1 Compliance and the Cloud: What You Can and What You Can t Outsource Presented By: Kate Donofrio Security Assessor Fortrex Technologies
2 Instructor Biography Background On Fortrex What s In A Cloud? Pick A Cloud Draft NIST SP Considerations PCI DSS Scope PCI SSC Guidance Sample Cloud Provider Stances CSA Cloud Controls Matrix Outsource Considerations Agenda
3 Background on Fortrex General Facts IT Security, Operational Risk and Advisory Services Founded in 1997 Headquarters in Frederick, Maryland Privately Held Approaching 1,000 Customers Baltimore to Alaska to Guam Broad Industry Coverage QSA, PA-QSA & ASV Abundance of References Integrity, Excellence, Empowerment, Teamwork and Thankfulness
4 What s In A Cloud? NIST Special Publication defines a cloud as a service which: o Maintains a pool of hardware resources to maximize service, minimize cost o Resource efficiency permits hardware refresh, migration of customer workloads
5 1950s Mainframes o Client/Server Model o Time-Sharing 1960s Pick A Cloud: History of the Cloud o Intergalatic Computer Network J.C.R Licklider ARPANET o Computation being delivered as a public utility John McCarthy Salesforce.com o Applications over the internet 2006 Amazon EC2 Rent technology 2009 Web 2.0 Browser based applications
6 Centralized or distributed Dedicated to single entity Pick A Cloud: Private Examples may include Data Warehouses or co-located cardholder data environments On-site Outsourced
7 Provide and/or subscribe o At least one participant must provide a service Pick A Cloud: Community May include one or many entities On-site Examples may include Wikipedia or SharePoint site structures Outsourced
8 Pick A Cloud: Public Potentially large computing and storage resources afford clients elasticity Communication links are generally provided over the public Internet Serves a diverse pool of clients Workload locations are hidden from clients Limited visibility and control over data security Public Examples may include Amazon or RackSpace
9 Pick A Cloud: Hybrid Composed of two or more private, community, and/or public clouds Uses may include Cloud bursting client employs private cloud and accesses one or more public clouds during periods of high demand May serve as backup resource o Disaster recovery Hybrid
10 Pick A Cloud: Environments Software as a Service (SaaS) Application access and use o Google, Twitter, Facebook Platform as a Service (PaaS) Access to tools and execution resources to develop, test, deploy and administer applications o Operating Systems, Network Access, Hosting, Database Management Infrastructure as a Service (IaaS) - Access to virtual computers, network-accessible storage, network infrastructure components such as firewalls, and configuration services
11 NIST SP Considerations Off-line Data Synchronization Interoperability Between Cloud Providers Compliance Physical Location Support for Forensics Information Security Responsibilities Data Privacy
12 PCI DSS Scope To confirm the accuracy and appropriateness of PCI DSS scope, perform the following: The assessed entity identifies and documents the existence of all cardholder data in their environment, to verify that no cardholder data exists outside of the currently defined cardholder data environment (CDE). Once all locations of cardholder data are identified and documented, the entity uses the results to verify that PCI DSS scope is appropriate (for example, the results may be a diagram or an inventory of cardholder data locations). The entity considers any cardholder data found to be in scope of the PCI DSS assessment and part of the CDE unless such data is deleted or migrated/consolidated into the currently defined CDE. The entity retains documentation that shows how PCI DSS scope was confirmed and the results, for assessor review and/or for reference during the next annual PCI SCC scope confirmation activity.
13 PCI SSC Guidance June 2011 PCI DSS Virtualization Guidelines state: Perform a detailed assessment of the unique risks associated with each service Hosted entity and provider clearly define and document the responsibilities assigned to each party for maintaining PCI DSS requirements and any other controls that could impact the security of cardholder data. Cloud provider should clearly identify which PCI DSS requirements, system components, and services are covered by the cloud provider s PCI DSS compliance program and which are responsibility of the hosted entity Cloud provider should provide sufficient evidence and assurance that all processes and components under their control are PCI DSS compliant
14 PCI SSC Guidance Define Responsibilities such as in the following example:
15 PCI SSC Guidance: Public Cloud Distributed architectures add layers of technology and complexity Designed to be public-facing, to allow access into the environment from anywhere on the Internet Infrastructures are by nature dynamic, and boundaries between tenant environments can be fluid Hosted entities have limited or no visibility into the underlying infrastructure and related security controls Hosted entities have limited or no oversight or control over cardholder data storage
16 PCI SSC Guidance: Public Cloud Hosted entities have no knowledge of who they are sharing resources with, or the potential risks their hosted neighbors may be introducing to the host system, data stores, or other resources shared across a multi-tenant environment Additional controls must be implemented to compensate for inherent risks and lack of visibility into architecture These challenges may make it impossible for some cloud-based services to operate in a PCI DSS compliant manner Evidence of cloud provider compliance should be subjected to rigorous review of controls
17 Sample Cloud Provider Stances: Amazon Is AWS now PCI certified? AWS provides a secure environment that has been validated by a QSA, allowing merchants to establish a secure cardholder environment and to achieve their own certification, having confidence that their underlying technology infrastructure is compliant. What does this mean to me as a PCI merchant or service provider? Our PCI Service Provider status means that customers who use our services to store, process or transmit cardholder data can rely on our PCI compliance validation for the technology infrastructure as they manage their own compliance and certification, including PCI audits and responses to incidents. Our service provider compliance covers all requirements as defined by PCI DSS for physical infrastructure service providers.
