1. PCI-DSS Compliant Cloud - Design & Architecture Best Practices
Session ID: SEC2484
Track: Cloud Infrastructure: Security and Compliance
Moderator: Hemma Prafullchandra, HyTrust
Panelists: Allan MacPhee, Trend Micro; Tom McAndrew, Coalfire; Davi Ottenheimer, VMware; Ken Owens, Savvis
2. PCI DSS 2.0 & Virtualization Information Supplement
DSS 2.0 (released 10/2010) clarified that CDE system components can be physical or virtual
Virtualization Guidance Information Supplement (released 6/2011) provides an overview of the different classes of virtualization as applicable to the payment chain, key risks and challenges, scoping, a set of recommendations on how best to virtualize the CDE, and finally a set of testing procedures for specific PCI DSS requirements that need further consideration given the use of virtualization
Brief discussion of mixed mode and use of cloud computing: take a risk-based approach and work with your QSA/card brand to determine what is adequate

3. The NIST Cloud Definition Framework
Deployment Models: Hybrid Clouds
Service Models: Software as a Service (SaaS), Platform as a Service (PaaS), Infrastructure as a Service (IaaS)
Essential Characteristics: On Demand Self-Service, Broad Network Access, Rapid Elasticity, Resource Pooling, Measured Service
Common Characteristics: Massive Scale, Resilient Computing, Homogeneity, Geographic Distribution, Virtualization, Service Orientation, Low Cost Software, Advanced Security

4. PCI Info Supp Recommendations
1. Hypervisor is ALWAYS in scope if it hosts a guest VM that is in scope; PCI controls apply to the hypervisor and the virtual management components
2. One function per server: VMs are treated in a manner consistent with their physical counterparts
3. Separation of duty: enforce least privilege where possible with RBAC; audit administrative operations
4. Mixing VMs of different trust levels: the conservative approach is that all VMs (CDE and non-CDE) on the shared hypervisor are in scope; work with your QSA on de-scoping options and best practices

5. PCI Info Supp Recommendations
5. Dormant VMs and VM snapshots: new and unique to virtualized environments; treat them in the same manner as data backups. Recognize that VMs being brought back online may be vulnerable (missing patches, stale AV pattern files, etc.)
6. Immaturity of monitoring solutions: traditional monitoring tools need to be supplemented with virtualization-aware tools that provide greater visibility into virtualization activity
7. Information leakage: the increased risk of information leakage between logical network segments and components requires virtualization-aware tools that provide greater visibility into virtualization activity

6. PCI Info Supp Recommendations
8. Defense in depth: the dynamic nature and mobility of VMs require virtualization-specific security tools and approaches; ideally, VMs are self-defending regardless of state or location
9. VM & hypervisor hardening: harden hypervisors based on vendor best practices; apply hypervisor and guest VM patches regularly (e.g. within 30 days); use integrity monitoring software to detect unauthorized changes; collect and review log files diligently
10. Cloud computing: cloud providers must provide customers with proof of what was included in the scope of their PCI DSS assessment and what was not in scope; the customer is responsible for ensuring that security controls not covered by the cloud provider are in place and managed appropriately

7. Scoping & Responsibility
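The scoping rules in recommendations 1, 4 and 5 above, together with the VM mobility point in recommendation 8, can be applied mechanically to an inventory. The following is an added example, not code from the panel deck or from any of the vendors on it: it propagates PCI scope from the CDE VMs to hypervisors, management components and snapshots, and shows how far the conservative mixed-trust reading widens scope when VMs are allowed to move between hosts. The inventory, the host/VM/component names and the assumption that a VM is "hosted" on every hypervisor it may be migrated to are all constructed for the example.

```python
"""Propagate PCI DSS scope across a virtualized inventory.

Added example, not code from the panel deck or from any vendor on it.
Rules encoded (numbering follows the Info Supp recommendations on the
slides):
  1. a hypervisor hosting an in-scope VM is in scope, as are the
     management components that administer that hypervisor;
  4. conservative mixed-trust reading: every VM on an in-scope
     hypervisor is in scope;
  5. snapshots and dormant images of an in-scope VM are in scope, the
     same way backups of CDE data are;
  8. mobility: a VM counts as hosted on every hypervisor it may be moved
     to, not only the one it runs on now (an assumption of this example).
All host, VM and component names are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass
class Inventory:
    vm_hosts: dict[str, set[str]]      # VM -> hypervisors it may run on
    cde_vms: set[str]                  # VMs that store/process/transmit CHD
    mgmt_of_host: dict[str, set[str]]  # hypervisor -> management components
    snapshot_of: dict[str, str]        # snapshot/dormant image -> source VM


@dataclass
class Scope:
    vms: set[str] = field(default_factory=set)
    hosts: set[str] = field(default_factory=set)
    mgmt: set[str] = field(default_factory=set)
    snapshots: set[str] = field(default_factory=set)


def compute_scope(inv: Inventory, conservative: bool = True) -> Scope:
    """Return the in-scope system components.

    conservative=True gives the supplement's conservative reading.  With
    False only the CDE VMs, their hypervisors, management components and
    snapshots are in scope, which is what you would argue for with your
    QSA once isolation between trust levels can be demonstrated.
    """
    scope = Scope(vms=set(inv.cde_vms))
    # Mobility makes scoping transitive: an in-scope VM pulls in every host
    # it can land on, and (conservatively) every VM on those hosts pulls in
    # *its* possible hosts, so iterate until nothing new is added.
    while True:
        before = (len(scope.vms), len(scope.hosts))
        for vm in list(scope.vms):                      # rule 1
            scope.hosts |= inv.vm_hosts.get(vm, set())
        if conservative:                                # rule 4
            for vm, hosts in inv.vm_hosts.items():
                if hosts & scope.hosts:
                    scope.vms.add(vm)
        if (len(scope.vms), len(scope.hosts)) == before:
            break
    for host in scope.hosts:                            # rule 1, mgmt plane
        scope.mgmt |= inv.mgmt_of_host.get(host, set())
    # A management component shared with out-of-scope hosts is itself in
    # scope; whether it drags those hosts in is a de-scoping question for
    # the QSA, so it is deliberately not propagated here.
    for snap, src in inv.snapshot_of.items():           # rule 5
        if src in scope.vms:
            scope.snapshots.add(snap)
    return scope


# Constructed inventory: the payment web tier may vMotion across esx-1 and
# esx-2, a non-CDE intranet VM shares esx-2 and may move to esx-3, and the
# HR application lives on a separately managed host.
EXAMPLE = Inventory(
    vm_hosts={
        "web-pay": {"esx-1", "esx-2"},
        "db-pan": {"esx-1"},
        "intranet": {"esx-2", "esx-3"},
        "build-srv": {"esx-3"},
        "hr-app": {"esx-4"},
    },
    cde_vms={"web-pay", "db-pan"},
    mgmt_of_host={
        "esx-1": {"vcenter-prod"}, "esx-2": {"vcenter-prod"},
        "esx-3": {"vcenter-prod"}, "esx-4": {"vcenter-corp"},
    },
    snapshot_of={
        "web-pay-2011-05": "web-pay",
        "intranet-dormant": "intranet",
        "hr-app-gold": "hr-app",
    },
)

if __name__ == "__main__":
    for mode in (True, False):
        s = compute_scope(EXAMPLE, conservative=mode)
        print(f"conservative={mode}")
        for kind in ("vms", "hosts", "mgmt", "snapshots"):
            print(f"  {kind:9} {sorted(getattr(s, kind))}")
```

In the conservative run the non-CDE intranet VM is pulled in because it shares esx-2, and because it may migrate to esx-3 that host and the build server on it follow, even though no cardholder data ever touches them; the dormant intranet image is then in scope as well. In the non-conservative run only the two CDE VMs are in scope, but esx-2 and vcenter-prod still are, which is exactly the mixed-mode situation the deck says to take to your QSA.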
8. Panelists
Ken Owens, Vice President of Security & Virtualization Technologies, Savvis
Allan MacPhee, Senior Product Manager, Trend Micro
Davi Ottenheimer, Security & Compliance Architect/Consultant, VMware
Tom McAndrew, Vice President of Professional Services, Coalfire

9. Why are you here?
How many of you are governed by PCI?
How many of you are already using virtualization/private cloud for a PCI CDE?
How many of you are planning to use public cloud?
Anybody passed a PCI assessment with use of cloud (or partial use of cloud)? What type of cloud? Which vendor? Who was the assessor?

10. Discussion
What are the characteristics of a cloud that make PCI compliance difficult?
Can a shared cloud environment even be PCI compliant?
What does it mean when your cloud provider tells you that they are PCI certified?
What areas should your cloud provider be responsible for?
What are the key questions you should ask your cloud provider to understand the scope of the PCI certification achieved?
How does a merchant figure out what the shared responsibility split is in detail?
If my environment is already PCI compliant and I want to just extend a single tier to a public cloud, what should I be concerned about?

11. Discussion
What is the best way to involve my QSA in these discussions?
What resources can I use to help me plan for and use cloud computing for my CDE?
Policy, People, Process, Technology

12. Key Guidance: PCI Compliance in Virtualized Environments (on-premise)
Virtualization increases the risk and complexity of PCI compliance; engage your QSA early to streamline the audit process
Look beyond traditional security vendors for solutions that address virtualization-specific requirements (hypervisor/VM controls)
View virtualization as an opportunity to improve your current processes (e.g. reporting, monitoring, inter-VM controls) and achieve objectives that you always wanted in physical environments but could not afford or were restricted from by legacy infrastructure
Embrace virtualization with a virtualization-by-default approach and build compliance into the default mode of operation

13. Key Guidance: PCI Compliance in the Cloud
Compliance is possible, but it takes the right cloud provider
Compliance is a shared responsibility; there is no magic bullet
Understand the details & scope of your cloud provider's PCI certification
Work with your QSA to create a strategy for addressing the remaining required PCI controls
Cloud compliance requires elastic and automated VM security and persistence of machine data for audit and forensics
Create a strategy for cloud compliance: start with virtualized on-premise and dedicated hosting environments, then evolve and apply these controls to cloud environments

14. Useful Resources
www.pcisecuritystandards.org
www.coalfiresystems.com
www.hytrust.com/pci
www.savvis.net
http://us.trendmicro.com/us/solutions/enterprise/security-solutions/compliance/
http://www.vmware.com/solutions/datacenter/cloud-security-compliance/unified-framework.html
Just Published: PCI-compliant Cloud Reference Architecture

15. Thank You