
PCI Compliance and the Cloud

PCI Compliance and the Cloud. By: Jim Bibles, Qualys Inc. NYM ISSA – PCI and Beyond, New York, NY, April 21, 2010. Agenda: What is the Cloud? How is the Cloud the Same? How is the Cloud Different? Vetting Solutions. PCI Challenges. Potential Payment Solutions.





Presentation Transcript


  1. PCI Compliance and the Cloud
     By: Jim Bibles, Qualys Inc.
     NYM ISSA – PCI and Beyond, New York, NY, April 21, 2010

  2. Agenda
     • What is the Cloud?
     • How is the Cloud the Same?
     • How is the Cloud Different?
     • Vetting Solutions
     • PCI Challenges
     • Potential Payment Solutions
     • One Security Program, Many Applications
     • Q&A

  3. What is the Cloud?
     Definition: “The cloud is a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction” – NIST Information Technology Laboratory

  4. What is the Cloud?
     • Five Essential Characteristics:
       • On-demand self-service – Ability to unilaterally provision computing capabilities
       • Broad network access – Available over the network and accessed through standard mechanisms that promote heterogeneous thin or thick client platforms
       • Resource pooling – Resources are pooled to serve multiple consumers using a multi-tenant model (location independence)
       • Rapid elasticity – Capabilities can be rapidly and elastically provisioned
       • Measured service – Resource usage can be monitored, controlled, and reported

  5. What is the Cloud?
     • Three Service Models:
       • Software as a Service (SaaS) – Managed application/service where customers consume application resources as needed, without impact to internal computing resources. Security provided by the cloud vendor.
       • Platform as a Service (PaaS) – Developers build and manage their own custom applications on top of a platform provided by the cloud vendor. Application and data security managed by the cloud customer.
       • Infrastructure as a Service (IaaS) – Cloud vendor provides storage, networks, and other fundamental computing resources on which the consumer is able to deploy and run arbitrary software, which can include operating systems and applications. The cloud vendor protects the infrastructure, but operating systems, applications, and content are managed and secured by the cloud consumer.
     • Key Takeaway – The lower down the stack the cloud service provider goes, the more security capabilities and management enterprises are responsible for.

  6. What is the Cloud?
     • Four Deployment Models:
       • Public: Made available to the general public or a large industry group, and owned by an organization selling cloud services.
       • Private: Operated solely for a single organization or a group of organizations, isolated among peers. May be managed by the organization or a third party and may exist on-premise or off-premise.
       • Community: Shared by several organizations and supports a specific community that has shared concerns. May be managed by the organization or a third party and may exist on-premise or off-premise.
       • Hybrid: Composed of two or more clouds (Private, Community, or Public) that remain unique but are bound together by standardized or proprietary technology that enables data and application portability (e.g., cloud bursting for load balancing between clouds).

  7. What is the Cloud?

  8. How is the Cloud the Same?
     • You still need to do the basics:
       • Map the network
         • Include data flows
       • Classify information assets (data and systems)
         • Public
         • Internal
         • Confidential (PCI data)
         • Top Secret
       • Secure data based on classification
       • Be able to demonstrate compliance with PCI DSS
         • ROC / SAQ
         • ASV scan

  9. How is the Cloud Different?
     • Shifts many day-to-day security activities to the cloud vendors (depending on service model):
       • SaaS
       • PaaS
       • IaaS
     • Requires a more robust vendor management program:
       • Enforcement of Service Level Agreements
       • Regular reporting on security posture
       • Site inspections/audits

  10. Vetting the Cloud Solutions

  11. Vetting the Cloud Solutions

  12. PCI Challenges
     • Audit / investigations
     • Need for isolation management
     • Multi-tenancy
     • Logging challenges
     • Data ownership issues
     • Quality of service guarantees
     • Enforcement of data classification, retention, and destruction policies

  13. Potential Payment Solutions
     • Fully Hosted Payment Solution
       • Must use HTTP redirect instead of transmitting data via API
     • Virtual Terminal
       • Low cost
       • Significantly reduces scope and risk
     • Tokenization
       • Reduces risk, does not eliminate it
     • End-to-End Encryption
       • Significantly reduces scope and risk
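The tokenization bullet above makes two claims that are easier to see in code: the merchant side keeps only a token (plus the last four digits), so its order database is no longer storing cardholder data, and the risk is reduced rather than eliminated because the vault that maps tokens back to card numbers still holds every PAN and stays in scope. The following is an added example written for this page, not code from the presentation or from Qualys. It assumes an in-memory dict standing in for a segregated vault service, an HMAC fingerprint (with a constructed key) so a repeat card maps to the same token, and the well-known sample number 4111 1111 1111 1111 as constructed test input.

```python
"""Tokenization walk-through: merchant storage holds tokens, the vault holds PANs.

Added illustration for the slide above; the vault is an in-memory stand-in for a
separately hosted, PCI-scoped token service.
"""
import hashlib
import hmac
import secrets


def luhn_valid(pan: str) -> bool:
    """Reject malformed card numbers before anything is stored (Luhn mod-10 check)."""
    digits = [int(c) for c in pan if c.isdigit()]
    # Every character must be a digit and the length must be a plausible PAN length.
    if len(digits) != len(pan) or not 13 <= len(digits) <= 19:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


class TokenVault:
    """The only component that ever sees a full PAN; it remains inside PCI scope."""

    def __init__(self) -> None:
        self._pan_by_token: dict[str, str] = {}
        self._token_by_fingerprint: dict[str, str] = {}
        # Constructed key for the demo; a real vault keeps this in an HSM/KMS.
        self._fingerprint_key = secrets.token_bytes(32)

    def _fingerprint(self, pan: str) -> str:
        # Keyed hash so the lookup table cannot be reversed by brute-forcing PANs.
        return hmac.new(self._fingerprint_key, pan.encode(), hashlib.sha256).hexdigest()

    def tokenize(self, pan: str) -> str:
        """Return the token for a PAN, creating a random one on first sight."""
        if not luhn_valid(pan):
            raise ValueError("invalid PAN")
        fp = self._fingerprint(pan)
        if fp in self._token_by_fingerprint:
            return self._token_by_fingerprint[fp]
        token = "tok_" + secrets.token_urlsafe(24)   # random; derived from nothing in the PAN
        self._pan_by_token[token] = pan
        self._token_by_fingerprint[fp] = token
        return token

    def detokenize(self, token: str) -> str:
        """Only a processor-facing component should be allowed to call this."""
        return self._pan_by_token[token]


class MerchantOrders:
    """Merchant-side order store: token and last four digits only, never the PAN."""

    def __init__(self, vault: TokenVault) -> None:
        self._vault = vault
        self.orders: dict[str, dict] = {}

    def place_order(self, order_id: str, pan: str, amount: float) -> dict:
        token = self._vault.tokenize(pan)
        record = {"token": token, "last4": pan[-4:], "amount": amount}
        self.orders[order_id] = record
        return record

    def contains_pan(self, pan: str) -> bool:
        """Scope check: True would mean a raw PAN leaked into merchant storage."""
        return any(pan in str(rec) for rec in self.orders.values())


if __name__ == "__main__":
    vault = TokenVault()
    shop = MerchantOrders(vault)
    rec = shop.place_order("order-1", "4111111111111111", 19.99)   # constructed sample PAN
    print("merchant record:", rec)
    print("merchant holds PAN:", shop.contains_pan("4111111111111111"))
    print("vault still holds PAN:", vault.detokenize(rec["token"]))
```

Running it shows the merchant record carrying only `tok_…` and `1111`, while `detokenize` still returns the full number: the token service, its key material, and whoever can call `detokenize` are exactly the parts that remain in PCI scope.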

  14. One Security Program, Many Applications
     • Based on globally accepted security standards:
       • ISO 27001
       • ISO 27002
     • Meets multiple compliance frameworks:
       • PCI DSS
       • HIPAA
       • GLBA
       • SOX

  15. Remember
     “You can delegate authority, but you can never delegate responsibility for delegating a task to someone else. If you picked the right man, fine, but if you picked the wrong man, the responsibility is yours -- not his.”
     – Richard E. Krafve

  16. Q&A. Thank You.