18 Sample Cloud Provider Stances: Amazon Does the PCI standard require single-tenant environments in order to be compliant? No. The AWS environment is a virtualized, multi-tenant environment. AWS has effectively implemented security management processes, PCI controls, and other compensating controls that effectively and securely segregate each customer into its own protected environment. Do QSAs for Level 1 merchants require a physical walkthrough of a service provider s data center? No. A merchant can obtain certification without a physical walkthrough of a service provider s data center if the service provider is a Level 1 validated service provider (such as AWS). A merchant s QSA can rely on the work performed by our QSA, which included an extensive review of the physical security of our data centers.
19 Sample Cloud Provider Stances: RackSpace How do you handle payment for Cloud Sites? Cloud Sites is a multi-tenant hosted environment. The Payment Card Industry prohibits handling or maintaining credit card information in multi-tenant environments. Thus, all credit card processing must be handled completely by a third party payment gateway. Building an e-commerce solution using Cloud Sites Cloud Sites is designed to provide an elastic web-hosting environment. This capability can allow an e-commerce merchant to properly handle the high-volume shopping season without carrying extra infrastructure throughout the remainder of the year. Cloud Sites is not currently designed for the storage or archival of any credit card related information, all credit card information must be handled on the payment gateway.
20 Sample Cloud Provider Stances: RackSpace Rackspace understands that organizations have different needs and requirements, especially when it comes to critical IT infrastructure. In support of this, Rackspace offers a portfolio of Private Cloud solutions.
21 Cloud Security Alliance Cloud Security Matrix The Cloud Security Alliance (CSA) is a not-for-profit organization with a mission to promote the use of best practices for providing security assurance within Cloud Computing, and to provide education on the uses of Cloud Computing to help secure all other forms of computing. The Cloud Security Alliance is led by a broad coalition of industry practitioners, corporations, associations and other key stakeholders. The Cloud Security Alliance Cloud Controls Matrix (CCM) provides a controls framework in 13 domains aligned with industry-accepted security standards, regulations, and controls frameworks such as: ISO 27001/27002 ISACA COBIT PCI DSS NIST BITS GAPP HIPAA/HITECH Jericho Forum NERC CIP
22 Cloud Security Alliance Cloud Security Matrix CCM domains include: Compliance Data Governance Facility Security Human Resource Security Information Security Legal Operations Management Risk Management Release Management Resiliency Security Architecture
23 Outsource Considerations What do you really need? What are you really getting? Do standards, regulatory, or framework compliance requirements impact planned service/system? Is the platform single or multi-tenant? Is the selected platform truly scalable?
24 Outsource Considerations What boundary controls are established? What security controls are enforced? How are information security responsibilities allocated? Does the provider support forensics? Where are utilized data center facilities? Are they accessible?
Standard: Version: 2.0 Date: June 2011 Author: PCI Data Security Standard (PCI DSS) Virtualization Special Interest Group PCI Security Standards Council Information Supplement: PCI DSS Virtualization Guidelines
A COALFIRE WHITE PAPER Using s Cloud & Data Center Security Solution to meet PCI DSS 3.0 Compliance Implementing s Deep Security Platform in a Payment Card Environment April 2015 Page 1 Executive Summary...
