1 Negotiating the Highway to the Cloud Dr David Ross Security Practice Manager, CISO Bridge Point Communications, Australia August 19, 2011 Abstract Data centre investment dollars are increasingly moving to virtualisation technologies and the cloud whether that is an in-house private cloud, external provisions, or a hybrid. This stampede to take advantage of the benefits of virtualisation also comes with its own set of headaches for management and system administrators alike. With many refurbishments and new disaster recovery plans utilising virtualisation and cloud computing, it is now essential to have a comprehensive toolset to assist in the secure design, implementation and provisioning of new virtual environments and the assurance of SPI (SaaS, PaaS, IaaS) offerings. The author presents the considerations and foremost advocacy in virtualisation and cloud computing security, including details of the Cloud Security Alliance s (CSA) Certificate of Cloud Security Knowledge (CCSK), along with a full update on the Cloud Security Alliance s Australian activities. Introduction The Cloud has received a large amount of press in recent times, not all of it favourable. Many incidents with public cloud service providers produced notable outages, such as those of Amazon s Elastic Compute Cloud (EC2), taking out FourSquare, HootSuite, Indaba Music, Quora, Reddit, and others , just after midnight (PDT) on 21 st April this year  and another massive outage, in Ireland, with some permanent data loss due to power and UPS failures on 7 th August . Microsoft s North American data centre outage on 16 th August just past, downed Microsoft Office 365, SkyDrive and CRM Online services . Google s numerous Gmail outages include the more notable ones of 24 th February 2009  and 1 st September 2009 ; and the Gmail lost s incident occurred after a faulty software update between 6:00 PM PST on 27 th February and 2:00 PM PST on 28 th February this year, that (permanently) rejected mail deliveries during the outage and denied access to all s, for some 40,000 of its 193 million user accounts for up to three days .
2 Figure 1: Amazon s EC2 outage took out FourSquare, Quora, Reddit, and others [8-10] More damaging, however, are the events of the likes of GoGrid cloud hosting and hybrid hosting company advising customers on 30 th March this year of a security breach exposing customer details including payment cards . There has also been active use of cloud services as a tool to perform Internet attacks, such as the much publicised use of Amazon's EC2 service to base a penetration of Sony Corporation s online entertainment systems . These are not attacks on cloud security as such, but simply security attacks that use cloud resources for the same reasons as any other cloud user. Sony Corporation s PlayStation Network and Qriocity entertainment service exposed 77 million registered users names, addresses, phone numbers, home addresses and user IDs , all of whom were effected for nearly a month  during the shutdown and recovery; and the Sony Entertainment Online network was also disconnected on 24.6 million users , after the discovery that it is believed credit and debit card details of 24,000 users  were stolen. It has previously been shown  that using the cloud to brute force passwords and encryption keys is far more cost-effective than using private resources. So why use the cloud? The usual answer is that the benefits by far outweigh the risks. But is this really the case? Before you present your business case to your board, you had better make sure you have all the facts for an informed assessment.
3 Drivers Licence Theory Before we proceed down the Highway to the Cloud, we first need some basic cartography, including a common terminology and understanding of the concepts. Over the past 40 years we have moved from a centralised model of computing with single central processors executing programs for multiple users connected by remote terminals over multiplexed serial lines terminal server nodes, through a distributed model where the dumb terminals have been replaced by increasingly more powerful personal computers doing their own processing and exchanging data through the worldwide Internet; and now, as we advance technology further, we move back to the centralised processing model in the cloud albeit now a distributed, redundant, centralised processing model, where increasingly powerful personal computers become over-resourced graphics cards to the centralised cloud. The true origins of the actual term cloud computing are somewhat vague, with clouds being used to abstract telephony and packet networks up to 40 years ago [16-18], the Internet commonly being referred to as the cloud for at least the last ten years or more, and the term cloud computing having appeared in a patent application in 1997 . In more recent times the term was rejuvenated by Google s Executive Chairman (then CEO) Eric Schmidt , shortly before Amazon announced it s Elastic Compute Cloud . Figure 2: Early Network Clouds [16-18]
4 The Roadmap The Cloud Security Alliance (CSA) in its Security Guidance for Critical Areas of Focus in Cloud Computing Version 2.1, provides a description of Cloud Computing that is specifically tailored to the unique perspective of IT network and security professionals [21, p. 13]. It states cloud computing describes the use of a collection of services, applications, information, and infrastructure comprised of pools of compute, network, information, and storage resources [21, p. 13], that can be rapidly commissioned, expanded, reallocated, deallocated, and torn down; providing an on-demand utility-like model of allocation and consumption [21, p. 13] of resources. The CSA guidance aligns with the U.S. Department of Commerce s National Institute of Standards and Technology (NIST) Definition of Cloud Computing. On 30 th March this year, NIST presented the first version of the NIST Cloud Computing Reference Architecture consistent with the NIST Definition of Cloud Computing . The NIST cloud reference architecture supports three service models [22, p. 14]: Software as a Service (SaaS) Deployed applications targeted towards end-user software clients or other programs, and made available via the cloud. The consumer has no control over the network, servers, operating systems, storage, or the applications themselves; Platform as a Service (PaaS) Services for consumers to develop and deploy applications onto the cloud infrastructure, including application containers, application development tools, database management systems, etc. The consumer has no control over the network, servers, operating systems, or storage, but dictates and controls the applications; and Infrastructure as a Service (IaaS) The provisioning of processing, storage, networks, and other fundamental computing resources upon which cloud consumers can deploy and run applications on the cloud infrastructure. The consumer has no control over the hardware infrastructure, but dictates and controls the operating systems, virtual storage, applications, and possibly also some of the virtual networking functions. The NIST cloud reference architecture also describes four deployment models [22, p. 13]: Private Cloud The cloud infrastructure (internal, or external by a third party) is solely for one organisation; Community Cloud The cloud infrastructure (may also be a third party provider) is shared by several organisations for a specific community of interest, with shared security requirements, policy, and compliance considerations ; Public Cloud The cloud infrastructure tenancy is not restricted to any particular organisation(s); and Hybrid Cloud The cloud infrastructure is a composition of private, community, or public, that enables data and application portability (e.g., cloud bursting for load balancing between clouds).
