PCI DSS Compliance and the Cloud Daniel Farr, Managing Consultant CyberSecurity Consulting | PCI & Compliance Services | DF&IR | Risk Reduction Solutions www.foregenix.com



Page 1

PCI DSS Compliance and the Cloud Daniel Farr, Managing Consultant

CyberSecurity Consulting | PCI & Compliance Services | DF&IR | Risk Reduction Solutions www.foregenix.com

Page 2

A Brief History of Foregenix

• Foregenix born

• Obtains PCI QSA status for EMEA (staff 3)

• Obtains full PCI PFI status for EMEA (staff 6)

• Obtains P2PE Assessor status

• Opens South Africa office in Johannesburg (staff 20)

• Opens South American office in Montevideo, Uruguay (staff 39)

• Foregenix opens office in USA (staff 50)

• Global leader in P2PE; acceleration of FGX Solutions (staff 59)

• Foregenix opens German office

Page 3

Our Purpose

Foregenix was founded with the following principles and purpose:

• To deliver a valuable, cost-effective service to our clients

• To maintain a personable, flexible approach to our client needs

• To work passionately towards improving the security of our clients

• To create a dynamic work environment, with a team dedicated to delivering high quality services

We aim to build lasting relationships with our clients, and our commitment to service reflects this approach.

Offices

We offer global delivery, with offices in:

• United Kingdom (HQ)

• North America

• Latin America

• South Africa

• Germany

Page 4

Our Partners

Confidential

Page 5

Agenda

• Responsibilities and Accountabilities in the Cloud

• Configuration Management in the Cloud

• Security Incident Identification and Response in the Cloud

• Encryption Management in the Cloud

• Data Migration in and out of the cloud

• Education and Training for the cloud

Page 6

Responsibilities and Accountabilities

• PCI Terminology

• Data Owner: Merchant/Service Provider

• Data Processor: Third-party service provider (TPSP)

• Cloud Terminology

• Infrastructure as a Service (IaaS)

• Platform as a Service (PaaS)

• Software as a Service (SaaS)

Page 7

Responsibilities and Accountabilities

• PCI Card Scheme or Acquirer Guidance

• Approved partners or services

• Set the expectation upfront

• Service Level agreement: Responsibilities matrix

• What additional services does the cloud provider give

• Who owns internal controls?

• Are the services and responsibilities defined in the contract?

• Have you addressed liability?

• QSAs are called many things…

Page 8

Responsibilities and Accountabilities

• What processes are being migrated?

• What data is involved in the processes?

• Cardholder Data

• Personal Identifiable Information

• Business related data

• What is your compliance landscape?

• Understand all your security requirements and responsibilities

• Due diligence

Page 9

The Cloud Attestation of Compliance

• What services are covered in the Attestation of Compliance

• Services, process, scope can all be clearly identified

• A valid countersigned Attestation of Compliance

• There is no such thing as a compliance certificate!

Page 10

Your Report on Compliance

• A full Report on Compliance

• In place or not in place (the status each requirement is reported with)

• Assessment scope

• Built upon responsibilities matrix

• TPSP PCI DSS assessed controls

• TPSP controls within your assessment

• Merchant/Service Provider validated controls

• Evidence requirements for validating controls do not change because the controls sit in the cloud

• Engage a QSA

Page 11

Configuration in the cloud

• Terminology

• Understand the technologies in the environment

• Microsoft Azure vs Amazon Web Services

• The cloud provider lays great foundations

• IaaS/PaaS/SaaS

• Best practice guidance

• Basic security principles

• Good security testing

Page 12

Best Practice guidance

• Vendor guidance

• Internal documents

• External resources

• NIST SP 800-53 / CIS Benchmarks (AWS and Azure)

• Solution guidance

• PaaS/IaaS/SaaS

• Secure architecture fundamentals

• Network architecture

• Security tools for the cloud

Page 13

Basic Security Principles

• Access Controls

• Role based access controls

• Vulnerability Management

• What platforms/systems are within the environment

• Vulnerability assessment responsibilities

• Remediation responsibilities

• Protection against malware/malicious code

• Change control monitoring

• Network time protocol

• Secure remote access

• Secure administration interfaces

Page 14

Good security testing

• Penetration Testing

• Internal

• External

• Application

• Vulnerability Scanning

• Internal

• External

• Application code review

• Automated tools

• Static code analysis

Page 15

Security Incident Identification and Response in the Cloud

Timeline of an attack (figure; stages in order): Business As Usual (BAU) → Point of Compromise → Incident Detection → Containment → Investigation → Investigation Concludes → Remediation → BAU

Page 16

Security Incident Identification and Response in the Cloud

• Have you defined an incident?

• Incident Management Plans

• Incident Testing

• Incident Management Stages

• Level of incident

• Identification

• Containing and investigating

• Remediation

• Restoration of service

Page 17

Audit Logging in the Cloud

• What types of logs are available

• IaaS/PaaS/SaaS

• Who is monitoring the logs?

• Is logging a defined service?

• Migration requirement

• What do you want to know?

• Access to logging platforms and systems

• What level of logs can you monitor?

• Event correlation

• Access to cardholder data logs
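The event correlation and cardholder-data-log points above are easiest to see on real-looking records. The following is an added example, not code from the slides or from Foregenix: it correlates console logins with reads from a bucket designated as holding cardholder data, and alerts when the principal's most recent login in a time window was made without MFA. The records are constructed in the shape of AWS CloudTrail events (eventTime, eventName, userIdentity.arn, additionalEventData.MFAUsed, requestParameters.bucketName); the account ID, user names, bucket names, IP addresses and timestamps are made up, and the set of in-scope buckets is an assumption.

```python
"""Added example (not from the slides): correlate cloud audit events around
cardholder data access.

Detection logic: flag an S3 object read from a bucket designated as holding
cardholder data when the principal's most recent console login (within a
window) did not use MFA. Records are constructed in the shape of AWS CloudTrail
events; the account ID, user names, bucket names, addresses and timestamps are
made up.
"""
from datetime import datetime, timedelta

# Assumption: the buckets the scoping exercise placed in the CDE.
CHD_BUCKETS = {"acme-card-vault"}
LOGIN_WINDOW = timedelta(hours=12)

# Constructed sample events, deliberately out of order to show that sorting matters.
SAMPLE_EVENTS = [
    {"eventTime": "2021-03-01T09:02:13Z", "eventName": "GetObject",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/bob"},
     "requestParameters": {"bucketName": "acme-card-vault", "key": "batch/2021-03-01.csv"}},
    {"eventTime": "2021-03-01T08:00:05Z", "eventName": "ConsoleLogin",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/alice"},
     "additionalEventData": {"MFAUsed": "Yes"}, "sourceIPAddress": "203.0.113.10"},
    {"eventTime": "2021-03-01T08:12:40Z", "eventName": "ConsoleLogin",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/bob"},
     "additionalEventData": {"MFAUsed": "No"}, "sourceIPAddress": "198.51.100.7"},
    {"eventTime": "2021-03-01T08:30:00Z", "eventName": "GetObject",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/alice"},
     "requestParameters": {"bucketName": "acme-card-vault", "key": "batch/2021-03-01.csv"}},
    {"eventTime": "2021-03-01T09:05:00Z", "eventName": "GetObject",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/bob"},
     "requestParameters": {"bucketName": "acme-public-assets", "key": "logo.png"}},
]


def event_time(ev):
    """Parse CloudTrail's ISO-8601 UTC timestamp."""
    return datetime.strptime(ev["eventTime"], "%Y-%m-%dT%H:%M:%SZ")


def correlate_chd_access(events, chd_buckets=CHD_BUCKETS, window=LOGIN_WINDOW):
    """Return one alert per CHD-bucket read whose principal's latest console
    login inside `window` was made without MFA.

    A read with no preceding console login in the window (for example
    access-key traffic from a batch job) is not alerted here; that needs
    its own rule.
    """
    last_login = {}  # principal ARN -> (login time, mfa_used)
    alerts = []
    for ev in sorted(events, key=event_time):  # correlation needs time order
        arn = ev["userIdentity"]["arn"]
        if ev["eventName"] == "ConsoleLogin":
            mfa = ev.get("additionalEventData", {}).get("MFAUsed") == "Yes"
            last_login[arn] = (event_time(ev), mfa)
            continue
        bucket = ev.get("requestParameters", {}).get("bucketName")
        if ev["eventName"] != "GetObject" or bucket not in chd_buckets:
            continue
        login = last_login.get(arn)
        if login and not login[1] and event_time(ev) - login[0] <= window:
            alerts.append({
                "time": ev["eventTime"],
                "principal": arn,
                "bucket": bucket,
                "object": ev["requestParameters"].get("key"),
                "reason": "CHD read after console login without MFA",
            })
    return alerts


if __name__ == "__main__":
    for alert in correlate_chd_access(SAMPLE_EVENTS):
        print(alert)
```

Run as-is it prints a single alert for the read by `user/bob`; the read by `user/alice` is not alerted because her login used MFA, and the `acme-public-assets` read is not in the CHD set. The rule only works if you actually receive the S3 data events for the in-scope buckets, which is the "access to cardholder data logs" question on the slide: if the provider or your own logging service does not deliver them, no amount of correlation helps.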

Page 18

Security Incident Identification and Response in the Cloud

• Threat landscape has changed

• Update your incident response plans

• Educate the incident response team

• Service Provider Communications

• Release of information

• Communication planning

• Self Reporting

• Cloud Forensics

• Still a requirement if you are breached

Page 19

Encryption Management in the Cloud

• Hardware Security Modules

• Transmission of encrypted data

• Encryption ≠ compliance: encrypting cardholder data does not, by itself, take it or the systems that handle it out of PCI DSS scope

• Secure storage of encryption keys

• If there is a breach, the keys are what the attacker NEEDS!!!

• What encryption is available:

• Transport encryption

• Data encryption

• Key management documentation

Page 20

Transport Encryption

• A lot depends on the service provided and provider

• IaaS/PaaS/SaaS

• Internal secure transmissions

• SSL and early TLS are still found in the cloud

• Risk Mitigation and Migration Plan for any remaining SSL/early TLS

• Certificate and cipher management

• Configuration of termination points

• Open public networks

• Risk appetite
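The "configuration of termination points" and "SSL and early TLS" points above come down to two checks: which protocol versions each listener still offers, and whether the software you terminate TLS on has its floor pinned. The following is an added example, not code from the slides or from Foregenix. The listener records are constructed to look like a load-balancer policy export; the listener names and the field names (`name`, `port`, `protocols`) are assumptions, not any provider's real schema. The server-side part uses only Python's standard `ssl` module.

```python
"""Added example (not from the slides): audit TLS termination points for SSL /
early TLS, and build a server context that refuses them.

The listener records are constructed; their names and field names are
assumptions, not a real provider's export format.
"""
import ssl

# Protocol versions PCI DSS no longer accepts as strong cryptography on open, public networks.
WEAK_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.0", "TLSv1.1"}

# Constructed sample: three termination points and the versions each one negotiates.
SAMPLE_LISTENERS = [
    {"name": "payment-api", "port": 443, "protocols": ["TLSv1.2", "TLSv1.3"]},
    {"name": "legacy-pos-gw", "port": 8443, "protocols": ["TLSv1", "TLSv1.1", "TLSv1.2"]},
    {"name": "admin-ui", "port": 9443, "protocols": ["SSLv3", "TLSv1.2"]},
]


def audit_listeners(listeners):
    """Return {listener name: sorted weak protocols} for every listener still offering SSL/early TLS."""
    findings = {}
    for listener in listeners:
        weak = sorted(set(listener["protocols"]) & WEAK_PROTOCOLS)
        if weak:
            findings[listener["name"]] = weak
    return findings


def hardened_server_context(certfile=None, keyfile=None):
    """Server-side SSLContext pinned to TLS 1.2 and above.

    Before Python 3.10 a bare SSLContext also accepted TLS 1.0/1.1, so the floor
    is set explicitly instead of relying on whatever the build defaults to.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    if certfile:
        ctx.load_cert_chain(certfile, keyfile)
    return ctx


def allows_early_tls(ctx):
    """True if the context would still negotiate anything below TLS 1.2."""
    return ctx.minimum_version < ssl.TLSVersion.TLSv1_2


if __name__ == "__main__":
    for name, weak in audit_listeners(SAMPLE_LISTENERS).items():
        print(f"{name}: still offers {', '.join(weak)}")
    print("hardened context allows early TLS:", allows_early_tls(hardened_server_context()))
```

The listener audit is the input to the migration plan (which termination points still need work and why); the context builder is what "configuration of termination points" looks like when the termination point is your own code rather than the provider's load balancer. Pinning the floor explicitly also survives a move between Python or OpenSSL versions with different defaults.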

Page 21

Data Encryption

• A lot depends on the service provided and provider

• IaaS/PaaS/SaaS

• Strong cryptography

• Azure Storage Service Encryption (SSE)

• Amazon Elastic Block Store (EBS) encryption

• Defaults are not secure

• Encryption and performance

• Where to apply encryption in the cloud?

• Permitted data storage locations
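"Defaults are not secure" is checkable: EBS encryption is a per-volume property, so a volume created without it stays unencrypted. The following is an added example, not code from the slides or from Foregenix. Its input is a constructed sample in the shape of `aws ec2 describe-volumes` output (`Volumes`, `VolumeId`, `Encrypted`, `KmsKeyId` and `Attachments` are fields of that output); the volume IDs, instance IDs, account ID and key ARN are made up.

```python
"""Added example (not from the slides): find EBS volumes without encryption at
rest from `aws ec2 describe-volumes` output.

The sample below is constructed; field names follow the real describe-volumes
output, the identifiers are made up.
"""
import json
import sys

SAMPLE_DESCRIBE_VOLUMES = json.dumps({
    "Volumes": [
        {"VolumeId": "vol-0a1b2c3d4e5f60001", "Encrypted": True,
         "KmsKeyId": "arn:aws:kms:eu-west-1:111122223333:key/00000000-0000-0000-0000-000000000001",
         "Attachments": [{"InstanceId": "i-0aaa111", "State": "attached"}]},
        {"VolumeId": "vol-0a1b2c3d4e5f60002", "Encrypted": False,
         "Attachments": [{"InstanceId": "i-0bbb222", "State": "attached"}]},
        {"VolumeId": "vol-0a1b2c3d4e5f60003", "Encrypted": False,
         "Attachments": []},
    ]
})


def find_unencrypted_volumes(describe_volumes_json):
    """Return [(VolumeId, attached InstanceId or None), ...] for every unencrypted volume.

    Treats a missing `Encrypted` key as unencrypted: a scanner should fail closed.
    """
    data = json.loads(describe_volumes_json)
    findings = []
    for vol in data.get("Volumes", []):
        if vol.get("Encrypted", False):
            continue
        attached = [a["InstanceId"] for a in vol.get("Attachments", [])
                    if a.get("State") == "attached"]
        findings.append((vol["VolumeId"], attached[0] if attached else None))
    return findings


if __name__ == "__main__":
    # Pipe real output in: aws ec2 describe-volumes --output json | python this_script.py
    source = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_DESCRIBE_VOLUMES
    for volume_id, instance_id in find_unencrypted_volumes(source):
        where = f"attached to {instance_id}" if instance_id else "unattached"
        print(f"{volume_id}: not encrypted ({where})")
```

The attached-instance column matters for scoping: an unencrypted volume on a CDE instance is a finding against the data-at-rest requirement, an unattached one is a residual-data question. The same fail-closed reading applies to the account-level setting (`aws ec2 get-ebs-encryption-by-default`): unless it has been turned on per region, new volumes inherit the unencrypted default the slide warns about.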

Page 22

Data Migration into the cloud

• Analysis and Planning

• Capturing security and compliance requirements

• Validating business requirements (RPO vs RTO)

• Proof of Concept and Validation

• Functionality testing

• Security testing

• Build phase

• Validation of security controls

• Validation of compliance

• Validation of continuity arrangements

• Migration to the cloud

Page 23

Data Migration into the cloud

• It's storage like we've never seen before

• Backup tapes are so 90s

• Distributed synchronised backups

• Migration considerations:

• Data at rest

• Configuration/parameter data

• Applications

• Cardholder data must be transmitted securely over open public networks

Page 24

Education and Training for the cloud

• What functions do you need to cover?

• Where to get good guidance

• Vendors

• PCI Security Standards Council

• CLOUDSEC

• Security Education

• (ISC)² Certified Cloud Security Professional (CCSP)

• Cloud Security Alliance Certificate of Cloud Security Knowledge (CCSK)

Page 25

Questions?

• Stay safe and informed…

Daniel Farr

[email protected]

www.Foregenix.com

Page 26

Connect with us

United Kingdom Foregenix Ltd First Floor, 8-9 High Street, Marlborough, Wiltshire SN8 1AA United Kingdom T: +44 845 309 6232

South Africa Foregenix (Pty) Ltd Gishen House, 58 Peter Place, Sandton, 2060 Gauteng, South Africa T: +27 860 44 4461

Latin America Foregenix S.R.L. 11500 Montevideo, Montevideo Uruguay T: +54 934 2502 5130

Social Networks Connect with us through Linkedin, Google+ and Twitter to stay informed of the latest information security news and updates Simply search for ‘Foregenix’

North America Foregenix Inc 60 State Street, Boston, MA, 02109 USA T: +1 508 644 1504

E: [email protected]