There Is No Spoon: Compliance & Privacy in
the Cloud
Michael Dahn, MSIA, CISSP
Friday, November 20, 2009
Which Cloud do you mean?
Compliance Cloud
Technical Cloud
Compliance Cloud
CA, MA, MN, FL, ...
Technical Cloud
• SPI Model: Software, Platform, Infrastructure
✓*aaS (Something* as a Service)
What is Compliance?
Compliance vs Validation
• Compliance is a state of being, like auto insurance: you need to have it continuously
• Validation is proof of compliance you do annually
Compliance vs Security
“The Payment Card Industry (PCI) Data Security Standard (DSS) was developed to encourage and enhance cardholder data security and facilitate the broad adoption of consistent data security measures globally.”
Myth 4 - PCI Will Make Us Secure
Successful completion of a system scan or assessment for PCI is but a snapshot in time. Security exploits are non-stop and get stronger every day, which is why PCI compliance efforts must be a continuous process of assessment and remediation to ensure safety of cardholder data.
Compliant until you're compromised...
the “Singularity”
• “When falls the Coliseum, Rome shall fall; And when Rome falls--the World” - Lord Byron
• If someone dies wearing a seat belt, does that make them useless?
Risk & Transference
• #1 Question everyone has: Liability?
• “You can outsource the work, but you cannot outsource the responsibility”
• Cloud-sourcing does not transfer risk
There is No Spoon
• Can any firewall be used to segment a network?
✓No! Only a properly configured firewall
• Can any Cloud be used and achieve compliance?
✓Maybe... if considerations are made
• Think beyond technology, checklists, and compliance. Think Risk.
Problem List
Problems: PCI DSS
• Requirement 2.2.1: when creating baseline configuration standards “only one primary function per server”
✓Virtualization?
✓Cloud?
✓WAF in the cloud?
• Requirement 11.2 - ASV Scans
Problems: Service Level Agreement
• Uptime/Availability? Yes’ish
• Security? No.
• Compliance? No.
• Assurance of data integrity? No.
Problems: Image Sprawl
• First rule of fight club? Find your data!
• Second rule of fight club? Find your data (no really)!
• Always “ask twice” - how it works? fails?
• Now assume everything moves
12% month-over-month growth of Amazon Machine Images (AMI) in 2008
Problems: Audit Logging
• Goals:
✓Alert on suspicious activity? Yes
✓Facilitate a forensic investigation? Maybe
• Are the logs backed up?
• Are they accessible 12-18 months later?
✓What if the server is no longer there?
Problems: Forensic Issues
• During peak retail months systems are scaled up and then down
• Fraud patterns have a lead time of 12-18 months
• How do you forensically examine a ‘ghost’ server?
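The audit-logging and forensic questions on the two slides above (are the logs backed up, are they reachable 12-18 months later, what if the server is gone?) can be turned into a routine check over an asset inventory and a log-archive index. This is an added example, not material from the talk; the inventory, the archive index and the 548-day retention figure are constructed assumptions.

```python
from datetime import date, timedelta

# Assumption drawn from the talk's "12-18 month" fraud lead time: log copies
# must remain reachable for 18 months (approximated as 548 days) after the
# server that produced them is gone.
RETENTION_DAYS = 548

# Constructed sample inventory (not real servers): when each instance lived.
INSTANCES = [
    {"id": "web-01", "launched": date(2009, 10, 1), "terminated": date(2009, 12, 31)},
    {"id": "web-02", "launched": date(2009, 11, 15), "terminated": date(2009, 12, 31)},
    {"id": "db-01", "launched": date(2009, 9, 1), "terminated": date(2009, 12, 31)},
    {"id": "web-03", "launched": date(2009, 11, 20), "terminated": date(2009, 12, 31)},
]

# Constructed sample log-archive index: which instance's logs were shipped off
# the box, the dates they cover, and when the archived copy will be purged.
LOG_ARCHIVE = [
    {"instance": "web-01", "first": date(2009, 10, 1), "last": date(2009, 12, 31), "purge": date(2011, 12, 31)},
    {"instance": "web-02", "first": date(2009, 12, 1), "last": date(2009, 12, 31), "purge": date(2011, 12, 31)},
    {"instance": "db-01", "first": date(2009, 9, 1), "last": date(2009, 12, 31), "purge": date(2010, 3, 31)},
]


def archive_gaps(instances, archive, retention_days=RETENTION_DAYS):
    """Return (instance_id, problem) pairs for servers whose logs could not
    support an investigation that starts months after they were scaled down."""
    retention = timedelta(days=retention_days)
    by_instance = {entry["instance"]: entry for entry in archive}
    gaps = []
    for inst in instances:
        entry = by_instance.get(inst["id"])
        if entry is None:
            # The "ghost server": the box is gone and nothing was copied off it.
            gaps.append((inst["id"], "no off-box log archive"))
            continue
        if entry["first"] > inst["launched"] or entry["last"] < inst["terminated"]:
            gaps.append((inst["id"], "archive does not cover the whole lifetime"))
        if entry["purge"] < inst["terminated"] + retention:
            gaps.append((inst["id"], "archive purged before the fraud lead time"))
    return gaps


if __name__ == "__main__":
    for instance_id, problem in archive_gaps(INSTANCES, LOG_ARCHIVE):
        print(f"{instance_id}: {problem}")
```

Run against the sample data it flags web-02 (archive starts after launch), db-01 (archive purged too early) and web-03 (no archive at all), while web-01 passes.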
Problems: Third-Party Access
• People you give data to
• People you give access to data
• People who have access to your data
Who has Remote admin on my server?
Maintain a written agreement that includes an acknowledgement that the service providers are responsible for the security of cardholder data the service providers possess.
... monitor service providers! PCI DSS compliance status.
Problems: Data Destruction
• Where do the following go?
✓Failed hard drive
✓Deleted VM
Who owns the data? You or your cloud?
Problems: Backup?
• Who is backing up?
• How is it backed up?
• Where do the backups go?
✓Offsite to a third-party? New scope/contract
Conclusion
• Cloud Compliance is possible, but not probable... until the services evolve
• Cloud gives you scalability, but not security... unless you bake it in
Thank You
• Questions?
• Contact Mike Dahn?