5 The NIST cloud reference architecture provides five essential characteristics [21, p. 15]: On-demand self-service consumers can provision services as required without requiring human interaction with a provider; Broad network access services allow access by thin or thick clients or other cloud services; Resource pooling provider s resources are pooled and dynamically assigned to serve multiple consumers in a multi-tenant model; Rapid elasticity resources can be quickly provisioned and released, possibly appearing unlimited; and Measured service resource usage can be monitored, controlled, and reported providing transparency for both the provider and consumer of the service. Roadworthiness Cloud computing relies at its very heart on virtualisation technologies. It is the virtualisation of hardware, networks, servers, operating systems, platforms, and applications, that form the basis of all cloud computing endeavours. Modern advances in virtualisation technologies have enabled cloud computing as a viable business process. The security of virtualisation technologies is intertwined with the security of cloud computing services at its lowest level. In its most basic form, virtualisation is in use on almost every computer today, such as in disk partitioning to create virtual disks. There are three main types of virtualisation involved in the provision of cloud services: Storage virtualisation Storage resources are pooled and centrally managed to appear as a single elastic set of storage blocks; Network virtualisation The resources and functionality of network components are pooled and centrally managed to provide flexible networking options such as quality of service and virtual local area networks (VLANs) over virtual switches, routers, and firewalls; and Server virtualisation Server hardware resources are pooled and centrally managed so that they can be allocated to virtual machines to consume resources on an as-needs basis without limiting the virtual machines to a single set of hardware. Server virtualisation of the lowest layers, the hardware, occurs in various forms relevant to cloud computing: Full virtualisation, where the virtualisation layer completely emulates a set of hardware for each guest operating system (OS), using binary translation to trap all system calls for the guest (virtual) machine and translate to the appropriate calls to host (native) machine, such that guests that do not require to be aware of the virtualisation and do not require any modification to run as virtual machines; or
6 Para virtualisation, where the virtualisation layer emulates some of the hardware functions, but each guest is aware of the virtualisation and requires modifications to drivers and system calls to call the virtualisation layer directly to handle such requests rather than require the virtualisation layer to emulate all the hardware at a significant processing overhead and trap and translate such calls. In both cases, the advances in hardware assisted virtualisation, where the physical processors automatically trap guest calls to the hypervisor Virtual Machine Monitors (VMM) running in a special Root Mode privilege level and provide data structures to store VM states, can be used to supplement full virtualisation or para virtualisation functions. The virtualisation layer can be provided by two primary types of hypervisor: Type 1 Hypervisor or Bare Metal Hypervisor, which runs on the host (native) machine as the base OS and controls all native activity on the host, either as the sole footprint (e.g. VMware ESXi) or with a hardened general purpose OS providing management capabilities which can create new domains and manage virtual devices and physical hardware such as network interfaces and hard disk controllers (e.g. VMware ESX [+Linux], Xen, XenServer [+Linux], or Microsoft Hyper-V [+Windows Server 2008]); and Type 2 Hypervisor or Hosted Hypervisor, which runs on top of an existing general purpose OS on the host hardware gains the advantage of the most versatile host hardware integration at the expense of having to make all calls via the host OS in addition to all the Type 1 hypervisor tasks and being exposed to all of the host s general purpose OS footprint and vulnerabilities (e.g. VMware Server, VMware Workstation, VMware Player [on Windows or Linux], Parallels Workstation [on Windows or OSX], Microsoft VirtualBox [on Windows], or KVM [on Linux]). Uncharted Waters In a virtualised environment, virtualised machines have their own independent operating systems running as if they were instantiated on their own individual physical device, however their calls to the physical hardware instead go to the hypervisor that is controlling all of the physical resources on one or a cluster of physical machines, sharing these resources among any number of virtual machines. The virtualised environment provides virtual networks that may enable the virtual machines to network with each other or with the actual physical network interfaces on the physical machines. These virtual networks include virtual switches and may include also include other network management functionality. Many current information security policies and procedures, indeed often entire Information Security Management Systems (ISMS), including the information security risk management methodologies, do not account for the use of virtualisation technology in production environments.
7 Compliance and Audit Take for example, the Payment Card Industry Data Security Standard (PCI DSS) . This is of particular relevance to those organisations planning to deploy private clouds that may either contain Cardholder Data (CHD) or in any way impinge on their Cardholder Data Environment (CDE). The PCI DSS is a highly prescriptive list of controls dictated by the PCI Security Standards Council (PCI SSC), founded by the five card brands: Visa Inc., MasterCard Worldwide, American Express Company, Discover Financial Services, and JCB International . Every merchant and service provider dealing with credit cards must be compliant, including conducting quarterly external and internal vulnerability scans and annual external and internal penetration tests on their systems and heavy users must prove it with an annual audit. Meeting the security requirements of the PCI DSS requires the implementation of a fixed set of controls with very limited exception where it can be shown additional controls, beyond those already required by the standard, are in place, effective, and maintained. Figure 3: Example Gap Analysis against the PCI DSS v2.0 The PCI community has been long waiting the inclusion of virtualisation in the PCI DSS, with the previous versions leading many PCI QSAs to simply declare virtualised environments non-compliant, or at least declare segregation (network segmentation) ineffective and thus make the cardholder data environment (CDE) subject to the most severe restrictions, encompass the entire virtualisation cluster. It was therefore with great expectation that organisations and QSAs waited for the release of Version 2.0 of the PCI DSS, including virtualisation for the first time.
