PCI in the Sky (or Running Secure Workloads in the Public Cloud) ISACA Controls & Compliance 2017 May 9, 2017

Transcription

1 PCI in the Sky (or Running Secure Workloads in the Public Cloud) ISACA Controls & Compliance 2017 May 9, 2017

2 DREAM BUILD SOAR SECURITY CLOUD DEVELOPMENT WEB DESIGN COMPLIANCE COMMUNICATIONS 2

3 Our Mission The most distinguishing feature a company can possess is worldclass customer service. Our mission is to deliver exceptional services tailored to the specific needs of every client. 3

4 Contact Info Committed Team We offer many services, but we serve people first, and through that we produce quality work Focused Process Industry-leading practices ensure the highest quality for our customers Cutting-Edge Technology We re first to leverage new systems, software, and ideas to provide smart solutions that fit your needs 4

5 Your Host JIM RAUB 30 Years experience in IT, Security, Governance, Cloud, Infrastructure CISA, CISSP, CRISC, ITIL, AWS, others Career spans four continents, private and public companies, startup to Fortune 500 Currently CISO, VP of Enterprise Infrastructure, vciso (for several clients) Married, with four children; love to play piano and swim 5

6 Scott McNealy Founder, SUN Microsystems, Serial Entrepreneur The utility model of computing computing resources delivered over the network in much the same way that electricity or telephone service reaches our homes and offices today. 6

7 Scott Adams Cartoonist, Creator of Dilbert 7

8 Nailing Down Some Terminology According to NIST , Cloud Computing is [a] ubiquitous, convenient, on-demand network access shared pool of computing resources minimal management effort Typically, one of three deployment models Public Cloud Access across Internet; Systems in one or more datacenters; Varying degrees of privacy Private Cloud Modeled after Public Cloud, but built and managed internally; Network & storage within enterprise Hybrid Cloud A mix of vendor Public Cloud and either Private cloud or classic infrastructure New model, Community Cloud is emerging 8

9 There Are More Terms!? ISO speaks of Information Security in terms of protecting against risk to a system s confidentiality, integrity and availability Further defined as Confidentiality Information is not made available or disclosed to unauthorized individuals, entities or processes Integrity Maintaining and assuring the accuracy and completeness of information Availability Ensuring that information is accessible and usable when an authorized entity demands access 9

10 You Manage You Manage You Manage Cloud Computing Service Models On Premise (Classical) Application Infrastructure (as a Service) Application Platform (as a Service) Application Software (as a Service) Application Data Data Data Data Runtime Runtime Runtime Runtime Middleware O/S Virtualization Servers Storage Networking Middleware O/S Virtualization Servers Storage Networking Vendor Manages Middleware O/S Virtualization Servers Storage Networking Vendor Manages Middleware O/S Virtualization Servers Storage Networking Vendor Manages 10

11 You Manage You Manage You Manage Cloud Computing Service Models On Premise (Classical) Application Infrastructure (as a Service) Application Platform (as a Service) Application Software (as a Service) Application Data Data Data Data Runtime Runtime Runtime Runtime Middleware O/S Virtualization Servers Storage Networking Middleware O/S Virtualization Servers Storage Networking Vendor Manages Middleware O/S Virtualization Servers Storage Networking Vendor Manages Middleware O/S Virtualization Servers Storage Networking Vendor Manages 11

12 Chris Huff Founder, Cloud Security Alliance SVP, Cybersecurity, Bank of America Merrill Lynch If your security sucks now, you ll be pleasantly surprised by the lack of change when you move to the Cloud. 12

13 Cloud Network Security In a recent NetworkWorld survey, 60% cybersecurity professionals said: Current security team can t keep up with cloud self service / DevOps Organization still learning how to apply security policies to cloud It s difficult to get same level of visibility in cloud as on premise All cloud resources are an abstraction Networking ~ SDN Network-security cloud-provider controls available to designer: Virtual Private Network (VPC / VN) Subnets and Route Table Rules Firewall Rules (Security Groups / Network Security Groups) Access Control Lists (NACLs / Endpoint ACLs) Detailed Audit Logs (CloudTrail, Activity Logs) 13

