PCI-DSS Compliant Cloud - Design & Architecture Best Practices
- 1. PCI-DSS Compliant Cloud - Design & Architecture Best Practices Session ID: SEC2484 Track: Cloud Infrastructure: Security and Compliance Moderator: Hemma Prafullchandra, HyTrust Panelists: Allan MacPhee, Trend Micro • Tom McAndrew, Coalfire • Davi Ottenheimer, VMware • Ken Owens, Savvis 1
- 2. PCI DSS 2.0 & Virtualization Information Supplement DSS 2.0 (released 10/2010) clarified that CDE system components can be physical or virtual Virtualization Guidance Information Supplement (released 6/2011) provides an overview of different classes of virtualization as applicable to payment chain, key risks and challenges, scoping, set of recommendations of how best to virtualize CDE, and finally a set of testing procedures for specific PCI DSS requirements that need further considerations given use of virtualization Brief discussion on mixed mode and use of cloud computing: take risk based approach and work with your QSA/card brand to determine what is adequate 2
- 3. The NIST Cloud Definition Framework Hybrid Clouds Deployment Models Software as a Service (SaaS) Service Platform as a Service (PaaS) Models Infrastructure as a Service (IaaS) On Demand Self-Service Essential Broad Network Access Rapid Elasticity Characteristics Resource Pooling Measured Service Massive Scale Resilient Computing Common Homogeneity Geographic Distribution Characteristics Virtualization Service Orientation Low Cost Software Advanced Security 3
- 4. PCI Info Supp Recommendations 1. Hypervisor is ALWAYS in-scope if it hosts a guest-VM that is in- scope • PCI controls apply to hypervisor and virtual management components 2. One function per server • VMs treated in a manner consistent with their physical counterparts 3. Separation of duty • Enforce least privilege where possible with RBAC • Audit administrative operations 4. Mixing VM’s of different trust levels • Conservative approach: all VMs (CDE and non-CDE) are in scope • Work with your QSA on de-scoping options and best practices 4
- 5. PCI Info Supp Recommendations 5. Dormant VMs and VM snapshots • New and unique to virtualized environments, treat in same manner as data backups • Recognize that VMs being brought back online may be vulnerable (missing patches, stale AV pattern files, etc.) 6. Immaturity of monitoring solutions • Traditional monitoring tools need to be supplemented with “virtualization- aware” tools that provide greater visibility into virtualization activity 7. Information leakage • Increased risk of information leakage between logical network segments and components require “virtualization-aware” tools that provide greater visibility into virtualization activity 5
- 6. PCI Info Supp Recommendations 8. Defense in depth • Dynamic nature and mobility of VMs require virtualization specific security tools and approaches • Ideally, VMs are self-defending regardless of state or location 9. VM & Hypervisor Hardening • Harden hypervisors based upon vendor best practices • Apply hypervisor & guest VM patches regularly (e.g. within 30 days) • Use integrity monitoring software to detect unauthorized changes • Collect and review log files diligently 10. Cloud Computing • Cloud providers must provide customers with proof of what was included in the scope of their PCI DSS assessment and what was not in scope • The ‘customer’ is responsible to ensure security controls not covered by the cloud provider are in place and managed appropriately 6
- 8. Panelists Ken Owens Allan MacPhee Vice President of Security & Senior Product Manager, Virtualization Technologies, Trend Micro Savvis Davi Ottenheimer Tom McAndrew Security & Compliance Architect/ Vice President of Professional Consultant, Services, Coalfire VMware 8
- 9. Why are you here? How many of you are governed by PCI? How many of you are already using virtualization/private cloud for PCI CDE? How many of you are planning to use public cloud? Anybody passed a PCI assessment with use of cloud (or partial use of cloud)? • What type of cloud? • Which vendor? • Who was the assessor? 9
- 10. Discussion What are the characteristics of a cloud that make PCI compliance difficult? Can a shared cloud environment even be PCI compliant? What does it mean when your cloud provider tells you that they are PCI certified? • What areas should your cloud provider be responsible for? • What are the key questions you should ask your cloud provider to understand the scope of PCI certification achieved? • How does a merchant figure out what the shared responsibility split is in detail? If my environment is already PCI compliant and I want to just extend a single tier to a public cloud, what should I be concerned about? 10
- 11. Discussion What is the best way to involve my QSA in these discussions? What resources can I use to help me plan for and use cloud computing for my CDE? • Policy, People, Process, Technology 11
- 12. Key Guidance PCI Compliance in Virtualized environments (on-premise) Virtualization increases the risk and complexity of PCI compliance, engage your QSA early to streamline the audit process Look beyond traditional security vendors for solutions that address virtualization specific requirements (hypervisor/VM controls) View virtualization as an opportunity to improve your current processes – i.e. reporting, monitoring, inter-VM controls, etc. and achieve objectives that you always wanted in physical environments but could not afford or were restricted by legacy infrastructure Embrace virtualization with a virtualization by default approach and build compliance into the default mode of operation 12
- 13. Key Guidance PCI Compliance in the Cloud Compliance is possible, but it takes the right cloud provider Compliance is a shared responsibility, there is no magic bullet • Understand the details & scope of your cloud provider’s PCI certification • Work with your QSA to create a strategy for addressing the remaining required PCI controls Cloud compliance requires elastic and automated VM security and persistence of machine data for audit and forensics Create a strategy for Cloud compliance • Start with virtualized on premise and dedicated hosting environments • Evolve and apply these controls to cloud environments 13
- 14. Useful Resources www.pcisecuritystandards.org www.coalfiresystems.com www.hytrust.com/pci www.savvis.net http://us.trendmicro.com/us/solutions/enterprise/security-solutions/compliance/ http://www.vmware.com/solutions/datacenter/cloud-security-compliance/unified- framework.html Just Published: PCI-compliant Cloud Reference Architecture 14
- 15. Thank You 15