8 PCI DSS Version 2.0 The PCI DSS version 2.0 was released on 28 October 2010 and came into effect on 1 January this year. This latest revision provided many clarifications and additional guidance on the previous revision; however, as the standard is becoming more mature, only one of the twelve sections was even moderately rearranged and significantly updated. The PCI DSS version 2.0 now included references to virtualised environments, as the definition of system components, previously defined as any network component, server, or application that is included in or connected to the cardholder data environment , was expanded to system components also include any virtualisation components such as virtual machines, virtual switches/routers, virtual appliances, virtual applications/desktops, and hypervisors . The new version of the standard also added that if virtualisation is implemented all components within the virtual environment will need to be identified and considered in scope of the review, including individual virtual hosts or devices, management interfaces, central management consoles, hypervisors, and all intra-host and external communications and data flows . The implementation of a virtualised environment must meet the intent of all requirements such that the virtualised systems can be effectively regarded as separate hardware [26, p. 5]. So while the PCI DSS now included the specific burden of securing virtualised environments, unlike all other aspects of the standard, it provided no guidance on the actual controls to achieve this, referring further advice to come from a long awaited report from the Virtualisation Special Interest Group (SIG), started at the end of 2008 and initially expected in the last half of 2010, finally released in June The Information Supplement: PCI DSS Virtualization Guidelines from the Virtualisation SIG starts out by defining virtualisation and associated terminology, before proceeding with scoping guidance for PCI DSS impacts on the extent of the CDE, to the effect that if any VM, virtual switch, network, or virtual security device, is in-scope, then the associated hypervisor and all possible physical hardware are automatically in-scope for PCI DSS assessment . Scope guidance on cloud computing mirrors that of any hosted CDE components: The cloud provider should clearly identify which PCI DSS requirements, system components, and services are covered by the cloud provider s PCI DSS compliance program. Any aspects of the service not covered by the cloud provider should be identified, and it should be clearly documented in the service agreement that these aspects, system components, and PCI DSS requirements are the responsibility of the hosted entity to manage and assess. The cloud provider should provide sufficient evidence and assurance that all processes and components under their control are PCI DSS compliant. [27, p. 9]. The PCI DSS virtualization guidelines make special mention of the new attack surface introduced by a hypervisor. This is of particular relevance for Type 1 hypervisors that use a general purpose OS for management, particularly those hypervisors without a hardened OS;
9 and especially Type 2 (hosted) hypervisors. Hypervisors are not created equal, and it is particularly important to choose a solution that supports the required security functions for each environment. [27, p. 10]. The guidelines then detail considerations that must be taken into account regarding mixing VMs of different trust levels, VM-to-VM and VM-to-hypervisor attacks, the loss of separation of network, system administration, and audit duties, dormant VMs and the security of images and snapshots, but leaves it entirely to your selected QSA as to what meets compliance in a virtualised environment. Some QSAs will require a separate virtualised cluster for the CDE using separate physical networks controlled by separate physical firewall from other internal virtualised clusters and a separate physical DMZ virtualised cluster, again with separate physical network and separate physical perimeter firewall out to the border routers. Other QSAs may well sign off on a single encompassing virtualised cluster including CDE, DMZ, firewalls, and other internal hosts. The rest of us lie anywhere on the range in between. Note that in view of yet another hypervisor breach, breaking out of KVM , presented at the Black Hat USA 2011 and Defcon 19 conference in August, most QSAs will reject Type 2 hypervisors in a mixed environment. Navigating a Steady Course An overarching consideration in assessing an organisation for any sort of information security, is just what constitutes the sensitive data. This is a primal concern in determining not only the scope but the controls required and their locations. The hypervisor It must be remembered, that since the hypervisor affects the security of its virtualised guests, if any virtualised guest system contains sensitive data, then that automatically means the hypervisor controlling that guest is automatically part of the control environment. As such all of the physical machines constituting that cluster controlled by that hypervisor are subject to all the physical requirements of machines relative to the most sensitive data on any VM. Questions that arise as to the issues invoked by moving virtual machines from one physical machine to another and whether or not other virtual machines are then also part of the sensitive data environment or can such machines be effectively segregated? The PCI DSS requirements The PCI DSS has six goals that drive 12 requirements. These 12 requirements dictate 196 control components, with another six for managed service providers, which in an audit requires 989 items of evidence to be verified and documented.
10 Requirement requires a firewall at each Internet connection and between any DMZ and the internal networks. In a virtualised environment, providing a firewall between the DMZ and the internal networks can be achieved by deploying a separate physical virtualised cluster for the DMZ separated by physical firewall from the internal virtualised cluster. This splits the physical hardware and thus reduces the efficiency of the virtualisation. There is a further restriction under requirement to use firewall and router configurations that restrict inbound and outbound traffic to and from the cardholder data environment. Where the cardholder data environment is segregated from the rest of the internal networks, this requires segregation within the internal networks. Under this scheme, this would dictate yet another separate physical cluster so that routers and firewalls can provide the segregation from the rest of the internal cluster. This drastically reduces the efficiency and utility of a virtualised environment. Another option relies on the hypervisor to provide the segregation between hosts by tying these groups of virtual hosts to separate physical network interface cards (NIC) so that a separate physical firewall can be used to guarantee this segregation. Figure 4 : Example of Using Separate Physical Firewall(s) While this helps maintain the utility of the internal virtualised cluster, this still limits the number of externally controlled segments and the utility of the network interface cards. Current technology is moving to maximise physical network throughput by teaming all physical interfaces together and providing segregation at the logical level.
