PCI Compliance in a Virtualized World

Save this PDF as:
 WORD  PNG  TXT  JPG

Size: px
Start display at page:

Download "PCI Compliance in a Virtualized World"

Transcription

1 PCI Compliance in a Virtualized World Security Technology Infrastructure Security Integration 24x7 Support MSS Training Information Assurance Staff Augmentation

2 Presenters John Clark QSA, PMP, CISA, CISSP Security Consultant, FishNet Security Over 13 years in technology and security Trusted security expert in legal, financial, utilities, and banking Expert in customer centric solutions & remediation strategies Eric Fisher QSA, MCSE, MCP, CEH Security Consultant, FishNet Security More than 20 years in virtualized security planning and design Held membership in PCI Council special interest group Current member of Cloud Security Alliance National speaker on PCI Compliance in virtual environments

3 Agenda Basic definitions History & Trending PCI Compliance in virtualized environments Impact on Compliance Scoping Guidance Security Control Considerations SSC Recommendations FishNet Security s Take Dealing with The Cloud Key points [Top Advice / Recommended Best Practices] In Summary Links Questions

4 Definitions Virtualization is the usage of a logical simulation to create independent versions of something, such as an operating system, server hardware, storage, memory, networking, data or other resources from those resources. Host is the actual component on which virtualization occurs Guest is the virtualized entity Hardware Virtualization Full / Partial / Paravirtualization (Hypervisors, vpar, npar, LPAR) Software Virtualization Application / Workspace (XenApp / App-V / ThinApp / Wine) Operating System level (Containers / VEs / VPSs / Jails / Zones) Desktop / Session (VDI / Remote Desktop Services / Citrix / Virtual Linux Desktop / Virtual Terminal )

5 History Has been around since mainframes decades ago. May not be obvious but most everyone uses the core technology in some way. Advancement, formalization and marketing Virtualization The Cloud

6 PCI Compliance in Virtualized Environments

7 Some Statistics Gartner Reports In 2010 it was estimated that 18 million virtual servers will be deployed in 2011 The penetration of server virtualization in midsize companies with between 100 and 1,000 employees will exceed the Global 500 It is not uncommon for organizations to halt their virtualization deployments Cost overruns and process issues Found that these issues were avoidable, with good upfront planning. Gartner report G : Six Misconceptions about Server Virtualization

8

9 PCI DSS Virtualization Guidelines What happened SSC Published guidelines in June 6 sections Introduction Virtualization Overview Risks for Virtualized Environments Recommendations Conclusion Virtualization Considerations for PCI DSS No new requirements for the DSS Provided clarity in how to address virtualized components in an assessment

10 PCI Compliance Any virtual environment can be compliant Virtual Machines of different security levels (Mixed- Mode) can be hosted on the same hypervisor or physical host, but do you want to do that? Security Considerations Complexity Cost Consideration

11 Impact on Compliance Four principles to keep in mind 1. PCI DSS requirements apply to the virtualization technologies and components used in the storage, processing or transmittal of cardholder data. 2. Virtualization technology introduces new risks that may not be relevant to other technologies, and those risks must be assessed. 3. Implementations of virtual technologies can vary greatly. 4. There is no one-size-fits-all method or solution to configure virtualized environments to meet PCI DSS requirements.

12 Scope Guidance Virtual devices should be treated no differently than their physical counterparts Segmentation Physical Security Defense in Depth Least Privilege Access Hardening Standards Single Primary Purpose PCI scope must include all devices required to facilitate the virtual environment

13 Scope Guidance PCI DSS Virtualization Guidelines Section 2.2 includes Scope Guidance for key areas of virtualization If any virtual component connected to (or hosted on) the hypervisor is in scope for PCI DSS, the hypervisor itself will always be in scope (2.2.1) An entire VM will be in scope if it stores, processes or transmits cardholder data, or if it connects to or provides an entry point into the CDE. If a VM is in scope, both the underlying host system and the hypervisor would also be considered in scope, as they are directly connected to and have a fundamental impact on the functionality and security of the VM (2.2.2)

14 Scope Guidance Virtual Appliances used to connect or provide services to inscope system components or networks would be considered in-scope. Any Virtual Security Appliance that could impact the security of the CDE would also be considered in scope (2.2.3) Networks provisioned on a hypervisor-based virtual switch will be in scope if provisioned with an in-scope component or if they provide services or connect to an in-scope component. Physical devices hosting virtual switches or routers would be considered in scope if any of the hosted components connects to an in-scope network (2.2.4)

15 Scope Guidance Virtual applications and desktops will be in scope if they are involved in the processing, storage, or transmission of cardholder data, or provide access to the CDE. If a virtual application or desktop is provisioned on the same physical host or hypervisor as an in-scope component, the virtual application/desktop will also be in scope unless adequate segmentation is in place that isolates all in-scope components from the out-of-scope components (2.2.5)

16 Security Control Considerations

17 SSC Recommendations Recommendations are very similar to what is already required by the PCI-DSS Risk Assessment Physical Access Least privilege Hardening

18 SSC Recommendations There are some new considerations If any components running on a single hypervisor are in scope, it is recommended that all components on that hypervisor be considered in-scope Isolate security functions from the virtual devices (including the host) they are protecting Example: Do not run a virtual firewall on the same logical host as the card data it is configured to protect.

19 Segmentation is Possible 4.2 In order for in-scope and out-of-scope VMs to coexist on the same host or hypervisor, the VMs must be isolated from each other such that they can effectively be regarded as separate hardware on different network segments with no connectivity to each other. Proper segmentation for in-scope and out-of-scope systems on the same host must be equivalent to a level of isolation achievable in the physical world Beware of out of band communication resulting from shared resources (processors, volatile and non-volatile memory, device drivers, etc)

20 Segmentation is Possible If it is not feasible for a particular implementation to enforce isolation of in-scope components from out-of-scope components via shared resources or other out-of-band channels, all components accessing the shared resource or out-ofband channel should be considered in scope, as they are effectively connected to the in-scope component. Proper Segmentation is Difficult

21 Control Considerations Requirement 1: Install and maintain a firewall configuration to protect cardholder data Inbound and outbound traffic to/from the CDE could include VM-to-VM interactions that never traverse the physical network. Boundaries between trusted and untrusted networks may be dynamic and difficult to define Recommendation Do not locate untrusted systems or networks on the same host or hypervisor as systems included in the CDE.

