PCI DSS Compliance and the Cloud

Transcription

1 PCI DSS Compliance and the Cloud Daniel Farr, Managing Consultant CyberSecurity Consulting PCI & Compliance Services DF&IR Risk Reduction Solutions

2 A Brief History of Foregenix Foregenix born Obtains PCI QSA status for EMEA (staff 3) Obtains Full PCI PFI status for EMEA (staff 6) Opens South Africa office in Johannesburg (staff 20) Foregenix opens office in USA (staff 50) Obtains P2PE Assessor Status Opens South American office in Montevideo, Uruguay (staff 39) Foregenix opens German office Global Leader in P2PE Acceleration of FGX Solutions (staff 59)

3 Our Purpose Foregenix was founded with the following principles and purpose: To deliver a valuable, cost-effective service to our clients To maintain a personable, flexible approach to our client needs To work passionately towards improving the security of our clients To create a dynamic work environment, with a team dedicated to delivering high quality services We aim to build lasting relationships with our clients, and our commitment to service reflects this approach. Offices We offer a Global delivery, with offices in: United Kingdom (HQ) North America Latin America South Africa Germany

4 Our Partners Confidential

5 Agenda Responsibilities and Accountabilities in the Cloud Configuration Management in the Cloud Security Incident Identification and Response in the Cloud Encryption Management in the Cloud Data Migration in and out of the cloud Education and Training for the cloud

6 Responsibilities and Accountabilities PCI Terminology Data Owner: Merchant/Service Provider Data Processor: Third-party service provider (TPSP) Cloud Terminology Infrastructure as a Service (IaaS) Platform as a Service (PaaS) Software as a Service (SaaS)

7 Responsibilities and Accountabilities PCI Card Scheme or Acquirer Guidance Approved partners or services Set the expectation upfront Service Level agreement: Responsibilities matrix What additional services does the cloud provider give Who owns internal controls? Are the services and responsibilities defined in the contract? Have you addressed liability? QSAs are called many things

8 Responsibilities and Accountabilities What processes are being migrated? What data is involved in the processes? Cardholder Data Personal Identifiable Information Business related data What is your compliance landscape? Understand all your security requirements and responsibilities Due diligence

9 The Cloud Attestation of Compliance What services are covered in the Attestation of Compliance Services, process, scope can all be clearly identified A valid countersigned Attestation of Compliance There is no such thing as a compliance certificate!

10 Your Report on Compliance A full Report on Compliance To be or not to be in place Assessment scope Built upon responsibilities matrix TPSP PCI DSS assessed controls TPSP controls within your assessment Merchant/Service Provider validated controls Evidence validation of requirements do not change Engage a QSA

11 Configuration in the cloud Terminology Understand the technologies in the environment Microsoft Azure vs Amazon Web Services The cloud provider lays great foundations IaaS/PaaS/SaaS Best practice guidance Basic security principles Good security testing

12 Best Practice guidance Vendor guidance Internal documents External resources NIST /CIS (AWS and Azure Benchmarks) Solution guidance PaaS/IaaS/SaaS Secure architecture fundamentals Network architecture Security tools for the cloud

13 Basic Security Principles Access Controls Role based access controls Vulnerability Management What platforms/systems are within the environment Vulnerability assessment responsibilities Remediation responsibilities Protection against malware/malicious code Change control monitoring Network time protocol Secure remote access Secure administration interfaces

14 Good security testing Penetration Testing Internal External Application Vulnerability Scanning Internal External Application code review Automated tools Static code analysis

15 Security Incident Identification and Response in the Cloud Timelines of Attack Point of Compromise Incident Detection Containment Investigation Concludes Business As Usual (BAU) Investigation Remediation BAU

16 Security Incident Identification and Response in the Cloud Have you defined an incident? Incident Management Plans Incident Testing Incident Management Stages Level of incident Identification Containing and investigating Remediation Restoration of service

17 Audit Logging in the Cloud What types of logs are available IaaS/PaaS/SaaS Who is monitoring the logs? Is logging a defined service Migration requirement What do you want to know? Access to logging platforms and systems What level of logs can you monitor? Event correlation Access to cardholder data logs

18 Security Incident Identification and Response in the Cloud Threat landscape has changed Update your incident response plans Educate the incident response team Service Provider Communications Release of information Communication planning Self Reporting Cloud Forensics Still a requirement if you are breached

19 Encryption Management in the Cloud Hardware Security Modules Transmission of encrypted data Encryption = Compliance Secure storage of encryption keys If there is a breach this is what they NEED!!! What encryption is available: Transport encryption Data encryption Key management documentation

20 Transport Encryption A lot depends on the service provided and provider IaaS/PaaS/SaaS Internal secure transmissions SSL and early TLS is in the CLOUD Risk migration and mitigation plan Certificate and cipher management Configuration of termination points Open public networks Risk appetite

21 Data Encryption A lot depends on the service provided and provider IaaS/PaaS/SaaS Strong cryptography Azure Storage Service Encryption (SSE) Amazon Elastic Block Storage (EBS) Encryption Defaults are not secure Encryption and performance Where to apply encryption in the cloud? Permitted data storage locations

22 Data Migration into the cloud Analysis and Planning Capturing security and compliance requirements Validating business requirements (RPO vs RTO) Proof of Concept and Validation Functionality testing Security testing Build phase Validation of security controls Validation of compliance Validation of continuity arrangements Migration to the cloud

23 Data Migration into the cloud Its storage like we ve never seen before Back up tapes are so 90s Distributed synchronised backups Migration considerations: Data at rest Configuration/parameter data Applications Cardholder data must be transmitted securely over open public networks

24 Education and Training for the cloud What functions do you need to cover? Where to get good guidance Vendors PCI Security Standard Council CLOUDSEC Security Education ISC Certified Cloud Security Professional (CCSP) Cloud Security Alliance Certificate of Cloud Security Knowledge (CCSK)

25 Questions? Stay safe and informed Daniel Farr

26 Connect with us United Kingdom South Africa Latin America North America Foregenix Ltd First Floor, 8-9 High Street, Marlborough, Wiltshire SN8 1AA United Kingdom Foregenix (Pty) Ltd Gishen House, 58 Peter Place, Sandton, 2060 Gauteng, South Africa Foregenix S.R.L Montevideo, Montevideo Uruguay Foregenix Inc 60 State Street, Boston, MA, USA T: T: T: T: E: Social Networks Connect with us through Linkedin, Google+ and Twitter to stay informed of the latest information security news and updates