
Page 1: PCI Compliance in the Cloud

PCI Compliance in the Cloud
How to keep sensitive data secure as you move to the cloud

Page 2: PCI Compliance in the Cloud

Agenda

• About the Cloud

› Evolving Landscape

› What is the Cloud

› Key Compliance Differences

• About PCI DSS

• PCI DSS in the Cloud


Page 3: PCI Compliance in the Cloud

About the Cloud

Page 4: PCI Compliance in the Cloud

Evolving Payment Landscape

• Mobile Payments

• “Cloud Based” Payment Providers

• Point-to-Point Encryption (P2PE)

Page 5: PCI Compliance in the Cloud

What is the Cloud

• Hosting provider private cloud
› NCR
› IBM/ATT
› Rackspace

• Amazon cloud
› EC2

• Internal cloud
› Virtualization within the internal datacenter

Page 6: PCI Compliance in the Cloud

Key Compliance Differences

• Private vs. Public network

• Physical vs. Logical Access

• Known Physical Boundaries vs. Unknown

• Known Access vs. Unknown


Page 7: PCI Compliance in the Cloud

PCI Compliance in the Cloud

Page 8: PCI Compliance in the Cloud

What is PCI DSS?

Payment Card Industry Data Security Standard:

• A set of requirements for securely processing, storing, or transmitting payment card account data

• Established by the major payment card brands

• Maintained by the PCI Security Standards Council (PCI SSC)

Page 9: PCI Compliance in the Cloud

How Does PCI DSS Apply to the Cloud?


Page 10: PCI Compliance in the Cloud

It’s a Wild West Out There…


Page 11: PCI Compliance in the Cloud

Our Topic: PCI Compliance in the Cloud


Page 12: PCI Compliance in the Cloud

How Does the Compliant Cloud Work?

Minimum requirements: two servers, one in a “DMZ” and one internal

Page 13: PCI Compliance in the Cloud

PCI DSS Requirements (control objectives and their requirements)

• Build and maintain a secure network
› 1. Install and maintain a firewall configuration to protect cardholder data
› 2. Do not use vendor-supplied defaults for system passwords and other security parameters

• Protect cardholder data
› 3. Protect stored cardholder data
› 4. Encrypt transmission of cardholder data across open, public networks

• Maintain a vulnerability management program
› 5. Use and regularly update anti-virus software on all systems commonly affected by malware
› 6. Develop and maintain secure systems and applications

• Implement strong access control measures
› 7. Restrict access to cardholder data by business need-to-know
› 8. Assign a unique ID to each person with computer access
› 9. Restrict physical access to cardholder data

• Regularly monitor and test networks
› 10. Track and monitor all access to network resources and cardholder data
› 11. Regularly test security systems and processes

• Maintain an information security policy
› 12. Maintain a policy that addresses information security

Page 14: PCI Compliance in the Cloud

Requirement 1: Firewalls

• Cloud provider
› Must provide the ability for a DMZ to be created in the cloud environment; OR
› Must offer separate clouds for the DMZ and the internal network

• You (the customer)
› Must ensure the DMZ has been implemented consistent with PCI requirements
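The slide leaves "implemented consistent with PCI requirements" undefined. For the two-server layout on page 12 (one DMZ host, one internal host holding cardholder data) the concrete checks a QSA will make are: nothing from the internet reaches the internal host directly, the DMZ reaches the internal host only on the documented service ports, outbound from the internal host is justified, and the ruleset ends in an explicit deny. The following is an added example for this page, not ControlCase tooling; the rule format (an ordered first-match list exported from a firewall or cloud security group), the subnet addresses and the permitted internal service (tcp/1433) are all assumptions.

```python
"""Segmentation check for the two-server cloud layout (one DMZ host, one
internal host) against PCI DSS Requirement 1.

Added example for this page, not ControlCase tooling. The rule format and
the zone addresses are assumptions: rules are an ordered, first-match list
ending in an explicit deny-all, as exported from a firewall or cloud
security-group configuration.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass

# Constructed zones for the minimum layout: a DMZ subnet holding the
# internet-facing web server and an internal subnet holding the database
# that stores cardholder data (the CDE).
ZONES = {
    "dmz": ipaddress.ip_network("10.0.1.0/24"),
    "internal": ipaddress.ip_network("10.0.2.0/24"),
}

# Services the DMZ host legitimately needs on the internal host (assumed:
# SQL Server on tcp/1433). Anything else DMZ->internal is a finding.
INTERNAL_SERVICES = {"tcp": {"1433"}}


@dataclass(frozen=True)
class Rule:
    src: str     # CIDR
    dst: str     # CIDR
    proto: str   # "tcp", "udp" or "any"
    port: str    # destination port as a string, or "any"
    action: str  # "allow" or "deny"


def zone_of(cidr: str) -> str:
    """Map a CIDR to a zone. Anything not fully inside the DMZ or internal
    subnet (0.0.0.0/0, 10.0.0.0/8, ...) is treated as 'internet', i.e. as
    untrusted, which is the conservative reading of a broad rule."""
    net = ipaddress.ip_network(cidr, strict=False)
    for name, zone in ZONES.items():
        if net.version == zone.version and net.subnet_of(zone):
            return name
    return "internet"


def check_segmentation(rules: list[Rule]) -> list[str]:
    """Return findings as 'code: detail' strings; an empty list means the
    ruleset matches the DMZ/internal pattern the deck describes."""
    findings: list[str] = []
    for r in rules:
        if r.action != "allow":
            continue
        s, d = zone_of(r.src), zone_of(r.dst)
        if s == "internet" and d == "internal":
            findings.append(
                f"internet->internal: {r.proto}/{r.port} from {r.src} reaches the CDE directly")
        elif s == "dmz" and d == "internal":
            permitted = INTERNAL_SERVICES.get(r.proto, set())
            if r.proto == "any" or r.port == "any" or r.port not in permitted:
                findings.append(
                    f"dmz->internal: {r.proto}/{r.port} is not on the documented service list")
        elif s == "internal" and d == "internet":
            findings.append(
                f"internal->internet: outbound {r.proto}/{r.port} from the CDE needs explicit justification")
    if not rules or rules[-1].action != "deny":
        findings.append("no-default-deny: ruleset does not end in an explicit deny-all")
    return findings


# Constructed rulesets. GOOD_RULES is the minimum compliant layout; BAD_RULES
# is the same environment with two common mistakes plus a missing deny-all.
GOOD_RULES = [
    Rule("0.0.0.0/0", "10.0.1.10/32", "tcp", "443", "allow"),      # internet -> DMZ web
    Rule("10.0.1.10/32", "10.0.2.10/32", "tcp", "1433", "allow"),  # DMZ web -> internal DB
    Rule("0.0.0.0/0", "0.0.0.0/0", "any", "any", "deny"),
]
BAD_RULES = [
    Rule("0.0.0.0/0", "10.0.1.10/32", "tcp", "443", "allow"),
    Rule("0.0.0.0/0", "10.0.2.10/32", "tcp", "3389", "allow"),   # RDP straight into the CDE
    Rule("10.0.1.0/24", "10.0.2.0/24", "any", "any", "allow"),  # DMZ can reach anything internal
]

if __name__ == "__main__":
    for name, rules in (("good", GOOD_RULES), ("bad", BAD_RULES)):
        print(name, check_segmentation(rules) or "no findings")
```

Run it against an export of the real security groups or firewall policy rather than the constructed lists; the point of keeping the check in code is that it can run on every change, which is the evidence a provider's ROC will not give you for your own VMs.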

Page 15: PCI Compliance in the Cloud

Requirement 2: Configuration Standards

• Cloud provider
› Must prove that secure configurations are implemented for the base platform hosting the VMs

• You (the customer)
› Must ensure a secure configuration exists within the cloud images of the operating systems

Page 16: PCI Compliance in the Cloud

Requirement 3: Protect Stored Cardholder Data

You (the customer) must ensure stored cardholder data is encrypted and otherwise protected; this is not covered by the provider's platform compliance.
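"Encrypted and protected" is the whole of the slide's guidance, so here is what the customer side of Requirement 3 looks like in practice for the common case where the application only needs to recognise a card again and show it to an operator. The full PAN never reaches storage: it is replaced by a keyed hash (an unkeyed hash of a 16-digit number is trivially brute-forced) and a masked form limited to the first six and last four digits. This is an added example for this page, not ControlCase code; the demo key is constructed and in production would come from a key manager, and if the PAN must be recoverable you need authenticated encryption under a managed key instead, which this example does not cover.

```python
"""Keeping the full PAN out of the datastore: keyed-hash token plus a
PCI-style masked form for display.

Added example for this page, not ControlCase code. It assumes the
application only needs to look a card up again (token) and show it to an
operator (masked); if the PAN must be recovered, use authenticated
encryption under a key managed by a KMS/HSM instead.
"""
import hashlib
import hmac
import json
import re

# Constructed demo key. In production the key comes from a key manager and
# is never embedded in code or stored beside the tokens.
DEMO_KEY = bytes.fromhex("00" * 32)


def luhn_valid(pan: str) -> bool:
    """Luhn check digit, used to reject typos before anything is stored."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def normalize_pan(raw: str) -> str:
    """Strip spaces and dashes; reject anything that is not a plausible PAN."""
    pan = re.sub(r"[\s-]", "", raw)
    if not (13 <= len(pan) <= 19 and pan.isdigit() and luhn_valid(pan)):
        raise ValueError("not a well-formed PAN")
    return pan


def mask_pan(pan: str) -> str:
    """First six and last four in the clear is the most PCI DSS allows for
    display; everything between is replaced."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def pan_token(pan: str, key: bytes) -> str:
    """Keyed hash (HMAC-SHA-256) of the PAN. Same card, same token, so the
    token can be used for lookups and duplicate detection."""
    return hmac.new(key, pan.encode("ascii"), hashlib.sha256).hexdigest()


def store_record(raw_pan: str, key: bytes = DEMO_KEY) -> dict:
    """What actually gets written: no full PAN, no CVV, no track data."""
    pan = normalize_pan(raw_pan)
    return {"pan_token": pan_token(pan, key), "pan_masked": mask_pan(pan)}


if __name__ == "__main__":
    # Visa's published test number, so no real cardholder data is involved.
    print(json.dumps(store_record("4111 1111 1111 1111"), indent=2))
```

Two things the code cannot show but the assessor will ask about: where the HMAC key lives and who can read it (key management is also part of Requirement 3), and whether the PAN ever lands in application logs on its way to `store_record`, which is the usual way "we never store the PAN" turns out to be false.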

Page 17: PCI Compliance in the Cloud

Requirement 4: Protect Cardholder Data in Transmission

You (the customer) must ensure cardholder data is encrypted with strong cryptography (for example TLS) whenever it is transmitted across open, public networks; as with Requirement 3, the provider's platform compliance does not cover this for you.

Page 18: PCI Compliance in the Cloud

Requirement 5: Antimalware

• Cloud provider
› Must prove that the base platform/hypervisors have appropriate antimalware measures

• You (the customer)
› Must ensure all cloud images of operating systems have antimalware measures

Page 19: PCI Compliance in the Cloud

Requirement 6: Secure Applications

You (the customer) must ensure the applications you deploy in your VMs are developed securely and that known vulnerabilities in them are remediated; the provider's platform compliance does not cover your application code.

Page 20: PCI Compliance in the Cloud

Requirements 7 & 8: Access Control and User IDs

• Cloud provider
› Must prove that access control and unique user IDs have been implemented for the base platform/hypervisor hosting the VMs

• You (the customer)
› Are responsible for access control within the cloud images of your operating systems

Page 21: PCI Compliance in the Cloud

Requirement 9: Physical Security

• Cloud provider
› Must prove that physical security controls are in place wherever the base platform hosting the virtual machines is physically located

• You (the customer)
› Must ensure the cloud you host in is one where those physical security controls are in place and evidenced

Page 22: PCI Compliance in the Cloud

Requirement 10: Logging and Monitoring

• Cloud provider
› Must prove that logging is appropriately implemented for the base platform/hypervisors hosting the VMs
› Must prove that logging is appropriately implemented for network and security devices within the environment

• You (the customer)
› Are responsible for logging within the cloud images of the operating systems

Page 23: PCI Compliance in the Cloud

Requirement 11: Vulnerability Management

• Cloud provider
› Must prove that vulnerabilities are assessed and remediated appropriately for the base platform/hypervisors hosting the VMs
› Must prove that vulnerabilities are assessed and remediated appropriately for network and security devices within the environment

• You (the customer)
› Are responsible for assessing the internal, external and application vulnerabilities within the cloud images of the operating systems

Page 24: PCI Compliance in the Cloud

Requirement 12: Policies and Procedures

• Cloud provider
› Must prove that appropriate policies exist for the base platform/hypervisors hosting the VMs

• You (the customer)
› Must ensure that your policies address the security aspects specific to the applications being deployed in the VMs

Page 25: PCI Compliance in the Cloud

PCI DSS Requirements (table repeated from Page 13)

Page 26: PCI Compliance in the Cloud

Key Takeaways as you Make Cloud Decisions

• Ensure the cloud provider has validated PCI DSS compliance as a service provider
› Not in the context of the provider taking credit cards as a merchant, but as an infrastructure provider

• Ensure, through its Report on Compliance (ROC) or service provider responsibility matrix, that all requirements are covered for the in-scope platform EXCEPT the ones that remain yours regardless of provider:
› Requirement 3 (protect stored cardholder data)
› Requirement 4 (encrypt cardholder data in transmission)
› Requirement 6 (application security)

Page 27: PCI Compliance in the Cloud

ControlCase Compliant Cloud

Page 28: PCI Compliance in the Cloud

How ControlCase Keeps You Compliant

Compliance as a Service (CaaS)

Page 29: PCI Compliance in the Cloud

The ControlCase Compliant Cloud


Page 30: PCI Compliance in the Cloud

Why Choose ControlCase?

• Global Reach

› Serving more than 400 clients in 40 countries and rapidly growing

• Certified Resources

› PCI DSS Qualified Security Assessor (QSA)

› QSA for Point-to-Point Encryption (QSA P2PE)

› HITRUST

› SOC1, SOC2, SOC3, SSAE16

› Approved Scanning Vendor (ASV)

Page 31: PCI Compliance in the Cloud

To Learn More About PCI Compliance…

• Visit www.controlcase.com

• Call +1.703.483.6383 (US)

• Call +91.9820293399 (India)


Page 32: PCI Compliance in the Cloud

Thank You for Your Time