PCI Compliance and the Cloud

By: Jim Bibles, Qualys Inc.

NYM ISSA – PCI and Beyond, New York, NY, April 21, 2010

Agenda

1. What is the Cloud?
2. How is the Cloud the Same?
3. How is the Cloud Different?
4. Vetting Solutions
5. PCI Challenges
6. Potential Payment Solutions
7. One Security Program, Many Applications
8. Q&A

What is the Cloud?

Definition:

“The cloud is a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction”

– NIST Information Technology Laboratory


Five Essential Characteristics:

1. On-demand, self-service – Ability to unilaterally provision computing capabilities

2. Broad network access – Available over the network and accessed through standard mechanisms that promote heterogeneous thin or thick client platforms

3. Resource pooling – Resources are pooled to serve multiple consumers using a multi-tenant model (location independence)

4. Rapid elasticity – Capabilities can be rapidly and elastically provisioned

5. Measured service – Resource usage can be monitored, controlled, and reported

Three Service Models

1. Software As A Service (SaaS) – Managed application/service where customers consume application resources as needed, without impact to internal computing resources. Security provided by cloud vendor

2. Platform as a Service (PaaS) - Developers build and manage their own custom applications on top of platform provided by the cloud vendor. Application and data security managed by cloud customer.

3. Infrastructure as a Service (IaaS) - Cloud vendor provides storage, networks, and other fundamental computing resources on which the consumer is able to deploy and run arbitrary software, which can include operating systems and applications. Cloud vendor protects the infrastructure, but operating systems, applications, and content are managed and secured by the cloud consumer.


Key Takeaway - The lower down the stack the cloud service provider goes, the more security capabilities and management enterprises are responsible for.

Four Deployment Models

1. Public: Made available to the general public or large industry group and is owned by an organization selling cloud services.

2. Private: Operated solely for a single organization or a group of organizations, isolated from peers. May be managed by the organization or a third party and may exist on-premise or off-premise.

3. Community: Shared by several organizations and supports a specific community that has shared concerns. May be managed by the organization or a third party and may exist on-premise or off-premise.

4. Hybrid: Composed of two or more clouds (Private, Community, or Public) that remain unique but are bound together by standardized or proprietary technology that enables data and application portability (e.g., cloud bursting for load balancing between clouds).



How is the Cloud the Same?

You still need to do the basics:

1. Map Network
   – Include data flows

2. Classify Information Assets (data and systems)
   – Public
   – Internal
   – Confidential (PCI Data)
   – Top Secret

3. Secure Data Based on Classification

4. Be Able to Demonstrate Compliance with PCI DSS
   – ROC / SAQ
   – ASV Scan

How is the Cloud Different?

1. Shifts many day-to-day security activities to the cloud vendors (depending on service model):
   – SaaS
   – PaaS
   – IaaS

2. Requires a more robust vendor management program:
   – Enforcement of Service Level Agreements
   – Regular Reporting on Security Posture
   – Site Inspections/Audits

Vetting the Cloud Solutions

PCI Challenges

– Audit / investigations
– Need for isolation management
– Multi-tenancy
– Logging challenges
– Data ownership issues
– Quality of service guarantees
– Enforcement of data classification, retention, and destruction policies

Potential Payment Solutions

1. Fully Hosted Payment Solution
   – Must use HTTP redirect instead of transmitting data via API

2. Virtual Terminal
   – Low Cost
   – Significantly reduces scope and risk

3. Tokenization
   – Reduces risk, does not eliminate it

4. End-To-End Encryption
   – Significantly reduces scope and risk
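The first option above, a hosted payment page reached by HTTP redirect, keeps cardholder data off the merchant's systems. The Python example below is added here and is not from the presentation or from any payment vendor; it sketches the merchant side of that flow: building a signed redirect that carries only order data, verifying the provider's signed return, and refusing any request that carries card fields. The provider URL, the shared secret, the parameter names and the signing scheme are assumptions.

```python
import hmac
import hashlib
import secrets
from urllib.parse import urlencode, parse_qs

# Assumed values: a placeholder hosted-checkout URL and a secret shared with the provider
HOSTED_PAY_URL = "https://pay.provider.invalid/checkout"
SHARED_SECRET = b"merchant-shared-secret-placeholder"
# Field names that would pull the merchant back into PCI scope if they ever arrived
CARDHOLDER_FIELDS = {"pan", "card_number", "cvv", "cvc", "expiry"}

def sign(params: dict) -> str:
    """HMAC-SHA256 over the sorted key=value list (scheme and names are assumed)."""
    canonical = "&".join(f"{k}={params[k]}" for k in sorted(params))
    return hmac.new(SHARED_SECRET, canonical.encode(), hashlib.sha256).hexdigest()

def build_redirect(order_id: str, amount_cents: int, currency: str, return_url: str) -> str:
    """Merchant side: the browser is sent to the provider with order data only.
    The card number is typed on the provider's page and never touches the merchant."""
    params = {
        "order_id": order_id,
        "amount": str(amount_cents),
        "currency": currency,
        "return_url": return_url,
        "nonce": secrets.token_hex(8),  # makes each redirect unique
    }
    params["sig"] = sign(params)
    return f"{HOSTED_PAY_URL}?{urlencode(params)}"

def verify_return(query_string: str) -> dict:
    """Merchant side: validate the provider's redirect back to return_url.
    Rejects a bad or missing signature, and rejects any request that carries
    card fields, so a misconfigured integration cannot silently widen scope."""
    params = {k: v[0] for k, v in parse_qs(query_string, strict_parsing=True).items()}
    if CARDHOLDER_FIELDS & set(params):
        raise ValueError("cardholder data must not reach the merchant in a redirect flow")
    sig = params.pop("sig", "")
    if not hmac.compare_digest(sig, sign(params)):
        raise ValueError("signature mismatch: result may have been tampered with")
    return params

def simulate_provider_return(order_id: str, status: str) -> str:
    """Stand-in for the provider (constructed for this example): it signs the
    outcome with the shared secret and redirects the browser back with the result."""
    result = {"order_id": order_id, "status": status, "nonce": secrets.token_hex(8)}
    result["sig"] = sign(result)
    return urlencode(result)
```

The scope reduction only holds while the merchant page never collects card fields itself; the `CARDHOLDER_FIELDS` check is a cheap guard against that regression.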

One Security Program, Many Applications

Based on Globally Accepted Security Standards:
– ISO 27001
– ISO 27002

Meets Multiple Compliance Frameworks:
– PCI DSS
– HIPAA
– GLBA
– SOX

Remember

“You can delegate authority, but you can never delegate responsibility for delegating a task to someone else. If you picked the right man, fine, but if you picked the wrong man, the responsibility is yours -- not his.”

– Richard E. Krafve

Q&A

Thank You