2011 Cloud Security Alliance, Inc. All rights reserved.

Thanks to Class Sponsors

Courseware created by Dr. Anton Chuvakin for Cloud Security Alliance

About the Cloud Security Alliance


Global, not-for-profit organization
Building best practices and a trusted cloud ecosystem

Comprehensive research and tools


Certificate of Cloud Security Knowledge (CCSK)
www.cloudsecurityalliance.org

About the Class


Learn/refresh knowledge about PCI DSS
Learn/refresh knowledge about cloud computing
Understand how to assess PCI compliance in cloud environments
Understand how to implement PCI DSS controls in cloud environments
Gain useful tools for planning/doing this
Show of hands please


1. QSA
2. Merchant
   a) L1
   b) L2-4
3. Service provider
4. Security tool vendor
5. Security consultant
6. Other

Prerequisites
Know how to spell P-C-I D-S-S
Have heard about The Cloud
Possess basic information security knowledge, IT management

Full Class Outline


Introduction
What this class is about, prerequisites, how to benefit

PCI DSS reminder
Cloud basics
Where cloud interacts with PCI DSS
Key cloud PCI controls
Core PCI DSS + cloud scenarios
Conclusions and action items
How to benefit?
If you are a merchant
Learn how to stay compliant in the cloud, what to ask of CSPs, what to show to QSAs
If you are a QSA
Figure out how to assess merchants and CSPs
If you are a cloud service provider
Learn how to keep yourself and merchants compliant
If you are a security vendor
Learn about the new problems you can solve
If you are a consultant around PCI and cloud
Learn the pain points around PCI DSS and cloud

PCI in the Cloud... In the Media


.bla bla . bla bla .. PCI DSS. .. The Cloud cloud..blacloud .bla bla compliant ..cloud. cloud..bla blapossible . cloud.. bla blacloud .. as long as no cardholder data is in the cloud bla bla..

Quick Reality Check

Cloud?

PCI DSS?

Together?

DISCUSSION!

Why is PCI Here?


Criminals need money
Where are the most cards? In computers.
Some organizations still don't care, especially if the loss is not theirs

Credit cards = MONEY

Data theft grows and reaches HUGE volume.

PAYMENT CARD BRANDS ENFORCE DSS!

Laggards vs. Leaders


Issue: many merchants don't even want to grow up to the floor of security
Result: breaches, loss of card data, lawsuits, unhappy consumers, threat of regulation
Action: PCI DSS mandate!
What is PCI DSS or PCI?


Payment Card Industry Data Security Standard

Payment Card =
Payment Card Industry =
Data Security =
Data Security Standard =
PCI DSS: Basic Security Practices!

Build and Maintain a Secure Network
1. Install and maintain a firewall configuration to protect data
2. Do not use vendor-supplied defaults for system passwords and other security parameters

Protect Cardholder Data
3. Protect stored data
4. Encrypt transmission of cardholder data and sensitive information across public networks

Maintain a Vulnerability Management Program
5. Use and regularly update anti-virus software
6. Develop and maintain secure systems and applications

Implement Strong Access Control Measures
7. Restrict access to data by business need-to-know
8. Assign a unique ID to each person with computer access
9. Restrict physical access to cardholder data

Regularly Monitor and Test Networks
10. Track and monitor all access to network resources and cardholder data
11. Regularly test security systems and processes

Maintain an Information Security Policy
12. Maintain a policy that addresses information security

PCI DSS Domain Coverage


In no particular order:
Security policy and procedures
Network security
Malware protection
Application security (and web)
Vulnerability scanning and remediation
Logging and monitoring
Security awareness

PCI DSS 2.0 is Here!


Select items changing for PCI 2.0
Scoping clarification
Data storage
Virtualization (!!)
DMZ clarification
Vulnerability remediation
Remote data access

Does it Apply to Me?


PCI DSS compliance includes merchants and service providers who accept, capture, store, transmit or process credit and debit card data.

PCI Game: The Players

PCI Security Standards Council


PCI Regime vs DSS Guidance


The PCI Council publishes PCI DSS
Outlined the minimum data security protection measures for payment card data.
Defined Merchant & Service Provider Levels, and compliance validation requirements.
Left the enforcement to card brands (the Council doesn't fine anybody!)

Key point: PCI DSS (document) vs PCI (validation regime)


My Data Their Risk!?


*I* GIVE *YOU* DATA

*YOU* LOSE IT
*ANOTHER* SUFFERS!

Key Concept//

Scoping

Sidenote//

FLAT NET to FLAT CLOUD


REALITY: Without adequate network segmentation (sometimes called a "flat network") the entire network is in scope of the PCI DSS assessment. (PCI DSS 2.0)
DREAM: Without adequate network segmentation the entire CLOUD is in scope of the PCI DSS assessment.
Key Concept//

Compliance vs Validation
Q: What to do after your QSA leaves?
A: PCI DSS compliance does NOT end when a QSA leaves or an SAQ is submitted.
Use what you built for PCI to reduce risk
Own PCI DSS; make it the basis for your policies

Key Concept//

Stay Compliant
Ongoing compliance with PCI DSS tasks:

TASK | FREQUENCY
Risk assessment, security awareness, key changes, review off-site backups, QSA assessment, etc | Annual
ASV and internal scans, wireless scans | Quarterly
File integrity checking | Weekly
Log and alerts review, other operational procedures | Daily

Failing That
Classic example from my PCI book, co-author Branden Williams

Two BIG Approaches to PCI DSS Compliance

SECURE the data: encrypt, access control, monitor, block attempts, authenticate, authorize, etc
DELETE the data: organize your business to avoid dealing with the data

These apply to PCI in the cloud as well!


NIST Definition of Cloud Computing


Cloud computing is a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources that can be rapidly provisioned and released with minimal management effort or service provider interaction.
5 Essential Cloud Characteristics


1. On-demand self-service
2. Broad network access
3. Resource pooling (location independence)
4. Rapid elasticity
5. Measured service

3 Cloud Service Models


1. Cloud Software as a Service (SaaS)
Use the provider's applications over a network

2. Cloud Platform as a Service (PaaS)
Deploy customer-created applications to a cloud

3. Cloud Infrastructure as a Service (IaaS)
Rent processing, storage, network capacity, and other fundamental computing resources

To be considered cloud they must be deployed on top of cloud infrastructure that has the essential characteristics
4 Cloud Deployment Models


Private cloud
Enterprise owned or leased

Community cloud
Shared infrastructure for specific community

Public cloud <- our focus in this class!


Sold to the public, mega-scale infrastructure

Hybrid cloud
Composition of two or more clouds
7 Common Cloud Characteristics


1. Massive scale
2. Homogeneity
3. Virtualization
4. Resilient computing
5. Low cost software
6. Geographic distribution
7. Service orientation
All of this TOGETHER: The Cloud

[Diagram: Deployment Models: Private Cloud, Community Cloud, Public Cloud, Hybrid Clouds. Service Models: Software as a Service (SaaS), Platform as a Service (PaaS), Infrastructure as a Service (IaaS). Essential Characteristics: On Demand Self-Service, Broad Network Access, Rapid Elasticity, Resource Pooling, Measured Service. Common Characteristics: Massive Scale, Homogeneity, Virtualization, Resilient Computing, Geographic Distribution, Low Cost Software, Service Orientation, Advanced Security.]

Example IaaS//

Amazon Cloud
Amazon cloud components:
Elastic Compute Cloud (EC2): run your own or Amazon's OS instances
Simple Storage Service (S3)
SimpleDB
Other services

Example PaaS//

Google App Engine


Create, deploy and run applications
NO control (or, in fact, even visibility) of the OS
Use the SDK to develop the applications
Run natively in the cloud
Example SaaS//

Salesforce
Well-known SaaS CRM application
Cloud CRM + a lot more applications

Example P/IaaS //

Azure

Source: Microsoft Presentation, A Lap Around Windows Azure, Manuvir Das


Service Model Architectures

[Diagram: Software as a Service (SaaS) architectures: SaaS on Cloud Infrastructure; SaaS on PaaS on Cloud Infrastructure; SaaS on PaaS on IaaS on Cloud Infrastructure. Platform as a Service (PaaS) architectures: PaaS on Cloud Infrastructure; PaaS on IaaS on Cloud Infrastructure. Infrastructure as a Service (IaaS) architectures: IaaS on Cloud Infrastructure.]

Security?

Are there mmm cloud security issues?

Security: Barrier to Adoption?

What is Different about Cloud?

Security Relevant Cloud Components

Cloud Provisioning Services
Cloud Data Storage Services
Cloud Processing Infrastructure
Cloud Support Services
Cloud Network and Perimeter Security
Elastic Elements: Storage, Processing, and Virtual Networks


What is Different about Cloud?

SERVICE OWNER

Model | Data | Application | Compute | Storage | Network | Physical
SaaS | Joint | Joint | Provider | Provider | Provider | Provider
PaaS | Tenant | Joint | Joint | Provider | Provider | Provider
IaaS | Tenant | Tenant | Tenant | Joint | Joint | Provider

What is Different about Cloud?

What is Different about Cloud?

CSA Cloud Threats


1. Abuse & Nefarious Use of Cloud Computing
2. Insecure Interfaces & APIs
3. Malicious Insiders
4. Shared Technology Issues
5. Data Loss or Leakage
6. Account or Service Hijacking
7. Unknown Risk Profile
ENISA Cloud Risks


1. Loss of governance
2. Lock-in
3. Isolation failure
4. Compliance risks
5. Management interface compromise
6. Data protection
7. Insecure or incomplete data deletion
8. Malicious insider
iSEC Realistic Cloud Threats


1. Authentication abuse
2. Operations breakdown
3. Misuse of cloud-specific technology

FBI Takes Cloud Away

Discussion

What do YOU think are actual, relevant, TRUE threats to cloud computing?

While we are in the cloud

Here are some additional CSA/cloud security resources

CSA GRC Stack


Bringing it all together to peel back the layers of control ownership and address concerns for trusted Cloud adoption.

Private, Community & Public Clouds

Control Requirements

Provider Assertions

CSA CloudAudit
Open standard and API to automate provider audit assertions
Change audit from data gathering to data analysis
Necessary to provide audit & assurance at the scale demanded by cloud providers
Uses Cloud Controls Matrix as controls namespace
Use to instrument cloud for continuous controls monitoring

CSA Cloud Controls Matrix


Controls derived from guidance
Mapped to familiar frameworks: ISO 27001, COBIT, PCI, HIPAA
Rated as applicable to SaaS/PaaS/IaaS
Customer vs Provider role
Help bridge the cloud gap for IT & IT auditors
https://cloudsecurityalliance.org/research/projects/cloud-controls-matrix-ccm/
Next?

Do We See A Cloud in There?


Requirement 12.8: If cardholder data is shared with service providers, maintain and implement policies and procedures to manage service providers
Requirement A.1: Shared hosting providers must protect the cardholder data environment
Magic of Requirement 12.8


Q: Does PCI DSS apply to merchants who use payment gateways to process transactions on their behalf, and thus never store, process or transmit cardholder data?
A: PCI DSS requirements are applicable if a Primary Account Number (PAN) is stored, processed, or transmitted. If PAN is not stored, processed, or transmitted, PCI DSS requirements do not apply.
... however
Magic of 12.8 Revealed


If the merchant shares cardholder data with a service provider, the merchant must ensure that there is an agreement with that service provider that includes their acknowledgement that the third party processor/service provider is responsible for the security of the cardholder data it possesses. In lieu of a direct agreement, the merchant must obtain evidence of the provider's compliance with PCI DSS via other means, such as via a letter of attestation.
Requirement 9//

Amazon Example
Q: Do QSAs for Level 1 merchants require a physical walkthrough of a service provider's data center?
A: No. A merchant can obtain certification without a physical walkthrough of a service provider's data center if the service provider is a Level 1 validated service provider (such as AWS). A merchant's QSA can rely on the work performed by our QSA, which included an extensive review of the physical security of our data centers.
June 2011//

PCI SSC Virtualization Guidance


Key Cloud Items:
The CSP should clearly identify which PCI DSS requirements, system components, and services are covered by the cloud provider's PCI DSS compliance program.

PCI SSC on Cloud Challenges


The distributed architectures of cloud environments add layers of technology and complexity to the environment.
Public cloud environments are designed to be public-facing, to allow access into the environment from anywhere on the Internet.
The infrastructure is by nature dynamic, and boundaries between tenant environments can be fluid.
The hosted entity has limited or no visibility into the underlying infrastructure and related security controls.
The hosted entity has limited or no oversight or control over cardholder data storage.
The hosted entity has no knowledge of who they are sharing resources with, or the potential risks their hosted neighbors may be introducing to the host system, data stores, or other resources shared across a multi-tenant environment.
And now

a brainteaser

Requirement 11.3//

Pentesting
11.3 Perform external and internal penetration testing at least once a year and after any significant infrastructure or application upgrade or modification
11.3.1 Network-layer penetration tests
11.3.2 Application-layer penetration tests

Cloudify this for me, please!

Audience Poll
Q: How should we address it?
A: Only pentest applications with narrow rules
B: Go full blast and own the provider's datacenter
C: Trust that they do it
D: Hide under our desks and squeal
Detailed Example//

Amazon PCI
Happy now?

Amazon is PCI OK Huh?

Say What.
Q: What does this mean to me as a PCI merchant or service provider? A: Our PCI Service Provider status means that customers who use our services to store, process or transmit cardholder data can rely on our PCI compliance validation for the technology infrastructure as they manage their own compliance and certification, including PCI audits and responses to incidents. Our service provider compliance covers all requirements as defined by PCI DSS for physical infrastructure service providers. Moving the entire cardholder environment to AWS can simplify your own PCI compliance by relying on our validated service provider status.
Example//

Amazon view of this

Example//

Amazon Guidance

Sidenote//

Compliant Provider of What?

Scenarios Introduction
In scope for discussion:
Public IaaS, PaaS, SaaS
Chained or multiple CSPs

NOT in scope:
Traditional hosting providers
Outsourced data center or call center
Private cloud and virtualization on-prem
Virtual private cloud (sort of)

Learn Using Scenarios


Description
How to assess this scenario / Assessment tips
How to scope this scenario / Scoping tips
How to get compliant
How to stay compliant
What to show to QSA / compliance evidence
Notable PCI requirements to watch
Responsibility split
Pitfalls, Risks and Tips
Key Goal
DO build a framework for assessing/complying, based on the scenarios
DO NOT memorize the scenarios; yours might be different or be a combination of these

Scenario 1//

Clean Cloud
Merchant ecommerce or stores
Use public cloud (SaaS, PaaS, IaaS)
Cloud environment segmented from CDE
NO PANs in any cloud environment (or so they think)

Description
Sells books online
Level 1 merchant
Uses cloud provider(s) for testing, training, etc
Cloud provider NOT PCI-OK
NO payment data stored in the cloud
NO payment data processed in the cloud
NO payment data passed through cloud
Scenario 1//

Visual

Audience Poll
Q: Can they be PCI DSS compliant?
A: Yes
B: No
C: Cannot tell

How to Assess?
Key: Are they right?

Test that PANs didn't escape to Amazon

How to Scope?
On-prem: as usual
Cloud environment:
IaaS: run a discovery tool
Example: DLP tool, open source data discovery, dedicated PAN discovery tool, custom script to look for unencrypted PANs
Q: What about encrypted PANs?

How to Get / Stay Compliant?


Easy, huh:
Keep the PANs out of the cloud
Recheck (via discovery tools) that cloud systems are not contaminated by the PANs
Look for old PANs, test PANs, etc.

Compliance Evidence
What to show to QSA?
Discovery scan results
Other data that confirms that PCI data does not get to the cloud systems
Policies and procedures BANNING card data in the cloud; evidence of people actually following them

Responsibility SPLIT
MERCHANT
All PCI controls
Scoping
Keeping cloud systems out of scope

PROVIDER
Nothing (not even being PCI compliant)

Contract SLA Tips

Requirement 12.8 does NOT play
No SLA in regards to cardholder data

Common Pitfalls and Key Risks

Failing to assure that PANs don't leak to the cloud
Failing to maintain "no PANs in the cloud" status
Rogue PAN theft is still CHD theft
Tip: run a discovery tool on cloud systems
Tip: assure segmentation (no data flow from CDE to YOUR cloud)
Common PAN Leakage


Excel spreadsheet on cloud systems
Excel spreadsheet on Google Documents

Application screenshots
Finance and HR documents with PANs
Other Office formats with PAN information
Text dumps from poorly-written/legacy applications
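The "custom script to look for unencrypted PANs" that the scoping, stay-compliant and pitfalls slides of this scenario keep returning to, applied to the leakage sources listed just above, as an added example that is not part of the CSA courseware. It is a Python scanner over constructed sample files (a spreadsheet CSV export, a legacy application text dump, training notes); the file paths and contents are made up for the example, 4111111111111111 and 5555555555554444 are publicly documented test card numbers, and 4000001234567899 is a made-up Luhn-valid number, not an issued card.

```python
"""PAN discovery over exported cloud files (added example; not CSA courseware).

Scans text content (a CSV export, a legacy-application text dump, notes) for
digit runs that look like card numbers, keeps only Luhn-valid ones, flags
well-known test PANs, and reports each hit masked (first six / last four)
so the scan report itself does not become another place PANs leak to.
"""
import re

# 13-19 digits, optionally separated by single spaces or dashes, and not part
# of a longer digit run. Deliberately loose: the Luhn check does the pruning.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Publicly documented test card numbers. The slides count rogue test PANs as
# contamination too, so they are flagged rather than ignored.
KNOWN_TEST_PANS = {"4111111111111111", "5555555555554444"}

# Constructed sample "cloud" files; 4000001234567899 is a made-up Luhn-valid
# number, not an issued card.
SAMPLE_FILES = {
    "exports/customers.csv": (
        "id,name,card\n"
        "1,Alice,4000001234567899\n"    # unmasked PAN in a spreadsheet export
        "2,Bob,XXXX-XXXX-XXXX-4444\n"   # already masked: no hit
        "3,Carol,400000******7899\n"    # truncated per PCI DSS 3.3: no hit
    ),
    "logs/legacy_app.txt": (
        "2011-06-01 12:00:01 payment ok card=5555 5555 5555 4444 amt=19.99\n"
        "2011-06-01 12:00:02 order=1234567890123456 status=shipped\n"  # 16 digits, fails Luhn
    ),
    "training/notes.txt": "Use 4111111111111111 for the payment demo. Phone 555-0100.\n",
    "docs/readme.txt": "No card data here.\n",
}


def luhn_ok(digits):
    """Luhn mod-10 check that every card PAN satisfies."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(digits):
    """Display form allowed by PCI DSS 3.3: first six and last four only."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_pans(text):
    """One record per Luhn-valid candidate: line number, masked PAN, test flag."""
    hits = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for match in PAN_RE.finditer(line):
            digits = re.sub(r"[ -]", "", match.group())
            if luhn_ok(digits):
                hits.append({"line": line_no, "masked": mask_pan(digits),
                             "test_pan": digits in KNOWN_TEST_PANS})
    return hits


def scan_files(files):
    """Map path -> findings for every file that contains at least one PAN."""
    report = {}
    for path, content in files.items():
        hits = find_pans(content)
        if hits:
            report[path] = hits
    return report


if __name__ == "__main__":
    for path, hits in scan_files(SAMPLE_FILES).items():
        for hit in hits:
            tag = " (test PAN)" if hit["test_pan"] else ""
            print(f"{path}:{hit['line']}: {hit['masked']}{tag}")
```

The Luhn filter removes most order numbers and timestamps but is not proof of a card number, so hits still need a human look; the masked report answers the "what to show to QSA" question without creating a new unencrypted copy of the PANs, and the same scan run against a merchant-encrypted volume should come back empty, which is the check the scenario-2 "scan for unintended cloud PANs" reminder asks for.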

Scenario 2//

Storage in the Cloud

Merchant ecommerce or stores
Use public cloud (SaaS, PaaS, IaaS)
Stores PANs in public cloud environment!

Description
A chain of stores across the US West
Level 2 merchant
Uses cloud provider(s) for testing, training, backup systems, data storage, etc
Cloud provider MAY BE PCI-OK
PAN data stored in the cloud
PAN data transmitted through cloud
NO payment data processed in the cloud
Scenario 2//

Visual

Audience Poll
Q: Can they be PCI DSS compliant?
A: Yes
B: No
C: Cannot tell
What about their service provider(s)? Must they be PCI-OK for the merchant to be PCI-OK?
Bonus question: What about their CSP's CSP?

How to Assess?
Key: Encryption AND/OR Provider PCI Status
Case #1: Unencrypted PANs at CSP => no PCI compliance possible
Case #2: Encrypted with provider having the key => provider must be PCI-OK
Case #3: Encrypted with provider NOT having the key => presumably, provider may be NOT PCI-OK
Huh? What does it mean?


IaaS (e.g. VMs in the cloud, EC2 instances, etc) = likely case #3
Merchant deals with PCI DSS; provider may not know anything about it
No unencrypted data possible in/across the cloud
NO WAY for CSP to decrypt the data

Reminder: scan for unintended cloud PANs


Huh? What does it mean? Part II

SaaS or PaaS (e.g. SalesForce, etc) = likely case #2
Provider MUST be PCI-OK
Merchant and CSP share PCI responsibilities
CSP encrypts the data AND/OR can decrypt it

How to Scope?
On-prem: as usual
Cloud environment:
IaaS (case #3)
Cloud environment can be claimed to be out of scope (if CSP has NO key!!!)
Merchant is responsible for all controls
Look for unintentional PANs

SaaS and maybe PaaS (case #2)
Cloud environment IS in scope
Controls shared between CSP and Merchant
PCI Council Says


For example, an entity subscribing to an IaaS service may retain complete control of, and therefore be responsible for, the ongoing security and maintenance of all operating systems, applications, virtual configurations (including the hypervisor and virtual security appliances), and data. In this scenario, the cloud provider would only be responsible for maintaining the underlying physical network and computing hardware. In an alternative scenario, a SaaS service offering may encompass management of all hardware and software, including virtual components and hypervisor configurations. In this scenario, the entity may only be responsible for protecting their data, and all other security requirements would be implemented and managed by the service provider.
How to Get Compliant?


1. Realize what scenario you are in, then either
   a) Ensure CSP cooperation and PCI-OK status (see matrix) (PCI in cloud, SaaS/PaaS), or
   b) Encrypt all PANs and prevent the provider from having the key (no PCI in cloud, IaaS)
2. In case a), build the control matrix and test it

How to Stay Compliant?


Either:
Keep testing the CSP PCI-OK status and check the matrix for missing controls
Or:
Keep encrypting, preventing the provider from seeing the key, and testing for rogue PANs

Compliance Evidence
What to show to QSA? By case:
CSP PCI status and additional evidence of how they do PCI DSS
Proof of your scoping decision to exclude the cloud due to encryption
+ evidence of all other PCI controls, of course

Responsibility SPLIT//

IaaS/No Cloud PCI/Encryption

MERCHANT
All PCI controls
Encryption + key management
Scoping
Keeping cloud systems out of scope

PROVIDER
Nothing (may not even be PCI compliant)

Responsibility SPLIT//

SaaS/Cloud PCI provider


MERCHANT
Security policy
Application security
Scoping
Monitoring (unless extra $ to CSP)

PROVIDER
Security policy
Physical
Network
Encryption
Key management
System security
Parts of application security

Example Scenario 2//

Control Matrix

PCI DSS Requirement | Merchant | Cloud provider
Secure application development: R6 | IaaS, PaaS | SaaS
Update OS: R6 | IaaS (joint) | IaaS (joint), PaaS, SaaS
Log management: R10 | IaaS (joint), PaaS (joint) | IaaS (joint), PaaS (joint), SaaS
Render PANs unreadable: R3.4 | IaaS, Maybe: PaaS | SaaS, Maybe: PaaS
Physical access control: R9 | None | IaaS, PaaS, SaaS
Vulnerability scanning: R11.2 | IaaS (joint per system), PaaS (joint) | IaaS (joint), PaaS (joint), SaaS
Penetration tests: R11.3 | IaaS (joint), PaaS (joint), SaaS (joint), degree varies | IaaS (joint), PaaS (joint), SaaS (joint), degree varies
Security policy: R12 | IaaS, PaaS, SaaS (all joint) | IaaS, PaaS, SaaS (all joint)
Wireless security: R11.1 | None | IaaS, PaaS, SaaS

Ooops!
Merchant uses IaaS, manages the systems, encrypts the data
(so far, case No Cloud PCI)

but SHARES THE KEY WITH CSP!

What now?

Notable PCI DSS Requirements to Watch

Requirement 3.4 covers the encryption of stored data.
Requirement 12.8 covers service providers and the matrix.
Requirement A covers shared hosting providers.

Contract SLA Tips


Case SaaS/PCI in the cloud:
Clear acceptance of responsibility for their controls
Verification of provider controls
Incident response support for data breaches

PCI Council Says


The cloud provider should clearly identify which PCI DSS requirements, system components, and services are covered by the cloud provider's PCI DSS compliance program. Any aspects of the service not covered by the cloud provider should be identified, and it should be clearly documented in the service agreement that these aspects, system components, and PCI DSS requirements are the responsibility of the hosted entity to manage and assess. The cloud provider should provide sufficient evidence and assurance that all processes and components under their control are PCI DSS compliant.

Common Pitfalls and Key Risks


For the IaaS/No PCI in cloud/encryption case: assurance that the provider is not able to decrypt the data
For SaaS/PCI in cloud: failure to test the provider on an ongoing basis
SLA failures: no escalation, evidence sharing, incident response cooperation
Finger pointing
Scenario 3//

IaaS PCI

Merchant ecommerce or stores
Use public cloud IaaS provider
Processes cards and possibly stores them as well in the cloud

Description
Global airline with physical and online purchases
Uses CSP for a broad spectrum of payment tasks
Cloud provider MUST be PCI-OK
PAN data stored in the cloud
PAN data passed through cloud
PAN data processed in the cloud, at the same provider!

Scenario 3//

Visual

Audience Poll
Q: Can they be PCI DSS compliant?
A: Yes
B: No
C: Cannot tell
Who is doing what for the merchant to be PCI-OK?
Bonus question: What about their SP's SP's SP?

How to Assess?
Key: The Matrix Must Have No Holes

ALL PCI DSS controls are in place for all layers of the cloud environment and somebody must pay for it

Secret to PCI In the Cloud

Huh? The Matrix?


Two basic FACTS:
1. Merchant CANNOT do PCI DSS without the CSP!
2. CSP CANNOT make merchant compliant!
The only way is a clear delineation of duties, aka The Control Matrix

PCI Council Says


For example, an entity subscribing to an IaaS service may retain complete control of, and therefore be responsible for, the ongoing security and maintenance of all operating systems, applications, virtual configurations (including the hypervisor and virtual security appliances), and data. In this scenario, the cloud provider would only be responsible for maintaining the underlying physical network and computing hardware.


How to Scope?
On-prem: as usual
Cloud IaaS environment:
  IaaS systems are in scope: systems, applications, network, devices, hypervisor
  Two-tiered scoping (PCI 2.0 artifact): systems WITH data vs systems that touch/manage systems with data

Think outsourced datacenter+


How to Get Compliant?


One Approach!!
1. Pretend all IaaS infrastructure is YOUR ON-PREMISE network
2. Plan PCI DSS controls for it
3. Realize which controls you CANNOT do, since it is really NOT an on-prem network and you don't control some domains (e.g. physical). Then have a talk with the provider on whether THEY a) CAN and b) WILL cover that
4. Realize which controls DON'T APPLY verbatim to the cloud environment. Then figure out how to compensate!!

For Example
Project: replace branch servers with IaaS-deployed servers
PCI controls: all on the branch server replacement, most on management servers, etc
Physical? => CSP
Firewall management => CSP
Monitoring? => CSP MSSP service ($)
Web application scanning => Ooops!

How to Stay Compliant?

Keep testing the CSP's PCI-OK status and check the matrix for missing controls


PAN Flow


Compliance Evidence
What to show to the QSA?
Evidence of ALL controls, yours and the CSP's
Evidence of ongoing compliance: logging, testing, etc
MUST DO: obtain detailed PCI evidence from the CSP for the controls that apply to your environment!

Responsibility SPLIT//

IaaS PCI
MERCHANT:
  Application security
  Scoping
  Monitoring (unless extra $ to CSP)
PROVIDER:
  Physical
  Network
  Encryption
  Key management
  System security
  Parts of application security

Example Scenario 3//

Control Matrix
PCI DSS Requirement                    | Merchant: IaaS                          | Cloud provider: IaaS
Secure application development: R6     | Yes                                     | No
Update OS: RXX                         | Yes for guest OS                        | Yes for host OS
Log management: R10                    | Yes for guest OS, applications, etc     | Yes for host OS, management systems, etc
Render PANs unreadable: R3.4           | Yes                                     | No (!)
Physical access control: R9            | None                                    | Yes
Vulnerability scanning: R11.2          | Yes for guest OS                        | Yes for host OS, management systems, etc
Penetration tests: R11.3               | Yes for guest OS, applications          | Yes for physical, host OS, etc
Security policy: R12                   | Yes for PARTS                           | Yes for ALL OTHER PARTS
Wireless security: R11.1               | None                                    | Yes
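A matrix like this is easiest to keep hole-free when it is written down in a form that can be checked mechanically. The Python script below is an added example, not CSA courseware and not the class addendum: it models a shared control matrix as requirement-by-layer cells, then reports the layers no party has accepted (the "Ooops!" from the branch-server example), the layers two parties both claim (the owner-vs-manager ambiguity from the sidenote), and third-party claims for which no evidence has been collected yet. The layer names, the requirement-to-layer mapping and the sample assignments are assumptions modelled on the sample matrix; because the checker accepts any number of parties, the same model also serves the PaaS matrix and the tiered case where your CSP has its own CSP.

```python
"""Shared-responsibility ("control matrix") hole checker.

Added illustration, not code from the CSA class. Layer names, the
requirement-to-layer mapping and the sample assignments are assumptions
that follow the class's example IaaS matrix; the real matrix is agreed
between merchant, CSP and QSA.
"""
from collections import defaultdict

# Layers of the cloud stack on which a control can be required (assumption).
LAYERS = ("physical", "network", "hypervisor", "host_os", "guest_os",
          "application", "data")

# Which layers each sample requirement applies to (assumption for the
# illustration; the requirement names follow the class matrix).
REQUIREMENTS = {
    "R1 firewall configuration": {"network", "guest_os"},
    "R3.4 render PANs unreadable": {"data"},
    "R6 secure application development": {"application"},
    "R6.1 patch management": {"hypervisor", "host_os", "guest_os", "application"},
    "R9 physical access control": {"physical"},
    "R10 log management": {"hypervisor", "host_os", "guest_os", "application"},
    "R11.2 vulnerability scanning": {"network", "host_os", "guest_os", "application"},
    "R11.3 penetration testing": {"network", "application"},
}


class ControlMatrix:
    """Tracks which party covers which layer of each requirement."""

    def __init__(self, requirements=REQUIREMENTS):
        self.requirements = {r: set(layers) for r, layers in requirements.items()}
        # (requirement, layer) -> {party: evidence reference or None}
        self.cells = defaultdict(dict)

    def assign(self, party, requirement, *layers, evidence=None):
        """Record that `party` accepts `requirement` on `layers`, together with
        the evidence (AoC, report, SLA clause) that backs the claim, if any."""
        bad = set(layers) - self.requirements[requirement]
        if bad:
            raise ValueError(f"{requirement} does not apply to {sorted(bad)}")
        for layer in layers:
            self.cells[(requirement, layer)][party] = evidence

    def holes(self):
        """Layers of each requirement that NO party has accepted."""
        out = {}
        for req, layers in self.requirements.items():
            missing = {layer for layer in layers if not self.cells.get((req, layer))}
            if missing:
                out[req] = missing
        return out

    def overlaps(self):
        """Cells claimed by more than one party: acceptable only if the contract
        says who OWNS the control versus who MANAGES it."""
        return {key: sorted(parties) for key, parties in self.cells.items()
                if len(parties) > 1}

    def unevidenced(self, own_party):
        """Third-party claims taken on trust (no evidence reference): the
        'trusting the provider without evidence' pitfall."""
        return sorted((req, layer, party)
                      for (req, layer), parties in self.cells.items()
                      for party, ev in parties.items()
                      if party != own_party and ev is None)


def scenario3_iaas(with_mssp_web_scanning=False):
    """The class's IaaS example: merchant owns guest OS and up, CSP owns host
    OS and down. Assignments and evidence references are constructed."""
    m = ControlMatrix()
    csp, merchant = "CSP (IaaS)", "Merchant"
    aoc = "CSP Attestation of Compliance (constructed reference)"
    m.assign(csp, "R1 firewall configuration", "network", evidence=aoc)        # CSP owns the appliance
    m.assign(merchant, "R1 firewall configuration", "network", "guest_os")     # merchant manages the rules
    m.assign(merchant, "R3.4 render PANs unreadable", "data")
    m.assign(merchant, "R6 secure application development", "application")
    m.assign(csp, "R6.1 patch management", "hypervisor", "host_os", evidence=aoc)
    m.assign(merchant, "R6.1 patch management", "guest_os", "application")
    m.assign(csp, "R9 physical access control", "physical", evidence=aoc)
    m.assign(csp, "R10 log management", "hypervisor", "host_os")               # no evidence yet: ask for it
    m.assign(merchant, "R10 log management", "guest_os", "application")
    m.assign(csp, "R11.2 vulnerability scanning", "network", "host_os", evidence=aoc)
    m.assign(merchant, "R11.2 vulnerability scanning", "guest_os")             # web app scanning: nobody!
    m.assign(csp, "R11.3 penetration testing", "network", evidence=aoc)
    m.assign(merchant, "R11.3 penetration testing", "application")
    if with_mssp_web_scanning:
        # The hole closed by buying the CSP's MSSP service for the web application.
        m.assign("CSP MSSP service", "R11.2 vulnerability scanning", "application",
                 evidence="MSSP statement of work (constructed reference)")
    return m


if __name__ == "__main__":
    matrix = scenario3_iaas()
    print("Holes (nobody covers):", matrix.holes())
    print("Overlaps (clarify owner vs manager):", matrix.overlaps())
    print("CSP claims without evidence:", matrix.unevidenced("Merchant"))
```

Run stand-alone it prints the three reports for the sample matrix; in practice the assignments come from the contract and the evidence references from what the CSP actually hands over, and a non-empty holes() report means the matrix is not done.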

Sidenote//

Owner vs Manager
Setting: IaaS provider (EC2 or other)
PCI Requirement: Req 1, firewall management
CSP OWNS the firewall appliance
Merchant, CSP, the CSP's MSSP or a 3rd party MANAGES the firewall settings
Who is left holding the PCI bag?


PCI Council Says

you go figure it out!



Full SAMPLE Matrix Review


This matrix is JUST A SAMPLE
Used here AS AN EXAMPLE
This is NOT YOUR REAL THING
EXAMPLE means: here is what CAN be. EXAMPLE. SAMPLE. ILLUSTRATION!
Did I mention it is just an example?

How to use the shared PCI control matrix?


The class addendum, the EXAMPLE PCI DSS shared control matrix, can be used as follows:
To review one possible control sharing methodology between CSP and merchant
To validate one's own control sharing
For security discussions with CSPs
As a foundation for one's own control sharing, with caution!

Notable PCI DSS Requirements to Watch

Requirement 3.4 covers the encryption of stored data
Requirement 12.8 covers service providers and the matrix
Requirement A covers shared hosting providers


Contract SLA Tips


Case: SaaS/PCI in the cloud
Clear acceptance of responsibility for their controls
Verification of provider controls
Incident response support for data breaches

Common Pitfalls and Key Risks


Failure to test the provider on an ongoing basis
Trusting the provider without evidence
SLA failures: no escalation, evidence sharing, incident response cooperation
Tip: make the SLA as detailed as possible; involve both information security AND legal

Scenario 4//

Twice-Cloudy PCI
Merchant: ecommerce or stores
Uses a public cloud IaaS provider
Processes cards, and possibly stores them as well, in the cloud
Uses a dedicated CSP for payment processing (P), NOT the hosting CSP (H)


Description
An ecommerce company with highly seasonal sales
Uses CSP H, but with payment processing handled by CSP P
Cloud provider P MUST be PCI-OK
Cloud provider H SHOULD be PCI-OK (?)
PAN data processed and stored in the cloud by CSP P

Scenario 4//

Visual


Audience Poll
Q: Can they be PCI DSS compliant?
A: Yes

B: No
C: Cannot tell
Should CSP H be PCI compliant?
Can the merchant be PCI compliant if CSP H is NOT?


This is VERY COMMON

but there is A LOT OF DEVIL in the details

Example//

Cloud Sites by Rackspace

Example//

Microsoft Azure

Official Azure FAQ (2011)


Q: Can you host PCI (e.g. credit card) data [on Azure]?
A: Microsoft makes no claim regarding these standards for 3rd party hosting. There are ways to develop cloud-based applications to use 3rd party PCI data processors that may keep the cloud application itself out of scope.

Bonus question: where does "here" point?



How to Assess?
Key: Contain Toxic (=PCI) Data In Special Clouds, Don't Taint Your IaaS!

The logic here is to offload all (if possible) operations with PANs to a payment provider

How to Scope?
On-prem: as usual
Don't SCOPE - KILL the scope down to nothing in the cloud
Minimize rogue PANs


Huh? Toxic What?


Three basic FACTS:
1. If neither Merchant nor CSP can see payment data, there is only a tiny PCI scope for them (*)
2. If the CSP cannot see the data, but the Merchant can, then this is a traditional on-prem PCI environment
3. The more the payment provider takes on, the better: PCI stays in their cloud

Example//

PayPal API
"With Website Payments Standard, Email Payments, and Payflow Link*, PayPal handles the payment card information for you. So you don't have to worry about your buyers' payment card security or about compliance with PCI DSS for your business."
Will they really sign such an agreement?

Example//

Amazon FPS
Perfect cloud shield:
"As a part of Amazon Payments' services you [=merchant!] may not have access to certain information associated with Cards being processed, including without limitation account number, expiration date, and the card verification value (CVV2/CVC2) (collectively, Cardholder Data)."

Example//

Rackspace Compliant Cloud

How to Get and Stay Compliant?


1. Avoid PANs
2. Engineer the payment chain to avoid having PANs in CSP H and in your own environment
3. Verify CSP P's compliant status (duh!)

How to Stay Compliant?

Keep testing the CSP's PCI-OK status and check the matrix for missing controls


Compliance Evidence

What to show to the QSA?
Evidence of zero scope: data flow, system architecture, etc
Evidence of CSP P's PCI compliance

Responsibility SPLIT//

IaaS PCI
MERCHANT:
  Application security (maybe)
  Provider management
  Others as deployed
CSP H:
  Nothing
CSP P:
  All PCI Controls


PCI Council Says

you go figure it out!


Notable PCI DSS Requirements to Watch

Possibly none, if no merchant ID and no relationship with the acquirer
Requirement 12.8 covers service providers

Common Pitfalls, Risks and SLA Tips

PAN leakage: temporary files and other artifacts of bad coding against payment provider APIs
Web application attacks that redirect the PAN flow to the attacker
Crash dumps with PANs
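The first and third pitfalls are detectable: PANs that leak into application logs, temporary files or crash dumps can be found by the merchant before the QSA does. The Python scanner below is an added example, not code from the class: it pulls 13 to 19 digit candidates out of text, keeps only those that pass the Luhn check (which drops most order ids, timestamps and customer numbers, but is not proof of a real card), and reports them masked as first six/last four so the finding itself does not become another copy of the PAN. The log lines are constructed for the example; the two card numbers in them are published test numbers, not real accounts.

```python
"""Rogue-PAN scanner for logs, temp files and crash dumps.

Added illustration, not code from the CSA class. The sample log lines are
constructed; the card numbers are widely published test numbers.
"""
import re

# A candidate PAN: 13 to 19 digits, optionally separated by single spaces or
# dashes, and not glued to other digits on either side.
PAN_CANDIDATE = re.compile(r"(?<![0-9])(?:[0-9][ -]?){12,18}[0-9](?![0-9])")


def luhn_ok(digits):
    """Luhn check-digit validation. Every real PAN passes it, so anything
    that fails is dropped as a false positive; passing is not proof."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                       # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask(digits):
    """Keep first six and last four; the scanner must never write the full
    PAN into its own output, or the finding itself is a leak."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_pans(text):
    """Masked PANs found in one string, in order of appearance."""
    hits = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            hits.append(mask(digits))
    return hits


def scan_lines(lines):
    """(line number, masked PAN) for every hit in an iterable of text lines."""
    return [(n, pan) for n, line in enumerate(lines, 1) for pan in find_pans(line)]


# Constructed sample: an application log that should contain only tokens.
# Line 2 leaks a PAN via debug output, line 4 via a raw gateway handoff;
# the 16-digit customer number on line 3 fails Luhn and is not reported.
SAMPLE_LOG = [
    "2011-05-02 10:14:03 app[1234]: order=88213 amount=49.99 status=ok",
    '2011-05-02 10:14:07 app[1234]: DEBUG request body: {"card":"4111 1111 1111 1111","exp":"0513"}',
    "2011-05-02 10:14:09 app[1234]: token=tok_5f3a9c1e2b customer=9012345678901234",
    "2011-05-02 10:14:11 app[1234]: card=5500000000000004 -> forwarded to gateway (CSP P)",
]

if __name__ == "__main__":
    for lineno, pan in scan_lines(SAMPLE_LOG):
        print(f"line {lineno}: PAN {pan}")
```

Point it at log archives, crash-dump directories and temp locations on the web tier; a single hit means PANs are flowing through an environment that was supposed to have zero scope, and the data flow has to be re-engineered, not just the log line deleted.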

Scenario 5//

PaaS PCI

Merchant: ecommerce or stores
Uses a public cloud PaaS provider
Processes cards, and possibly stores them as well, in the cloud


PaaS Come Again?


PaaS is EXACTLY between IaaS and SaaS
IaaS: OS, VM, networks, etc
SaaS: application
What's in between? An environment for application development: PaaS

Description
A major ecommerce website
Uses a CSP for a broad spectrum of tasks, including payments
Cloud provider MAY BE PCI-OK
PAN data stored/passed in the cloud
PAN data processed in the cloud
Merchant does NOT control the OS/VMs at the CSP

Scenario 5//

Visual


Audience Poll
Q: Can they be PCI DSS compliant?
A: Yes

B: No
C: Cannot tell
Must the provider be PCI-OK?
Can the merchant be PCI-OK if the CSP is not?
What must the merchant do because the provider cannot do it?


How to Assess?

Key: Need to Understand Your CSP Really Well


Decision Time
If the PaaS CSP is NOT PCI-OK (Force.com, Azure), THEN the only way to PCI is a complete 3rd party payment takeover -> Scenario 4
If the PaaS CSP IS PCI-OK, THEN build the control matrix -> Scenario 3


How to Scope?
On-prem: as usual
Cloud PaaS environment:
  PaaS systems are in scope: systems, applications, network, devices, hypervisor
  Two-tiered scoping (PCI 2.0 artifact): systems WITH data vs systems that touch/manage systems with data

Think outsourced IT-


How to Get Compliant?


One Approach!!
1. Review which controls the PaaS CSP will handle for you
2. Check which PCI DSS controls they cannot ever handle
   Example: your security policy, awareness training for your employees (BTW, they should do the same for theirs)
3. Create the matrix and verify it with the CSP
   Request additional information from them as needed
4. Deploy additional controls where needed and where prudent


For Example
Project: replace a marketing analytics application that uses PANs with a PaaS-deployed application
PCI controls: all on the application, most on management servers, etc
Web application scanning => Merchant
All others => CSP
Decision: move the payment data off the CSP, and off PCI you go

How to Stay Compliant?

Keep testing the CSP's PCI-OK status and check the matrix for missing controls


Compliance Evidence
What to show to the QSA?
Evidence of ALL controls, yours and the CSP's
MUST DO: obtain detailed PCI evidence from the CSP for the controls that apply to your environment!

Responsibility SPLIT//

PaaS PCI
MERCHANT:
  Application security
  Scoping
  Monitoring (unless extra $ to CSP)
PROVIDER:
  Application platform security
  Physical
  Network
  Encryption
  Key management
  System security

Example Scenario 5//

Control Matrix
PCI DSS Requirement                    | Merchant: PaaS user        | Cloud provider: PaaS
Secure application development: R6     | Yes                        | Yes (for platform)
Update OS: RXX                         | No                         | Yes
Log management: R10                    | Yes, application logs      | Yes, everything else (or data provided to merchant!)
Render PANs unreadable: R3.4           | Yes                        | Yes where it touches their environment
Physical access control: R9            | No                         | Yes
Vulnerability scanning: R11.2          | No                         | Yes
Penetration tests: R11.3               | Yes, application level     | Yes for physical, network, application, etc
Security policy: R12                   | Yes - applicable           | Yes for the rest
Wireless security: R11.1               | No                         | Yes

Notable PCI DSS Requirements to Watch


Requirement 1: Firewall architecture (cloud networks are flat)
Requirement 4.1: Use strong cryptography and security protocols; intra-CSP traffic may be seen as public
Requirement 6.1: patch management is Joint, and needs to be done by both
Requirement 12.8 covers service providers and the matrix

Contract SLA Tips

Clear acceptance of responsibility for their controls
Verification of provider controls
Incident response support for data breaches

Common Pitfalls and Key Risks

Failure to test the provider on an ongoing basis
SLA failures: no escalation, evidence sharing, incident response cooperation

Scenario 6//

Tiered PCI
Merchant: ecommerce or stores
Uses a public cloud PaaS or SaaS provider, who in turn uses a public IaaS provider
Processes cards and possibly stores them somewhere


Description
A major ecommerce website
Uses a CSP for a broad spectrum of tasks, including payments
Their provider uses another cloud provider
Some cloud providers MAY BE PCI-OK
PAN data stored/passed in the cloud
PAN data processed in the cloud

Scenario 6//

Visual


Audience Poll
Q: Can they be PCI DSS compliant?
A: Yes

B: No
C: Cannot tell
Must the provider be PCI-OK?
Must their provider's provider be PCI-OK?
Can the merchant be PCI-OK if some CSPs are not?


Tiered Merchant Example


Merchant uses a CSP (SaaS) that uses Amazon EC2 (IaaS)
A public Amazon case study: http://aws.amazon.com/solutions/case-studies/36boutiques/


How to Assess?
Key: The Matrix Must Have No Holes, Again

but there are more dimensions now

Your CSP's CSP is NOT your CSP!
Expect that some controls are NOT implemented by your CSP at all: they simply trust their CSP's assertions


How to Scope?
Worst case: FORGET IT! We can never figure it out... (reality)
Best case: the payment chain is isolated from ALL the CSPs (zero scope for you, all scope is with the payment provider)

Ahhhhhh

We went through six PCI-in-the-cloud scenarios!

Exercise//

How to Comply/Assess?
Business: ecommerce
Setup: uses a CSP for web hosting and all application hosting, accepts payment cards, sells to consumers
Challenge: we are the QSA they hired to get them compliant
Next steps?

What do the scenarios teach us about PCI and cloud?

1. "Kill the scope" works in the cloud as well
2. It is better to have the payment processor handle more, and merchant/CSP handle less, of the PCI burden
3. The CSP may do it, but the MERCHANT is responsible and needs to validate it
4. Finally, we CAN have PCI in the cloud!

Final Recommendations
Follow the scenarios as templates for your projects
Learn to scope in the cloud
Make a matrix of shared responsibility (and keep it with you at all times)
Remember: the MERCHANT is on the hook, even if the CSP does it (as per PCI DSS)
Requirement 12.8 is NOT a punt

Additional Tips from Past Class Discussions


Use PCI + cloud security thinking for other sensitive data: SSN, PHI, financials, etc
Involve legal in SLA and other discussions about regulated data in the cloud (!)
Scan for YOUR sensitive data being put in the cloud by business partners, in THEIR clouds
The "trust but verify" principle MUST be applied to your CSP

Any Lessons from the Audience?

Anything juicy I missed, to conclude?


A one-liner version?
If you can get rid of the PANs in the cloud, DO IT!


Questions?


Thanks for Your Review!


Courseware author Dr. Anton Chuvakin would like to thank the following people for their thoughtful review of class materials:
Walt Conway @ 403 Labs
Martin McKeay @ Verizon
Mike Dahn @ PWC
Doug Barbin @ BrightLine
Jason Chan @ Netflix

Additional Materials
In the notes, there are links to various useful reading, in addition to CSA and other sites mentioned in the class.

Go to www.cloudsecurityalliance.org for the latest information on our educational resources

