PCI and the Cloud Paul Court - Technical Operations Director - Claranet UK Payment and Fraud Conference - 11th February 2010

Page 1: PCI and the Cloud

PCI and the Cloud

Paul Court - Technical Operations Director - Claranet UK

Payment and Fraud Conference - 11th February 2010

Page 2

Who are we?

A Managed Services Provider

A technically astute partner offering Networks, Hosting and Managed Applications Services

An experienced company with 36,000 business customers

550 employees spread across 7 countries

Page 3

Hosting: Challenges for a new era

Page 4

The Hype

"Cloud Will save you Money"

"Virtualise your estate and Save!"

"Cloud is the future of Services Computing"

"Unrestricted Cloud Computing - All you Can Eat"

"The future is Virtualisation!!!"

Page 5

Overview of the Differing Systems

Page 6

The Standard Server Model

Page 7

Virtualising a Server

Optimise / Consolidate

A traditional server can only support a single Operating System and Application

A server running a Hypervisor can support multiple Operating Systems, each supporting a different application

Page 8

The Virtualised Server Model

Fault Tolerance

Page 9

The Cloud Services Model

Page 10

What are the Risks?

Page 11

Data Security Risk Assessment

[Chart: Standard Model, Virtualisation Model and Cloud Model placed on a scale from LOW RISK to HIGH RISK]

Page 12

Compliance vs PCI Standard

Columns: PCI Requirement | Standard | Virtual | Cloud

Requirement 1: Install and maintain a firewall configuration to protect cardholder data

Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters

Requirement 3: Protect stored cardholder data

Requirement 4: Encrypt transmission of cardholder data across open, public networks

Requirement 5: Use and regularly update anti-virus software

Requirement 6: Develop and maintain secure systems and applications

Requirement 7: Restrict access to cardholder data by business need-to-know

Requirement 8: Assign a unique ID to each person with computer access

Requirement 9: Restrict physical access to cardholder data

Requirement 10: Track and monitor all access to network resources and cardholder data

Requirement 11: Regularly test security systems and processes

Requirement 12: Maintain a policy that addresses information security

[The compliance level for each requirement under the Standard, Virtual and Cloud models was shown as a colour code on the slide and is not reproduced in this transcript]

Key (Compliance Level): Compliance Very Difficult / Impossible; Compliance Requires Thought; Compliance Possible

Page 13

What do the QSAs say?

Page 14

QSAs interviewed on Cloud

"It's so left field we would have to charge a consultancy to even give an opinion on it."

Page 15

QSAs interviewed on Virtualisation

"There is some debate on Virtualisation in the PCI arena; however, in our opinion, it is an acceptable solution if done correctly. These Virtual servers will be treated as any other servers and will follow the required guidelines as they are in the PCI DSS standard."

Page 16

Is it possible to run Virtual services?

Page 17

Going Forward

• There is talk about including some requirements for Virtual servers in later releases of the PCI DSS standard.

• The PCI sub-committee is yet to return any guidance on Virtual services.

• "The one thing that is not acceptable from a PCI standpoint in a virtualised environment is virtualised firewalls"

• “At this point, Cloud is not deemed acceptable in any shape or form”

Page 18

Our Solution

[Diagram: a Private Cloud containing Virtual Servers and a Database, protected by two Physical Firewalls]

Page 19

What do I need to know / ask?

Page 20

Have a Published Technology Strategy

• You need an opinion, as your peers will want to know your strategy; not addressing cloud and virtualisation head-on is dangerous.

• Publish a strategy and enforce it internally

• Make sure all stakeholders know the risks as well as the rewards.

Page 21

Look out for Shadow IT

• Shadow IT is a term often used to describe IT systems and IT solutions built and used inside organisations without organisational approval or without organisational understanding of the risks.

• See previous point.

Page 22

Ask your vendors

• If your vendors can't give you their opinion or strategy in relation to virtualisation, PCI and Fraud Prevention, should they be your vendors?

Page 23

Conclusions

Page 24

Conclusions

• Cloud computing is very good for sites that don't require regulatory approval (although the DPA should be considered)

• Virtualisation can be used, but under strict guidelines and with PCI in mind from the design phase.

• Not one of the QSAs interviewed would certify a system based on a Cloud computing platform

• Virtualisation is PCI compliant as long as it is not a generic "V service" but is part of a managed solution

Page 25

Cloud Overview

Page 26

Any questions?