11 Virtual Alternative An alternative involves using a single enterprise virtualised cluster and deploying virtual firewalls within the cluster two separate environments. However it is up to your QSA, and not you, to declare whether the technology you use meets the PCI DSS requirements for segregation of networks. Many QSA is would not consider this to achieve effective segregation. If you use para-virtualisation, that is a hypervisor that runs in a general-purpose operating system such as Microsoft windows, UNIX, or UNIX-like operating systems, then the hypervisor is subject to the security vulnerabilities of the underlying operating system and thus can be subverted by exploits on the underlying operating system, in turn subverting the security of the guest virtual machines as well is any segregation between them. The use of so-called bare metal virtualisation technology exposes a vastly reduced attack surface, making such virtual segregation more palatable to your QSA. Virtual Firewalls In addition, virtual firewalls also come in two forms: a firewall running as a virtualised guest and so competing with all the other virtualised guest machines for resources physical resources; or for a new breed of virtualised systems where firewalls, intrusion detection, antivirus, and the like, are provided with hooks into the hypervisor itself guaranteeing true access to the data flows in and out of the virtualised guest machines. Intrusion detection Requirements for intrusion detection state that all traffic in the CDE must be monitored. In a virtualised environment this is a requires either requires host IDS (HIDS) on every single virtualised guest machine (effectively resulting in multiple instances of the same code running simultaneously on the physical hardware) or network IDS (NIDS) patched into all of the virtual networks within the virtual cluster, monitoring the traffic between the virtual machines and to and from the outside world. Where such a system runs as a guest in the virtualisation environment, it must compete with the other virtual machines for physical resources. Again, the latest virtualisation technology allows IDS vendors to provide solutions that hook into the actual hypervisor to guarantee access to all of the data flows to and from the virtual machines. Antivirus The PCI DSS requires antivirus software be deployed on all systems commonly affected by viruses, including servers. In a separate physical environment, this requires an instance of the antivirus software on every machine. Similarly, in a virtualised environment every machine must have antivirus. Where an instance of the antivirus software is running on each virtual guest machine, this results in many instances of the same software running simultaneously within the physical cluster.
12 By using the latest virtualisation technologies and deploying an antivirus solution that hooks in to the hypervisor itself, thus monitoring all data flowing into all of the virtual machines, to detect and action viruses malicious code in transit to the virtual machine, as well as scanning the virtual machine image as it is loaded or swapped, may meet these PCI requirements and substantially reduce the computing overheads involved with antivirus in a virtualised environment. Figure 5: Example of a Bare-Metal Hypervisor providing hooks for Firewalls, IDS & AV Conclusion The security and auditing of virtualisation environments is now a pressing need in both government and commercial environments. In the commercial world, and in particular the Payment Card Industry, virtualisation is a leading topic of research and debate. New and emerging virtualisation technologies, although untested from a compliance and audit perspective, now have the potential to provide tangible benefits not only in power, space, and cost efficiencies, but now provide increased abilities to secure and monitor Information Systems. For those who are subject to the PCI DSS, you should engage and work with your QSA at the earliest opportunity to explore the opportunities and advantages you can leverage from virtualisation before you commit your resources and design and build your systems.
13 Cloud Security Alliance, Australia Chapter In February 2011, Gary Blair, Executive General Manager, CBA (Sydney) made enquires with Jim Reavis, Executive Director, Cloud Security Alliance (USA) in regards to an Australian Regional Coordinating Body and State Chapters. On 7th April 2011, David Ross, CISO, Bridge Point Communications (Brisbane) with 24 Queensland members of the CSA LinkedIn group, one QLD/WA member, and one NSW/ACT member applied to start CSA Australia and expand it throughout Australia. This application required a greater breadth of membership to proceed. On 29th April 2011, Jim Reavis (CSA) invited all interested parties who had contacted him from around Australia to get together and advance the application. On 5th May 2011, Gary Blair hosted a meeting via teleconference, chaired by David Ross and attended also by Jim Reavis (CSA) and those aforementioned interested parties. This meeting decided to proceed with a single overall Australian chapter, with a structure to be reviewed after six months. Nominations for roles on the Board of Directors were called. On 16th May 2011, A CSA Australia BoF session was announced at all AusCERT conference sessions. This meeting concluded the nominations and the Board of Directors was finalised soon after. David Ross sent a refreshed application supported by 58 Australian members of the CSA LinkedIn group to Jim Reeves and on the 21 st June 2011 the Cloud Security Alliance, Australia Chapter was approved for development. The Founding Directors of CSA Australia are: Ben Chung (HP NSW), Gary Gardiner (Check Point QLD), Craig Lawson (HP QLD), Wipul Jayawickrama (Infoshield QLD), Richard Keirstead (Ernst & Young VIC), Phil Kernick (CQR Consulting SA), Archie Reed (HP NSW), David Ross (Bridge Point QLD), Darren Skidmore (FIS Australasia VIC), Tim Smith (Bridge Point QLD), Marcel Sorouni (BUPA Australia NSW), Michael Trott (Bridge Point QLD), Chad Walker (Infoshield QLD), Marcus Wong (CBA NSW), Jason Wood (CBA NSW).
