
PCI in the Cloud ?

PCI in the Cloud? Konstantinos Papadatos, Commercial Director & Co-founder (MSc InfoSec, CISSP, ISO 27001 LA, ISSMP, PMI, MBCI). 2nd InfoCom Security Conference, 5 April 2012. Presentation agenda: Cloud is here to stay; PCI-DSS is here to stay; Cloud Security & Compliance.


Presentation Transcript


  1. PCI in the Cloud? Konstantinos Papadatos, Commercial Director & Co-founder (MSc InfoSec, CISSP, ISO 27001 LA, ISSMP, PMI, MBCI). 2nd InfoCom Security Conference, 5 April 2012.

  2. Presentation Agenda
     • Cloud is here to stay…
     • PCI-DSS is here to stay…
     • Cloud Security & Compliance
     • Conclusions

  3. What is the Cloud computing service? (layered stack diagram)
     Service models shown:
     • Software Applications (SaaS)
     • Platform (PaaS)
     • Infrastructure (IaaS)
     Layers shown in the stack: Hosted Applications; Infrastructure SW / Databases; Operating Systems; Virtualization; Physical Servers & Storage; Networks / Directories; Data Center (Physical, Mechanical & Electrical).

  4. Cloud deployment models (Public, Private, Community, Hybrid)
     • Public cloud: Applications, storage, and other resources are made available to the general public by a service provider. Public cloud services may be free or offered on a pay-per-usage model.
     • Private cloud (Internal or Hosted): Cloud infrastructure operated solely for a single organization.
     • Community cloud: Shares infrastructure between several organizations from a specific community with common concerns (security, compliance, jurisdiction, etc.), whether managed internally or by a third party and hosted internally or externally.
     • Hybrid cloud: A composition of two or more clouds (private, community or public) that remain unique entities but are bound together, offering the benefits of multiple deployment models.

  5. Cloud Top Benefits
     • Allows IT to Shift Focus: with the quick availability of Cloud services, an organization is free to focus its time and resources on bringing innovation to applications and solutions.
     • Utility Service: a pay-per-use / pay-as-you-go, subscription-based model. Ready-to-go cloud offerings are available with limited time needed for implementation and customization (if provided).
     • Dynamic scaling: services scale up and down based on application usage; best for applications with significant spikes and troughs in infrastructure usage.
     • Investment Cap: more beneficial for companies with limited capital to invest in hardware and infrastructure.
     • Reduces TCO (Total Cost of Ownership): shifts cost from Capital expense (Capex) to Operational expense (Opex) for an enterprise. No need to buy an asset in order to use it, which also reduces related maintenance and support costs.
     • Metered Service: cloud usage is metered and priced on the basis of units (or instances) consumed. Pay for what you use, when you use it.
     • Flexible offering: access infrastructure from anywhere, at any location, on any device.
     • …
     • If provided properly: Better Security & Compliance

  6. Cloud key concerns
     Cloud trends for the Western European Public Sector (IDC CEMA ICT Markets Alert, March 2012).
     “46% of respondents expressed that concerns about security are holding back the adoption of cloud computing by governments” (Source: Gartner, March 2011)

  7. Cloud Adoption is on the Rise (…despite Security concerns)
     • IT decision-makers and influencers say that cloud is a critical or high priority.
     • The business need is such that security will not have the power to veto for long…
     Source: “Q&A: Demystifying Cloud Security”, October 2010

  8. The Cloud is here to stay …

  9. Presentation Agenda
     • Cloud is here to stay…
     • PCI-DSS is here to stay…
     • Cloud Security & Compliance
     • Conclusions

  10. Who is Who in PCI?
     • PCI SSC
       - Maintain PCI DSS
       - Certify QSAs & ASVs
     • Card Associations
       - Enforce PCI DSS
       - Promote its adoption (i.e. punishments, rewards)
     • Merchant Banks
       - Communicate with and educate merchants
       - Report merchant compliance to Card Associations
     • Merchants
       - Attain compliance with PCI DSS
       - Secure cardholder data
       - Use PCI certified service providers
     • Service Providers
       - Secure cardholder data
       - Attain compliance with PCI DSS
     • QSAs & ASVs
       - Verify compliance through on-site audits & quarterly vulnerability scans
       - Render opinions to merchant bank on compensating controls

  11. Overview of PCI DSS Requirements (Six Goals – Twelve Requirements)
     1. Install & maintain a firewall configuration to protect cardholder data
     2. Do not use vendor-supplied defaults for system passwords & other security parameters
     3. Protect stored cardholder data
     4. Encrypt transmission of cardholder data across open, public networks
     5. Use and regularly update anti-virus software or programs
     6. Develop & maintain secure systems and applications
     7. Restrict access to cardholder data by business need-to-know
     8. Assign a unique ID to each person with computer access
     9. Restrict physical access to cardholder data
     10. Track and monitor all access to network resources and cardholder data
     11. Regularly test security systems and processes
     12. Maintain a policy that addresses information security for employees and contractors

  12. Core technologies required…
     • Network Segmentation (Firewalls, NAC, ACLs…)
     • IDS & IPS
     • Wireless Security
     • System Security (File Integrity Monitoring, AV, Patch Management…)
     • Application Security (WAF, Code Review…)
     • Storage & DB Encryption (or DB Firewalling or Tokenization…)
     • Log Management
     • Password Management
     • Vulnerability & Patch Management
     • Physical Security

