PCI in the Cloud

2nd InfoCom Security Conference
5 April 2012
Konstantinos Papadatos
Commercial Director & Co-founder
MSc InfoSec, CISSP, ISO 27001 LA, ISSMP, PMI, MBCI
Agenda:
• Cloud is here to stay…
• PCI-DSS is here to stay…
• Cloud Security & Compliance
• Conclusions
Cloud service models (diagram of the stack):
• Infrastructure (IaaS): Virtualization; Physical Servers & Storage; Networks / Directories; Data Center Physical, Mechanical & Electrical
• Platform (PaaS): Operating Systems; Infrastructure SW / Databases
• Software Applications (SaaS): Hosted Applications

Cloud deployment models:
• Public cloud: applications, storage, and other resources are made available to the general public by a service provider. Public cloud services may be free or offered on a pay-per-usage model.
• Private cloud (Internal or Hosted): cloud infrastructure operated solely for a single organization.
• Community cloud: shares infrastructure between several organizations from a specific community with common concerns (security, compliance, jurisdiction, etc.), whether managed internally or by a third party and hosted internally or externally.
• Hybrid cloud: a composition of two or more clouds (private, community or public) that remain unique entities but are bound together, offering the benefits of multiple deployment models.

Cloud benefits:
• Allows IT to Shift Focus – With the quick availability of cloud services, an organization is free to focus its time and resources on bringing innovation to applications and solutions.
• Utility Service – Pay-per-use / pay-as-you-go subscription-based model. Ready-to-go cloud offerings are available with limited time needed for implementation and customization (if provided).
• Dynamic Scaling – Services scale up and down based on application usage; best for applications with significant spikes and troughs in infrastructure usage.
• Investment Cap – More beneficial for companies with limited capital to invest in hardware and infrastructure.
• Reduces TCO (Total Cost of Ownership) – Shifts cost from capital expense (Capex) to operational expense (Opex) for an enterprise. No need to buy an asset in order to use it, and it reduces the related costs of maintenance and support.
• Metered Service – Cloud usage is metered and priced on the basis of units (or instances) consumed. Pay for what you use, when you use it.
• Flexible Offering – Access infrastructure from anywhere, any location, on any device.
• …

… and, if provided properly: Better Security & Compliance
Cloud trends for the Western European Public Sector (IDC CEMA ICT Markets Alert, March 2012)

“46% of respondents expressed that concerns about security are holding back the adoption of cloud computing by governments” (Source: Gartner, March 2011)

• IT decision-makers and influencers say that cloud is a critical or high priority.
• The business need is such that security will not have the power to veto for long…
(Source: “Q&A: Demystifying Cloud Security”, October 2010)
PCI-DSS is here to stay …
PCI DSS roles and responsibilities (diagram):
Merchants:
- Attain compliance with PCI DSS
- Secure cardholder data
- Use PCI certified service providers
Merchant Banks:
- Communicate with and educate merchants
- Report merchant compliance to Card Associations
- Enforce PCI DSS
- Promote its adoption (i.e. punishments, rewards)
Service Providers:
- Secure cardholder data
- Attain compliance with PCI DSS
PCI Security Standards Council:
- Maintain PCI DSS
- Certify QSA’s & ASV’s
QSAs & ASVs:
- Verify compliance through on-site audits & quarterly vulnerability scans
- Render opinions to merchant bank on compensating controls
PCI DSS control objectives and the 12 requirements:
Build & Maintain a Secure Network
1. Install & maintain a firewall configuration to protect cardholder data
2. Do not use vendor-supplied defaults for system passwords & other security parameters
Protect Cardholder Data
3. Protect stored cardholder data
4. Encrypt transmission of cardholder data across open, public networks
Maintain a Vulnerability Management Program
5. Use and regularly update anti-virus software or programs
6. Develop & maintain secure systems and applications
Implement Strong Access Control Measures
7. Restrict access to cardholder data by business need-to-know
8. Assign a unique ID to each person with computer access
9. Restrict physical access to cardholder data
Regularly Monitor & Test Networks
10. Track and monitor all access to network resources and cardholder data
11. Regularly test security systems and processes
Maintain an Information Security Policy
12. Maintain a policy that addresses information security for employees and contractors
Network Segmentation (Firewalls, NAC, ACLs …)
IDS & IPS
Wireless Security
System Security (File Integrity Monitoring, AV, Patch Management …)
Application Security (WAF, Code Review …)
Storage & DB Encryption (or DB Firewalling or Tokenization …)
Log Management
Password Management
Vulnerability & Patch Management
Physical Security
Business as Usual:
• $5,000 – $25,000 per month for non-compliance
In the event of a breach:
• Any fines from Payment Brands (up to $100,000 per incident)
• Cost to notify victims
• Cost to replace cards (about $10/card)
• Cost for any fraudulent transactions
• Forensics from a QDSC
• Level 1 certification from a QSA
Cloud Security & Compliance
Cloud access model (diagram):
• Front-end access: Web Users, Web Applications, Mobile Access …
• IT Services & Data
• Back office access interfaces (IPSec or other VPN): 3rd-parties, Business Users, IT Users, CSP IT Users, Partners, etc.
• Cloud related threats: Web Application, Other Cloud Customers, Web Services, DB Access, System Access …
Cloud security concerns:
• Data Center Physical Security
• Availability/Accessibility
◦ Network
◦ DR/BCP
• Isolation
◦ At the application level (multitenant app SaaS)
◦ At the network/System level (Virtual Machines)
• Data Privacy & Regulatory Compliance
• Security Infrastructure as a Service
◦ Protection from External Threats
◦ Protection from Internal Threats & Misuse (customer’s internal environment)
• Protection from Service Provider Access Misuse
• Protection from Other Customers Access Misuse