22 Security Control Considerations Requirement 3: Protect stored cardholder data CHD, sensitive data and cryptographic keys could exist in archived, off-line or dormant VM images and snapshots Privileged accounts or processes running on the host or hypervisor could inadvertently be granted access to cryptographic keys from within a hosted component Recommendation Do not house virtual components that perform keymanagement functions or store keys on the same hypervisor or host as components that store or access data protected by those keys.

23 Control Considerations Requirement 6: Develop and maintain secure systems and applications Development/test systems and data could be inadvertently moved to production environments, or vice versa, via virtual replication, imaging, or snapshot mechanisms. Testing of changes to virtualized components may need to consider multiple levels of potential impact. Recommendation Do not locate development/test systems or networks on the same host or hypervisor as production systems or networks.

24 FishNet Security s Take

25 Scoping The Cloud Defining The Cloud? The Cloud refers to complete services delivered over the Internet typically using self-service end user portals with no visibility to the underlying technologies that enable these services and can incorporate hardware, software and services into a single revenue stream. A cloud can be private, public or a combination. A public cloud sells services to anyone on the Internet. A private cloud is a proprietary network or a data center that supplies hosted services to users behind a firewall.

26 Scoping The Cloud What type of cloud Cloud services are broadly divided into three categories: Infrastructure-as-a-Service (IaaS) Platform-as-a-Service (PaaS) Software-as-a-Service (SaaS).

27 Scoping The Cloud

28 Scoping The Cloud Cloud Considerations Compliance is not focused on SLAs, but control, ownership and acceptance of such. The cloud ultimately means a partial loss of control Cloud providers are still service providers Loss of control to a service provider means requirements in 12.8 must be fulfilled Tracking Due diligence Contractual ownership of cardholder data in possession PCI Compliance tracking at least annually

29 Key actions Carefully plan the security for a virtualization solution before installing, configuring and deploying it Deliver network security and segmentation Address platform hardening Harden and secure both the host and the virtualization application itself Ensure that only required capabilities are installed or active. Assure that all elements of a virtualization solution; Are secured to a principle of least privilege Provide a separation of duties where applicable Restrict, protect, account and log administrative access Maintain their security

30 Key actions Extend configuration and change management principles to the virtual components Monitor logs from the virtual infrastructure alongside those of physical assets Implement VM-specific security mechanisms, where available, to monitor and detect information opaque to traditional network security controls Track all instances from cradle to grave and assure proper destruction Validate any VM image or template before implementation Monitor for unplanned or unauthorized virtualization usage across enterprise Perform due diligence on service providers engaged in cloud services.

31 In Summary

32

33 Make Compliance Easier All PCI-DSS requirements apply to a virtualized environment. Do not mix non Card Data Environments with Card Data Environments on the same host Document all connections and data flows into the virtual environment and within the virtual environment If 1 virtual component is deemed in scope, consider all physical and virtual devices on the same host as in scope for a PCI-DSS assessment and treat them in the same manner as the physical counterpart

34 Links PCI SSC Virtualization Supplement Document https://www.pcisecuritystandards.org/documents/virtualization_infosupp_v2.pdf National Institute of Standards and Technology VMware Compliance Center Microsoft Virtualized Server Security Security.pdf The Cloud Security Alliance Consensus Assessments Initiative https://cloudsecurityalliance.org/research/initiatives/consensus-assessmentsinitiative/ Center for Internet Security Virtual Machine Security Guidelines

35 Questions

PCI DSS Virtualization Guidelines. Information Supplement: PCI Data Security Standard (PCI DSS) Version: 2.0 Date: June 2011

PCI DSS Virtualization Guidelines. Information Supplement: PCI Data Security Standard (PCI DSS) Version: 2.0 Date: June 2011 Standard: Version: 2.0 Date: June 2011 Author: PCI Data Security Standard (PCI DSS) Virtualization Special Interest Group PCI Security Standards Council Information Supplement: PCI DSS Virtualization Guidelines

More information

Passing Compliance Audit: Virtualize PCI-compliant Workloads with the Help of HyTrust and Trend Micro Deep Security

Passing Compliance Audit: Virtualize PCI-compliant Workloads with the Help of HyTrust and Trend Micro Deep Security WHITE PAPER August 2011 Passing Compliance Audit: Virtualize PCI-compliant Workloads with the Help of HyTrust and Trend Micro Deep Security HYTRUST AND TREND MICRO DEEP SECURITY TOC Contents Virtualization

More information

ARE YOU REALLY PCI DSS COMPLIANT? Case Studies of PCI DSS Failure! Jeff Foresman, PCI-QSA, CISSP Partner PONDURANCE

ARE YOU REALLY PCI DSS COMPLIANT? Case Studies of PCI DSS Failure! Jeff Foresman, PCI-QSA, CISSP Partner PONDURANCE ARE YOU REALLY PCI DSS COMPLIANT? Case Studies of PCI DSS Failure! Jeff Foresman, PCI-QSA, CISSP Partner PONDURANCE AGENDA PCI DSS Basics Case Studies of PCI DSS Failure! Common Problems with PCI DSS Compliance

More information

VMware Solution Guide for. Payment Card Industry (PCI) September 2012. v1.3

VMware Solution Guide for. Payment Card Industry (PCI) September 2012. v1.3 VMware Solution Guide for Payment Card Industry (PCI) September 2012 v1.3 VALIDATION DO CU MENT Table of Contents INTRODUCTION... 3 OVERVIEW OF PCI AS IT APPLIES TO CLOUD/VIRTUAL ENVIRONMENTS... 5 GUIDANCE

