pci: building compliant applications in the public cloud - rightscale compute 2013

34
#rightscale Is Achievable PCI Compliance in Public Cloud

Upload: rightscale

Post on 20-Aug-2015

274 views

Category:

Technology


0 download

TRANSCRIPT

Page 1: PCI: Building Compliant Applications in the Public Cloud - RightScale Compute 2013

#rightscale

Is Achievable

PCI Compliance in Public Cloud

Page 2: PCI: Building Compliant Applications in the Public Cloud - RightScale Compute 2013

# 2

#rightscale

RightScale Story• We accept credit cards for payment: a Merchant, and must be

meet PCI DSS compliance as part of our contract

• We only use public cloud services: We are “All-In” cloud so to speak

• Thus we needed to design, implement, and maintain a PCI environment in the public cloud

Page 3: PCI: Building Compliant Applications in the Public Cloud - RightScale Compute 2013

#rightscale

My Core Message for Today:

PCI compliance in public cloud is achievable

Page 4: PCI: Building Compliant Applications in the Public Cloud - RightScale Compute 2013

# 4

#rightscale

Agenda• Your selection of partners matter

• Application design and system deployment are key

• Walkthrough of PCI DSS

Page 5: PCI: Building Compliant Applications in the Public Cloud - RightScale Compute 2013

# 5

#rightscale

Partners Matter• Your choice of:

• Cloud Service Provider• Assessor: Qualified Security Assessor (QSA) or Internal Resource

• Will have a significant impact on your ability to achieve compliance

Page 6: PCI: Building Compliant Applications in the Public Cloud - RightScale Compute 2013

# 6

#rightscale

Cloud Service Provider• Partnership has an implicit “shared responsibility” model

• CSP has to be doing their part• IaaS – Everything up to and including the hypervisor (or equivalent)• PaaS – IaaS + underlying OS and supporting applications• SaaS – PaaS + data protection

Page 7: PCI: Building Compliant Applications in the Public Cloud - RightScale Compute 2013

# 7

#rightscale

What to look for in a CSP• Is on “Approved Service Providers” list (i.e., completed level 1) *OR*

has done a Level 2 assessment and can show you their validation results (essence of Requirement 2.4)• Many providers go through the rigor of ensuring compliance internally, but not

the cost of hiring an external QSA• Do not dismiss a potential partner because they are not on the list. If you are

going to dismiss them, do it because they are not transparent.

• Will sign a contract that states they must protect CHD in accordance with PCI DSS to the extent it applies to them (Requirement 12.8.2)

Page 8: PCI: Building Compliant Applications in the Public Cloud - RightScale Compute 2013

# 8

#rightscale

Assessor• This will be the authority who signs off on your compliance

• If they don’t understand the technology or application, the chances of sign-off are small

• There are A LOT of charlatans out there. Be wise with your $ spend

Page 9: PCI: Building Compliant Applications in the Public Cloud - RightScale Compute 2013

# 9

#rightscale

What to look for in an Assessor• They must understand cloud technology, and in ideally the cloud

technology you are using

• A good default choice for an external Assessor is the one who did the assessment for your chosen CSP (assuming there was one)

• If you don’t want/need to use an external auditor, then …determine if you have the knowledge internally

• The caveat: Internal assessor may know the tech, but they need to just as versed in the PCI DSS

Page 10: PCI: Building Compliant Applications in the Public Cloud - RightScale Compute 2013

#rightscale

As a reminder:

PCI compliance in public cloud is achievable

Page 11: PCI: Building Compliant Applications in the Public Cloud - RightScale Compute 2013

# 11

#rightscale

Application Design• Your ability to achieve PCI compliance in the public cloud is primarily

based on how much forethought you gave to the application in its design

• Most providers, and all cloud-based operating systems can be PCI compliant. The same cannot be said for all applications

• Ask the following questions:• What data am I storing? Why? Can I get away without it?• Do I know the communication flow of the application? Can I restrict

communications to specific system roles?• Am I using well-known, public vetted cryptography standards?

Page 12: PCI: Building Compliant Applications in the Public Cloud - RightScale Compute 2013

# 12

#rightscale

Application Guidelines• Here are guidelines I have used to ensure an application is

“securable” from a PCI perspective:

1. Do not store the Primary Account Number (PAN) if you do not need it.• Many payment processors have mechanisms for recurring billing or credits.

