PCI in the Cloud?

Uploaded by jesse, 10 January 2016.
DESCRIPTION

PCI in the Cloud? Konstantinos Papadatos, Commercial Director & Co-founder, MSc InfoSec, CISSP, ISO 27001 LA, ISSMP, PMI, MBCI. 2nd InfoCom Security Conference, 5 April 2012. Presentation agenda: Cloud is here to stay; PCI-DSS is here to stay; Cloud Security & Compliance. (PowerPoint presentation.)

TRANSCRIPT

PCI in the Cloud?
2nd InfoCom Security Conference, 5 April 2012
Konstantinos Papadatos, Commercial Director & Co-founder
MSc InfoSec, CISSP, ISO 27001 LA, ISSMP, PMI, MBCI

Moving to a PCI-compliant cloud provider can be a great help towards achieving PCI-DSS compliance, but it is not always a panacea. Organizations must be very careful when selecting a PCI-compliant cloud provider and must understand that they still need to obtain their own compliance. The presentation examines what PCI DSS compliance by a cloud services provider actually means and what value it provides to an enterprise.

Presentation Agenda
- Cloud is here to stay
- PCI-DSS is here to stay
- Cloud Security & Compliance
- Conclusions

What is the cloud computing service?

(Figure: layers of the cloud stack mapped to the three service models.)
Layers shown: Data Center Physical, Mechanical & Electrical; Physical Servers & Storage; Networks / Directories; Virtualization; Operating Systems; Infrastructure SW / Databases; Hosted Applications.
Service models: Infrastructure (IaaS), Platform (PaaS), Software Applications (SaaS).

Infrastructure as a Service (IaaS)
In this most basic cloud service model, cloud providers offer computers, as physical or (more often) virtual machines, raw (block) storage, firewalls, load balancers, and networks. IaaS providers supply these resources on demand from their large pools installed in data centers. Local area networks, including IP addresses, are part of the offer. For wide area connectivity the Internet can be used or, in carrier clouds, dedicated virtual private networks can be configured. To deploy their applications, cloud users install operating system images on the machines as well as their application software. In this model it is the cloud user who is responsible for patching and maintaining the operating systems and application software. Cloud providers typically bill IaaS services on a utility computing basis, that is, cost reflects the amount of resources allocated and consumed.

Platform as a Service (PaaS)
In the PaaS model, cloud providers deliver a computing platform and/or solution stack, typically including operating system, programming language execution environment, database, and web server. Application developers can develop and run their software solutions on a cloud platform without the cost and complexity of buying and managing the underlying hardware and software layers. With some PaaS offers, the underlying compute and storage resources scale automatically to match application demand, so that the cloud user does not have to allocate resources manually.

Software as a Service (SaaS)
In this model, cloud providers install and operate application software in the cloud and cloud users access the software from cloud clients. The cloud users do not manage the cloud infrastructure and platform on which the application is running. This eliminates the need to install and run the application on the cloud user's own computers, simplifying maintenance and support.

What makes a cloud application different from other applications is its elasticity. This can be achieved by cloning tasks onto multiple virtual machines at run time to meet the changing work demand. Load balancers distribute the work over the set of virtual machines. This process is transparent to the cloud user, who sees only a single access point. To accommodate a large number of cloud users, cloud applications can be multitenant, that is, any machine serves more than one cloud user organization. It is common to refer to special types of cloud-based application software with a similar naming convention: desktop as a service, business process as a service, test environment as a service, communication as a service. The pricing model for SaaS applications is typically a monthly or yearly flat fee per user.

Cloud deployment models
Public cloud: applications, storage, and other resources are made available to the general public by a service provider. Public cloud services may be free or offered on a pay-per-usage model.
Private cloud (internal or hosted): cloud infrastructure operated solely for a single organization.
Community cloud: shares infrastructure between several organizations from a specific community with common concerns (security, compliance, jurisdiction, etc.), whether managed internally or by a third party and hosted internally or externally.
Hybrid cloud: a composition of two or more clouds (private, community or public) that remain unique entities but are bound together, offering the benefits of multiple deployment models.

Cloud top benefits
- Allows IT to shift focus: with the quick availability of cloud services, an organization is free to focus its time and resources on bringing innovation to applications and solutions.
- Utility service: pay-per-use / pay-as-you-go, subscription-based model. Ready-to-go cloud offerings are available with limited time for implementation and customization (if provided).
- Dynamic scaling: services scale up and down based on application usage; best for applications with significant spikes and troughs in infrastructure usage.
- Investment cap: more beneficial for companies with limited capital to invest in hardware and infrastructure.
- Reduces TCO (total cost of ownership): shifts cost from capital expense (Capex) to operational expense (Opex). No need to buy an asset in order to use it, and related maintenance and support costs are reduced.
- Metered service: cloud usage is metered and priced on the basis of units (or instances) consumed. Pay for what you use, when you use it.
- Flexible offering: access infrastructure from anywhere, any location, on any device.
- If provided properly: better security & compliance.

Cloud key concerns
(Chart of cloud key concerns. Source: Gartner, March 2011.)

Cloud trends for the Western European public sector (IDC CEMA ICT Markets Alert, March 2012): 46% of respondents said that concerns about security are holding back the adoption of cloud computing by governments.

Cloud adoption is on the rise (despite security concerns)
Source: "Q&A: Demystifying Cloud Security", October 2010. IT decision-makers and influencers say that cloud is a critical or high priority. The business need is such that security will not have the power to veto for long.

The Cloud is here to stay

Presentation Agenda: PCI-DSS is here to stay

Who is who in PCI?
- Card Associations: enforce PCI DSS; promote its adoption (i.e. punishments, rewards).
- Merchant Banks: communicate with and educate merchants; report merchant compliance to the Card Associations.
- Merchants: attain compliance with PCI DSS; secure cardholder data; use PCI-certified service providers.
- PCI SSC: maintain PCI DSS; certify QSAs & ASVs.
- QSAs & ASVs: verify compliance through on-site audits & quarterly vulnerability scans; render opinions to the merchant bank on compensating controls.
- Service Providers: secure cardholder data; attain compliance with PCI DSS.

Overview of PCI DSS Requirements (six goals, twelve requirements)
1. Install & maintain a firewall configuration to protect cardholder data
2. Do not use vendor-supplied defaults for system passwords & other security parameters
3. Protect stored cardholder data
4. Encrypt transmission of cardholder data across open, public networks
5. Use and regularly update anti-virus software or programs
6. Develop & maintain secure systems and applications
7. Restrict access to cardholder data by business need-to-know
8. Assign a unique ID to each person with computer access
9. Restrict physical access to cardholder data
10. Track and monitor all access to network resources and cardholder data
11. Regularly test security systems and processes
12. Maintain a policy that addresses information security for employees and contractors

Core technologies required
- Network Segmentation (Firewalls, NAC, ACLs)
- IDS & IPS
- Wireless Security
- System Security (File Integrity Monitoring, AV, Patch Management)
- Application Security (WAF, Code Review)
- Storage & DB Encryption (or DB Firewalling or Tokenization)
- Log Management
- Password Management
- Vulnerability & Patch Management
- Physical Security

PCI-DSS is here to stay

In the event of a breach:
- Any fines from Payment Brands (up to $100,000 per incident)
- Cost to notify victims
- Cost to replace cards (about $10/card)
- Cost for any fraudulent transactions
- Forensics from a QDSC
- Level 1 certification from a QSA

Business as usual: $5,000 to $25,000 per month for non-compliance.

Presentation Agenda: Cloud Security & Compliance

Cloud Related Threats: Current Attack Paths & the Cloud
(Diagram of attack paths into e-Services, VPN, back office and IT Services & Data.)
Actors: Business Users, IT Users, Web Users, Partners, 3rd parties, CSP IT Users, Other Cloud Customers.
Access interfaces: Web Applications, Mobile Access, IPSec or other VPN, Web Services, DB Access, System Access.

Cloud Security Architecture Objectives
- Data Center Physical Security
- Availability/Accessibility: Network, DR/BCP
- Isolation: at the application level (multitenant SaaS application); at the network/system level (virtual machines)
- Data Privacy & Regulatory Compliance
- Security Infrastructure as a Service
- Protection from External Threats
- Protection from Internal Threats & Misuse (customer's internal environment)
- Protection from Service Provider Access Misuse
- Protection from Other Customers' Access Misuse

Cloud Security
- SecIaaS: Security Infrastructure as a Service
- Security of the Cloud Data Center / CSP
- Risk Assessments
- Penetration Tests

SecIaaS: Secure & PCI Compliant Cloud
Cloud logical security and CDC/CSP security:
- Network Security (FW & DMZs, IDS/IPS, VPNs, Virtual FW)
- System Security (Hypervisor Protection, CCM/FIM, AV/HIPS, Hardening, PIM/PUPM)
- Application Security (WAF, optional Anti-DDoS)
- Secure Access (Dedicated VDI/TS, Strong Authentication, Workflows)
- Identity & Access Management (Automation, Delegation, Governance)
- Log Management & Archiving (collection from all systems, applications and security controls)
- Vulnerability & Patch Management (Automation, Streamlining, Integration)
- 24x7 Real Time Threat Management (Advanced Reporting & Response)
- Compliance Management (Dashboards; integration with CCM, VM/PM, IAM)
- Customer Portal(s) & Provisioning
- Data Security (Storage & DB Encryption, DBFW, Tokenisation)

Presentation Agenda: Conclusions

A PCI-compliant CSP is a major step, but not a PCI panacea.

- Move major operations to the cloud
- Implement PCI controls on the remaining infrastructure
- Attestation of Compliance

(Chart: ease of compliance versus required effort for PCI compliance across PCI-compliant CSP offerings, IaaS, PaaS and SaaS, including SecIaaS (Security Infrastructure as a Service) and PCI-compliant applications; assuming that all CSP services comply with PCI-DSS requirements!)

Issues to consider when moving to a CSP

Data dispersal and international privacy laws:
- EU Data Protection Directive
- Exposure of data to foreign governments
- Data retention issues

Look for a CSP with strong security certifications / proof of compliance:
- ISO/IEC 27001:2005: implementation of the standard for the cloud; scope: the Cloud Service Provider's own IT systems
- Cloud Security Alliance: enhancement of the ISMS & security controls with CSA guidelines
- PCI DSS: enhancement of the ISMS & security controls with PCI DSS guidelines

If the CSP is NOT compliant, consider using a Hosted Private Cloud:
- Ability to impose stringent security and privacy policies
- Ability to have the infrastructure certified by auditors

The organization itself is still responsible for full compliance of the CDE (cardholder data environment), and only a part of that CDE might intersect a CSP.

Cloud security is shifting from inhibitor to enabler.
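The point above, that the organization remains responsible for the whole CDE even when part of it sits at a CSP, can be made concrete with a scoping walk. The example below is added here and is not from the presentation or the vendor: it takes a constructed, hypothetical system inventory, computes PCI DSS scope as the cardholder-data systems plus everything connected to them (the reason network segmentation is listed as a core technology), and then splits the in-scope set into what the CSP's attestation may cover and what stays the organization's own job.

```python
from collections import deque

# Constructed sample inventory (not from the presentation): does each system handle
# cardholder data (CHD), is it hosted at the CSP or on-premises, and what can it reach.
INVENTORY = {
    "web-app":   {"chd": True,  "host": "csp",     "links": ["app-db", "tokenizer"]},
    "app-db":    {"chd": True,  "host": "csp",     "links": ["backup"]},
    "tokenizer": {"chd": True,  "host": "on-prem", "links": []},
    "backup":    {"chd": False, "host": "csp",     "links": []},
    "jump-host": {"chd": False, "host": "on-prem", "links": ["app-db"]},
    "hr-portal": {"chd": False, "host": "on-prem", "links": ["mail"]},
    "mail":      {"chd": False, "host": "on-prem", "links": []},
}


def cde_scope(inventory, segmented=frozenset()):
    """Systems in PCI DSS scope: every CHD system plus everything that can still
    reach one over the network. `segmented` holds (a, b) links that a firewall
    or ACL blocks; cutting them is how segmentation shrinks the CDE."""
    cut = {frozenset(pair) for pair in segmented}
    adj = {name: set() for name in inventory}
    for name, attrs in inventory.items():
        for peer in attrs["links"]:
            if frozenset((name, peer)) not in cut:
                adj[name].add(peer)      # connectivity counts in both directions
                adj[peer].add(name)
    queue = deque(name for name, attrs in inventory.items() if attrs["chd"])
    scope = set(queue)
    while queue:                         # breadth-first walk out from the CHD systems
        name = queue.popleft()
        for peer in adj[name]:
            if peer not in scope:
                scope.add(peer)
                queue.append(peer)
    return scope


def responsibility_split(inventory, segmented=frozenset()):
    """Split the in-scope systems by who must evidence the controls: CSP-hosted
    ones only as far as the provider's attestation covers them, the rest entirely
    the organization's own job."""
    split = {"csp": [], "customer": []}
    for name in sorted(cde_scope(inventory, segmented)):
        split["csp" if inventory[name]["host"] == "csp" else "customer"].append(name)
    return split


if __name__ == "__main__":
    print("no segmentation:", responsibility_split(INVENTORY))
    print("jump-host cut off:", responsibility_split(INVENTORY, {("jump-host", "app-db")}))
```

Without segmentation the on-premises jump host drags itself into scope through its link to the database; firewalling that link removes it, while the tokenizer stays the organization's responsibility regardless of the CSP's attestation.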

Simplify your PCI compliance through our Cloud!

Security Strategy:
- Risk Assessment & Management
- Security Policies & Procedures Development
- PCI-DSS Scoping & Gap Analysis
- Security Awareness Programs
- PCI-DSS Certification (QSA)

Security Architecture:
- Network Infrastructure Security
- File Integrity Monitoring
- AV/HIPS
- Security Hardening
- Web Application & DB Firewalls
- DB & Storage Encryption
- Tokenisation
- Password Management
- Security Event Management
- Identity & Access Management
- Patch Management
- Enterprise Information Protection

Security Assurance:
- Infrastructure Pentest
- Web Application Pentest
- Internal Pentest
- Code Review
- Wireless Security Assessments
- Digital Forensics
- Vulnerability Assessment
- Authorized ASV

Managed Security Services:
- Real Time Threat Management
- Managed Security Infrastructure
- Brand Protection & Intelligence
- Incident Handling & Support
- Managed Vulnerability Assessments

PCI DSS Compliance
SecIaaS / PCI-ready Hosting

www.encodegroup.com