More information

managing the risks of virtualization

managing the risks of virtualization managing the risks of virtualization Chris Wraight CA Technologies 28 February 2011 Session Number 8951 abstract Virtualization opens the door to a world of opportunities and well managed virtualization

More information

Virtualization Impact on Compliance and Audit

Virtualization Impact on Compliance and Audit 2009 Reflex Systems, LLC Virtualization Impact on Compliance and Audit Michael Wronski, CISSP VP Product Management Reflex Systems Agenda Introduction Virtualization? Cloud? Risks and Challenges? Compliance

More information

Automating Cloud Security Control and Compliance Enforcement for PCI DSS 3.0

Automating Cloud Security Control and Compliance Enforcement for PCI DSS 3.0 WHITE PAPER Automating Cloud Security Control and Compliance Enforcement for 3.0 How Enables Security and Compliance with the PCI Data Security Standard in a Private Cloud EXECUTIVE SUMMARY All merchants,

More information

Preparing an RFI for. This RFI has been updated to reflect the new requirements in Version 3.0 of the PCI DSS, which took effect January 2015.

Preparing an RFI for. This RFI has been updated to reflect the new requirements in Version 3.0 of the PCI DSS, which took effect January 2015. Preparing an RFI for Protecting cardholder data is a critical and mandatory requirement for all organizations that process, store or transmit information on credit or debit cards. Requirements and guidelines

More information

Thoughts on PCI DSS 3.0. September, 2014

Thoughts on PCI DSS 3.0. September, 2014 Thoughts on PCI DSS 3.0 September, 2014 Speaker Today Jeff Sanchez is a Managing Director in Protiviti s Los Angeles office. He joined Protiviti in 2002 after spending 10 years with Arthur Andersen s Technology

More information

VCE Addendum to VMware Solution Guide for Payment Card Industry Data Security Standard

VCE Addendum to VMware Solution Guide for Payment Card Industry Data Security Standard March 2013 Solution Guide for Payment Card Industry (PCI) Partner Addendum VCE Addendum to VMware Solution Guide for Payment Card Industry Data Security Standard VCE Vblock Systems The findings and recommendations

More information

PCI Compliance and the Cloud: What You Can and What You Can t Outsource Presented By:

PCI Compliance and the Cloud: What You Can and What You Can t Outsource Presented By: PCI Compliance and the Cloud: What You Can and What You Can t Outsource Presented By: Peter Spier Managing Director PCI and Risk Assurance Fortrex Technologies Agenda Instructor Biography Background On

More information

Making Data Security The Foundation Of Your Virtualization Infrastructure

Making Data Security The Foundation Of Your Virtualization Infrastructure Making Data Security The Foundation Of Your Virtualization Infrastructure by Dave Shackleford hytrust.com Cloud Under Control P: P: 650.681.8100 Securing data has never been an easy task. Its challenges

More information

Architecting and Building a Secure and Compliant Virtual Infrastructure and Private Cloud

Architecting and Building a Secure and Compliant Virtual Infrastructure and Private Cloud Architecting and Building a Secure and Compliant Virtual Infrastructure and Private Cloud Rob Randell, CISSP Principal Systems Engineer Security Specialist Agenda What is the Cloud? Virtualization Basics

More information

Virtualization Technologies. Embrace the new world of healthcare

Virtualization Technologies. Embrace the new world of healthcare Virtualization Technologies Embrace the new world of healthcare Overview Introduction and Virtualization Basics Core Virtualization Technologies Enterprise Server Virtualization Solutions End User and

More information

Mitigating Information Security Risks of Virtualization Technologies

Mitigating Information Security Risks of Virtualization Technologies Mitigating Information Security Risks of Virtualization Technologies Toon-Chwee, Wee VMWare (Hong Kong) 2009 VMware Inc. All rights reserved Agenda Virtualization Overview Key Components of Secure Virtualization

More information

CyberSource Payment Security. with PCI DSS Tokenization Guidelines

CyberSource Payment Security. with PCI DSS Tokenization Guidelines CyberSource Payment Security Compliance The PCI Security Standards Council has published guidelines on tokenization, providing all merchants who store, process, or transmit cardholder data with guidance

More information

Top 10 PCI Concerns. Jeff Tucker Sr. Security Consultant, Foundstone Professional Services

Top 10 PCI Concerns. Jeff Tucker Sr. Security Consultant, Foundstone Professional Services Top 10 PCI Concerns Jeff Tucker Sr. Security Consultant, Foundstone Professional Services About Jeff Tucker QSA since Spring of 2007, Lead for the Foundstone s PCI Services Security consulting and project

More information

CloudControl Support for PCI DSS 3.0

CloudControl Support for PCI DSS 3.0 HyTrust CloudControl Support for PCI DSS 3.0 Summary In PCI DSS 3.0, hypervisors and virtual networking components are always in-scope for audit; Native auditing capabilities from the core virtualization

More information

PCI COMPLIANCE ON AWS: HOW TREND MICRO CAN HELP

PCI COMPLIANCE ON AWS: HOW TREND MICRO CAN HELP solution brief PCI COMPLIANCE ON AWS: HOW TREND MICRO CAN HELP AWS AND PCI DSS COMPLIANCE To ensure an end-to-end secure computing environment, Amazon Web Services (AWS) employs a shared security responsibility

More information

Desktop Virtualization Technologies and Implementation

Desktop Virtualization Technologies and Implementation ISSN : 2250-3021 Desktop Virtualization Technologies and Implementation Pranit Patil 1, Shakti Shekar 2 1 ( Mumbai, India) 2 (Mumbai, India) ABSTRACT Desktop virtualization is new desktop delivery method

More information

Strategic Compliance & Securing the Cloud. Annalea Sharack-Ilg, CISSP, AMBCI Technical Director of Information Security

Strategic Compliance & Securing the Cloud. Annalea Sharack-Ilg, CISSP, AMBCI Technical Director of Information Security Strategic Compliance & Securing the Cloud Annalea Sharack-Ilg, CISSP, AMBCI Technical Director of Information Security Complexity and Challenges 2 Complexity and Challenges Compliance Regulatory entities

More information

Puzzled about PCI compliance? Proactive ways to navigate through the standard for compliance

Puzzled about PCI compliance? Proactive ways to navigate through the standard for compliance Puzzled about PCI compliance? Proactive ways to navigate through the standard for compliance March 29, 2012 1:00 p.m. ET If you experience any technical difficulties, please contact 888.228.0988 or support@learnlive.com

More information

PCI DSS Compliance for Cloud-Based Contact Centers Mitigating Liability through the Standardization of Processes for cloud-based contact centers.