Depending on your situation, it is highly likely that you do not need to store the PAN, thus making your life significantly easier from a PCI DSS compliance standpoint.

2. If you are going to store PAN, then the design of crypto mechanism and, more importantly, the key management of data in the DB, is critical• This is really not a “cloud” thing, and is dealt with in any PCI application that

stores CHD.

Page 13: PCI: Building Compliant Applications in the Public Cloud - RightScale Compute 2013

# 13

#rightscale

Application Guidelines (cont.)3. Terminate SSL/TLS at the load balancer and run all other traffic over

the private interface/network• This assumes that the “private” interfaces have been designed to meet the

definition of “non-public” as far as PCI DSS• This is the case with Amazon Web Services. Traffic between the private IP

addresses can be considered a private network and not require encryption. This does not mean that you can’t or shouldn’t do it, just that you do not have to in order to meet PCI DSS requirements.

4. Validate all user input• While this is not a “cloud” issue, it is THE main intrusion vector

Yep, that’s pretty much it: Protect it in transit/at rest (if needed) & Test for bad code

• It is not rocket science, but most folks don’t do these right

Page 14: PCI: Building Compliant Applications in the Public Cloud - RightScale Compute 2013

# 14

#rightscale

Harden the Systems• Protect the system

• Firewalls (remember ingress and egress)• Change defaults• Install patches• Watch the system for odd behavior or changes

• Shout out to CloudPassage• Manage the firewall rules and separation of duty that PCI DSS requires, and will

make achieving compliance much easier.

• I recommend using a public cloud management solution. Trying to do this by hand is error-prone.

Page 15: PCI: Building Compliant Applications in the Public Cloud - RightScale Compute 2013

#rightscale

Once again:

PCI compliance in public cloud is achievable

Page 16: PCI: Building Compliant Applications in the Public Cloud - RightScale Compute 2013

# 16

#rightscale

PCI and Cloud Snapshot• Those that need special consideration because of cloud: 1, 3, 9, 10, 11, 12 (orange)• Those that are more about HOW than WHAT: 2, 4, 5, 6, 7, 8 (blue)

Page 17: PCI: Building Compliant Applications in the Public Cloud - RightScale Compute 2013

# 17

#rightscale

Requirement 1: Firewalls• Design the application and communications flows so they can be

secured

• The state of networking features in cloud have an affect on how you provide isolation for scoping• e.g. AWS EC2 general Security Groups are NOT adequate: No egress filtering

• Review/audit regularly to make sure design and implementations have not changed• One nice aspect of the cloud is that since automation is part of the DNA,

automation of these reviews is easier

Page 18: PCI: Building Compliant Applications in the Public Cloud - RightScale Compute 2013

# 18

#rightscale

Requirement 2: Defaults• Make sure to change the vendor supplied defaults

• RightScale ServerTemplates™ are a great way to enforce this, as well as provide version control of configurations

• The cloud actually helps you: Have to plan• There is not “throw in the CD, plug in the cable, and leave it”

• Cloud should give you a leg up in this area, as this is part of Cloud DNA so to speak

Page 19: PCI: Building Compliant Applications in the Public Cloud - RightScale Compute 2013

# 19

#rightscale

Requirement 3: Protect CHD• Gets down to:

• Do not store what you don’t need• Good crypto selection• Proper key management

• For block/storage level encryption, use of a third party like TrendMicro SecureCloud (or similar) is a big help here

• Note: Cloud really is not an issue here, as you have many of the same concerns in a managed hosting environment. The main difference is between owned or third-party infrastructure.

Page 20: PCI: Building Compliant Applications in the Public Cloud - RightScale Compute 2013

# 20

#rightscale

Stored PAN Tangent• Assume you store PAN in the DB

• Not tokenized, truncated, or hashed

• For most of us, you need to mask on display• Per Requirement 3 if you store CHD, then you must encrypt

• Does your DB support it? If not, then have to do in App• Use encrypted filesystem on block storage in addition• Inject keys at instance launch

• Management of encryption keys is the big issue• Rotation – You need to plan on how to do this!• Storage – In memory is best, restricted filesystem is next best

Page 21: PCI: Building Compliant Applications in the Public Cloud - RightScale Compute 2013

