PCI-DSS Compliant Cloud - Design & Architecture Best Practices

Jan 22, 2015

HyTrust

Transcript
1. PCI-DSS Compliant Cloud - Design & Architecture Best Practices
   Session ID: SEC2484
   Track: Cloud Infrastructure: Security and Compliance
   Moderator: Hemma Prafullchandra, HyTrust
   Panelists: Allan MacPhee, Trend Micro; Tom McAndrew, Coalfire; Davi Ottenheimer, VMware; Ken Owens, Savvis

2. PCI DSS 2.0 & Virtualization Information Supplement
   - DSS 2.0 (released 10/2010) clarified that CDE system components can be physical or virtual.
   - The Virtualization Guidance Information Supplement (released 6/2011) provides an overview of the different classes of virtualization as applicable to the payment chain, key risks and challenges, scoping, a set of recommendations on how best to virtualize the CDE, and finally a set of testing procedures for specific PCI DSS requirements that need further consideration given the use of virtualization.
   - Brief discussion of mixed mode and the use of cloud computing: take a risk-based approach and work with your QSA/card brand to determine what is adequate.

3. The NIST Cloud Definition Framework (diagram)
   - Deployment Models: Hybrid Clouds
   - Service Models: Software as a Service (SaaS), Platform as a Service (PaaS), Infrastructure as a Service (IaaS)
   - Essential Characteristics: On Demand Self-Service, Broad Network Access, Rapid Elasticity, Resource Pooling, Measured Service
   - Common Characteristics: Massive Scale, Resilient Computing, Homogeneity, Geographic Distribution, Virtualization, Service Orientation, Low Cost Software, Advanced Security

4. PCI Info Supp Recommendations
   1. Hypervisor is ALWAYS in scope if it hosts a guest VM that is in scope: PCI controls apply to the hypervisor and virtual management components.
   2. One function per server: VMs are treated in a manner consistent with their physical counterparts.
   3. Separation of duty: enforce least privilege where possible with RBAC; audit administrative operations.
   4. Mixing VMs of different trust levels: the conservative approach is that all VMs (CDE and non-CDE) are in scope; work with your QSA on de-scoping options and best practices.

5. PCI Info Supp Recommendations
   5. Dormant VMs and VM snapshots: new and unique to virtualized environments, treat them in the same manner as data backups. Recognize that VMs being brought back online may be vulnerable (missing patches, stale AV pattern files, etc.).
   6. Immaturity of monitoring solutions: traditional monitoring tools need to be supplemented with virtualization-aware tools that provide greater visibility into virtualization activity.
   7. Information leakage: the increased risk of information leakage between logical network segments and components requires virtualization-aware tools that provide greater visibility into virtualization activity.

6. PCI Info Supp Recommendations
   8. Defense in depth: the dynamic nature and mobility of VMs require virtualization-specific security tools and approaches. Ideally, VMs are self-defending regardless of state or location.
   9. VM & hypervisor hardening: harden hypervisors based upon vendor best practices; apply hypervisor and guest VM patches regularly (e.g. within 30 days); use integrity monitoring software to detect unauthorized changes; collect and review log files diligently.
   10. Cloud computing: cloud providers must provide customers with proof of what was included in the scope of their PCI DSS assessment and what was not in scope. The customer is responsible for ensuring that security controls not covered by the cloud provider are in place and managed appropriately.

7. Scoping & Responsibility

8. Panelists
   - Ken Owens, Vice President of Security & Virtualization Technologies, Savvis
   - Allan MacPhee, Senior Product Manager, Trend Micro
   - Davi Ottenheimer, Security & Compliance Architect/Consultant, VMware
   - Tom McAndrew, Vice President of Professional Services, Coalfire

9. Why are you here?
   - How many of you are governed by PCI?
   - How many of you are already using virtualization/private cloud for the PCI CDE?
   - How many of you are planning to use public cloud?
   - Has anybody passed a PCI assessment with use of cloud (or partial use of cloud)? What type of cloud? Which vendor? Who was the assessor?

10. Discussion
   - What are the characteristics of a cloud that make PCI compliance difficult?
   - Can a shared cloud environment even be PCI compliant?
   - What does it mean when your cloud provider tells you that they are PCI certified?
   - What areas should your cloud provider be responsible for?
   - What are the key questions you should ask your cloud provider to understand the scope of PCI certification achieved?
   - How does a merchant figure out what the shared responsibility split is in detail?
   - If my environment is already PCI compliant and I want to just extend a single tier to a public cloud, what should I be concerned about?

11. Discussion
   - What is the best way to involve my QSA in these discussions?
   - What resources can I use to help me plan for and use cloud computing for my CDE? Policy, People, Process, Technology

12. Key Guidance: PCI Compliance in Virtualized Environments (on-premise)
   - Virtualization increases the risk and complexity of PCI compliance; engage your QSA early to streamline the audit process.
   - Look beyond traditional security vendors for solutions that address virtualization-specific requirements (hypervisor/VM controls).
   - View virtualization as an opportunity to improve your current processes (reporting, monitoring, inter-VM controls, etc.) and achieve objectives that you always wanted in physical environments but could not afford or were restricted by legacy infrastructure.
   - Embrace virtualization with a virtualization-by-default approach and build compliance into the default mode of operation.

13. Key Guidance: PCI Compliance in the Cloud
   - Compliance is possible, but it takes the right cloud provider.
   - Compliance is a shared responsibility; there is no magic bullet.
   - Understand the details and scope of your cloud provider's PCI certification.
   - Work with your QSA to create a strategy for addressing the remaining required PCI controls.
   - Cloud compliance requires elastic and automated VM security and persistence of machine data for audit and forensics.
   - Create a strategy for cloud compliance: start with virtualized on-premise and dedicated hosting environments, then evolve and apply these controls to cloud environments.

14. Useful Resources
   - www.pcisecuritystandards.org
   - www.coalfiresystems.com
   - www.hytrust.com/pci
   - www.savvis.net
   - http://us.trendmicro.com/us/solutions/enterprise/security-solutions/compliance/
   - http://www.vmware.com/solutions/datacenter/cloud-security-compliance/unified-framework.html
   - Just Published: PCI-compliant Cloud Reference Architecture

15. Thank You
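Recommendations 1, 4 and 5 of the Info Supplement slides (hypervisor in scope when it hosts an in-scope VM, conservative treatment of mixed-trust hosts, snapshots and dormant VMs handled like backups) amount to a scope-propagation rule; the following Python is an added example, not part of the deck or any panelist's tooling, that applies that rule to a constructed inventory with hypothetical host, VM and management-component names.

```python
from dataclasses import dataclass, field

@dataclass
class VM:
    name: str
    host: str                    # hypervisor the VM runs on
    cde: bool                    # stores, processes or transmits cardholder data
    snapshots: list = field(default_factory=list)
    powered_on: bool = True      # False = dormant VM (recommendation 5)

# Constructed inventory: esx-a hosts mixed trust levels, esx-b hosts only non-CDE VMs.
INVENTORY = [
    VM("pay-db-01", host="esx-a", cde=True, snapshots=["pay-db-01-snap-2015-01"]),
    VM("web-intra", host="esx-a", cde=False),                    # co-tenant of CDE VMs
    VM("old-pay-app", host="esx-a", cde=True, powered_on=False),  # dormant CDE VM
    VM("hr-portal", host="esx-b", cde=False),
]
# Virtual management components per hypervisor (hypothetical names).
MANAGEMENT = {"esx-a": ["vcenter-01"], "esx-b": ["vcenter-01"]}

def compute_scope(vms, management, conservative=True):
    """Return in-scope components grouped by the recommendation that pulls them in.

    Rec. 1: a hypervisor and its management components are in scope if they host any in-scope VM.
    Rec. 4: mixed trust levels; conservative=True treats every co-tenant VM as in scope,
            conservative=False models a QSA-approved de-scoping (only CDE VMs count).
    Rec. 5: snapshots of in-scope VMs are treated like data backups; dormant in-scope
            VMs are listed so they can be patched before being brought back online.
    """
    scope = {"vms": set(), "hypervisors": set(), "management": set(),
             "snapshots": set(), "dormant": set()}
    for vm in vms:
        if vm.cde:
            scope["vms"].add(vm.name)
            scope["hypervisors"].add(vm.host)        # Rec. 1
    if conservative:                                 # Rec. 4
        scope["vms"].update(vm.name for vm in vms if vm.host in scope["hypervisors"])
    for hv in scope["hypervisors"]:
        scope["management"].update(management.get(hv, []))
    for vm in vms:                                   # Rec. 5
        if vm.name in scope["vms"]:
            scope["snapshots"].update(vm.snapshots)
            if not vm.powered_on:
                scope["dormant"].add(vm.name)
    return scope

if __name__ == "__main__":
    for category, items in compute_scope(INVENTORY, MANAGEMENT).items():
        print(f"{category:12s} {sorted(items)}")
```

Running it shows that the non-CDE web-intra VM and the vcenter-01 management component land in scope purely because they share esx-a with CDE VMs, while hr-portal on esx-b stays out; switching conservative=False shows what a QSA-approved de-scoping removes.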