PCI DSS Compliance for Cloud-Based Contact Centers Mitigating Liability through the Standardization of Processes for cloud-based contact centers. PCI DSS Compliance for Cloud-Based Contact Centers Mitigating Liability through the Standardization of Processes for cloud-based contact centers. White Paper January 2013 1 INTRODUCTION The PCI SSC (Payment

More information

T2 IaaSand PCI Compliance. Robert Zigweid, IOActive

T2 IaaSand PCI Compliance. Robert Zigweid, IOActive T2 IaaSand PCI Compliance Robert Zigweid, IOActive Introduction Robert M. Zigweid Principal Compliance Consultant at IOActive, Inc. PCI QSA, PCI PA-QSA QSA for Amazon Web Services 2 Creating a PCI Compliant

More information

Can PCI DSS Compliance Be Achieved in a Cloud Environment?

Can PCI DSS Compliance Be Achieved in a Cloud Environment? royal holloway Can Compliance Be Achieved in a Cloud Environment? Organisations are considering whether to run -based systems in a cloud environment. The security controls in the cloud may be sufficient

More information

Cloud Computing Governance & Security. Security Risks in the Cloud

Cloud Computing Governance & Security. Security Risks in the Cloud Cloud Computing Governance & Security The top ten questions you have to ask Mike Small CEng, FBCS, CITP Fellow Analyst, KuppingerCole This Webinar is supported by Agenda What is the Problem? Ten Cloud

More information

Using Trend Micro s Cloud & Data Center Security Solution to meet PCI DSS 3.0 Compliance

Using Trend Micro s Cloud & Data Center Security Solution to meet PCI DSS 3.0 Compliance A COALFIRE WHITE PAPER Using s Cloud & Data Center Security Solution to meet PCI DSS 3.0 Compliance Implementing s Deep Security Platform in a Payment Card Environment April 2015 Page 1 Executive Summary...

More information

Protecting the Irreplacable. November 2013 Athens Ian Whiteside, F-Secure Ian.Whiteside@f-secure.com

Protecting the Irreplacable. November 2013 Athens Ian Whiteside, F-Secure Ian.Whiteside@f-secure.com Protecting the Irreplacable November Athens Ian Whiteside, F-Secure Ian.Whiteside@f-secure.com PC Sales continue to fall. Lack of innovation and no excitement Windows 8 doesn t seem to have excited the

More information

Payment Card Industry (PCI) Data Security Standard ROC Reporting Instructions for PCI DSS v2.0

Payment Card Industry (PCI) Data Security Standard ROC Reporting Instructions for PCI DSS v2.0 Payment Card Industry (PCI) Data Security Standard ROC Reporting Instructions for PCI DSS v2.0 September 2011 Changes Date September 2011 Version Description 1.0 To introduce PCI DSS ROC Reporting Instructions

More information

PCI COMPLIANCE ON AWS: HOW TREND MICRO CAN HELP

PCI COMPLIANCE ON AWS: HOW TREND MICRO CAN HELP SOLUTION BRIEF PCI COMPLIANCE ON AWS: HOW TREND MICRO CAN HELP The benefits of cloud computing are clear and compelling: no upfront investment, low ongoing costs, flexible capacity and fast application

More information

Network Segmentation

Network Segmentation Network Segmentation The clues to switch a PCI DSS compliance s nightmare into an easy path Although best security practices should be implemented in all systems of an organization, whether critical or

More information

Virtualization and Cloud Computing

Virtualization and Cloud Computing Virtualization and Cloud Computing Security is a Process, not a Product Guillermo Macias CIP Security Auditor, Sr. Virtualization Purpose of Presentation: To inform entities about the importance of assessing

More information

Proactively Secure Your Cloud Computing Platform

Proactively Secure Your Cloud Computing Platform Proactively Secure Your Cloud Computing Platform Dr. Krutartha Patel Security Engineer 2010 Check Point Software Technologies Ltd. [Restricted] ONLY for designated groups and individuals Agenda 1 Cloud

More information

PCI DSS Compliance Validation of Different Levels of Merchants in a Multi-tenant Private Cloud

PCI DSS Compliance Validation of Different Levels of Merchants in a Multi-tenant Private Cloud PCI DSS Compliance Validation of Different Levels of Merchants in a Multi-tenant Private Cloud Peter Olajide, Pavol Zavarsky, Ron Ruhl, Dale Lindskog Information Systems Security Department Concordia University

More information

Session 1: Managing Software Licenses in Virtual Environments. Paul Baguley, Principal, Advisory Services KPMG

Session 1: Managing Software Licenses in Virtual Environments. Paul Baguley, Principal, Advisory Services KPMG Session 1: Managing Software Licenses in Virtual Environments Paul Baguley, Principal, Advisory Services KPMG Managing Software Licenses in Virtual Environments June 2015 Paul Baguley Principal KPMG LLP

More information

Networking for Caribbean Development

Networking for Caribbean Development Networking for Caribbean Development BELIZE NOV 2 NOV 6, 2015 w w w. c a r i b n o g. o r g Virtualization: Architectural Considerations and Implementation Options Virtualization Virtualization is the

