© 2011 Cloud Security Alliance, Inc. All rights reserved. HOW TO DO PCI DSS IN THE CLOUD

TRANSCRIPT

  • Slide 1
  • Slide 2
  • Slide 3
  • Thanks to Class Sponsors. Courseware created by Dr. Anton Chuvakin for Cloud Security Alliance
  • Slide 4
  • About the Cloud Security Alliance: global, not-for-profit organization; building best practices and a trusted cloud ecosystem; comprehensive research and tools; Certificate of Cloud Security Knowledge (CCSK). www.cloudsecurityalliance.org
  • Slide 5
  • About the Class: learn/refresh knowledge about PCI DSS; learn/refresh knowledge about cloud computing; understand how to assess PCI compliance in cloud environments; understand how to implement PCI DSS controls in cloud environments; gain useful tools for planning and doing this
  • Slide 6
  • Slide 7
  • Show of hands please: 1. QSA 2. Merchant (a) L1 (b) L2-4 3. Service provider 4. Security tool vendor 5. Security consultant 6. Other
  • Slide 8
  • Prerequisites: know how to spell P-C-I D-S-S; have heard about The Cloud; possess basic information security and IT management knowledge
  • Slide 9
  • Full Class Outline: Introduction (what this class is about, prerequisites, how to benefit); PCI DSS reminder; Cloud basics; Where cloud interacts with PCI DSS; Key cloud PCI controls; Core PCI DSS + cloud scenarios; Conclusions and action items
  • Slide 10
  • Slide 11
  • How to benefit? If you are a merchant: learn how to stay compliant in the cloud, what to ask of CSPs, what to show to QSAs. If you are a QSA: figure out how to assess merchants and CSPs. If you are a cloud service provider: learn how to keep yourself and merchants compliant. If you are a security vendor: learn about the new problems you can solve. If you are a consultant around PCI and cloud: learn the pain points around PCI DSS and cloud.
  • Slide 12
  • PCI in the Cloud... In the Media
  • Slide 13
  • Slide 14
  • Quick Reality Check
  • Slide 15
  • Cloud?
  • Slide 16
  • PCI DSS?
  • Slide 17
  • Together?
  • Slide 18
  • DISCUSSION!
  • Slide 19
  • Slide 20
  • Why is PCI Here? Criminals need money. Credit cards = MONEY. Where are the most cards? In computers. Data theft grows and reaches HUGE volume. Some organizations still don't care, especially if the loss is not theirs. PAYMENT CARD BRANDS ENFORCE DSS!
  • Slide 21
  • Laggards vs. Leaders. Issue: many merchants don't even want to grow up to the floor of security. Result: breaches, loss of card data, lawsuits, unhappy consumers, threat of regulation. Action: PCI DSS mandate!
  • Slide 22
  • What is PCI DSS or PCI? Payment Card Industry Data Security Standard. Payment Card = ; Payment Card Industry = ; Data Security = ; Data Security Standard =
  • Slide 23
  • PCI DSS: Basic Security Practices!
  • Slide 24
  • PCI DSS Domain Coverage. In no particular order: security policy and procedures; network security; malware protection; application security (and web); vulnerability scanning and remediation; logging and monitoring; security awareness
  • Slide 25
  • PCI DSS 2.0 is Here! Select items changing for PCI 2.0: scoping clarification; data storage; virtualization (!!); DMZ clarification; vulnerability remediation; remote data access
  • Slide 26
  • Does it Apply to Me? PCI DSS compliance includes merchants and service providers who accept, capture, store, transmit or process credit and debit card data.
  • Slide 27
  • PCI Game: The Players. PCI Security Standards Council
  • Slide 28
  • PCI Regime vs DSS Guidance. The PCI Council publishes PCI DSS: it outlined the minimum data security protection measures for payment card data; defined merchant and service provider levels and compliance validation requirements; and left enforcement to the card brands (the Council doesn't fine anybody!). Key point: PCI DSS (the document) vs PCI (the validation regime)
  • Slide 29
  • PCI Security Standards Council. Founded by: American Express, Discover Financial Services, JCB, MasterCard Worldwide, Visa International. Publishes PCI DSS, PA-DSS and PTS. Releases additional security guidance. Approves security vendors: Approved Scanning Vendors (ASV) for quarterly scans; Qualified Security Assessors (QSA) for on-site assessments
  • Slide 30
  • My Data, Their Risk!? *I* GIVE *YOU* DATA. *YOU* LOSE IT. *ANOTHER* SUFFERS!
  • Slide 31
  • Key Concept// Scoping
  • Slide 32
  • Sidenote// FLAT NET to FLAT CLOUD. REALITY: "Without adequate network segmentation (sometimes called a 'flat network') the entire network is in scope of the PCI DSS assessment." (PCI DSS 2.0) DREAM: Without adequate network segmentation the entire CLOUD is in scope of the PCI DSS assessment.
  • Slide 33
  • Key Concept// Compliance vs Validation. Q: What to do after your QSA leaves? A: PCI DSS compliance does NOT end when the QSA leaves or the SAQ is submitted. Use what you built for PCI to reduce risk. Own PCI DSS; make it the basis for your policies.
  • Slide 34
  • Key Concept// Stay Compliant. Ongoing compliance with PCI DSS tasks:
        TASK                                                                                               FREQUENCY
        Risk assessment, security awareness, key changes, review of off-site backups, QSA assessment, etc. Annual
        ASV and internal scans, wireless scans                                                             Quarterly
        File integrity checking                                                                            Weekly
        Log and alert review, other operational procedures                                                 Daily
  • Slide 35
  • Failing That. Classic example from my PCI book (co-author: Branden Williams)
  • Slide 36
  • Two BIG Approaches to PCI DSS Compliance. SECURE the data: encrypt, access control, monitor, block attempts, authenticate, authorize, etc. DELETE the data: organize your business to avoid dealing with the data. These apply to PCI in the cloud as well!
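Both approaches start with the same step: finding out where PAN actually is. The following is an added example, not part of the CSA courseware, of the kind of PAN scanner used for that (and for the later tip about scanning for your own sensitive data): it pulls 13 to 19 digit candidates out of free text, keeps only those that pass the Luhn check, and truncates every hit to first six/last four, the most that PCI DSS 3.3 permits to be displayed. The sample records are constructed; the card numbers in them are the public Visa, MasterCard and American Express test PANs, not real cards.

```python
import re
from typing import List, Tuple

# Constructed sample records (not from the deck): the kind of text that ends up in
# application logs, support tickets and analytics exports once PAN leaks out of scope.
SAMPLE_RECORDS = [
    "2011-06-01 order=1234567890123456 card=4111 1111 1111 1111 status=ok",
    "support note: customer read card 5500-0000-0000-0004 over the phone",
    "amex 378282246310005 exp 12/13",
    "typo case: 4111111111111112 should not match (fails Luhn)",
    "ticket id 9876543210 is not long enough to be a PAN",
]

# 13 to 19 digits, optionally separated by single spaces or dashes, not embedded in a
# longer digit run. This deliberately over-matches; the Luhn check below prunes it.
CANDIDATE_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn (mod 10) check-digit test: every real PAN passes, most other numbers fail."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit counting from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def _normalize(candidate: str) -> str:
    return re.sub(r"[ -]", "", candidate)


def find_pans(text: str) -> List[str]:
    """Luhn-valid 13-19 digit numbers found in text, separators removed."""
    return [
        _normalize(m.group(0))
        for m in CANDIDATE_RE.finditer(text)
        if luhn_ok(_normalize(m.group(0)))
    ]


def mask_pan(digits: str) -> str:
    """Truncate to first six and last four digits, the maximum PCI DSS 3.3 allows to show."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def redact(text: str) -> str:
    """Replace every PAN in text with its truncated form; other numbers are left alone."""
    def repl(m):
        digits = _normalize(m.group(0))
        return mask_pan(digits) if luhn_ok(digits) else m.group(0)
    return CANDIDATE_RE.sub(repl, text)


def scan(records: List[str]) -> List[Tuple[int, List[str]]]:
    """Index of each record that holds PAN, with the PANs already truncated for the report."""
    hits = []
    for i, rec in enumerate(records):
        found = find_pans(rec)
        if found:
            hits.append((i, [mask_pan(p) for p in found]))
    return hits


if __name__ == "__main__":
    for idx, masked in scan(SAMPLE_RECORDS):
        print(f"record {idx}: PAN found -> {masked}")
    for rec in SAMPLE_RECORDS:
        print(redact(rec))
```

The Luhn check is what keeps the scanner honest: a 16-digit order number matches the regex but fails the checksum, so the report stays about card data rather than every long number in the logs. The report itself only ever carries truncated values, so running the scanner does not create a new PAN store.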
  • Slide 37
  • Slide 38
  • Slide 39
  • NIST Definition of Cloud Computing: "Cloud computing is a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources that can be rapidly provisioned and released with minimal management effort or service provider interaction."
  • Slide 40
  • 5 Essential Cloud Characteristics: 1. On-demand self-service 2. Broad network access 3. Resource pooling (location independence) 4. Rapid elasticity 5. Measured service
  • Slide 41
  • 3 Cloud Service Models: 1. Cloud Software as a Service (SaaS): use the provider's applications over a network. 2. Cloud Platform as a Service (PaaS): deploy customer-created applications to a cloud. 3. Cloud Infrastructure as a Service (IaaS): rent processing, storage, network capacity, and other fundamental computing resources. To be considered cloud, they must be deployed on top of cloud infrastructure that has the essential characteristics.
  • Slide 42
  • 4 Cloud Deployment Models: Private cloud (enterprise owned or leased); Community cloud (shared infrastructure for a specific community); Public cloud
  • Decision Time. If the PaaS CSP is NOT PCI-OK (Force.com, Azure) THEN the only way to PCI is complete third-party payment takeover -> Scenario 4. If the PaaS CSP IS PCI-OK THEN build the control matrix -> Scenario 3
  • Slide 168
  • How to Scope? On-prem: as usual. Cloud PaaS environment: PaaS systems are in scope: systems, applications, network, devices, hypervisor. Two-tiered scoping (a PCI 2.0 artifact): systems WITH data vs systems that touch/manage systems with data. Think outsourced IT.
  • Slide 169
  • How to Get Compliant? One Approach!! 1. Review which controls the PaaS CSP will handle for you. 2. Check which PCI DSS controls they cannot ever handle (example: your security policy, awareness training for your employees; BTW, they should do it for theirs). 3. Create the matrix and verify it with the CSP; request additional information from them as needed. 4. Deploy additional controls where needed and where prudent.
  • Slide 170
  • For Example. Project: replace a marketing analytics application that uses PAN with a PaaS-deployed application. PCI controls: all on the application, most on management servers, etc. Web application scanning => Merchant. All others => CSP. Decision: move the payment data off the CSP, and off PCI you go.
  • Slide 171
  • How to Stay Compliant? Keep testing the CSP's PCI-OK status and check the matrix for missing controls
  • Slide 172
  • Compliance Evidence. What to show to the QSA? Evidence of ALL controls, yours and the CSP's. MUST DO: obtain detailed PCI evidence from the CSP for the controls that apply to your environment!
  • Slide 173
  • Responsibility SPLIT// PaaS. PCI PROVIDER: application platform security; physical; network; encryption; key management; system security. MERCHANT: application security; scoping; monitoring (unless extra $ to CSP)
  • Slide 174
  • Example Scenario 5// Control Matrix
        PCI DSS Requirement                     Merchant: PaaS user        Cloud provider: PaaS
        Secure application development: R6      Yes                        Yes (for platform)
        Update OS: RXX                          No                         Yes
        Log management: R10                     Yes, application logs      Yes, everything else (or data provided to merchant!)
        Render PANs unreadable: R3.4            Yes                        Yes, where it touches their environment
        Physical access control: R9             No                         Yes
        Vulnerability scanning: R11.2           No                         Yes
        Penetration tests: R11.3                Yes, application level     Yes, for physical, network, application, etc.
        Security policy: R12                    Yes, where applicable      Yes, for the rest
        Wireless security: R11.1                No                         Yes
  • Slide 175
  • Notable PCI DSS Requirements to Watch. Requirement 1: firewall architecture (cloud networks are flat). Requirement 4.1: use strong cryptography and security protocols (intra-CSP traffic may be seen as public). Requirement 6.1: patch management is joint and needs to be done by both. Requirement 12.8: covers service providers and the matrix.
  • Slide 176
  • Contract/SLA Tips: clear acceptance of responsibility for their controls; verification of provider controls; incident response support for data breaches
  • Slide 177
  • Common Pitfalls and Key Risks: failure to test the provider on an ongoing basis; SLA failures: no escalation, no evidence sharing, no incident response cooperation
  • Slide 178
  • Scenario 6// Tiered PCI. Merchant: ecommerce or stores. Uses a public cloud PaaS or SaaS provider who in turn uses a public IaaS provider. Processes cards and possibly stores them somewhere.
  • Slide 179
  • Description: A major ecommerce website. Uses a CSP for a broad spectrum of tasks, including payments. Their provider uses another cloud provider. Some cloud providers MAY BE PCI-OK. PAN data stored/passed in the cloud. PAN data processed in the cloud.
  • Slide 180
  • Scenario 6// Visual
  • Slide 181
  • Audience Poll. Q: Can they be PCI DSS compliant? A: Yes. B: No. C: Cannot tell. Must the provider be PCI-OK? Must their provider's provider be PCI-OK? Can the merchant be PCI-OK if some CSPs are not?
  • Slide 182
  • Tiered Merchant Example. Merchant uses a CSP (SaaS) that uses Amazon EC2 (IaaS). A public Amazon case study: http://aws.amazon.com/solutions/case-studies/36boutiques/
  • Slide 183
  • How to Assess? Key: The Matrix Must Have No Holes. Again, but there are more dimensions now
  • Slide 184
  • Your CSP's CSP is NOT your CSP! ...and some controls are NOT implemented by your CSP; they simply trust their CSP's assertions
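The matrix from the earlier scenario and the tiered-trust problem on this slide can be checked mechanically. The following is an added example and not part of the CSA courseware: a small Python model of a merchant, its PaaS CSP and that CSP's IaaS provider, with the requirement list taken from the deck's example matrix and "requirements to watch". The three parties, which controls each claims, which of those claims come with written evidence, and which are pushed down a tier are all constructed for illustration. A requirement nobody claims is a hole; one met only by the CSP's CSP is reported as "indirect", because the merchant is then relying on an assertion it never verified; one claimed without evidence is flagged too, since the QSA will want evidence for every control.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Requirement list taken from the deck's example matrix and "requirements to watch".
REQUIREMENTS: Dict[str, str] = {
    "R1": "Firewall architecture", "R3.4": "Render PANs unreadable",
    "R4.1": "Strong crypto in transit", "R6": "Secure application development",
    "R6.1": "Patch management", "R9": "Physical access control",
    "R10": "Log management", "R11.1": "Wireless security",
    "R11.2": "Vulnerability scanning", "R11.3": "Penetration testing",
    "R12": "Security policy", "R12.8": "Service provider management",
}

# Best-to-worst ordering, used when one requirement has several outcomes along the chain.
SEVERITY = {"covered": 0, "indirect": 1, "no-evidence": 2, "hole": 3}


@dataclass
class Party:
    """One tier of the chain: the merchant, its CSP, or the CSP's own CSP."""
    name: str
    implemented: Set[str]                              # requirements this party says it handles
    evidence: Set[str]                                 # ...for which the tier above holds written evidence
    delegated: Set[str] = field(default_factory=set)   # requirements it pushes down to its provider
    provider: Optional["Party"] = None


def trace(req: str, party: Party) -> Tuple[str, List[str]]:
    """Follow one requirement down the provider chain; returns (status, parties involved).

    A shared control (R6, R10: both tiers do part of it) is both implemented and
    delegated, and the worse of the two outcomes wins.
    """
    own: Optional[str] = None
    if req in party.implemented:
        own = "covered" if req in party.evidence else "no-evidence"
    if req in party.delegated:
        if party.provider is None:
            return "hole", [party.name]                  # delegated to nobody
        sub_status, sub_chain = trace(req, party.provider)
        if own is None or SEVERITY[sub_status] > SEVERITY[own]:
            return sub_status, [party.name] + sub_chain
        return own, [party.name] + sub_chain
    if own is None:
        return "hole", [party.name]                      # nobody claims it
    return own, [party.name]


def assess(merchant: Party, requirements: Dict[str, str]) -> Dict[str, Tuple[str, List[str]]]:
    """Status of every requirement as seen from the merchant."""
    report = {}
    for req in requirements:
        status, chain = trace(req, merchant)
        if status == "covered" and len(chain) > 2:
            # Met only two hops down: the merchant's CSP is passing on its own CSP's
            # assertion and the merchant holds no evidence of its own. Flag it.
            status = "indirect"
        report[req] = (status, chain)
    return report


def holes(report: Dict[str, Tuple[str, List[str]]]) -> List[str]:
    """Everything that is not fully evidenced: the holes in the matrix."""
    return sorted(req for req, (status, _) in report.items() if status != "covered")


# Constructed tiered scenario with hypothetical parties (not the deck's case study).
IAAS = Party("IaaS provider",
             implemented={"R1", "R9", "R11.1", "R11.2"},
             evidence={"R1", "R9", "R11.1", "R11.2"})
PAAS = Party("PaaS CSP",
             implemented={"R3.4", "R6", "R6.1", "R10", "R11.3"},
             evidence={"R3.4", "R6", "R10", "R11.3"},     # nothing in writing for R6.1
             delegated={"R1", "R9", "R11.1", "R11.2"},
             provider=IAAS)
MERCHANT = Party("Merchant",
                 implemented={"R6", "R10", "R11.3", "R12", "R12.8"},
                 evidence={"R6", "R10", "R11.3", "R12", "R12.8"},
                 delegated={"R1", "R3.4", "R6", "R6.1", "R9", "R10", "R11.1", "R11.2", "R11.3"},
                 provider=PAAS)                           # note: nobody claims R4.1

REPORT = assess(MERCHANT, REQUIREMENTS)

if __name__ == "__main__":
    for req, (status, chain) in REPORT.items():
        print(f"{req:6} {REQUIREMENTS[req]:32} {status:12} {' -> '.join(chain)}")
    print("holes:", holes(REPORT))
```

In this scenario the scan turns up one outright hole (R4.1, intra-CSP traffic that nobody encrypts), one claim with no evidence behind it (the PaaS CSP's patching), and four controls that only the IaaS tier actually performs; those four are exactly the ones the merchant cannot show a QSA without going past its own CSP for evidence.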
  • Slide 185
  • How to Scope? Worst case: FORGET IT! We can never figure it out... reality. Best case: the payment chain is isolated from ALL the CSPs (zero scope for you; all scope is with the payment provider)
  • Slide 186
  • We went through six PCI-in-the-cloud scenarios! Ahhhhhh
  • Slide 187
  • Exercise// How to Comply/Assess? Business: ecommerce. Setup: uses a CSP for web hosting and all application hosting, accepts payment cards, sells to consumers. Challenge: we are a QSA they hired to get them compliant. Next steps?
  • Slide 188
  • What do the scenarios teach us about PCI and cloud? 1. "Kill the scope" works in the cloud as well. 2. It is better to have the payment processor handle more and the merchant/CSP handle less of the PCI burden. 3. The CSP may do it, but the MERCHANT is responsible and needs to validate it. 4. Finally, we CAN have PCI in the cloud!
  • Slide 189
  • Final Recommendations: follow the scenarios as templates for your projects; learn to scope in the cloud; make a matrix of shared responsibility (and keep it with you at all times); remember: the MERCHANT is on the hook, even if the CSP does it (as per PCI DSS); Requirement 12.8 is NOT a punt
  • Slide 190
  • Additional Tips from Past Class Discussions: use PCI + cloud security thinking for other sensitive data (SSN, PHI, financials, etc.); involve legal in SLA and other discussions about regulated data in the cloud (!); scan for YOUR sensitive data being put in the cloud by business partners in THEIR clouds; the "trust but verify" principle MUST be applied to your CSP
  • Slide 191
  • Any Lessons from the Audience? Anything juicy I missed, to conclude?
  • Slide 192
  • A one-liner version? If you can get rid of the PANs in the cloud, DO IT!
  • Slide 193
  • Questions?
  • Slide 194
  • Thanks for Your Review! Courseware author Dr. Anton Chuvakin would like to thank the following people for their thoughtful review of class materials: Walt Conway @ 403 Labs; Martin McKeay @ Verizon; Mike Dahn @ PWC; Doug Barbin @ BrightLine; Jason Chan @ Netflix
  • Slide 195
  • Additional Materials. In the notes, there are links to various useful reading, in addition to CSA and other sites mentioned in the class. Go to www.cloudsecurityalliance.org for the latest information on our educational resources.
  • Slide 196