level 1 merchants require a physical walkthrough of a service provider's data center? A: No. A merchant can obtain certification without a physical walkthrough of a service provider's data center if the service provider is a Level 1 validated service provider (such as AWS). A merchant's QSA can rely on the work performed by our QSA, which included an extensive review of the physical security of our data centers.
June 2011//
And now
a brainteaser
Requirement 11.3//
Pentesting
11.3 Perform external and internal penetration testing at least once a year and after any significant infrastructure or application upgrade or modification
11.3.1 Network-layer penetration tests
Audience Poll
Q: How should we address it?
A: Only pentest applications, with narrow rules
B: Go full blast and own the provider's datacenter
C: Trust that they do it
D: Hide under our desks and squeal
Detailed Example//
Amazon PCI
Happy now?
Say What.
Q: What does this mean to me as a PCI merchant or service provider? A: Our PCI Service Provider status means that customers who use our services to store, process or transmit cardholder data can rely on our PCI compliance validation for the technology infrastructure as they manage their own compliance and certification, including PCI audits and responses to incidents. Our service provider compliance covers all requirements as defined by PCI DSS for physical infrastructure service providers. Moving the entire cardholder environment to AWS can simplify your own PCI compliance by relying on our validated service provider status.
Example//
Example//
Amazon Guidance
Sidenote//
Scenarios Introduction
In scope for discussion:
Public IaaS, PaaS, SaaS
Chained or multiple CSPs
NOT in scope:
Traditional hosting providers
Outsourced data center or call center
Private cloud and virtualization on-prem
Virtual private cloud (sort of)
Key Goal
DO build a framework for assessing/complying, based on the scenarios
DO NOT memorize the scenarios; yours might be different, or be a combination of these
Scenario 1//
Clean Cloud
Merchant ecommerce or stores
Use public cloud (SaaS, PaaS, IaaS)
Cloud environment segmented from the CDE
NO PANs in any cloud environment (or so they think)
Description
Sells books online
Level 1 merchant
Uses cloud provider(s) for testing, training, etc
Cloud provider NOT PCI-OK
NO payment data stored in the cloud
NO payment data processed in the cloud
NO payment data passed through the cloud
Scenario 1//
Visual
Audience Poll
Q: Can they be PCI DSS compliant?
A: Yes
B: No
C: Cannot tell
How to Assess?
Key: Are they right?
How to Scope?
On-prem: as usual
Cloud environment:
IaaS: run a discovery tool
Example: DLP tool, open source data discovery, dedicated PAN discovery tool, custom script to look for unencrypted PANs
Q: What about encrypted PANs?
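What the "custom script to look for unencrypted PANs" step amounts to in practice, as an added example written for this page (it is not a tool from the presentation, from CSA, or from any discovery product named above): candidate digit runs are pulled out of text artefacts, checked with the Luhn algorithm, filtered by a simplified issuer-prefix table (my assumption; real tools carry a far larger BIN list), and reported masked so the scan report itself does not become cardholder data. The sample files are constructed for the example and mirror the rogue-PAN locations the deck lists later (finance export, legacy application text dump, HR document). The encrypted blob answers the "what about encrypted PANs?" question the hard way: discovery cannot see them, which is exactly why key location, not the scan, decides their scope.

```python
"""Rogue-PAN discovery over text artefacts pulled from cloud systems.

Added example for the Scenario 1 scoping step ("custom script to look for
unencrypted PANs"); not a tool from the presentation or from CSA.
Assumptions: a PAN is 13-19 digits, possibly split by single spaces or
dashes, passes the Luhn check, and starts with a prefix from a simplified
four-brand table (assumed here). Findings are returned masked (first six /
last four). The sample "files" below are constructed for the example.
"""
import re
from typing import Dict, List, Optional, Tuple

# 13-19 digits, optional single space/dash between digits, not part of a
# longer digit run. Runs of 20+ digits with separators can still match their
# first 19 digits; Luhn plus the brand check weed most of those out.
CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check: double every second digit from the right."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def brand_of(digits: str) -> Optional[str]:
    """Simplified issuer prefix/length table (assumption, not exhaustive)."""
    n = len(digits)
    if digits[0] == "4" and n in (13, 16, 19):
        return "visa"
    if n == 16 and (51 <= int(digits[:2]) <= 55 or 2221 <= int(digits[:4]) <= 2720):
        return "mastercard"
    if n == 15 and digits[:2] in ("34", "37"):
        return "amex"
    if n == 16 and (digits.startswith("6011") or digits.startswith("65")):
        return "discover"
    return None


def mask(digits: str) -> str:
    """Keep only first six / last four, the most PCI DSS lets you display."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


Finding = Tuple[str, int, str, str]  # (source, line number, masked PAN, brand)


def scan_text(source: str, text: str) -> List[Finding]:
    findings: List[Finding] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in CANDIDATE.finditer(line):
            digits = re.sub(r"[ -]", "", m.group(0))
            if not luhn_ok(digits):
                continue                      # checksum noise, e.g. order numbers
            brand = brand_of(digits)
            if brand is None:
                continue                      # right length, wrong prefix
            findings.append((source, lineno, mask(digits), brand))
    return findings


def scan_files(files: Dict[str, str]) -> List[Finding]:
    """Scan an in-memory {path: content} map; swap in os.walk + open() for real use."""
    out: List[Finding] = []
    for path, content in files.items():
        out.extend(scan_text(path, content))
    return out


# Constructed sample artefacts: finance export, legacy app text dump, HR
# document, an encrypted blob, and a 16-digit false positive.
SAMPLE_FILES = {
    "exports/refunds_2011Q2.csv": "\n".join([
        "date,card,amount,status",
        "2011-06-01,4111111111111111,12.50,ok",             # Visa test number
        "2011-06-02,5555 5555 5555 4444,40.00,chargeback",  # MasterCard test number, spaced
    ]),
    "logs/legacy_pos_debug.txt": "\n".join([
        "DEBUG auth req card=378282246310005 exp=0613 cvv=***",  # Amex test number
        "INFO order 1234567890123456 shipped",                    # 16 digits, fails Luhn
    ]),
    "hr/expense_claims.txt": "corporate card 6011-1111-1111-1117 reimbursed",  # Discover, dashed
    # Ciphertext: the scanner cannot see an encrypted PAN, which is why
    # "who holds the key" decides its scope, not the discovery scan.
    "backup/vault.enc": "3f9a0c1d7e5b2a4c8d6e0f1b3c5d7e9a1b2c3d4e5f60718293a4b5c6d7e8f90",
}

if __name__ == "__main__":
    for source, lineno, masked, brand in scan_files(SAMPLE_FILES):
        print(f"{source}:{lineno}: {brand} {masked}")
```

Run against a real cloud instance, point `scan_files` at a directory walk of exports, logs, crash dumps and office documents converted to text; a clean run is the "discovery scan results" evidence the QSA asks for in the next slide, and a hit means the system is in scope no matter what the policy says.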
Compliance Evidence
What to show to QSA?
Discovery scan results
Other data that confirms that PCI data does not get to the cloud systems
Policies and procedures BANNING card data in the cloud; evidence of people actually following them
Responsibility SPLIT
MERCHANT: all PCI controls; scoping; keeping cloud systems out of scope
PROVIDER: nothing (not even being PCI compliant)
Failing to assure that PANs don't leak to the cloud
Failing to maintain the "no PANs in the cloud" status
Rogue PAN theft is still CHD theft
Tip: run a discovery tool on cloud systems
Tip: assure segmentation (no data flow from the CDE to YOUR cloud)
Where rogue PANs turn up:
Application screenshots
Finance and HR documents with PANs
Other Office formats with PAN information
Text dumps from poorly-written/legacy applications
Scenario 2//
Merchant ecommerce or stores
Use public cloud (SaaS, PaaS, IaaS)
Stores PANs in a public cloud environment!
Description
A chain of stores across the US West
Level 2 merchant
Uses cloud provider(s) for testing, training, backup systems, data storage, etc
Cloud provider MAY BE PCI-OK
PAN data stored in the cloud
PAN data transmitted through the cloud
NO payment data processed in the cloud
Scenario 2//
Visual
Audience Poll
Q: Can they be PCI DSS compliant?
A: Yes
B: No
C: Cannot tell
What about their service provider(s)? Must they be PCI-OK for the merchant to be PCI-OK?
Bonus question: What about their CSP's CSP?
How to Assess?
Key: Encryption AND/OR Provider PCI Status
Case #1: Unencrypted PANs at the CSP => no PCI compliance possible
Case #2: Encrypted, with the provider having the key => provider must be PCI-OK
Case #3: Encrypted, with the provider NOT having the key => presumably, the provider may be NOT PCI-OK
Provider MUST be PCI-OK
Merchant and CSP share PCI responsibilities
CSP encrypts the data AND/OR can decrypt it
How to Scope?
On-prem: as usual
Cloud environment:
IaaS (case #2)
Cloud environment can be claimed to be out of scope (if the CSP has NO key!!!)
Merchant is responsible for all controls
Look for unintentional PANs
Compliance Evidence
What to show to QSA? By case:
CSP PCI status and additional evidence of how they do PCI DSS
Proof of your scoping decision to exclude the cloud due to encryption
+ evidence of all other PCI controls, of course
Responsibility SPLIT//
PROVIDER
Nothing (may not even be PCI compliant)
Responsibility SPLIT//
PROVIDER
Security policy
Physical
Network
Encryption
Key management
System security
Parts of application security
Control Matrix
PCI DSS Requirement | Merchant | Cloud provider
Secure application development: R6 | IaaS, PaaS | SaaS
Update OS: R6 | IaaS (joint) | IaaS (joint), PaaS, SaaS
Log management: R10 | IaaS (joint), PaaS (joint) | IaaS (joint), PaaS (joint), SaaS
Render PANs unreadable: R3.4 | IaaS, Maybe: PaaS | SaaS, Maybe: PaaS
Physical access control: R9 | None | IaaS, PaaS, SaaS
Vulnerability scanning: R11.2 | IaaS (joint per system), PaaS (joint) | IaaS (joint), PaaS (joint), SaaS
Penetration tests: R11.3 | IaaS (joint), PaaS (joint), SaaS (joint); degree varies | IaaS (joint), PaaS (joint), SaaS (joint); degree varies
Security policy: R12 | IaaS, PaaS, SaaS (all joint) | IaaS, PaaS, SaaS (all joint)
Wireless security: R11.1 | None | IaaS, PaaS, SaaS
Ooops!
Merchant uses IaaS, manages the systems, encrypts the data
(so far, case No Cloud PCI)
What now?
Requirement 3.4 covers the encryption of stored data.
Requirement 12.8 covers service providers and the matrix.
Appendix A covers shared hosting providers.
Scenario 3//
IaaS PCI
Merchant ecommerce or stores
Use public cloud IaaS provider
Processes cards, and possibly stores them as well, in the cloud
Description
Global airline with physical and online purchases
Uses CSP for a broad spectrum of payment tasks
Cloud provider MUST be PCI-OK
PAN data stored in the cloud
PAN data passed through the cloud
PAN data processed in the cloud, at the same provider!
Scenario 3//
Visual
Audience Poll
Q: Can they be PCI DSS compliant?
A: Yes
B: No
C: Cannot tell
Who is doing what for the merchant to be PCI-OK?
Bonus question: What about their SP's SP's SP?
How to Assess?
Key: The Matrix Must Have No Holes
ALL PCI DSS controls are in place for all layers of the cloud environment, and somebody must pay for it
How to Scope?
On-prem: as usual
Cloud IaaS environment:
IaaS systems are in scope: systems, applications, network, devices, hypervisor
Two-tiered scoping (PCI 2.0 artifact): systems WITH data vs systems that touch/manage systems with data
For Example
Project: replace branch servers with IaaS-deployed servers
PCI controls: all on the branch server replacement, most on management servers, etc
Physical? => CSP
Firewall management => CSP
Monitoring? => CSP MSSP service ($)
Web application scanning => Ooops!
Keep testing the CSP PCI-OK status and check the matrix for missing controls
PAN Flow
Compliance Evidence
What to show to QSA?
Evidence of ALL controls, yours and the CSP's
Evidence of ongoing compliance: logging, testing, etc
MUST DO: obtain detailed PCI evidence from the CSP for the controls that apply to your environment!
Responsibility SPLIT//
IaaS PCI
MERCHANT
Application security
Scoping
Monitoring (unless extra $ to CSP)
PROVIDER
Physical
Network
Encryption
Key management
System security
Parts of application security
Control Matrix
PCI DSS Requirement | Merchant: IaaS | Cloud provider: IaaS
Secure application development: R6 | Yes | No
Update OS: R6 | Yes for guest OS | Yes for host OS
Log management: R10 | Yes for guest OS, applications, etc | Yes for host OS, management systems, etc
Render PANs unreadable: R3.4 | Yes | No (!)
Physical access control: R9 | None | Yes
Vulnerability scanning: R11.2 | Yes for guest OS | Yes for host OS, management systems, etc
Penetration tests: R11.3 | Yes for guest OS, applications | Yes for physical, host OS, etc
Security policy: R12 | Yes for PARTS | Yes for ALL OTHER PARTS
Wireless security: R11.1 | None | Yes
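"The Matrix Must Have No Holes" and the repeated advice to "check the matrix for missing controls" (Scenarios 3, 4 and 5) are easy to state and easy to get wrong by eye once a matrix has a dozen rows and three service models. The following is an added example, not a tool from the presentation or from CSA, that encodes a responsibility matrix and reports every cell nobody really owns. The first nine rows transcribe the deck's own Scenario 2 matrix; the last two rows are constructed (assumed) to reproduce the "Web application scanning => Ooops!" and "Monitoring => CSP MSSP service ($)" situations from the branch-server example, and the "R6.6" label on the web-scanning row is my numbering, not the deck's. The rule applied is the one the deck implies: a control is covered when one side says "yes" or when BOTH sides say "joint"; a one-sided "joint" and a "Maybe" are holes until someone commits.

```python
"""Hole-finder for a merchant/CSP PCI DSS responsibility matrix.

Added example for "The Matrix Must Have No Holes"; not a tool from the
presentation or from CSA. Rows marked "constructed" are assumptions added
here; the other rows transcribe the deck's Scenario 2 control matrix.
"""
from typing import Dict, List, Tuple

MODELS = ("IaaS", "PaaS", "SaaS")
Coverage = Dict[str, str]   # service model -> "yes" | "joint" | "none"
Row = Dict[str, Coverage]   # "merchant" / "provider" -> Coverage


def cov(yes=(), joint=()) -> Coverage:
    """Build a per-model coverage entry; anything not listed is 'none'."""
    entry = {m: "none" for m in MODELS}
    entry.update({m: "yes" for m in yes})
    entry.update({m: "joint" for m in joint})
    return entry


MATRIX: Dict[str, Row] = {
    # Deck's Scenario 2 matrix. "Maybe: PaaS" on both sides of R3.4 is left
    # as 'none' on purpose: a "maybe" is not a control.
    "R6 Secure application development": {"merchant": cov(yes=("IaaS", "PaaS")), "provider": cov(yes=("SaaS",))},
    "R6 Update OS": {"merchant": cov(joint=("IaaS",)), "provider": cov(yes=("PaaS", "SaaS"), joint=("IaaS",))},
    "R10 Log management": {"merchant": cov(joint=("IaaS", "PaaS")), "provider": cov(yes=("SaaS",), joint=("IaaS", "PaaS"))},
    "R3.4 Render PANs unreadable": {"merchant": cov(yes=("IaaS",)), "provider": cov(yes=("SaaS",))},
    "R9 Physical access control": {"merchant": cov(), "provider": cov(yes=MODELS)},
    "R11.2 Vulnerability scanning": {"merchant": cov(joint=("IaaS", "PaaS")), "provider": cov(yes=("SaaS",), joint=("IaaS", "PaaS"))},
    "R11.3 Penetration tests": {"merchant": cov(joint=MODELS), "provider": cov(joint=MODELS)},
    "R12 Security policy": {"merchant": cov(joint=MODELS), "provider": cov(joint=MODELS)},
    "R11.1 Wireless security": {"merchant": cov(), "provider": cov(yes=MODELS)},
    # Constructed rows (assumptions), modelled on the IaaS branch-server example:
    "R6.6 Web application scanning (constructed)": {"merchant": cov(), "provider": cov()},
    "R10 Monitoring / alert review (constructed)": {"merchant": cov(joint=("IaaS",)), "provider": cov()},
}


def find_holes(matrix: Dict[str, Row], models_in_use) -> List[Tuple[str, str, str]]:
    """Return (requirement, model, reason) for every control nobody really owns.

    Covered: either party says 'yes', or BOTH say 'joint'.
    Hole: nobody says anything, or only one party says 'joint'.
    """
    holes: List[Tuple[str, str, str]] = []
    for req, row in matrix.items():
        for model in models_in_use:
            m, p = row["merchant"][model], row["provider"][model]
            if "yes" in (m, p) or (m == "joint" and p == "joint"):
                continue
            if "joint" in (m, p):
                who = "merchant" if m == "joint" else "provider"
                reason = f"one-sided joint: only the {who} claims it; get the other side to commit in writing or take it over"
            else:
                reason = "nobody covers it; assign it (merchant, CSP, or paid CSP add-on) before the QSA asks"
            holes.append((req, model, reason))
    return holes


if __name__ == "__main__":
    # A Scenario 3 merchant uses IaaS only; Scenario 5 would pass ("PaaS",).
    for req, model, reason in find_holes(MATRIX, ("IaaS",)):
        print(f"HOLE {model:5} {req}: {reason}")
```

Run for an IaaS-only merchant this flags exactly the two constructed rows (web application scanning unowned, monitoring claimed as joint by the merchant but never accepted by the CSP); run for PaaS it also flags the deck's own "Maybe: PaaS" cell on R3.4. Re-running it every time the CSP's attestation or your contract changes is what "keep testing the CSP PCI-OK status" looks like when written down.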
Sidenote//
Owner vs Manager
Setting: IaaS provider (EC2 or other)
PCI Requirement: Req 1, firewall management
CSP OWNS the firewall appliance
Merchant, CSP, the CSP's MSSP or a 3rd party MANAGES the firewall settings
Who is left holding the PCI bag?
Requirement 3.4 covers the encryption of stored data.
Requirement 12.8 covers service providers and the matrix.
Appendix A covers shared hosting providers.
Scenario 4//
Twice-Cloudy PCI
Merchant ecommerce or stores
Use public cloud IaaS provider
Processes cards, and possibly stores them as well, in the cloud
Uses a dedicated CSP for payment processing (P), NOT the hosting CSP (H)
Description
An ecommerce company with highly seasonal sales
Uses CSP H for hosting, but with payment processing handled by CSP P
Cloud provider P MUST be PCI-OK
Cloud provider H SHOULD be PCI-OK (?)
PAN data processed and stored in the cloud by CSP P
Scenario 4//
Visual
Audience Poll
Q: Can they be PCI DSS compliant?
A: Yes
B: No
C: Cannot tell
Should CSP H be PCI compliant?
Can the merchant be PCI compliant if CSP H is NOT?
Example//
Example//
Microsoft Azure
How to Assess?
Key: Contain Toxic (=PCI) Data In Special Clouds, Don't Taint Your IaaS!
The logic here is to offload all (if possible) operations with PANs to a payment provider
How to Scope?
On-prem: as usual
Don't SCOPE, KILL the scope: nothing in the cloud
Minimize rogue PANs
Example//
PayPal API
With Website Payments Standard, Email Payments, and Payflow Link*, PayPal handles the payment card information for you. So you don't have to worry about your buyers' payment card security or about compliance with PCI DSS for your business.
Will they really sign such an agreement?
Example//
Amazon FPS
Perfect cloud shield: As a part of Amazon Payments' services you [=merchant!] may not have access to certain information associated with Cards being processed, including without limitation account number, expiration date, and the card verification value (CVV2/CVC2) (collectively, Cardholder Data).
Example//
Keep testing the CSP PCI-OK status and check the matrix for missing controls
Compliance Evidence
Responsibility SPLIT//
IaaS PCI
MERCHANT
Application security (maybe)
Provider management
Others as deployed
CSP H
Nothing
CSP P
All PCI Controls
Possibly none, if no merchant ID and no relationship with the acquirer
PAN leakage: temporary files and other artifacts of badly-coded integrations with payment provider APIs
Web application attacks that redirect the PAN flow to the attacker
Crash dumps with PANs
Scenario 5//
PaaS PCI
Merchant ecommerce or stores
Use public cloud PaaS provider
Processes cards, and possibly stores them as well, in the cloud
Description
A major ecommerce website
Uses CSP for a broad spectrum of tasks, including payments
Cloud provider MAY BE PCI-OK
PAN data stored/passed in the cloud
PAN data processed in the cloud
Merchant does NOT control the OS/VMs at the CSP
Scenario 5//
Visual
Audience Poll
Q: Can they be PCI DSS compliant?
A: Yes
B: No
C: Cannot tell
Must the provider be PCI-OK? Can the merchant be PCI-OK if the CSP is not?
What must the merchant do because the provider cannot do it?
How to Assess?
Decision Time
If the PaaS CSP is NOT PCI-OK (Force.com, Azure), THEN the only way to PCI is a complete 3rd-party payment takeover -> Scenario 4
If the PaaS CSP IS PCI-OK, THEN build the control matrix -> Scenario 3
How to Scope?
On-prem: as usual
Cloud PaaS environment:
PaaS systems are in scope: systems, applications, network, devices, hypervisor
Two-tiered scoping (PCI 2.0 artifact): systems WITH data vs systems that touch/manage systems with data
1. Review which controls the PaaS CSP will handle for you
2. Check which PCI DSS controls they cannot ever handle
Example: your security policy, awareness training for your employees (BTW, they should do the same for theirs)
For Example
Project: replace a marketing analytics application that uses PANs with a PaaS-deployed application
PCI controls: all on the application, most on management servers, etc
Web application scanning => Merchant
All others => CSP
Decision: move the payment data off the CSP, and off PCI you go
Keep testing the CSP PCI-OK status and check the matrix for missing controls
171
Compliance Evidence
What to show to QSA?
Evidence of ALL controls, yours and the CSP's
MUST DO: obtain detailed PCI evidence from the CSP for the controls that apply to your environment!
Responsibility SPLIT//
PaaS PCI
MERCHANT
Application security
Scoping
Monitoring (unless extra $ to CSP)
PROVIDER
Application platform security
Physical
Network
Encryption
Key management
System security
Control Matrix
PCI DSS Requirement | Merchant: PaaS user | Cloud provider: PaaS
Secure application development: R6 | Yes | Yes (for platform)
Update OS: R6 | No | Yes
Log management: R10 | Yes, application logs | Yes, everything else (or data provided to merchant!)
Render PANs unreadable: R3.4 | Yes | Yes where it touches their environment
Physical access control: R9 | No | Yes
Vulnerability scanning: R11.2 | No | Yes
Penetration tests: R11.3 | Yes, application level | Yes for physical, network, application, etc
Security policy: R12 | Yes, where applicable | Yes for the rest
Wireless security: R11.1 | No | Yes
Requirement 6.1 (patch management) is joint and needs to be done by both.
Requirement 12.8 covers service providers and the matrix.
Clear acceptance of responsibility for their controls
Verification of provider controls
Incident response support for data breaches
Failure to test the provider on an ongoing basis
SLA failures: no escalation, no evidence sharing, no incident response cooperation
Scenario 6//
Tiered PCI
Merchant ecommerce or stores
Use public cloud PaaS or SaaS provider who in turn uses a public IaaS provider
Processes cards and possibly stores them somewhere
Description
A major ecommerce website
Uses CSP for a broad spectrum of tasks, including payments
Their provider uses another cloud provider
Some cloud providers MAY BE PCI-OK
PAN data stored/passed in the cloud
PAN data processed in the cloud
Scenario 6//
Visual
Audience Poll
Q: Can they be PCI DSS compliant?
A: Yes
B: No
C: Cannot tell
Must the provider be PCI-OK? Must their provider's provider be PCI-OK?
Can the merchant be PCI-OK if some CSPs are not?
How to Assess?
Key: The Matrix Must Have No Holes, Again
How to Scope?
Worst case: FORGET IT! We can never figure it out (reality)
Best case: the payment chain is isolated from ALL the CSPs (zero scope for you, all scope is with the payment provider)
Ahhhhhh
Exercise//
How to Comply/Assess?
Business: ecommerce
Setup: uses a CSP for web hosting and all application hosting, accepts payment cards, sells to consumers
Challenge: we are the QSA they hired to get them compliant
Next steps?
1. Kill the scope: it works in the cloud as well
2. It is better to have the payment processor handle more and the merchant/CSP handle less of the PCI burden
3. The CSP may do it, but the MERCHANT is responsible and needs to validate it
4. Finally, we CAN have PCI in the cloud!
Final Recommendations
Follow the scenarios as templates for your projects
Learn to scope in the cloud
Make a matrix of shared responsibility (and keep it with you at all times)
Remember: the MERCHANT is on the hook, even if the CSP does it (as per PCI DSS)
Requirement 12.8 is NOT a punt
A one-liner version?
If you can get rid of the PANs in the cloud, DO IT!
Questions?
Additional Materials
In the notes, there are links to various useful reading, in addition to CSA and other sites mentioned in the class.