More information

Your success is our mission. Your success is our mission

Your success is our mission. Your success is our mission PARTNER WITH WITH VEEAM VEEAM Your success is our mission. Your success is our mission Veeam Cloud Provider Licensing Options EMEA January, 2015 01142015 Contents LINK INDEX... 4 CONTACTING VEEAM... 4

More information

Application Reviews and Web Application Firewalls Clarified. Information Supplement: PCI Data Security Standard (PCI DSS) Requirement:

Application Reviews and Web Application Firewalls Clarified. Information Supplement: PCI Data Security Standard (PCI DSS) Requirement: Standard: Version: Date: Requirement: Author: PCI Data Security Standard (PCI DSS) 1.2 October 2008 6.6 PCI Security Standards Council Information Supplement: Application Reviews and Web Application Firewalls

More information

Trend Micro Cloud Protection

Trend Micro Cloud Protection A Trend Micro White Paper August 2015 Trend Micro Cloud Protection Security for Your Unique Cloud Infrastructure Contents Introduction...3 Private Cloud...4 VM-Level Security...4 Agentless Security to

More information

PCI DSS 3.0 Changes Bill Franklin Executive IT Auditor bfranklin@compassitc.com January 23, 2014

PCI DSS 3.0 Changes Bill Franklin Executive IT Auditor bfranklin@compassitc.com January 23, 2014 PCI DSS 3.0 Changes Bill Franklin Executive IT Auditor bfranklin@compassitc.com January 23, 2014 Agenda Introduction PCI DSS 3.0 Changes What Can I Do to Prepare? When Do I Need to be Compliant? Questions

More information

Introduction to Cloud Computing. Srinath Beldona srinath_beldona@yahoo.com

Introduction to Cloud Computing. Srinath Beldona srinath_beldona@yahoo.com Introduction to Cloud Computing Srinath Beldona srinath_beldona@yahoo.com Agenda Pre-requisites Course objectives What you will learn in this tutorial? Brief history Is cloud computing new? Why cloud computing?

More information

March 2012 www.tufin.com

March 2012 www.tufin.com SecureTrack Supporting Compliance with PCI DSS 2.0 March 2012 www.tufin.com Table of Contents Introduction... 3 The Importance of Network Security Operations... 3 Supporting PCI DSS with Automated Solutions...

More information

Securing the Cloud with IBM Security Systems. IBM Security Systems. 2012 IBM Corporation. 2012 2012 IBM IBM Corporation Corporation

Securing the Cloud with IBM Security Systems. IBM Security Systems. 2012 IBM Corporation. 2012 2012 IBM IBM Corporation Corporation Securing the Cloud with IBM Security Systems 1 2012 2012 IBM IBM Corporation Corporation IBM Point of View: Cloud can be made secure for business As with most new technology paradigms, security concerns

More information

H Y T RUST: S OLUTION B RIEF. Solve the Nosy Neighbor Problem in Multi-Tenant Environments

H Y T RUST: S OLUTION B RIEF. Solve the Nosy Neighbor Problem in Multi-Tenant Environments H Y T RUST: S OLUTION B RIEF Solve the Nosy Neighbor Problem in Multi-Tenant Environments Summary A private cloud with multiple tenants such as business units of an enterprise or customers of a cloud service

More information

Information Supplement: Requirement 6.6 Code Reviews and Application Firewalls Clarified

Information Supplement: Requirement 6.6 Code Reviews and Application Firewalls Clarified Standard: Data Security Standard (DSS) Requirement: 6.6 Date: February 2008 Information Supplement: Requirement 6.6 Code Reviews and Application Firewalls Clarified Release date: 2008-04-15 General PCI

More information

PCI v2.0 Compliance for Wireless LAN

PCI v2.0 Compliance for Wireless LAN PCI v2.0 Compliance for Wireless LAN November 2011 This white paper describes how to build PCI v2.0 compliant wireless LAN using Meraki. Copyright 2011 Meraki, Inc. All rights reserved. Trademarks Meraki

More information

Realities of Private Cloud Security

Realities of Private Cloud Security SESSION ID: CSV-F03 Realities of Private Cloud Security Scott Carlson PayPal @relaxed137 PayPal Cloud & Software Defined Data Center VIRTUAL Cloud Design Principals, traditional Data Center Deploy from

More information

UNDERSTANDING PCI 3.0 AND HOW TO REDUCE YOUR SCOPE

UNDERSTANDING PCI 3.0 AND HOW TO REDUCE YOUR SCOPE UNDERSTANDING PCI 3.0 AND HOW TO REDUCE YOUR SCOPE April 30 th, 2014 Sean Mathena CISSP, CISA, QSA Trustwave Managing Consultant WELCOME AND AGENDA PCI-DSS 3.0 Review the high-level areas that have changed

More information

Integrating NComputing Virtual Desktops with VMware and Citrix

Integrating NComputing Virtual Desktops with VMware and Citrix Click to edit Master title style Integrating NComputing Virtual Desktops with VMware and Citrix Karen Gaines Director of Southern Europe, NComputing, Inc. September, 2010 1 Click Topicsto edit Master title

More information

In addition to their professional experience, students who attend this training should have technical knowledge in the following areas.

In addition to their professional experience, students who attend this training should have technical knowledge in the following areas. 6422A - Implementing and Managing Windows Server 2008 Hyper-V Course Number: 6422A Course Length: 3 Days Course Overview This three-day instructor-led course teaches students how to implement and manage

More information

Can You be HIPAA/HITECH Compliant in the Cloud?