Security of the Cloud Data Center / CSP (diagram): SecIaaS (Security Infrastructure as a Service), Risk Assessments, Penetration Tests, …
SecIaaS: Secure & PCI Compliant Cloud (diagram of the service stack):
• Customer Portal(s) & Provisioning
• CDC/CSP Security
• Compliance Management (Dashboards, Integration with: CCM, VM/PM, IAM…)
• 24x7 Real Time Threat Management (RTTM; Advanced Reporting & Response)
• Vulnerability & Patch Management (Automation, Streamlining, Integration)
• Log Management & Archiving (Collection from all systems, applications and security controls)
• Identity & Access Management (IAM; Automation, Delegation, Governance)
• Secure Access (Dedicated VDI/TS, Strong Authentication, Workflows)
• Data Security (Storage & DB Encryption, DBFW, Tokenisation)
• Application Security (WAF, optional Anti-DDoS)
• System Security (Hypervisor Protection, CCM/FIM, AV/HIPS, Hardening, PIM/PUPM)
• Network Security (FW & DMZs, IDS/IPS, VPNs, Virtual FW)
Conclusions
Required Effort for PCI Compliance (diagram), assuming that all CSP services comply with PCI-DSS requirements!
• Move Major Operations to Cloud
• Implement PCI controls to remaining Infrastructure
• Attestation of Compliance
Service model options: IaaS; PaaS; SaaS (PCI compliant Applications); SecIaaS: Security Infrastructure as a Service; PCI Compliant CSP Offerings
• Data dispersal and international privacy laws
◦ EU Data Protection Directive
◦ Exposure of data to foreign government
◦ Data retention issues
• Look for CSP with strong security certifications / proof of compliance.
◦ ISO/IEC 27001:2005
 Implementation of the standard for the cloud
 Scope: Cloud Service Provider own IT systems
◦ Cloud Security Alliance
 Enhancement of the ISMS & security controls with CSA guidelines
◦ PCI DSS
 Enhancement of the ISMS & security controls with PCI DSS guidelines
• If CSP is NOT Compliant, consider using a Hosted Private Cloud
◦ Ability to impose stringent security and privacy policies.
◦ Ability to have the infrastructure certified by auditors.
• The organization itself is still responsible for full compliance of the CDE (cardholder data environment), and only a part of that CDE might intersect a CSP.
• Cloud security is shifting from inhibitor to enabler.
Security Strategy:
• Risk Assessment & Management
• Security Policies & Procedures Development
• PCI-DSS Scoping & GAP analysis
• Security Awareness Programs
• PCI-DSS Certification (QSA)
Security Architecture:
• Network Infrastructure Security
• File Integrity Monitoring
• AV/HIPS
• Security Hardening
• Web Application & DB Firewalls
• DB & Storage Encryption
• Tokenisation
• Password Management
• Security Event Management
• Identity & Access Management
• Patch Management
• Enterprise Information Protection
PCI DSS Compliance / SecIaaS / PCI ready Hosting
Security Assurance:
• Infrastructure Pentest
• Web Application Pentest
• Internal Pentest
• Code Review
• Wireless Security Assessments
• Digital Forensics
• Vulnerability Assessment
• Authorized ASV
Managed Security Services:
• Real Time Threat Management
• Managed Security Infrastructure
• Brand Protection & Intelligence
• Incident Handling & Support
• Managed Vulnerability Assessments
www.encodegroup.com