PCI Compliance in Cloud

Editor's Notes

• #5: When it comes to handling sensitive consumer data, PCI DSS make sure we’re all on the same page. PCI DSS stands for Payment Card Industry Data Security Standard, and it provides security guidelines for any business that processes, stores or transmits payment card account data. These guidelines were originally established jointly by the top 5 card issuers: American Express, Discover Financial Services, JCB International, MasterCard Worldwide, and Visa Inc. The guidelines are maintained and monitored by a non-profit agency watchdog called the PCI Security Standards Council, or PCI SSC.
• #6: When it comes to handling sensitive consumer data, PCI DSS make sure we’re all on the same page. PCI DSS stands for Payment Card Industry Data Security Standard, and it provides security guidelines for any business that processes, stores or transmits payment card account data. These guidelines were originally established jointly by the top 5 card issuers: American Express, Discover Financial Services, JCB International, MasterCard Worldwide, and Visa Inc. The guidelines are maintained and monitored by a non-profit agency watchdog called the PCI Security Standards Council, or PCI SSC.
• #7: When it comes to handling sensitive consumer data, PCI DSS make sure we’re all on the same page. PCI DSS stands for Payment Card Industry Data Security Standard, and it provides security guidelines for any business that processes, stores or transmits payment card account data. These guidelines were originally established jointly by the top 5 card issuers: American Express, Discover Financial Services, JCB International, MasterCard Worldwide, and Visa Inc. The guidelines are maintained and monitored by a non-profit agency watchdog called the PCI Security Standards Council, or PCI SSC.
• #9: When it comes to handling sensitive consumer data, PCI DSS make sure we’re all on the same page. PCI DSS stands for Payment Card Industry Data Security Standard, and it provides security guidelines for any business that processes, stores or transmits payment card account data. These guidelines were originally established jointly by the top 5 card issuers: American Express, Discover Financial Services, JCB International, MasterCard Worldwide, and Visa Inc. The guidelines are maintained and monitored by a non-profit agency watchdog called the PCI Security Standards Council, or PCI SSC.
• #10: Moving data storage to the cloud can bring tremendous benefits…the question is, how do you protect that data? How do you apply traditional PCI DSS measures – things like segmentation, network-based firewalls and intrusion protection –when you don’t own or control the infrastructure?
• #11: We need to emphasize that the risk of security breaches is very real – and none of us are immune. It really is a little like the Wild West out there… Case in point: In early 2011, electronics giant Sony experienced one of the biggest breaches in history. Hackers stole names, birth dates and possibly credit card numbers for nearly 77 million people who played online video games through Sony’s PlayStation console. Breaches have also been experienced by Bank of America, Epsilon (a leading provider of email and multi-channel marketing services), clothing retailer TJ Maxx, and Heartland Payment Systems. And the news gets worse … experts say that hackers are increasingly targeting smaller companies, because they figure their security systems are weaker than the bigger, more sophisticated companies. So it’s critical to realize that every organization, of every size, has to accept that the risks to their sensitive data is very real.
• #12: Our goal here today is to show you how you can leverage all the advantages of cloud storage, without exposing your sensitive data to risk. In truth, the same PCI DSS security principles that apply to your traditional operations still apply to your cloud operations. Where things differ is in the actions you take to apply those principles. This is what we’re going to walk you through today.
• #13: In traditional environments, PCI DSS requires you to establish a perimeter of security around your data. Typically, as we mentioned a minute ago, we do this through segmentation, firewalls and intrusion protection. In the cloud, we can achieve the same perimeter effect by using what is called a “DMZ” server in conjunction with your internal server, established within an Amazon Virtual Private Cloud, or VPC. The Amazon VPC lets you partition a private, isolated section of the Amazon Web Services cloud, where you can launch your servers within a virtual network that you define. Within this virtual network, you can layer protection on top of your internal server by using what is called a DMZ server. This name comes from the term “demilitarized zone”, and just like a demilitarized zone, this server provides a layer of protection for your internal server which houses your internal local area network. The DMZ server, which may be protected by a border firewall, provides connectivity to the public and all of your external-facing services, while your user database and sensitive data are stored on your internal server. An internal firewall prevents your DMZ server and your internal server from communicating directly with each other. In the event of an attack, the DMZ server may be vulnerable – but your internal server will remain secure. So how does this really work? How we adapt the PCI DSS to achieve this compliant cloud?
• #14: Current PCI standards specify 12 requirements for compliance, organized into six related groups called “control objectives.” These same objectives and the same 12 requirements also apply to the cloud. (read the 12 requirements) Let’s walk through how to apply these 12 requirements to the cloud.
• #15: Firewalls are required in a cloud environment, just as they are in a non-cloud environment. If you have multiple cloud servers, such as an internal network server and a DMZ server, then you must ensure that your web servers are published on the DMZ cloud and that your databases containing cardholder data are published on your internal network cloud. Your cloud provider would then be responsible for providing firewall rule set attestations. If you have a flat cloud environment, such as Amazon Web Services, you are responsible for implementing software firewalls that achieve DMZ and internal cloud boundaries themselves.