# 21

#rightscale

Requirement 4: Encrypt transmission• No huge difference between cloud or hosted here

• Biggest item is determining private vs. public networks

• SSL/TLS is the defacto way to do this

Page 22: PCI: Building Compliant Applications in the Public Cloud - RightScale Compute 2013

# 22

#rightscale

Requirement 5: AV and Malware• Not much specific to a “cloud” deployment

• Servers come and go more frequently, so you need to make sure the AV solution is operating correctly• If I had Windows systems for servers, I’d be using RightScale ServerTemplates to

make sure things were configured correctly

• Nice aspect of the cloud is that since automation is part of the DNA, automation of this should actually make it easier to meet the requirements

Page 23: PCI: Building Compliant Applications in the Public Cloud - RightScale Compute 2013

# 23

#rightscale

Requirement 6: Development & System Admin• The “what” (securing systems) is not really a “cloud” specific problem,

but the “how” is

• Need to deploy hardened systems• RightScale ServerTemplates and built in versioning makes it easy and provides

change tracking. You can choose how you want to do it, just do it

• Nice aspect of the cloud is that since automation is part of the DNA, automation of these should actually make it easier to meet the requirements

Page 24: PCI: Building Compliant Applications in the Public Cloud - RightScale Compute 2013

# 24

#rightscale

Requirements 7 & 8: Restrict Access & Users• Again, not the “What to do” that is the issue, but “How to do it”

• Make sure you enforce it on EVERY system• Role-Based Access Control (RBAC) and ServerTemplate features of RightScale and

a strict provisioning policy to get this done. You can choose any method that works

• I use a combination of RightScale, policies, and regular audits. You can choose any method that works

• Really no different than a hosted environment

Page 25: PCI: Building Compliant Applications in the Public Cloud - RightScale Compute 2013

# 25

#rightscale

Requirement 9: Physical• You need to worry about user systems and any hard copy

• Really no different than a hosted environment

Page 26: PCI: Building Compliant Applications in the Public Cloud - RightScale Compute 2013

# 26

#rightscale

Requirement 10: Logging & Tracking• Basically need host-based tools

• The lack of transparency into some of the devices you don’t have access to (e.g., hypervisor logs) needs to be taken into account

• I use RightScale to configure systems and send local system and application logs to central log server• You can choose any method that works for you

• Use of a 3rd party is a BIG WIN here

Page 27: PCI: Building Compliant Applications in the Public Cloud - RightScale Compute 2013

# 27

#rightscale

Requirement 11: Testing• Coordination with the CSP when doing testing may be something that

is new and require modification of your process

• “Internal” testing becomes a bit tricky

• I recommend:• Automated tools - Continuous• Internal experts – Monthly or more• 3rd party testing – Annually

• While you can use a Web App Firewall (WAF), I prefer testing• Use both if you can

Page 28: PCI: Building Compliant Applications in the Public Cloud - RightScale Compute 2013

# 28

#rightscale

Requirement 12: Governance• The policies need to exist with or without the cloud

• Must ensure appropriate language is included in contracts with partners

• Biggest issues I run into:• Ensure that if you share CHD with others, contracts state they must protect CHD

in accordance with PCI DSS

• Have an incident response plan and make sure it works!

Page 29: PCI: Building Compliant Applications in the Public Cloud - RightScale Compute 2013

# 29

#rightscale

Summary• Your selection of partners matter

• Application design and system deployment are key

• Know how the PCI DSS applies to you

Page 30: PCI: Building Compliant Applications in the Public Cloud - RightScale Compute 2013

#rightscale

One last time:

PCI compliance in public cloud is achievable

Page 31: PCI: Building Compliant Applications in the Public Cloud - RightScale Compute 2013

# 31

#rightscale

Action Item• Investigate where you are at in the context of PCI and public

cloud compliance

Page 32: PCI: Building Compliant Applications in the Public Cloud - RightScale Compute 2013

#rightscale

Questions???

Page 33: PCI: Building Compliant Applications in the Public Cloud - RightScale Compute 2013

# 33

#rightscale

Wrap-Up• I have walked this path

• Contact me if you need help

Page 34: PCI: Building Compliant Applications in the Public Cloud - RightScale Compute 2013

# 34

#rightscale

My Contact Info• Email: [email protected]

• Twitter: sec_prof

• Google+: [email protected]