14 The name of the association is the Cloud Security Alliance, Australian Chapter, hereinafter called CSA Australia and abbreviated as CSA-AU. The purposes for which the association is established are, in line with CSA Global, to promote the use of best practices for providing security assurance within Cloud Computing, and provide education on the uses of Cloud Computing to help secure all other forms of computing. The geographical boundary of CSA, Australian Chapter, until otherwise amended, is the Commonwealth of Australia. The geographical boundary does not affect membership in CSA Australia, but simply defines the service area. The membership of CSA Australia shall consist of all current members of the global Cloud Security Alliance LinkedIn group who have elected to join the chapter s official LinkedIn sub-group within CSA s LinkedIn group. The CSA (global) LinkedIn group is at: The CSA Australia LinkedIn group is at: The Cloud Security Alliance s Certificate of Cloud Security Knowledge (CCSK) is the industry s first user certification program for secure cloud computing. The CCSK is designed to ensure that a broad range of professionals with responsibility related to cloud computing have a demonstrated awareness of the security threats and best practices for securing the cloud . The CCSK provides evidence that an individual has successfully completed an examination covering the key concepts of the CSA Security Guidance for Critical Areas of Focus in Cloud Computing, V2.1 and the European Network and Information Security Agency (ENISA) whitepaper Cloud Computing: Benefits, Risks and Recommendations for Information Security. Jim Reavis, CSA executive director said The CCSK is a low cost certification that establishes a robust baseline of cloud security knowledge. Combined with existing professional certifications, it helps provide necessary assurance of user competency in this important area of growth .
15 Bibliography  BBC. Amazon fault takes down websites. BBC News Technology, 21 st April, [Online] Available:  Amazon Web Services. Summary of the Amazon EC2 and Amazon RDS Service Disruption in the US East Region. 21 st April, Amazon Web Services LLC. [Online] Available:  Charles Babcock. Amazon Issues Post Mortem On Cloud Outage. InformationWeek, 15 th August, UBM TechWeb, UBM LLC. [Online] Available:  Lee Pender. Another Bad Day for the Cloud: Microsoft Office 365, Dynamics CRM Go Down. Redmond Channel Partner, August 18, Media Inc., Chatsworth, CA, USA. Posted August 18, 2011 at 1:35 PM. [Online] Available:  Tim Beyers. Gmail Fails, Cloud Computing Wins?. The Motley Fool. 24 th February, [Online] Available:  Erick Schonfeld. Why Gmail Failed Today. In TechCrunch. 1 st September, AOL Inc. [Online] Available:  Robert Charette. Google Gmail's "Lost s" Restored to Life. In The Risk Factor, IEEE Spectrum, 1 st March Institute of Electrical and Electronics Engineers, Inc. [Online] Available:  AP Photo. foursquare.com. In FoxNews.com, Downed Amazon Servers Leave Websites Across Internet Struggling. 22 nd April, FOX News Network, LLC. [Online] Available: 0take%20out%20Foursquare.jpg  Leon Katsnelson. reddit_down-due-to-aws.jpg. In BigDataOnCloud + FreeDB2, When cloud fails. 17 th March, [Online] Available:  Charles Arthur. The message greeting visitors to Quora during the outage. In guardian.co.uk, 21 st April, Guardian News and Media Limited. [Online] Available:
16  Craig Balding. GoGrid Security Breach. 30 th March, [Online] Available:  John Kennedy. Amazon EC2 service used in Sony attack?. In Siliconrepublic, Stragegy, 14 th May, Siliconrepublic Publishing Ltd. [Online] Available:  Pavel Alpeyev, Joseph Galante and Mariko Yasu. Amazon.com Server Said to Have Been Used in Sony Attack. In Bloomberg News, 15 th May, Bloomberg L.P. [Online] Available:  Paul Wagenseil. Amazon's Cloud Servers Possibly Used in Sony Attack. In SecurityNewsDaily, 16 th May, MSNBC Interactive News LLC. [Online] Available:  Dan Goodin. PlayStation Network hack launched from Amazon EC2 (Cloud economics strikes again). In The Register, Cloud Business, 14 th May, Situation Publishing. [Online] Available:  Vinton Cerf. Untitled network diagram In Katie Hafner and Matthew Lyon, Where Wizards Stay Up Late: The Origins Of The Internet. Simon&Schuster, ISBN  Takeshi Utsumi. Diagram of CSNET. c In Electronic Global University System and Services (Unpublished draft July, 1998). [Online] Available: T.jpg  Cisco Systems, Inc. Multiple networks are included in the DCN network cloud. In Cisco Network Solutions for the Telco DCN: Telephone Switch Environments, January, [Online] Available:  John M. Willis. Who Coined The Phrase Cloud Computing?. 31 st December, [Online] Available:  Reuven Cohen. Response to John Willis. Who Coined The Phrase Cloud Computing?. 31 st December, [Online] Available:  Glenn Brunette and Rich Mogull, editors. Security Guidance for Critical Areas of Focus in Cloud Computing Version 2.1. The Cloud Security Alliance. December, [Online] Available: https://cloudsecurityalliance.org/csaguide.pdf