Can You be HIPAA/HITECH Compliant in the Cloud? Can You be HIPAA/HITECH Compliant in the Cloud? Background For the first 10 years of its existence, the Health Insurance Portability and Accountability Act of 1996 (HIPAA) was a toothless tiger. Although

More information

Becoming PCI Compliant

Becoming PCI Compliant Becoming PCI Compliant Jason Brown - brownj52@michigan.gov Enterprise Security Architect Enterprise Architecture Department of Technology, Management and Budget State of Michigan @jasonbrown17 History

More information

Case 2:13-cv-01887-ES-JAD Document 282-2 Filed 12/09/15 Page 1 of 116 PageID: 4879. Appendix A

Case 2:13-cv-01887-ES-JAD Document 282-2 Filed 12/09/15 Page 1 of 116 PageID: 4879. Appendix A Case 2:13-cv-01887-ES-JAD Document 282-2 Filed 12/09/15 Page 1 of 116 PageID: 4879 Appendix A Case 2:13-cv-01887-ES-JAD Document 282-2 Filed 12/09/15 Page 2 of 116 PageID: 4880 Payment Card Industry (PCI)

More information

PCI Compliance - A Realistic Approach. Harshul Joshi, CISM, CISA, CISSP Director, Information Technology CBIZ MHM hjoshi@cbiz.com

PCI Compliance - A Realistic Approach. Harshul Joshi, CISM, CISA, CISSP Director, Information Technology CBIZ MHM hjoshi@cbiz.com PCI Compliance - A Realistic Approach Harshul Joshi, CISM, CISA, CISSP Director, Information Technology CBIZ MHM hjoshi@cbiz.com What What is PCI A global forum launched in September 2006 for ongoing enhancement

More information

Business Values of Network and Security Virtualization

Business Values of Network and Security Virtualization Business Values of Network and Security Virtualization VMware NSX in the context of the Software Defined Data Center Klaus Jansen Virtual Networks Sales Specialist VMware NSBU 2014 VMware Inc. All rights

More information

Security Considerations

Security Considerations Concord Fax Security Considerations For over 15 years, Concord s enterprise fax solutions have helped many banks, healthcare professionals, pharmaceutical companies, and legal professionals securely deliver

More information

Unmasking Virtualization Security. Eric A. Hibbard, CISSP, CISA Hitachi Data Systems

Unmasking Virtualization Security. Eric A. Hibbard, CISSP, CISA Hitachi Data Systems Eric A. Hibbard, CISSP, CISA Hitachi Data Systems SNIA Legal Notice The material contained in this tutorial is copyrighted by the SNIA unless otherwise noted. Member companies and individual members may

More information

Protecting the Palace: Cardholder Data Environments, PCI Standards and Wireless Security for Ecommerce Ecosystems

Protecting the Palace: Cardholder Data Environments, PCI Standards and Wireless Security for Ecommerce Ecosystems Page 1 of 5 Protecting the Palace: Cardholder Data Environments, PCI Standards and Wireless Security for Ecommerce Ecosystems In July the Payment Card Industry Security Standards Council (PCI SSC) published

More information

PCI Compliance Updates

PCI Compliance Updates PCI Compliance Updates E-Commerce / Cloud Security Adam Goslin, Chief Operations Officer AGoslin@HighBitSecurity.com Direct: 248.388.4328 PCI Guidance Google: PCI e-commerce guidance https://www.pcisecuritystandards.org/pdfs/pci_dss_v2_ecommerce_guidelines.pdf

More information

Hybrid PA-DSS Report on Validation

Hybrid PA-DSS Report on Validation Hybrid PA-DSS Report on Validation For Applications that Store, Process, or Transmit Payment Card Data but are Not Part of Authorization or Settlement Application Vendor: KomBea Corporation 3400 N. Ashton

More information

Delivering the Software Defined Data Center

Delivering the Software Defined Data Center Delivering the Software Defined Data Center Georgina Schäfer Sr. Product Marketing Manager VMware Calvin Rowland, VP, Business Development F5 Networks 2014 VMware Inc. All rights reserved. F5 & Vmware

More information

How Virtualization Affects PCI DSS

How Virtualization Affects PCI DSS How Virtualization Affects PCI DSS Part 1: Mapping PCI Requirements and Virtualization Authors: William Hau Vice President Professional Services Foundstone Professional Services Rudolph Araujo Director

More information

Cloud Computing. Chapter 8 Virtualization

Cloud Computing. Chapter 8 Virtualization Cloud Computing Chapter 8 Virtualization Learning Objectives Define and describe virtualization. Discuss the history of virtualization. Describe various types of virtualization. List the pros and cons

More information

Server Virtualization: The Essentials

Server Virtualization: The Essentials Server Virtualization: The Essentials Part 1 of 4 Jim Smith TeamQuest TeamQuest and the TeamQuest logo are registered trademarks in the US, EU and elsewhere. All other trademarks and service marks are

More information

What are your firm s plans to adopt x86 server virtualization? Not interested

What are your firm s plans to adopt x86 server virtualization? Not interested The benefits of server virtualization are widely accepted and the majority of organizations have deployed virtualization technologies. Organizations are virtualizing mission-critical workloads but must

More information

San Jose Airport PCI@SJC. Diane Mack-Williams SJC Airport Technology Services ACI NA San Diego, 15th October 2011

San Jose Airport PCI@SJC. Diane Mack-Williams SJC Airport Technology Services ACI NA San Diego, 15th October 2011 San Jose Airport PCI@SJC Diane Mack-Williams SJC Airport Technology Services ACI NA San Diego, 15th October 2011 Why PCI-DSS at SJC? SJC as a Service Provider Definition: Business entity that is not a

More information

9/26/2011. What is Virtualization? What are the different types of virtualization.

