PCI DSS Compliance and the Cloud Daniel Farr, Managing Consultant
CyberSecurity Consulting | PCI & Compliance Services | DF&IR | Risk Reduction Solutions www.foregenix.com
A Brief History of Foregenix
• Foregenix born
• Obtains PCI QSA status for EMEA (staff 3)
• Obtains Full PCI PFI status for EMEA (staff 6)
• Obtains P2PE Assessor Status
• Opens South Africa office in Johannesburg (staff 20)
• Opens South American office in Montevideo, Uruguay (staff 39)
• Foregenix opens office in USA (staff 50)
• Global Leader in P2PE
• Acceleration of FGX Solutions (staff 59)
• Foregenix opens German office
Our Purpose
Offices
Foregenix was founded with the following principles and purpose:
• To deliver a valuable, cost-effective service to our clients
• To maintain a personable, flexible approach to our client needs
• To work passionately towards improving the security of our clients
• To create a dynamic work environment, with a team dedicated to delivering high quality services
We aim to build lasting relationships with our clients, and our commitment to service reflects this approach.
We offer global delivery, with offices in:
• United Kingdom (HQ)
• North America
• Latin America
• South Africa
• Germany
Our Partners
Confidential
Agenda
• Responsibilities and Accountabilities in the Cloud
• Configuration Management in the Cloud
• Security Incident Identification and Response in the Cloud
• Encryption Management in the Cloud
• Data Migration in and out of the cloud
• Education and Training for the cloud
Responsibilities and Accountabilities
• PCI Terminology
• Data Owner: Merchant/Service Provider
• Data Processor: Third-party service provider (TPSP)
• Cloud Terminology
• Infrastructure as a Service (IaaS)
• Platform as a Service (PaaS)
• Software as a Service (SaaS)
Responsibilities and Accountabilities
• PCI Card Scheme or Acquirer Guidance
• Approved partners or services
• Set the expectation upfront
• Service Level agreement: Responsibilities matrix
• What additional services does the cloud provider give
• Who owns internal controls?
• Are the services and responsibilities defined in the contract?
• Have you addressed liability?
• QSAs are called many things…
Responsibilities and Accountabilities
• What processes are being migrated?
• What data is involved in the processes?
• Cardholder Data
• Personal Identifiable Information
• Business related data
• What is your compliance landscape?
• Understand all your security requirements and responsibilities
• Due diligence
The Cloud Attestation of Compliance
• What services are covered in the Attestation of Compliance
• Services, process, scope can all be clearly identified
• A valid countersigned Attestation of Compliance
• There is no such thing as a compliance certificate!
Your Report on Compliance
• A full Report on Compliance
• To be or not to be in place
• Assessment scope
• Built upon responsibilities matrix
• TPSP PCI DSS assessed controls
• TPSP controls within your assessment
• Merchant/Service Provider validated controls
• Evidence validation of requirements do not change
• Engage a QSA
Configuration in the cloud
• Terminology
• Understand the technologies in the environment
• Microsoft Azure vs Amazon Web Services
• The cloud provider lays great foundations
• IaaS/PaaS/SaaS
• Best practice guidance
• Basic security principles
• Good security testing
Best Practice guidance
• Vendor guidance
• Internal documents
• External resources
• NIST 800-53/CIS (AWS and Azure Benchmarks)
• Solution guidance
• PaaS/IaaS/SaaS
• Secure architecture fundamentals
• Network architecture
• Security tools for the cloud
Basic Security Principles
• Access Controls
• Role based access controls
• Vulnerability Management
• What platforms/systems are within the environment
• Vulnerability assessment responsibilities
• Remediation responsibilities
• Protection against malware/malicious code
• Change control monitoring
• Network time protocol
• Secure remote access
• Secure administration interfaces
Good security testing
• Penetration Testing
• Internal
• External
• Application
• Vulnerability Scanning
• Internal
• External
• Application code review
• Automated tools
• Static code analysis
Security Incident Identification and Response in the Cloud
Timelines of Attack (figure): the phases shown are Business As Usual (BAU), Point of Compromise, Incident Detection, Containment, Investigation, Investigation Concludes, Remediation, and return to BAU.
Security Incident Identification and Response in the Cloud
• Have you defined an incident?
• Incident Management Plans
• Incident Testing
• Incident Management Stages
• Level of incident
• Identification
• Containing and investigating
• Remediation
• Restoration of service
Audit Logging in the Cloud
• What types of logs are available
• IaaS/PaaS/SaaS
• Who is monitoring the logs?
• Is logging a defined service
• Migration requirement
• What do you want to know?
• Access to logging platforms and systems
• What level of logs can you monitor?
• Event correlation
• Access to cardholder data logs
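The "event correlation" bullet above is the step most teams leave undefined. The example below is added here and is not from the presentation or Foregenix; it correlates constructed CloudTrail-style ConsoleLogin records (real field names, made-up values) to raise two alerts a PCI assessor would expect monitoring to catch: a burst of failures followed by a success from the same source, and a root login without MFA. The threshold and window are assumptions to tune per environment.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

FAIL_THRESHOLD = 2             # failed logins before a success that we treat as suspicious (assumed)
WINDOW = timedelta(minutes=5)  # failures older than this are not tied to the success (assumed)


def _ev(time, user_type, ip, result, mfa=None, user=None):
    """Build a constructed CloudTrail-style ConsoleLogin record (real field names)."""
    ev = {"eventTime": time, "eventName": "ConsoleLogin",
          "userIdentity": {"type": user_type}, "sourceIPAddress": ip,
          "responseElements": {"ConsoleLogin": result}}
    if user:
        ev["userIdentity"]["userName"] = user
    if mfa:
        ev["additionalEventData"] = {"MFAUsed": mfa}
    return json.dumps(ev)

# Constructed sample: two failures then a success for one IAM user, then a root login without MFA.
SAMPLE_EVENTS = [
    _ev("2019-05-01T09:00:00Z", "IAMUser", "198.51.100.7", "Failure", user="ops-alice"),
    _ev("2019-05-01T09:00:30Z", "IAMUser", "198.51.100.7", "Failure", user="ops-alice"),
    _ev("2019-05-01T09:01:00Z", "IAMUser", "198.51.100.7", "Success", "Yes", "ops-alice"),
    _ev("2019-05-01T11:00:00Z", "Root", "203.0.113.9", "Success", "No"),
]


def _ts(ev):
    return datetime.strptime(ev["eventTime"], "%Y-%m-%dT%H:%M:%SZ")


def correlate_logins(raw_events):
    """Return alert strings for root-without-MFA and failure-burst-then-success."""
    alerts, failures = [], defaultdict(list)   # failure timestamps keyed by source IP
    for ev in sorted((json.loads(r) for r in raw_events), key=_ts):
        if ev.get("eventName") != "ConsoleLogin":
            continue
        ip = ev["sourceIPAddress"]
        success = ev["responseElements"].get("ConsoleLogin") == "Success"
        mfa = ev.get("additionalEventData", {}).get("MFAUsed")
        if success and ev["userIdentity"]["type"] == "Root" and mfa != "Yes":
            alerts.append(f"root console login without MFA from {ip} at {ev['eventTime']}")
        if not success:
            failures[ip].append(_ts(ev))
            continue
        recent = [t for t in failures[ip] if _ts(ev) - t <= WINDOW]
        if len(recent) >= FAIL_THRESHOLD:
            user = ev["userIdentity"].get("userName", "?")
            alerts.append(f"{len(recent)} failed logins then success for {user} from {ip}")
        failures[ip].clear()   # a success closes the failure sequence for this source
    return alerts
```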
Security Incident Identification and Response in the Cloud
• Threat landscape has changed
• Update your incident response plans
• Educate the incident response team
• Service Provider Communications
• Release of information
• Communication planning
• Self Reporting
• Cloud Forensics
• Still a requirement if you are breached
Encryption Management in the Cloud
• Hardware Security Modules
• Transmission of encrypted data
• Encryption = Compliance
• Secure storage of encryption keys
• If there is a breach this is what they NEED!!!
• What encryption is available:
• Transport encryption
• Data encryption
• Key management documentation
Transport Encryption
• A lot depends on the service provided and provider
• IaaS/PaaS/SaaS
• Internal secure transmissions
• SSL and early TLS are in the CLOUD
• Risk migration and mitigation plan
• Certificate and cipher management
• Configuration of termination points
• Open public networks
• Risk appetite
Data Encryption
• A lot depends on the service provided and provider
• IaaS/PaaS/SaaS
• Strong cryptography
• Azure Storage Service Encryption (SSE)
• Amazon Elastic Block Storage (EBS) Encryption
• Defaults are not secure
• Encryption and performance
• Where to apply encryption in the cloud?
• Permitted data storage locations
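"Defaults are not secure" is checkable rather than a slogan. The example below is added here and is not from the presentation or Foregenix; it evaluates constructed JSON shaped like the output of the real `aws ec2 describe-volumes` and `aws ec2 get-ebs-encryption-by-default` commands (field names are the real API names; volume IDs, key ARN and the Scope=CDE tag convention are made up) and reports unencrypted EBS volumes, treating in-scope ones as failures.

```python
import json

# Constructed sample shaped like `aws ec2 describe-volumes` output: the field
# names are the real API names; the volume IDs, key ARN and tags are made up.
SAMPLE_VOLUMES = json.dumps({"Volumes": [
    {"VolumeId": "vol-0aaa111", "Encrypted": True,
     "KmsKeyId": "arn:aws:kms:eu-west-1:000000000000:key/EXAMPLE-KEY-ID",
     "Tags": [{"Key": "Scope", "Value": "CDE"}]},
    {"VolumeId": "vol-0bbb222", "Encrypted": False,
     "Tags": [{"Key": "Scope", "Value": "CDE"}]},
    {"VolumeId": "vol-0ccc333", "Encrypted": False,
     "Tags": [{"Key": "Scope", "Value": "corp"}]},
]})

# Constructed sample shaped like `aws ec2 get-ebs-encryption-by-default` output.
SAMPLE_DEFAULT = json.dumps({"EbsEncryptionByDefault": False})


def volume_findings(describe_volumes_json, scope_tag="Scope", scope_value="CDE"):
    """Split unencrypted volumes into (in-scope IDs, other IDs) using a scope tag (assumed convention)."""
    in_scope, other = [], []
    for vol in json.loads(describe_volumes_json)["Volumes"]:
        if vol.get("Encrypted"):
            continue
        tags = {t["Key"]: t["Value"] for t in vol.get("Tags", [])}
        target = in_scope if tags.get(scope_tag) == scope_value else other
        target.append(vol["VolumeId"])
    return in_scope, other


def default_encryption_enabled(default_json):
    """True only when the region has EBS encryption-by-default switched on."""
    return bool(json.loads(default_json).get("EbsEncryptionByDefault", False))


def report(describe_volumes_json, default_json):
    """Findings: FAIL for the CDE and for the region default, WARN outside the CDE."""
    in_scope, other = volume_findings(describe_volumes_json)
    lines = []
    if not default_encryption_enabled(default_json):
        lines.append("FAIL: EBS encryption-by-default is OFF; new volumes are created in plaintext")
    lines += [f"FAIL: in-scope (CDE) volume {v} is not encrypted" for v in in_scope]
    lines += [f"WARN: volume {v} is not encrypted (outside the CDE tag)" for v in other]
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_VOLUMES, SAMPLE_DEFAULT)))
```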
Data Migration into the cloud
• Analysis and Planning
• Capturing security and compliance requirements
• Validating business requirements (RPO vs RTO)
• Proof of Concept and Validation
• Functionality testing
• Security testing
• Build phase
• Validation of security controls
• Validation of compliance
• Validation of continuity arrangements
• Migration to the cloud
Data Migration into the cloud
• It’s storage like we’ve never seen before
• Backup tapes are so 90s
• Distributed synchronised backups
• Migration considerations:
• Data at rest
• Configuration/parameter data
• Applications
• Cardholder data must be transmitted securely over open public networks
Education and Training for the cloud
• What functions do you need to cover?
• Where to get good guidance
• Vendors
• PCI Security Standard Council
• CLOUDSEC
• Security Education
• (ISC)² Certified Cloud Security Professional (CCSP)
• Cloud Security Alliance Certificate of Cloud Security Knowledge (CCSK)
Questions?
• Stay safe and informed…
Daniel Farr
www.Foregenix.com
Connect with us
United Kingdom Foregenix Ltd First Floor, 8-9 High Street, Marlborough, Wiltshire SN8 1AA United Kingdom T: +44 845 309 6232
South Africa Foregenix (Pty) Ltd Gishen House, 58 Peter Place, Sandton, 2060 Gauteng, South Africa T: +27 860 44 4461
Latin America Foregenix S.R.L. 11500 Montevideo, Montevideo Uruguay T: +54 934 2502 5130
Social Networks Connect with us through Linkedin, Google+ and Twitter to stay informed of the latest information security news and updates Simply search for ‘Foregenix’
North America Foregenix Inc 60 State Street, Boston, MA, 02109 USA T: +1 508 644 1504