17  National Institute of Standards and Technology. NIST Cloud Computing Reference Architecture Version 1. U.S. Department of Commerce, 30 th March,  PCI Security Standards Council LLC. Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, Version 2.0. Wakefield, MA, USA, October  PCI Security Standards Council LLC. PCI DSS Quick Reference Guide, Understanding the Payment Card Industry Data Security Standard version 2.0. Wakefield, MA, USA, October  PCI Security Standards Council LLC. Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, Version 2.0. Wakefield, MA, USA, October  PCI Security Standards Council LLC. Payment Card Industry (PCI) Data Security Standard, Navigating PCI DSS, Understanding the Intent of the Requirements, Version 2.0. Wakefield, MA, USA, October  PCI Security Standards Council Virtualization SIG. Information Supplement: PCI DSS Virtualization Guidelines. PCI Security Standards Council LLC, Wakefield, MA, USA. June  Nelson Elhage. Virtunoid: A KVM Guest -> Host privilege escalation exploit. In Proc. Black Hat USA 2011, August,  Cloud Security Alliance. Cloud Security Alliance announces availability of Certificate of Cloud Security Knowledge (CCSK). September, [Online] Available: https://cloudsecurityalliance.org/csa-news/cloud-security-alliance-announcesavailability-of-certificate-of-cloud-security-knowledge-ccsk/
ARE YOU REALLY PCI DSS COMPLIANT? Case Studies of PCI DSS Failure! Jeff Foresman, PCI-QSA, CISSP Partner PONDURANCE AGENDA PCI DSS Basics Case Studies of PCI DSS Failure! Common Problems with PCI DSS Compliance
Virtualization and Cloud Computing Security is a Process, not a Product Guillermo Macias CIP Security Auditor, Sr. Virtualization Purpose of Presentation: To inform entities about the importance of assessing
royal holloway Can Compliance Be Achieved in a Cloud Environment? Organisations are considering whether to run -based systems in a cloud environment. The security controls in the cloud may be sufficient
VMware Solution Guide for Payment Card Industry (PCI) September 2012 v1.3 VALIDATION DO CU MENT Table of Contents INTRODUCTION... 3 OVERVIEW OF PCI AS IT APPLIES TO CLOUD/VIRTUAL ENVIRONMENTS... 5 GUIDANCE
Securing Industrial Control Systems on a Virtual Platform How to Best Protect the Vital Virtual Business Assets WHITE PAPER Sajid Nazir and Mark Lazarides firstname.lastname@example.org 9 Feb, 2016 email@example.com
Voltage SecureData Web with Page-Integrated Encryption (PIE) Technology Security Review Prepared for: Coalfire Systems, Inc. March 2, 2012 Table of Contents EXECUTIVE SUMMARY... 3 DETAILED PROJECT OVERVIEW...
PCI Compliance in a Virtualized World Security Technology Infrastructure Security Integration 24x7 Support MSS Training Information Assurance Staff Augmentation Presenters John Clark QSA, PMP, CISA, CISSP
Preparing an RFI for Protecting cardholder data is a critical and mandatory requirement for all organizations that process, store or transmit information on credit or debit cards. Requirements and guidelines
Level 8, 66 King Street Sydney NSW 2000 Australia Telephone +61 2 9290 4444 or 1300 922 923 An article on PCI Compliance for the Not-For-Profit Sector Page No.1 PCI Compliance for the Not-For-Profit Sector
Cloud Services Overview John Hankins Global Offering Executive Ricoh Production Print Solutions May 23, 2012 Cloud Services Agenda Definitions Types of Clouds The Role of Virtualization Cloud Architecture
1 The following is merely a collection of notes taken during works, study and just-for-fun activities No copyright infringements intended: all sources are duly listed at the end of the document This work
solution brief PCI COMPLIANCE ON AWS: HOW TREND MICRO CAN HELP AWS AND PCI DSS COMPLIANCE To ensure an end-to-end secure computing environment, Amazon Web Services (AWS) employs a shared security responsibility
Eric A. Hibbard, CISSP, CISA Hitachi Data Systems SNIA Legal Notice The material contained in this tutorial is copyrighted by the SNIA unless otherwise noted. Member companies and individual members may
Standard: Version: 2.0 Date: June 2011 Author: PCI Data Security Standard (PCI DSS) Virtualization Special Interest Group PCI Security Standards Council Information Supplement: PCI DSS Virtualization Guidelines
PCI DSS 3.0 Changes Bill Franklin Executive IT Auditor firstname.lastname@example.org January 23, 2014 Agenda Introduction PCI DSS 3.0 Changes What Can I Do to Prepare? When Do I Need to be Compliant? Questions
Courses Description 101: Fundamental Computing and Architecture Computing Concepts and Models. Data center architecture. Fundamental Architecture. Virtualization Basics. platforms: IaaS, PaaS, SaaS. deployment
SECURITY IN OPERATING SYSTEM VIRTUALISATION February 2008 The Government of the Hong Kong Special Administrative Region The contents of this document remain the property of, and may not be reproduced in
Volume 4, Issue 2, February 2014 ISSN: 2277 128X International Journal of Advanced Research in Computer Science and Software Engineering Research Paper Available online at: www.ijarcsse.com An Emerging
Architecting and Building a Secure and Compliant Virtual Infrastructure and Private Cloud Rob Randell, CISSP Principal Systems Engineer Security Specialist Agenda What is the Cloud? Virtualization Basics
Securing The Cloud Foundational Best Practices For Securing Cloud Computing Scott Clark Agenda Introduction to Cloud Computing What is Different in the Cloud? CSA Guidance Additional Resources 2 What is
PCI Compliance - A Realistic Approach Harshul Joshi, CISM, CISA, CISSP Director, Information Technology CBIZ MHM email@example.com What What is PCI A global forum launched in September 2006 for ongoing enhancement