14 Virtual Private Network Concepts x.x/16 VPN Connection VPN Gateway Internet Gateway AWS Direct Connect Endpoints 14

15 Virtual Private Network Concepts x.x/16 Private Public VPN Connection Route Table Route Table VPC NAT Gateway VPN Gateway Internet Gateway AWS Direct Connect Endpoints Route 53 Hosted Zone 15

16 Virtual Private Network Concepts x.x/16 Private Public Server 1 VPN Connection Security Group 1 Subnet 1 Route Table Route Table VPC NAT Gateway VPN Gateway NACL Internet Gateway AWS Direct Connect Endpoints Server 2 Security Group 2 Subnet 2 Route 53 Hosted Zone 16

17 Bruce Schneier Security Expert, Cryptographer, Fellow at Harvard Law School Regarding Cloud Data Security You have no way of knowing. You can't trust anybody. Everybody is lying to you. 17

18 Cloud Storage Security Cloud providers offer several methods of data storage Block may be optimized for specific functions (EBS / File Storage) Object unstructured data (S3, Glacier / Blob) Use strong encryption to secure data-at-rest Available transparently from cloud providers, with KMS* Also available through third-party marketplace offerings Optionally use your own Hardware Storage Module (HSM) Achieve data high-availability via replication Different racks, different availability zones, different regions Contractual reliance: geo-fencing, durability, SLAs, ownership, return *free in AWS 18

19 Cloud Server & O/S Security Instances or VMs require rigorous adherence to security disciplines O/S version Current or (at least) fully supported Hardening Services, accounts, policy configurations Patching Over 90% exploited had released fix > 6-months Server-to-Server Encryption SSL/TLS for everything; lo $ certs ok Secure or Zero Remote Access SSH or RDP (TLS 1.2), Bastion Host-Based Security Services Firewall, IDS, Anti-Malware, other Multi-Factor Authentication Minimally, for administrators Efficiency and Sustainability through Automation and Orchestration Emerging Serverless Computing (FaaS) {Node.js, Python, Java, C#} 19

20 Cloud Application Security Similar principles apply no matter which layer (middle, runtime, app) Application Version Current or (at least) fully supported Patching Over 90% exploited had released fix > 6-months Embrace DevOps Continuous integration, automated deployment Cloud Services APIs to rich catalog of public and private services DynamoDB CodeCommit Cognito Chime Mobile Analytics CloudWatch CodePipeline Lambda Simple Workflow Inspector SimpleQueue X-Ray Bake-In Security Code review, inspection tools, education, OWASP 20

21 Vivek Kundra EVP Salesforce.com, First CIO U.S.A. Cloud computing is often far more secure than traditional computing, because companies like Google and Amazon can attract and retain cyber-security personnel of a higher quality than many governmental agencies. 21

22 Cloud Security Fundamentals Trusted Identity has never been more important Identity Access Management (IAM) Role-Based Authorization Users, Servers, Services Granular Permissions Secure Tokens Federation With corporate AD, Internet identities, Azure AD Trusted Code & Communications are important, also Signing Not just for code, anymore API requests Certificate Services Digital certs are foundation of secure comm. Trust But Verify [Continual] Vulnerability Scanning & Penetration Testing Monitor, Correlate (threat intelligence?), CASB (extend policies) 22

23 Cloud Compliance Know the standards against which you are being measured Adopt IT governance best practices Capture detailed audit trail events and be prepared to provide report(s) Clearly define audit scope Tactfully educate parties who may be less familiar with cloud Must understand and articulate the service model(s) being used Below the appropriate level, rely on cloud provider s attestations 23

24 Final Recommendation This is not what you want 24

25 Final Recommendation This is not what you want From your architect 25

26 Final Recommendation Invest time with a Cloud Architect Brainstorm Design Validation Troubleshooting Migration 26

27 David Fletcher Popular Cartoonist from New Zealand 27

28 Contact Info Thank you! Any Questions? EagleDream.com Contact Us EAGLEDREAM Eagledream.com Headquarters Rochester, NY 300 Trolley Blvd Rochester, NY New England Boston, MA 300 Baker Avenue, Suite 300 Concord, MA Primary Contact(s): Jim Raub CISO, VP of Enterprise Infrastructure Phone: Jon Providence VP of Enterprise Business Services Phone: