PCI Compliance in a Virtualized World
- Corey Lucas
- 8 years ago
1 PCI Compliance in a Virtualized World
- Security Technology, Infrastructure Security Integration, 24x7 Support, MSS, Training, Information Assurance, Staff Augmentation
2 Presenters
- John Clark, QSA, PMP, CISA, CISSP. Security Consultant, FishNet Security. Over 13 years in technology and security; trusted security expert in legal, financial, utilities and banking; expert in customer-centric solutions and remediation strategies.
- Eric Fisher, QSA, MCSE, MCP, CEH. Security Consultant, FishNet Security. More than 20 years in virtualized security planning and design; held membership in a PCI Council special interest group; current member of the Cloud Security Alliance; national speaker on PCI compliance in virtual environments.
3 Agenda
- Basic definitions
- History and trending
- PCI compliance in virtualized environments: impact on compliance, scoping guidance, security control considerations, SSC recommendations
- FishNet Security's take: dealing with The Cloud, key points (top advice / recommended best practices)
- In summary
- Links
- Questions
4 Definitions
- Virtualization is the use of a logical simulation to create independent instances of a resource (an operating system, server hardware, storage, memory, networking, data or other resources) decoupled from the underlying physical resource.
- Host: the actual component on which virtualization occurs.
- Guest: the virtualized entity.
- Hardware virtualization: full / partial / paravirtualization (hypervisors, vPar, nPar, LPAR).
- Software virtualization: application / workspace (XenApp, App-V, ThinApp, Wine); operating-system level (containers, VEs, VPSs, jails, zones); desktop / session (VDI, Remote Desktop Services, Citrix, virtual Linux desktop, virtual terminal).
5 History
- Virtualization has been around since the mainframes of decades ago.
- It may not be obvious, but almost everyone uses the core technology in some way.
- Advancement, formalization and marketing: "Virtualization", then "The Cloud".
6 PCI Compliance in Virtualized Environments
7 Some Statistics (Gartner reports)
- In 2010 it was estimated that 18 million virtual servers would be deployed in 2011.
- The penetration of server virtualization in midsize companies (100 to 1,000 employees) will exceed that of the Global 500.
- It is not uncommon for organizations to halt their virtualization deployments because of cost overruns and process issues; Gartner found these issues were avoidable with good upfront planning.
- Source: Gartner report G : Six Misconceptions about Server Virtualization
8 (image-only slide; no text extracted)
9 PCI DSS Virtualization Guidelines: what happened
- The SSC published the guidelines in June 2011.
- Six sections: Introduction; Virtualization Overview; Risks for Virtualized Environments; Recommendations; Conclusion; Virtualization Considerations for PCI DSS.
- No new requirements for the DSS.
- Provided clarity on how to address virtualized components in an assessment.
10 PCI Compliance
- Any virtual environment can be compliant.
- Virtual machines of different security levels (mixed mode) can be hosted on the same hypervisor or physical host, but do you want to do that?
- Security considerations
- Complexity
- Cost considerations
11 Impact on Compliance
Four principles to keep in mind:
1. PCI DSS requirements apply to the virtualization technologies and components used in the storage, processing or transmittal of cardholder data.
2. Virtualization technology introduces new risks that may not be relevant to other technologies, and those risks must be assessed.
3. Implementations of virtual technologies can vary greatly.
4. There is no one-size-fits-all method or solution to configure virtualized environments to meet PCI DSS requirements.
12 Scope Guidance
- Virtual devices should be treated no differently than their physical counterparts: segmentation, physical security, defense in depth, least-privilege access, hardening standards, single primary purpose.
- PCI scope must include all devices required to facilitate the virtual environment.
13 Scope Guidance
- PCI DSS Virtualization Guidelines section 2.2 includes scope guidance for key areas of virtualization.
- If any virtual component connected to (or hosted on) the hypervisor is in scope for PCI DSS, the hypervisor itself will always be in scope (2.2.1).
- An entire VM will be in scope if it stores, processes or transmits cardholder data, or if it connects to or provides an entry point into the CDE. If a VM is in scope, both the underlying host system and the hypervisor would also be considered in scope, as they are directly connected to and have a fundamental impact on the functionality and security of the VM (2.2.2).
14 Scope Guidance
- Virtual appliances used to connect or provide services to in-scope system components or networks would be considered in scope. Any virtual security appliance that could impact the security of the CDE would also be considered in scope (2.2.3).
- Networks provisioned on a hypervisor-based virtual switch will be in scope if provisioned with an in-scope component or if they provide services or connect to an in-scope component. Physical devices hosting virtual switches or routers would be considered in scope if any of the hosted components connects to an in-scope network (2.2.4).
15 Scope Guidance
- Virtual applications and desktops will be in scope if they are involved in the processing, storage or transmission of cardholder data, or provide access to the CDE. If a virtual application or desktop is provisioned on the same physical host or hypervisor as an in-scope component, the virtual application/desktop will also be in scope unless adequate segmentation is in place that isolates all in-scope components from the out-of-scope components (2.2.5).
16 Security Control Considerations
17 SSC Recommendations
- The recommendations are very similar to what is already required by the PCI DSS: risk assessment, physical access, least privilege, hardening.
18 SSC Recommendations
- There are some new considerations.
- If any components running on a single hypervisor are in scope, it is recommended that all components on that hypervisor be considered in scope.
- Isolate security functions from the virtual devices (including the host) they are protecting. Example: do not run a virtual firewall on the same logical host as the card data it is configured to protect.
19 Segmentation is Possible (4.2)
- In order for in-scope and out-of-scope VMs to coexist on the same host or hypervisor, the VMs must be isolated from each other such that they can effectively be regarded as separate hardware on different network segments with no connectivity to each other.
- Proper segmentation for in-scope and out-of-scope systems on the same host must be equivalent to a level of isolation achievable in the physical world.
- Beware of out-of-band communication resulting from shared resources (processors, volatile and non-volatile memory, device drivers, etc.).
20 Segmentation is Possible
- If it is not feasible for a particular implementation to enforce isolation of in-scope components from out-of-scope components via shared resources or other out-of-band channels, all components accessing the shared resource or out-of-band channel should be considered in scope, as they are effectively connected to the in-scope component.
- Proper segmentation is difficult.
21 Control Considerations
- Requirement 1: Install and maintain a firewall configuration to protect cardholder data.
- Inbound and outbound traffic to/from the CDE could include VM-to-VM interactions that never traverse the physical network.
- Boundaries between trusted and untrusted networks may be dynamic and difficult to define.
- Recommendation: do not locate untrusted systems or networks on the same host or hypervisor as systems included in the CDE.
22 Security Control Considerations
- Requirement 3: Protect stored cardholder data.
- CHD, sensitive data and cryptographic keys could exist in archived, off-line or dormant VM images and snapshots.
- Privileged accounts or processes running on the host or hypervisor could inadvertently be granted access to cryptographic keys from within a hosted component.
- Recommendation: do not house virtual components that perform key-management functions or store keys on the same hypervisor or host as components that store or access data protected by those keys.
23 Control Considerations
- Requirement 6: Develop and maintain secure systems and applications.
- Development/test systems and data could be inadvertently moved to production environments, or vice versa, via virtual replication, imaging or snapshot mechanisms.
- Testing of changes to virtualized components may need to consider multiple levels of potential impact.
- Recommendation: do not locate development/test systems or networks on the same host or hypervisor as production systems or networks.
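The scoping rules on slides 12 to 15 and 18, and the same-host recommendations on slides 21 to 23, can be applied mechanically to an inventory. The following Python script is an added example, not FishNet Security's or the PCI SSC's tooling: it models hosts, hypervisors, virtual switches, VMs, desktops and virtual appliances in a constructed inventory, propagates scope until no rule pulls in anything new, and reports the co-location findings the slides warn about. The inventory, the names, and the `segmented` flag (an assessor's judgment that isolation is equivalent to physical separation, per section 4.2) are assumptions made for the example.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional

GUEST_KINDS = {"vm", "desktop", "appliance"}


@dataclass
class Component:
    kind: str                         # host | hypervisor | vswitch | vm | desktop | appliance
    on: Optional[str] = None          # hypervisor for guests and vswitches; physical host for hypervisors
    networks: List[str] = field(default_factory=list)   # vswitches a guest attaches to
    serves: List[str] = field(default_factory=list)     # guests a security appliance protects
    chd: bool = False                 # stores/processes/transmits CHD or is an entry point into the CDE
    role: str = "prod"                # prod | dev | untrusted (slides 21 and 23)
    segmented: bool = False           # hypervisor only: isolation validated as physical-equivalent (4.2)


def compute_scope(inv: Dict[str, Component]) -> Dict[str, str]:
    """Return {component: reason} for everything pulled into PCI DSS scope."""
    scope = {n: "stores/processes/transmits CHD or is a CDE entry point (2.2.2)"
             for n, c in inv.items() if c.chd}
    changed = True
    while changed:                    # repeat until no rule adds a new component
        changed = False
        for name, c in inv.items():
            if name in scope:
                continue
            why = None
            if c.kind == "hypervisor" and any(o.on == name and n in scope for n, o in inv.items()):
                why = "hosts or carries an in-scope component (2.2.1, 2.2.2)"
            elif c.kind == "host" and any(
                    o.kind == "hypervisor" and o.on == name and n in scope for n, o in inv.items()):
                why = "underlying host of an in-scope hypervisor (2.2.2, 2.2.4)"
            elif c.kind == "vswitch" and any(name in o.networks and n in scope for n, o in inv.items()):
                why = "provisioned with an in-scope component (2.2.4)"
            elif c.kind == "appliance" and any(s in scope for s in c.serves):
                why = "provides services to an in-scope component (2.2.3)"
            elif c.kind in GUEST_KINDS and c.on in scope and not inv[c.on].segmented:
                why = "shares an unsegmented hypervisor with in-scope components (2.2.5, slide 18)"
            if why:
                scope[name] = why
                changed = True
    return scope


def colocation_findings(inv: Dict[str, Component], scope: Dict[str, str]) -> List[str]:
    """Flag host sharing the supplement advises against (section 4.2 and slides 18, 21, 23)."""
    findings = []
    for hv_name, hv in inv.items():
        if hv.kind != "hypervisor":
            continue
        guests = {n: c for n, c in inv.items() if c.kind in GUEST_KINDS and c.on == hv_name}
        inside = sorted(n for n in guests if n in scope)
        outside = sorted(n for n in guests if n not in scope)
        if inside and outside:
            findings.append(f"{hv_name}: mixed-mode host, in scope {inside} beside out of scope "
                            f"{outside}; isolation must be proven equivalent to physical separation (4.2)")
        if inside and any(c.role in ("dev", "untrusted") for c in guests.values()):
            findings.append(f"{hv_name}: dev/test or untrusted guests share a host with CDE systems "
                            "(Requirements 1 and 6)")
        for n, c in guests.items():
            protected = [s for s in c.serves if s in guests]
            if c.kind == "appliance" and protected:
                findings.append(f"{n}: security appliance runs on the same hypervisor as {protected}, "
                                "the guests it protects (slide 18)")
    return findings


# Constructed sample inventory for the example; every name here is made up.
INVENTORY = {
    "host-01": Component("host"),
    "hv-01": Component("hypervisor", on="host-01"),            # no validated segmentation
    "vsw-cde": Component("vswitch", on="hv-01"),
    "vsw-corp1": Component("vswitch", on="hv-01"),
    "pos-db": Component("vm", on="hv-01", networks=["vsw-cde"], chd=True),
    "intranet-wiki": Component("vm", on="hv-01", networks=["vsw-corp1"]),
    "vfw-01": Component("appliance", on="hv-01", networks=["vsw-cde"], serves=["pos-db"]),
    "host-02": Component("host"),
    "hv-02": Component("hypervisor", on="host-02", segmented=True),   # isolation validated
    "vsw-pay": Component("vswitch", on="hv-02"),
    "vsw-corp2": Component("vswitch", on="hv-02"),
    "payment-gw": Component("vm", on="hv-02", networks=["vsw-pay"], chd=True),
    "hr-app": Component("vm", on="hv-02", networks=["vsw-corp2"]),
    "dev-pos": Component("vm", on="hv-02", networks=["vsw-corp2"], role="dev"),
}

if __name__ == "__main__":
    scope = compute_scope(INVENTORY)
    for name in INVENTORY:
        print(f"{name:14} {'IN SCOPE' if name in scope else 'out     '}  {scope.get(name, '')}")
    for finding in colocation_findings(INVENTORY, scope):
        print("FINDING:", finding)
```

In the sample, `intranet-wiki` is dragged into scope only because `hv-01` has no validated segmentation, while `hr-app` stays out on the segmented `hv-02`; the findings then show the price of that segmentation: a mixed-mode host that the assessor must prove isolated, and a dev VM beside a production CDE system.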
24 FishNet Security's Take
25 Scoping The Cloud: defining The Cloud
- "The Cloud" refers to complete services delivered over the Internet, typically through self-service end-user portals, with no visibility into the underlying technologies that enable these services; it can incorporate hardware, software and services into a single revenue stream.
- A cloud can be private, public or a combination. A public cloud sells services to anyone on the Internet. A private cloud is a proprietary network or data center that supplies hosted services to users behind a firewall.
26 Scoping The Cloud: what type of cloud
- Cloud services are broadly divided into three categories: Infrastructure-as-a-Service (IaaS), Platform-as-a-Service (PaaS) and Software-as-a-Service (SaaS).
27 Scoping The Cloud (image-only slide; no text extracted)
28 Scoping The Cloud: cloud considerations
- Compliance is not focused on SLAs but on control, ownership and acceptance of such.
- The cloud ultimately means a partial loss of control.
- Cloud providers are still service providers; loss of control to a service provider means the requirements in 12.8 must be fulfilled: tracking, due diligence, contractual ownership of cardholder data in the provider's possession, and PCI compliance tracking at least annually.
29 Key Actions
- Carefully plan the security for a virtualization solution before installing, configuring and deploying it.
- Deliver network security and segmentation.
- Address platform hardening: harden and secure both the host and the virtualization application itself; ensure that only required capabilities are installed or active.
- Assure that all elements of a virtualization solution are secured to a principle of least privilege, provide separation of duties where applicable, restrict, protect, account for and log administrative access, and maintain their security.
30 Key Actions
- Extend configuration and change management principles to the virtual components.
- Monitor logs from the virtual infrastructure alongside those of physical assets.
- Implement VM-specific security mechanisms, where available, to monitor and detect information opaque to traditional network security controls.
- Track all instances from cradle to grave and assure proper destruction.
- Validate any VM image or template before implementation.
- Monitor for unplanned or unauthorized virtualization usage across the enterprise.
- Perform due diligence on service providers engaged in cloud services.
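Three of the slide 30 actions ("monitor logs from the virtual infrastructure", "track all instances from cradle to grave", "monitor for unplanned or unauthorized virtualization usage") reduce to a small detection over hypervisor audit events. The Python below is an added example, not FishNet Security's tooling: it parses a constructed key=value event log (a made-up format, not any vendor's), flags VM creations and clones that carry no change record or fall outside the approved inventory, flags snapshots and clones of in-scope VMs as new copies of CHD, and keeps a per-VM lifecycle so instances never recorded as destroyed can be listed. The event names, the approved inventory and the in-scope set are assumptions.

```python
import re
from collections import defaultdict
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample audit lines in a generic key=value format (not any vendor's real log format).
SAMPLE_LOG = """\
2011-06-07T10:02:11Z hv-01 event=VmCreated vm=pos-db user=admin change=CHG-1042
2011-06-07T10:05:40Z hv-01 event=VmPoweredOn vm=pos-db user=admin
2011-06-08T02:13:07Z hv-02 event=VmCreated vm=test-lab-7 user=jsmith
2011-06-08T02:13:09Z hv-02 event=SnapshotCreated vm=payment-gw user=jsmith
2011-06-09T11:00:00Z hv-01 event=VmDeleted vm=intranet-wiki user=admin change=CHG-1050
2011-06-09T11:00:05Z hv-02 event=VmCloned vm=payment-gw target=payment-gw-copy user=jsmith
"""

APPROVED_VMS = {"pos-db", "payment-gw", "intranet-wiki"}   # change-managed inventory (constructed)
IN_SCOPE_VMS = {"pos-db", "payment-gw"}                    # result of the scoping exercise (assumed)

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<host>\S+)\s+(?P<rest>.*)$")


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Split '<timestamp> <host> k=v k=v ...' into a dict; None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = {"ts": m["ts"], "host": m["host"]}
    rec.update(re.findall(r"(\w+)=(\S+)", m["rest"]))
    return rec


def analyze(lines, approved: Set[str], in_scope: Set[str]):
    """Return (findings, lifecycle): alert strings and a per-VM list of (event, ts, host)."""
    findings: List[str] = []
    lifecycle: Dict[str, List[Tuple[str, str, str]]] = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None or "event" not in rec:
            continue
        event, vm, ts, user = rec["event"], rec.get("vm"), rec["ts"], rec.get("user", "?")
        if event in ("VmCreated", "VmCloned"):
            new_vm = rec.get("target", vm) if event == "VmCloned" else vm   # clone target is the new VM
            lifecycle[new_vm].append(("created", ts, rec["host"]))
            if "change" not in rec:
                findings.append(f"{ts} {new_vm}: {event} by {user} with no change record")
            if new_vm not in approved:
                findings.append(f"{ts} {new_vm}: not in the approved inventory (unplanned virtualization usage)")
            if event == "VmCloned" and vm in in_scope:
                findings.append(f"{ts} {new_vm}: clone of in-scope VM {vm}, a new copy of CHD to scope and track")
        elif event == "SnapshotCreated" and vm in in_scope:
            findings.append(f"{ts} {vm}: snapshot of an in-scope VM may hold CHD or keys; track and protect it (Requirement 3)")
        elif event == "VmDeleted":
            lifecycle[vm].append(("deleted", ts, rec["host"]))
    return findings, dict(lifecycle)


def live_instances(lifecycle: Dict[str, List[Tuple[str, str, str]]]) -> Set[str]:
    """VMs created or cloned during the log window and never recorded as destroyed."""
    return {vm for vm, events in lifecycle.items() if events[-1][0] != "deleted"}


if __name__ == "__main__":
    findings, lifecycle = analyze(SAMPLE_LOG.splitlines(), APPROVED_VMS, IN_SCOPE_VMS)
    for f in findings:
        print("FINDING:", f)
    print("still live:", sorted(live_instances(lifecycle)))
```

The two uncontrolled events in the sample (the ad-hoc `test-lab-7` and the clone of `payment-gw`) each produce more than one finding on purpose: a missing change record and an unapproved name are separate control failures, and the clone additionally creates cardholder data that the scope inventory does not yet know about.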
31 In Summary
32 (image-only slide; no text extracted)
33 Make Compliance Easier
- All PCI DSS requirements apply to a virtualized environment.
- Do not mix non-cardholder-data environments with cardholder data environments on the same host.
- Document all connections and data flows into the virtual environment and within the virtual environment.
- If one virtual component is deemed in scope, consider all physical and virtual devices on the same host as in scope for a PCI DSS assessment and treat them in the same manner as their physical counterparts.
34 Links
- PCI SSC Virtualization Supplement Document
- National Institute of Standards and Technology
- VMware Compliance Center
- Microsoft Virtualized Server Security Security.pdf
- The Cloud Security Alliance Consensus Assessments Initiative
- Center for Internet Security Virtual Machine Security Guidelines
35 Questions
Reference: PCI Security Standards Council, Information Supplement: PCI DSS Virtualization Guidelines, for PCI Data Security Standard (PCI DSS) version 2.0, June 2011, authored by the PCI DSS Virtualization Special Interest Group.
More informationVirtualization & Cloud Computing Risks NASSCOM-DSCI Information Security Summit 2009 November 24, 2009
Virtualization & Cloud Computing Risks NASSCOM-DSCI Information Security Summit 2009 November 24, 2009 Felix Mohan CISO, Bharti Airtel Ltd Virtualization & Cloud Computing Strategic Technologies with Significant
More informationSecurity Compliance in a Virtual World
RSA Security Brief Security Compliance in a Virtual World Best Practices to Build a Solid Foundation Authors Bret Hartman, Chief Technology Officer, RSA, the Security Division of EMC Dr. Stephen Herrod,
More informationTechnical Brief: Virtualization
Technical Brief: Virtualization Technology Overview Tempered Networks automates connectivity and network security for distributed devices over trusted and untrusted network infrastructure. The Tempered
More informationOverview of Cloud Computing and Cloud Computing s Use in Government Justin Heyman CGCIO, Information Technology Specialist, Township of Franklin
Overview of Cloud Computing and Cloud Computing s Use in Government Justin Heyman CGCIO, Information Technology Specialist, Township of Franklin Best Practices for Security in the Cloud John Essner, Director
More informationThoughts on PCI DSS 3.0. D. Timothy Hartzell CISSP, CISM, QSA, PA-QSA Associate Director
Thoughts on PCI DSS 3.0 D. Timothy Hartzell CISSP, CISM, QSA, PA-QSA Associate Director Agenda 1 2 3 Global Payment Card Statistics and Trends PCI DSS Overview PCI DSS Version 3.0: Important Timelines
More informationH Y T RUST: S OLUTION B RIEF. Solve the Nosy Neighbor Problem in Multi-Tenant Environments
H Y T RUST: S OLUTION B RIEF Solve the Nosy Neighbor Problem in Multi-Tenant Environments Summary A private cloud with multiple tenants such as business units of an enterprise or customers of a cloud service
More informationHow To Protect A Virtual Desktop From Attack
Endpoint Security: Become Aware of Virtual Desktop Infrastructures! An Ogren Group Special Report May 2011 Executive Summary Virtual desktops infrastructures, VDI, present IT with the unique opportunity
More informationCan You be HIPAA/HITECH Compliant in the Cloud?
Can You be HIPAA/HITECH Compliant in the Cloud? Background For the first 10 years of its existence, the Health Insurance Portability and Accountability Act of 1996 (HIPAA) was a toothless tiger. Although
More informationCase 2:13-cv-01887-ES-JAD Document 282-2 Filed 12/09/15 Page 1 of 116 PageID: 4879. Appendix A
Case 2:13-cv-01887-ES-JAD Document 282-2 Filed 12/09/15 Page 1 of 116 PageID: 4879 Appendix A Case 2:13-cv-01887-ES-JAD Document 282-2 Filed 12/09/15 Page 2 of 116 PageID: 4880 Payment Card Industry (PCI)
More informationImplementing and Managing Microsoft Desktop Virtualization 10324 en
Implementing and Managing Microsoft Desktop Virtualization 10324 en Course Outline Module 1: Overview of Desktop Virtualization Scenarios Many organizations are exploring the use of virtualization to optimize
More informationThird Party Agent (TPA) Registration Program - TPA Types and Functional Descriptions
Third Party Agent (TPA) Registration Program - TPA Types and Functional Descriptions Independent Sales Organizations (ISO) ISO Merchant (ISO M) Conducts merchant account or transaction processing solicitation,
More informationYou Can Survive a PCI-DSS Assessment
WHITE PAPER You Can Survive a PCI-DSS Assessment A QSA Primer on Best Practices for Overcoming Challenges and Achieving Compliance The Payment Card Industry Data Security Standard or PCI-DSS ensures the
More informationThe Importance of User Workspace Virtualization in Desktop Virtualization
res Software // Whitepaper The Importance of User Workspace Virtualization in Desktop Virtualization Whitepaper Transforming Desktops into Workspaces 2 Table of content: Abstract... 3 What is desktop virtualization?...4
More informationImplementing and Managing Windows Server 2008 Hyper-V
Course 6422A: Implementing and Managing Windows Server 2008 Hyper-V Length: 3 Days Language(s): English Audience(s): IT Professionals Level: 300 Technology: Windows Server 2008 Type: Course Delivery Method:
More informationVMware Security Briefing. Rob Randell, CISSP Senior Security Specialist SE
VMware Security Briefing Rob Randell, CISSP Senior Security Specialist SE Agenda Security Advantages of Virtualization Security Concepts in Virtualization Architecture Operational Security Issues with
More informationVirtualization System Security
Virtualization System Security Bryan Williams, IBM X-Force Advanced Research Tom Cross, Manager, IBM X-Force Security Strategy 2009 IBM Corporation Overview Vulnerability disclosure analysis Vulnerability
More informationPayment Application Data Security Standard
Payment Card Industry (PCI) Payment Application Data Security Standard ROV Reporting Instructions for PA-DSS v2.0 March 2012 Changes Date March 2012 Version Description Pages 1.0 To introduce PA-DSS ROV
More informationSecurity Considerations
Concord Fax Security Considerations For over 15 years, Concord s enterprise fax solutions have helped many banks, healthcare professionals, pharmaceutical companies, and legal professionals securely deliver
More informationThe Payment Card Industry (PCI) Data Security Standards (DSS) v1.2 Requirements:
Compliance Brief The Payment Card Industry (PCI) Data Security Standards (DSS) v1.2 Requirements: Using Server Isolation and Encryption as a Regulatory Compliance Solution and IT Best Practice Introduction
More informationAchieving PCI-Compliance through Cyberoam
White paper Achieving PCI-Compliance through Cyberoam The Payment Card Industry (PCI) Data Security Standard (DSS) aims to assure cardholders that their card details are safe and secure when their debit
More informationCloud Computing: Opportunities, Challenges, and Solutions. Jungwoo Ryoo, Ph.D., CISSP, CISA The Pennsylvania State University
Cloud Computing: Opportunities, Challenges, and Solutions Jungwoo Ryoo, Ph.D., CISSP, CISA The Pennsylvania State University What is cloud computing? What are some of the keywords? How many of you cannot
More informationWhat s New with VMware Virtual Infrastructure
What s New with VMware Virtual Infrastructure Virtualization: Industry-Standard Way of Computing Early Adoption Mainstreaming Standardization Test & Development Server Consolidation Infrastructure Management
More information