INFORMATION TECHNOLOGY FLASH REPORT Understanding PCI DSS Version 3.0 Key Changes and New Requirements November 8, 2013 On November 7, 2013, the PCI Security Standards Council (PCI SSC) announced the release
Company Co. Inc. LLC Multiple Minds, Singular Results LAN Domain Network Security Best Practices An integrated approach to securing Company Co. Inc. LLC s network Written and Approved By: Geoff Lacy, Tim
www.cloudtp.com Building Blocks of the Private Cloud Private clouds are exactly what they sound like. Your own instance of SaaS, PaaS, or IaaS that exists in your own data center, all tucked away, protected
Virtualization Objectives Definitions Why Problems Versions Virtualization vs Cloud Creating a New Virtual Machine Working with a Virtual Machine Virtual Machine Settings Virtual Machine Snapshots Definitions
IaaS Cloud Architectures: Virtualized Data Centers to Federated Cloud Infrastructures Dr. Sanjay P. Ahuja, Ph.D. 2010-14 FIS Distinguished Professor of Computer Science School of Computing, UNF Introduction
Full and Para Virtualization Dr. Sanjay P. Ahuja, Ph.D. 2010-14 FIS Distinguished Professor of Computer Science School of Computing, UNF x86 Hardware Virtualization The x86 architecture offers four levels
NETWORK ACCESS CONTROL AND CLOUD SECURITY Tran Song Dat Phuc SeoulTech 2015 Table of Contents Network Access Control (NAC) Network Access Enforcement Methods Extensible Authentication Protocol IEEE 802.1X
PCI DSS Payment Card Industry Data Security Standard www.tuv.com/id What Is PCI DSS? PCI DSS (Payment Card Industry Data Security Standard) is the common security standard of all major credit cards brands.the
Security & Trust in the Cloud Ray Trygstad Director of Information Technology, IIT School of Applied Technology Associate Director, Information Technology & Management Degree Programs Cloud Computing Primer
Assessing Risks in the Cloud Jim Reavis Executive Director Cloud Security Alliance Agenda Definitions of Cloud & Cloud Usage Key Cloud Risks About CSA CSA Guidance approach to Addressing Risks Research
SOLUTION BRIEF PCI COMPLIANCE ON AWS: HOW TREND MICRO CAN HELP The benefits of cloud computing are clear and compelling: no upfront investment, low ongoing costs, flexible capacity and fast application
SECURITY MODELS FOR CLOUD 2012 Kurtis E. Minder, CISSP INTRODUCTION Kurtis E. Minder, Technical Sales Professional Companies: Roles: Security Design Engineer Systems Engineer Sales Engineer Salesperson
Phillip Hampton LogicForce Consulting, LLC New IT Paradigm What is? Benefits of Risks of 5 What the Future Holds 7 Defined...model for enabling ubiquitous, it convenient, ondemand network access to a shared
Cloud Computing: Opportunities, Challenges, and Solutions Jungwoo Ryoo, Ph.D., CISSP, CISA The Pennsylvania State University What is cloud computing? What are some of the keywords? How many of you cannot
BY VORAPOJ LOOKMAIPUN CISSP, CISA, CISM, CRISC, CEH VORAPOJ.L@G-ABLE.COM Agenda Security Cases What is Cloud? Road Map Security Concerns 1 Security Cases on Cloud Data Protection - Two arrested in ipad
White Paper PCI-DSS compliance and Software products The Payment Card Industry Data Standard () compliance is a set of specific security standards developed by the payment brands* to help promote the adoption
HyTrust CloudControl Support for PCI DSS 3.0 Summary In PCI DSS 3.0, hypervisors and virtual networking components are always in-scope for audit; Native auditing capabilities from the core virtualization
AISA Sydney 15 th April 2009 Where PCI stands today: Who needs to do What, by When Presented by: David Light Sense of Security Pty Ltd Agenda Overview of PCI DSS Compliance requirements What & When Risks
Compliance Report PCI DSS 2.0 Generated by Check Point Compliance Blade, on July 02, 2013 11:12 AM 1 74% Compliance 96 Action Items Upcoming 0 items About PCI DSS 2.0 PCI-DSS is a legal obligation mandated
WHITEPAPER Using Automated, Detailed Configuration and Change Reporting to Achieve and Maintain PCI Compliance Part 4 An in-depth look at Payment Card Industry Data Security Standard Requirements 10, 11,
Cloud Models and Platforms Dr. Sanjay P. Ahuja, Ph.D. 2010-14 FIS Distinguished Professor of Computer Science School of Computing, UNF A Working Definition of Cloud Computing Cloud computing is a model
Virtualization for Cloud Computing Dr. Sanjay P. Ahuja, Ph.D. 2010-14 FIS Distinguished Professor of Computer Science School of Computing, UNF CLOUD COMPUTING On demand provision of computational resources
PCI v2.0 Compliance for Wireless LAN November 2011 This white paper describes how to build PCI v2.0 compliant wireless LAN using Meraki. Copyright 2011 Meraki, Inc. All rights reserved. Trademarks Meraki
Cloud Computing CS 15-319 Virtualization Case Studies : Xen and VMware Lecture 20 Majd F. Sakr, Mohammad Hammoud and Suhail Rehman 1 Today Last session Resource Virtualization Today s session Virtualization
Information Security Services Achieving PCI compliance with Dell SecureWorks security services Executive summary In October 2010, the Payment Card Industry (PCI) issued the new Data Security Standard (DSS)
White Paper on CLOUD COMPUTING INDEX 1. Introduction 2. Features of Cloud Computing 3. Benefits of Cloud computing 4. Service models of Cloud Computing 5. Deployment models of Cloud Computing 6. Examples