Payment Card Industry (PCI) Data Security Standard Requirements and Security Assessment Procedures Version 2.0 October 2010 Document Changes Date Version Description Pages October 2008 July 2009 October
Data Intensive Storage Services for Cloud Environments Dimosthenis Kyriazis National Technical University of Athens, Greece Athanasios Voulodimos National Technical University of Athens, Greece Spyridon
Standard: PCI Data Security Standard (PCI DSS) Version: 3.0 Date: August 2014 Author: Third-Party Security Assurance Special Interest Group PCI Security Standards Council Information Supplement: Third-Party
ITL BULLETIN FOR JUNE 2012 CLOUD COMPUTING: A REVIEW OF FEATURES, BENEFITS, AND RISKS, AND RECOMMENDATIONS FOR SECURE, EFFICIENT IMPLEMENTATIONS Shirley Radack, Editor Computer Security Division Information
Assessing the Audit Impact of Cloud Computing kpmg.com 1 Assessing the Audit Impact of Cloud Computing Cloud Computing Cloud computing is becoming an important IT strategy for entities that need varying
AskAvanade: Answering the Burning Questions around Cloud Computing There is a great deal of interest in better leveraging the benefits of cloud computing. While there is a lot of excitement about the cloud,
PCI Quick Reference Guide Understanding the Payment Card Industry Data Security Standard version 1.2 For merchants and organizations that store, process or transmit cardholder data Contents Copyright 2008
GOVERNANCE STRATEGIES New Requirements for Security and Compliance Auditing in the Cloud Cloud computing poses new challenges for IT security, compliance, and audit professionals who must protect corporate
FRAUNHOFER RESEARCH INSTITUTION AISEC CLOUD COMPUTING SECURITY PROTECTION GOALS.TAXONOMY.MARKET REVIEW. DR. WERNER STREITBERGER, ANGELIKA RUPPEL 02/2010 Parkring 4 D-85748 Garching b. München Tel.: +49
Journey to Cloud 9 Navigating a path to secure cloud computing Alastair Broom Solutions Director, Integralis March 2012 Navigating a path to secure cloud computing 2 Living on Cloud 9 Cloud computing represents
Your Place or Mine? In-House e-discovery Platform vs. Software as a Service Technology & Business Overview of Cloud Computing Janine Anthony Bowen, Esq. Jack Attorneys & Advisors www.jack-law.com Atlanta,
WHITE PAPER An Introduction to Cloud Computing in the Federal Public Sector AUGUST 2010 2010 BY APPTIS, INC. ALL RIGHTS RESERVED. The intended audience of this document comprises senior technical executives,
Session 136 Auditing Cloud Computing and Outsourced Operations Monday, May 7, 2012 3:30 PM 5:00 PM Mike Schiller Director of Sales & Marketing IT, Texas Instruments Co Author, IT Auditing: Using Controls
Cloud Computing: Transforming the Enterprise Cloud computing is not just a trend. It is changing the way IT organizations drive business value. THINK SMART. ACT FAST. FLEX YOUR BUSINESS. EXECUTIVE SUMMARY
Moving from Legacy Systems to Cloud Computing A Tata Communications White Paper October, 2010 White Paper 2010 Tata Communications Table of Contents 1 Executive Summary... 4 2 Introduction... 5 2.1 Definition
Office of the Chief Information Security Officer Centers for Medicare & Medicaid Services 7500 Security Boulevard Baltimore, Maryland 21244-1850 Risk Management Handbook Volume III Standard 3.2 FINAL Version
Data Protection Act 1998 Guidance on the use of cloud computing Contents Overview... 2 Introduction... 2 What is cloud computing?... 3 Definitions... 3 Deployment models... 4 Service models... 5 Layered
GPO Box 2343 Adelaide SA 5001 Tel (+61 8) 8204 8773 Fax (+61 8) 8204 8777 DX:336 firstname.lastname@example.org www.archives.sa.gov.au Cloud Computing and Records Management June 2015 Version 1 Version
Security Considerations for Public Mobile Cloud Computing Ronnie D. Caytiles 1 and Sunguk Lee 2* 1 Society of Science and Engineering Research Support, Korea email@example.com 2 Research Institute of
Cloud Security Keeping Data Safe in the Boundaryless World of Cloud Computing Executive Summary As cloud service providers mature, and expand and refine their offerings, it is increasingly difficult for
CYBER SECURITY OPERATIONS CENTRE APRIL 2011, UPDATED SEPTEMBER 2012 Cloud Computing Security Considerations Table of Contents Cloud Computing Security Considerations... 3 Overview of Cloud Computing...
1 Wrapping Audit Arms around the Cloud Georgia 2013 Conference for College and University Auditors Scott Woodison Executive Director, Compliance and Enterprise Risk Office of Internal Audit and Compliance