9/26/2011. What is Virtualization? What are the different types of virtualization. CSE 501 Monday, September 26, 2011 Kevin Cleary kpcleary@buffalo.edu What is Virtualization? What are the different types of virtualization. Practical Uses Popular virtualization products Demo Question,

More information

Technical Brief: Virtualization

Technical Brief: Virtualization Technical Brief: Virtualization Technology Overview Tempered Networks automates connectivity and network security for distributed devices over trusted and untrusted network infrastructure. The Tempered

More information

Network Access Control in Virtual Environments. Technical Note

Network Access Control in Virtual Environments. Technical Note Contents Security Considerations in.... 3 Addressing Virtualization Security Challenges using NAC and Endpoint Compliance... 3 Visibility and Profiling of VMs.... 4 Identification of Rogue or Unapproved

More information

Overview of Cloud Computing and Cloud Computing s Use in Government Justin Heyman CGCIO, Information Technology Specialist, Township of Franklin

Overview of Cloud Computing and Cloud Computing s Use in Government Justin Heyman CGCIO, Information Technology Specialist, Township of Franklin Overview of Cloud Computing and Cloud Computing s Use in Government Justin Heyman CGCIO, Information Technology Specialist, Township of Franklin Best Practices for Security in the Cloud John Essner, Director

More information

Oracle Solaris 11 and PCI DSS Meeting PCI DSS Compliance with Oracle Solaris 11

Oracle Solaris 11 and PCI DSS Meeting PCI DSS Compliance with Oracle Solaris 11 A COALFIRE WHITE PAPER Oracle Solaris 11 and PCI DSS Meeting PCI DSS Compliance with Oracle Solaris 11 April 4, 2013 Matt Getzelman PCI Practice Director, Coalfire 2013 Coalfire Systems, Inc. All Rights

More information

What s New in PCI DSS 2.0. 2010 Cisco and/or its affiliates. All rights reserved. Cisco Systems, Inc 1

What s New in PCI DSS 2.0. 2010 Cisco and/or its affiliates. All rights reserved. Cisco Systems, Inc 1 What s New in PCI DSS 2.0 2010 Cisco and/or its affiliates. All rights reserved. Cisco Systems, Inc 1 Agenda PCI Overview PCI 2.0 Changes PCI Advanced Technology Update PCI Solutions 2010 Cisco and/or

More information

Securing the Physical, Virtual, Cloud Continuum

Securing the Physical, Virtual, Cloud Continuum Securing the Physical, Virtual, Cloud Continuum By Ted Ritter, CISSP Senior Research Analyst Executive Summary The data center is undergoing a radical shift, from virtualization towards internal cloud

More information

A Look at the New Converged Data Center

A Look at the New Converged Data Center Organizations around the world are choosing to move from traditional physical data centers to virtual infrastructure, affecting every layer in the data center stack. This change will not only yield a scalable

More information

Third Party Agent (TPA) Registration Program - TPA Types and Functional Descriptions

Third Party Agent (TPA) Registration Program - TPA Types and Functional Descriptions Third Party Agent (TPA) Registration Program - TPA Types and Functional Descriptions Independent Sales Organizations (ISO) ISO Merchant (ISO M) Conducts merchant account or transaction processing solicitation,

More information

Secure Multi Tenancy In the Cloud. Boris Strongin VP Engineering and Co-founder, Hytrust Inc. bstrongin@hytrust.com

Secure Multi Tenancy In the Cloud. Boris Strongin VP Engineering and Co-founder, Hytrust Inc. bstrongin@hytrust.com Secure Multi Tenancy In the Cloud Boris Strongin VP Engineering and Co-founder, Hytrust Inc. bstrongin@hytrust.com At-a-Glance Trends Do MORE with LESS Increased Insider Threat Increasing IT spend on cloud

More information

PCI PA - DSS. Point BKX Implementation Guide. Version 2.01. Atos Xenta, Atos Xenteo and Atos Yomani using the Point BKX Payment Core

PCI PA - DSS. Point BKX Implementation Guide. Version 2.01. Atos Xenta, Atos Xenteo and Atos Yomani using the Point BKX Payment Core PCI PA - DSS Point BKX Implementation Guide Atos Xenta, Atos Xenteo and Atos Yomani using the Point BKX Payment Core Version 2.01 POINT TRANSACTION SYSTEMS AB Box 92031, 120 06 Stockholm, Tel. +46 8 566

More information

University of Sunderland Business Assurance PCI Security Policy

University of Sunderland Business Assurance PCI Security Policy University of Sunderland Business Assurance PCI Security Policy Document Classification: Public Policy Reference Central Register IG008 Policy Reference Faculty / Service IG 008 Policy Owner Chief Financial

More information

CHAPTER 2 THEORETICAL FOUNDATION

CHAPTER 2 THEORETICAL FOUNDATION CHAPTER 2 THEORETICAL FOUNDATION 2.1 Theoretical Foundation Cloud computing has become the recent trends in nowadays computing technology world. In order to understand the concept of cloud, people should

More information

Cloud Computing. Bringing the Cloud into Focus

Cloud Computing. Bringing the Cloud into Focus Cloud Computing Bringing the Cloud into Focus November 2011 Introduction Ken Cochrane CEO, IT/NET Partner, KPGM Performance and Technology National co-leader IT Advisory Services KPMG Andrew Brewin Vice

More information

INDUSTRY OUTLOOK. The Virtual Office: The Next-Generation Workplace

INDUSTRY OUTLOOK. The Virtual Office: The Next-Generation Workplace INDUSTRY OUTLOOK M AY 2 0 1 2 The Virtual Office: The Next-Generation Workplace INDUSTRY OUTLOOK 2012: THE VIRTUAL OFFICE Enabling mobile access to corporate applications drives workforce productivity,

More information

Platform as a Service and PCI www.engineyard.com

Platform as a Service and PCI www.engineyard.com Engine Yard White Paper Platform as a Service and PCI www.engineyard.com Purpose Achieving PCI compliance can be a complex, time-consuming, and expensive undertaking, but the right approach can make it

More information

Virtualization in a Multipurpose Commercial Data Center

Virtualization in a Multipurpose Commercial Data Center Virtualization in a Multipurpose Commercial Data Center Gartner Data Center Conference December 6, 2010 Hostway Corporation Global Provider of Infrastructure, Platforms, and Web Enabled Business Applications