White Paper A10 Thunder Series PCI DSS and the A10 Solution For cloud service providers, A10 s Thunder Series & AX Series appliances and SoftAX are the first step towards PCI compliance, allowing you to
ILLUMIO ADAPTIVE SECURITY PLATFORM TM HIGHLIGHTS Security with Intelligence Illumio ASP is powered by the breakthrough PCE. The PCE contextualizes all traffic flows, services, and processes on application
Auditing Virtualized Environments 11 CHAPTER Innovations in operating system virtualization and server hardware permanently changed the footprint, architecture, and operations of data centers. This chapter
Overview of Cloud Computing and Cloud Computing s Use in Government Justin Heyman CGCIO, Information Technology Specialist, Township of Franklin Best Practices for Security in the Cloud John Essner, Director
Network Segmentation The clues to switch a PCI DSS compliance s nightmare into an easy path Although best security practices should be implemented in all systems of an organization, whether critical or
HOW SECURE IS YOUR PAYMENT CARD DATA? October 27, 2011 MOSS ADAMS LLP 1 TODAY S PRESENTERS Francis Tam, CPA, CISA, CISM, CITP, CRISC, PCI QSA Managing Director PCI Practice Leader Kevin Villanueva,, CISSP,
IT Best Practices Audit TCS offers a wide range of IT Best Practices Audit content covering 15 subjects and over 2200 topics, including: 1. IT Cost Containment 84 topics 2. Cloud Computing Readiness 225
Achieving PCI Compliance with Red Hat Enterprise Linux June 2009 CONTENTS EXECUTIVE SUMMARY...2 OVERVIEW OF PCI...3 1.1. What is PCI DSS?... 3 1.2. Who is impacted by PCI?... 3 1.3. Requirements for achieving
Your Platform of Choice The Cloud is Not Enough Why Hybrid Infrastructure is Shaping the Future of Cloud Computing Mark Cravotta EVP Sales and Service SingleHop LLC Talk About Confusing? Where do I start?
University of Sunderland Business Assurance PCI Security Policy Document Classification: Public Policy Reference Central Register IG008 Policy Reference Faculty / Service IG 008 Policy Owner Chief Financial
Security Review Web with Page-Integrated Encryption (PIE) Technology Prepared for HP Security Voltage by: Coalfire Systems Inc. March 2, 2012 Table of contents 3 Executive Summary 4 Detailed Project Overview
Product Overview Interoute provide our clients with a diverse range of compute options delivered from our 10 carrier-class data centre facilities. Leveraging our extensive and diverse next generation IP
Benefits of the Hyper-V Cloud For more information, please contact: Email: firstname.lastname@example.org Ph: 888-821-7888 Canadian Web Hosting (www.canadianwebhosting.com) is an independent company, hereinafter
Compliance for Cloud and Virtualized Environments White Paper Using 5nine Cloud Security to Meet PCI DSS v3.0 Compliance Authored By: Morgan Holm VP of Product Management at 5nine Software Dr. Konstantin
Learn the Essentials of Virtualization Security by Dave Shackleford by Dave Shackleford This paper is the first in a series about the essential security issues arising from virtualization and the adoption
Compliance and the Cloud: What You Can and What You Can t Outsource Presented By: Kate Donofrio Security Assessor Fortrex Technologies Instructor Biography Background On Fortrex What s In A Cloud? Pick
WHITE PAPER August 2011 Passing Compliance Audit: Virtualize PCI-compliant Workloads with the Help of HyTrust and Trend Micro Deep Security HYTRUST AND TREND MICRO DEEP SECURITY TOC Contents Virtualization
Basics of Virtualisation Volker Büge Institut für Experimentelle Kernphysik Universität Karlsruhe Die Kooperation von The x86 Architecture Why do we need virtualisation? x86 based operating systems are
SecureTrack Supporting Compliance with PCI DSS 2.0 March 2012 www.tufin.com Table of Contents Introduction... 3 The Importance of Network Security Operations... 3 Supporting PCI DSS with Automated Solutions...
CS 695 Topics in Virtualization and Cloud Computing and Storage Systems Introduction Hot or not? source: Gartner Hype Cycle for Emerging Technologies, 2014 2 Source: http://geekandpoke.typepad.com/ 3 Cloud
ILLUMIO ADAPTIVE SECURITY PLATFORM TM HIGHLIGHTS Security with Intelligence Illumio ASP is powered by the breakthrough PCE. The PCE contextualizes all traffic flows, services, and processes on application
HP Data Protector software Assuring Business Continuity in Virtualised Environments Would not it be great if your virtual server environment actually translated to a better reality? One where you could
Can PCI DSS compliance be achieved in a cloud environment? Durkin, Patrick Student number:100647746 Supervisor: Geraint Price Submitted as part of the requirements for the award of the MSc in Information
PCI Compliance and the Cloud: What You Can and What You Can t Outsource Presented By: Peter Spier Managing Director PCI and Risk Assurance Fortrex Technologies Agenda Instructor Biography Background On
Learn the essentials of virtualization security White Paper Table of Contents 3 Introduction 4 Hypervisor connectivity and risks 4 Multi-tenancy risks 5 Management and operational network risks 5 Storage
Virtualization Dr. Yingwu Zhu What is virtualization? Virtualization allows one computer to do the job of multiple computers. Virtual environments let one computer host multiple operating systems at the