• #16: From a configuration management perspective, both the cloud provider and you have distinct responsibilities. The cloud provider is responsible for proving that secure configurations are implements for the host/hypervisor environment, that is, the base platform hosting the virtual machines. The cloud provider must show this through a shareable Report on Compliance or by submitting to a client audit. You, the customer, are responsible for ensuring secure configuration exists within the cloud images of the operating systems.
• #17: Just as in a non-cloud environment, you are responsible for ensuring that any data you store is encrypted and protected.
• #18: Just as in a non-cloud environment, you are responsible for ensuring that any data being transmitted is encrypted.
• #19: Just as in a non-cloud environment, you are responsible for ensuring that all cloud images of operating systems have antivirus software installed.
• #20: Just as in a non-cloud environment, you are responsible for ensuring that all applications are developed in a secure manner and do not have any vulnerabilities, such as OWASP.
• #21: From an access control/user ID perspective, the cloud provider and you the customer each have distinct responsibilities. The cloud provider is responsible for proving that access control and user Ids have been implements for the host/hypervisor environment, that is, the base platform hosting the virtual machines. This must be demonstrated by a shareable Report on Compliance or by submitting to a client audit. You are responsible for access control within your cloud images of your operating systems.
• #22: The cloud provider is responsible for proving that physical security controls have been implemented for the location wither the host environment, that is, the base platform hosting the virtual machines, is physically located. This must be demonstrated by a shareable Report on Compliance or by submitting to a client audit.
• #23: From a logging perspective, both the cloud provider and you the customer have responsibilities. The cloud provider is responsible for proving that logging is appropriately implemented for the host/hypervisor environment, that is, the base platform hosting the virtual machines. This must be demonstrated by a shareable Report on Compliance or by submitting to a client audit. You are responsible for logging within the cloud images of the operating systems.
• #24: From a vulnerability management perspective, there are responsibilities for both the cloud provider and you the customer. The cloud provider must prove that vulnerabilities are assessed and removed appropriately for the host/hypervisor environment, that is, the base platform hosting the virtual machines. Again, this must be demonstrated through a shareable Report on Compliance or by submitting to a client audit. You are responsible for assessing the internal, external and application vulnerabilities within the cloud images of the operating systems.
• #25: From a policy and procedure perspective, again, there are cloud provider responsibilities and you the customer responsibilities. The cloud provider is responsible for proving that policies exist appropriately for the host/hypervisor environment, that is, the base platform hosting the virtual machines. This must be demonstrated by a shareable Report on Compliance or by submitting to a client audit. You are responsible for ensuring that policies address the security aspects specific to the applications being deployed in the virtual machine.
• #26: So that’s how you implement the existing 12 PCI DSS requirements in a cloud environment. Of course, we’ve only touched on the basics of how the requirement apply to the cloud. If you’d like help in developing and implementing the actual policies and procedures that will keep your organization PCI compliant, ControlCase is ready to help.
• #27: From a policy and procedure perspective, again, there are cloud provider responsibilities and you the customer responsibilities. The cloud provider is responsible for proving that policies exist appropriately for the host/hypervisor environment, that is, the base platform hosting the virtual machines. This must be demonstrated by a shareable Report on Compliance or by submitting to a client audit. You are responsible for ensuring that policies address the security aspects specific to the applications being deployed in the virtual machine.
• #29: ControlCase provides everything you need to achieve and maintain PCI compliance, all in one convenient one-stop-shop. We call this “Compliance as a Service” or CaaS. And we like to think of it as “PCI in a box.” Our services include: PCI training Web application security testing Logging and monitoring Penetration testing Internal vulnerability assessments Card data discovery ASV scans File integrity monitoring, and of course, PCI DSS certification
• #30: We saw this slide earlier, when we discussed how the compliant cloud works. We’d like to point out what the ControlCase compliant cloud looks like, by adding 2 important layers of monitoring. First, our Security Operations Center monitors logs from both your DMZ and your internal server, 24/7/365. Using advanced Security Information and Event Management software, we proactively provide real-time analysis of security alerts, and we involve your security team as needed. And second, each quarter, our CaaS Team conducts Internal Vulnerability Assessments and Penetration Testing. This requires that our team have access to 1 Windows server and 1 Linux server within your private cloud during testing.
• #31: So why choose ControlCase? Only ControlCase has the global reach – with more than 200 clients in 15 countries and growing rapidly – and the certified resources – we are a PCI DSS Qualified Security Assessor, a QSA for Point-to-Point Encryption, and a Certified ASV vendor. We provide you with a broad portfolio of highly reliable turnkey CaaS solutions at a significant cost savings to you. We bring a blend of cloud-based and software-based automation and managed services to help you address regulations such as PCI DSS, Sarbanes Oxley, HIPAA, and the Gramm-Leach Billey Act. And we’d love to talk with you about the security and compliance challenges you face.
• #32: To learn more about PCI compliance, visit us at www.ControlCase.com, or call us at 1.703.483.6383 if you’re in the U.S., or 9820293399 if you’re in India. We look forward to talking with you!