More information

Implementing and Managing Windows Server 2008 Hyper-V

Implementing and Managing Windows Server 2008 Hyper-V Course 6422A: Implementing and Managing Windows Server 2008 Hyper-V Length: 3 Days Language(s): English Audience(s): IT Professionals Level: 300 Technology: Windows Server 2008 Type: Course Delivery Method:

More information

How to Turn the Promise of the Cloud into an Operational Reality

How to Turn the Promise of the Cloud into an Operational Reality TecTakes Value Insight How to Turn the Promise of the Cloud into an Operational Reality By David Talbott The Lure of the Cloud In recent years, there has been a great deal of discussion about cloud computing

More information

Administrative Improvements. Administrative Improvements. Scoping Guidance. Clarifications for Segmentation

Administrative Improvements. Administrative Improvements. Scoping Guidance. Clarifications for Segmentation The PCI DSS Lifecycle 1 The PCI DSS follows a three-year lifecycle PCI DSS 3.0 will be released in November 2013 Optional (but recommended) in 2014; Required in 2015 PCI SSC Community Meeting Update: PCI

More information

Observations from the Trenches

Observations from the Trenches Observations from the Trenches CSO Breakfast Club Retail and PCI Security Forum May 2010 Olivia Rose Jenkins, CISSP, QSA Sr. Security Consultant Agenda Conversations with CXO s PCI and Your Security Program

More information

VMware Security Briefing. Rob Randell, CISSP Senior Security Specialist SE

VMware Security Briefing. Rob Randell, CISSP Senior Security Specialist SE VMware Security Briefing Rob Randell, CISSP Senior Security Specialist SE Agenda Security Advantages of Virtualization Security Concepts in Virtualization Architecture Operational Security Issues with

More information

Security Compliance in a Virtual World

Security Compliance in a Virtual World RSA Security Brief Security Compliance in a Virtual World Best Practices to Build a Solid Foundation Authors Bret Hartman, Chief Technology Officer, RSA, the Security Division of EMC Dr. Stephen Herrod,

More information

Implementing and Managing Microsoft Desktop Virtualization 10324 en

Implementing and Managing Microsoft Desktop Virtualization 10324 en Implementing and Managing Microsoft Desktop Virtualization 10324 en Course Outline Module 1: Overview of Desktop Virtualization Scenarios Many organizations are exploring the use of virtualization to optimize

More information

Payment Card Industry (PCI) Data Security Standard. Requirements and Security Assessment Procedures. Version 3.1 April 2015

Payment Card Industry (PCI) Data Security Standard. Requirements and Security Assessment Procedures. Version 3.1 April 2015 Payment Card Industry (PCI) Data Security Standard Requirements and Security Assessment Procedures Version 3.1 April 2015 Document Changes Date Version Description Pages October 2008 1.2 July 2009 1.2.1

More information

S24 Virtualiza.on Security from the Auditor Perspec.ve

S24 Virtualiza.on Security from the Auditor Perspec.ve S24 Virtualiza.on Security from the Auditor Perspec.ve Rob Clyde, CEO, Adap.ve Compu.ng; former CTO, Symantec David Lu, Senior Product Manager, Trend Micro Hemma Prafullchandra, CTO/SVP Products, HyTrust

More information

The Payment Card Industry (PCI) Data Security Standards (DSS) v1.2 Requirements:

The Payment Card Industry (PCI) Data Security Standards (DSS) v1.2 Requirements: Compliance Brief The Payment Card Industry (PCI) Data Security Standards (DSS) v1.2 Requirements: Using Server Isolation and Encryption as a Regulatory Compliance Solution and IT Best Practice Introduction

More information

Top virtualization security risks and how to prevent them

Top virtualization security risks and how to prevent them E-Guide Top virtualization security risks and how to prevent them There are multiple attack avenues in virtual environments, but this tip highlights the most common threats that are likely to be experienced

More information

PCI Compliance for Cloud Applications

PCI Compliance for Cloud Applications What Is It? The Payment Card Industry Data Security Standard (PCIDSS), in particular v3.0, aims to reduce credit card fraud by minimizing the risks associated with the transmission, processing, and storage

More information

PCI Requirements Coverage Summary Table

PCI Requirements Coverage Summary Table StillSecure PCI Complete Managed PCI Compliance Solution PCI Requirements Coverage Summary Table January 2013 Table of Contents Introduction... 2 Coverage assumptions for PCI Complete deployments... 2

More information

Presentation for ISACA Chapter NL. Auditing Virtual Servers. VMware: Security and Operations. Gert-Jan Timmer 3. September, 2012

Presentation for ISACA Chapter NL. Auditing Virtual Servers. VMware: Security and Operations. Gert-Jan Timmer 3. September, 2012 Presentation for ISACA Chapter NL Auditing Virtual Servers VMware: Security and Operations Gert-Jan Timmer 3. September, 2012 Auditing Virtual Servers: Vmware: Security and Operations Presentation today:

More information

Virtualization: What does it mean for SAS? Karl Fisher and Clarke Thacher, SAS Institute Inc., Cary, NC

Virtualization: What does it mean for SAS? Karl Fisher and Clarke Thacher, SAS Institute Inc., Cary, NC Paper 347-2009 Virtualization: What does it mean for SAS? Karl Fisher and Clarke Thacher, SAS Institute Inc., Cary, NC ABSTRACT SAS groups virtualization into four categories: Hardware Virtualization,

More information

Sample Statement of Work

Sample Statement of Work Sample Statement of Work Customer name Brad Miller brad@solidborder.com Fishnet Security Sample Statement of Work: Customer Name Scope of Work Engagement Objectives Customer, TX ( Customer or Client )

More information

VMware Building Many Bridges to the Cloud

VMware Building Many Bridges to the Cloud VMware Building Many Bridges to the Cloud Robin Ren, Cloud Applications and Services, VMware July 2010 2009 VMware Inc. All rights reserved Agenda Cloud Characteristics Benefits Challenges VMware and Cloud

More information