  13. PCI-DSS is here to stay…
     • Business as Usual:
       - $5,000 – $25,000 per month for non-compliance
     • In the event of a breach:
       - Any fines from Payment Brands (up to $100,000 per incident)
       - Cost to notify victims
       - Cost to replace cards (about $10/card)
       - Cost for any fraudulent transactions
       - Forensics from a QDSC
       - Level 1 certification from a QSA

  14. Presentation Agenda
     • Cloud is here to stay…
     • PCI-DSS is here to stay…
     • Cloud Security & Compliance
     • Conclusions

  15. Current Attack Paths & the Cloud (diagram)
     Existing attack paths shown: 3rd parties, Web Users and e-Services reach IT Services & Data through Web Applications and Mobile Access; Business Users through Back office Access Interfaces; IT Users through VPN.
     Cloud Related Threats shown: CSP IT Users, Partners, etc. (Web Application, Web Services, DB Access, System Access…); IPSec or other VPN links; Other Cloud Customers.

  16. Cloud Security Architecture Objectives
     • Data Center Physical Security
     • Availability/Accessibility
       - Network
       - DR/BCP
     • Isolation
       - At the application level (multitenant app, SaaS)
       - At the network/system level (Virtual Machines)
     • Data Privacy & Regulatory Compliance
     • Security Infrastructure as a Service
       - Protection from External Threats
       - Protection from Internal Threats & Misuse (customer’s internal environment)
       - Protection from Service Provider Access Misuse
       - Protection from Other Customers’ Access Misuse

  17. Cloud Security
     • Security of the Cloud Data Center / CSP
       - Risk Assessments
       - Penetration Tests
       - …
     • SecIaaS: Security Infrastructure as a Service

  18. Cloud Logical Security – SecIaaS: Secure & PCI Compliant Cloud
     CDC/CSP Security components:
     • Network Security (FW & DMZs, IDS/IPS, VPNs, Virtual FW)
     • System Security (Hypervisor Protection, CCM/FIM, AV/HIPS, Hardening, PIM/PUPM)
     • Application Security (WAF, optional Anti-DDoS)
     • Data Security (Storage & DB Encryption, DBFW, Tokenisation)
     • Secure Access (Dedicated VDI/TS, Strong Authentication, Workflows)
     • Identity & Access Management (Automation, Delegation, Governance)
     • Log Management & Archiving (Collection from all systems, applications and security controls)
     • Vulnerability & Patch Management (Automation, Streamlining, Integration)
     • 24x7 Real Time Threat Management (Advanced Reporting & Response)
     • Compliance Management (Dashboards, Integration with: CCM, VM/PM, IAM…)
     • Customer Portal(s) & Provisioning

  19. Presentation Agenda
     • Cloud is here to stay…
     • PCI-DSS is here to stay…
     • Cloud Security & Compliance
     • Conclusions

  20. PCI compliant CSPs are a major step, but not a PCI panacea
     Move Major Operations to Cloud → Implement PCI controls on the remaining Infrastructure → Attestation of Compliance

  21. Ease of compliance (chart)
     Assuming that all CSP services comply with PCI-DSS requirements!
     Chart axes: service model (IaaS, PaaS, SaaS) against Required Effort for PCI Compliance.
     Series shown: PCI compliant Applications; SecIaaS: Security Infrastructure as a Service; PCI Compliant CSP Offerings.

  22. Issues to consider when moving to a CSP
     • Data dispersal and international privacy laws
       - EU Data Protection Directive
       - Exposure of data to foreign governments
       - Data retention issues
     • Look for a CSP with strong security certifications / proof of compliance.
       - ISO/IEC 27001:2005: implementation of the standard for the cloud; scope: the Cloud Service Provider’s own IT systems
       - Cloud Security Alliance: enhancement of the ISMS & security controls with CSA guidelines
       - PCI DSS: enhancement of the ISMS & security controls with PCI DSS guidelines
     • If the CSP is NOT compliant, consider using a Hosted Private Cloud
       - Ability to impose stringent security and privacy policies.
       - Ability to have the infrastructure certified by auditors.
     • The organization itself is still responsible for full compliance of the CDE (cardholder data environment), and only a part of that CDE might intersect a CSP.
     • Cloud security is shifting from inhibitor to enabler.

  23. Simplify your PCI compliance through our… Cloud! (PCI DSS Compliance – SecIaaS – PCI ready Hosting)
     • Security Architecture:
       - Network Infrastructure Security
       - File Integrity Monitoring
       - AV/HIPS
       - Security Hardening
       - Web Application & DB Firewalls
       - DB & Storage Encryption
       - Tokenisation
       - Password Management
       - Security Event Management
       - Identity & Access Management
       - Patch Management
       - Enterprise Information Protection
     • Security Strategy:
       - Risk Assessment & Management
       - Security Policies & Procedures Development
       - PCI-DSS Scoping & GAP analysis
       - Security Awareness Programs
       - PCI-DSS Certification (QSA)
     • Security Assurance:
       - Infrastructure Pentest
       - Web Application Pentest
       - Internal Pentest
       - Code Review
       - Wireless Security Assessments
       - Digital Forensics
       - Vulnerability Assessment
       - Authorized ASV
     • Managed Security Services:
       - Real Time Threat Management
       - Managed Security Infrastructure
       - Brand Protection & Intelligence
       - Incident Handling & Support
       - Managed Vulnerability Assessments

  24. www.encodegroup.com
