Transcription
ACHIEVING PCI COMPLIANCEBest Practices working with your Cloud ProviderMatthew Heap, Head of Solution Architecture
WHAT IS PCI-DSSIt’s a Data Security Standard that applies to all entitiesthat store, process, and/or transmit cardholder data. Itcovers technical and operational system componentsincluded in or connected to cardholder data.There are three ongoing stepsAssess - identifying all locations of cardholder data, taking an inventory of your IT assetsand business processes for payment card processing and analyzing them forvulnerabilities that could expose cardholder data.Repair - fixing identified vulnerabilities, securely removing any unnecessary cardholderdata storage, and implementing secure business processes.Report - documenting assessment and remediation details, and submitting compliancereports to the acquiring bank and card brands you do business with.3
PCI DATA SECURITY STANDARD – High Level OverviewBuild and Maintain aSecure Network andSystemsProtect Cardholder DataMaintain a VulnerabilityManagement Program1Install and maintain a firewall configuration to protect cardholder data2Do not use vendor-supplied defaults for system passwords and other security parameters34Protect stored cardholder dataEncrypt transmission of cardholder data across open, public networks5Protect all systems against malware and regularly update anti-virus software or programs6Develop and maintain secure systems and applications7Restrict access to cardholder data by business need to knowImplement Strong Access8Control Measures9Regularly Monitor and Test 10Networks11Maintain an InformationSecurity Policy12Identify and authenticate access to system componentsRestrict physical access to cardholder dataTrack and monitor all access to network resources and cardholder dataRegularly test security systems and processesMaintain a policy that addresses information security for all personnel4
SHORT HISTORY OF PCI-DSSPre-2001 – e-commerce relatively small - but breaches start to be detected ( 1.5bill in 2001)2001-04 – Each CC provide tries to go it aloneIntroduced in Dec 2004 - 1.0 – Backed 5 Major CC providers6 months later – 1st time to be compliant (many fail)1.1 released in Sep’ 2006 – Add WAF / Code review requirement2007 – Concerns about QSA’s, difficulty to comply, costs to comply2008 – PA-DSS Application Standards to help ISVs1.2 released – Big change to WIFI controls - millions of to fix2.0 No huge changes (add Virtualization guidance quickly after)3.0 release in Oct’2013All 3.2 Controls must be in place by Feb’20185
WHAT HAPPENS WHEN THINGS GO WRONG1984 TRW – 90 mill peoples credit data2006 TJX – 94 mill CC no. exposed2008 Heartland System 134 million CC lost (not discovered for 10 months)2011 Sony – 12 mil CC lost – 1st large publicized global breach2013 Target – 110 million CC lost2013 Adobe - 150 mill CC lost2014 Home Depot – 56 mill CC lostJul’2017 Equifax – 200k CC lost and growing (effected 45% of US citizen)Date of disclosure very different that the original breach6
KNOW YOUR DOCS (YOU & YOUR VENDORS)PCI-DSS Requirements and Security Assessment Produces (169 pages)The actual Standard to comply toAOC - Attestations of ComplianceSummary of Scope / Locations / Dates / Refers to the ROCROC - Report on ComplianceDetailed report on how the organization meets the PCI-DSSSAQ – Self Assessment Questionnaire – Aimed at small vendors7
Platform Risks& Best Practices
CLOUD COMPLIANCEIn a perfect world there would bea SaaS for every businessfunction you need, customizedprecisely how you need it, thatyou trusted and complied with allregulations. Life would be easy.9
AS-A-SERVICE DIFFERENTIATIONSAASPresentation ModalityThe lower down the stack the Cloudprovider stops, the more security theconsumer is tactically responsible forimplementing & managing.RFP / CONTRACTIT INDataMetadataContentIntegration & middlewareAPIsPAASIntegration & middlewareAPIsIAASAPIsBUILD IT INCore connectivity & deliveryCore connectivity & deliveryCore connectivity & ardwareHardwareFacilitiesFacilitiesFacilities10
WHAT IS THE SCOPE OF YOUR VENDORSo as PCI-DSS reports occurs on an annual basis, certain things will be missing from thescopeNew services (Azures release 2 new features a day)New locations (AWS’s 2018 Hong Kong Region)This doesn't mean the service cannot be compliant, but there is no evidence for a QSA toassess from the vendor to show that it is.Understand how they reply to important questions – Common response isCloud Vendor X is Service Provider that does not directly store, transmit or process any CHD.Requirement 3.4 is the likely the trickiest by customers / vendors – talk to your QSA11
WHAT IS YOUR RESPONSILBITYCertain controls will be 100% your will company responsible - Application CodingSome controls will be 100% Cloud Provider – Physical Security of Cloud ‘DC’ (AZ or Region)Some will be shared such as PaaS, Cloud Provider will be responsible for generating logsfrom the PaaS, Customer would be responsible to review and action themReview documents closely – As your QSA will know these requirements very well.12
VENDOR MANAGEMENT Inherited compliance and certificationso Scope mattersNot only PCI concerns Indemnification and Liability Limitso Differ amongst hyper-scalers Privacy (NDA, privacy policies) Data storage & data sovereignty (DPA, PrivacyShield)13
SHARED RESPONSIBILITY MODELCUSTOMERSCUSTOMER CONTENTCustomers areresponsible for theirsecurity and complianceIN the CloudPlatform, Applications, Identity & Access ManagementOperating System, Network & Firewall ConfigurationServer-side DataEncryptionClient-side DataEncryptionNetwork Traffic ProtectionFOUNDATION SERVICESComputeStorageDatabaseNetworkingAWS is responsible forthe security OFthe CloudGLOBALINFRASTRUCTUREAvailability ZonesEdge LocationsRegions14
PLATFORM SECURITY SETTINGSNumerous user controllable options governing cloud security. Define a corporate policy aroundappropriate settings, and ideally leverage tools which automatically check and report on a continualbasis.USER SECURITY SETTINGS Root account Root API Password Policy MFA VPC Encryption Insecure SGs / NACLs IAM Policies Object Storage Permissions15
IDENTITY AND FEDERATIONExternal identity management provides:ü Unified identity for cloud and on premise usersü Integration into existing starters/leavers processü Integration into corporate RBAC process (map toRoles)ü Sign-Sign On (MFA, UBA, etc.)16
INFRASTRUCTURE MATURITYSTEADY STATE DATACENTERHIGH-VELOCITY CLOUD DEPLOYMENTS Generally labeled as ‘Mode 1’ Generally labeled as ‘Mode 2’ Slowly changing applications with larger sets of changes perdeployment Also labeled as ‘DevOps’ in popular press Key feature is smaller, more rapid deployments driven by needto provide direct business value Less time-critical, business-focused need to change Often necessary due to competitive landscape in a line ofbusinessCHANGEMODE 2Systems ofInnovationSystems ofDifferentiationMODE 1Systems ofRecord -GOVERNANCE - Often seen in back-office applications17
MODE 1: SECURITYManual DeploymentsManual Patch Management & App UpdatesGoverned Under Change Control1System HardeningAgent Based SecurityVirtual Network Appliances18
MODE 2: SECURITYImmutable workloadsAMI builds / image factory / container registryUser-data bootstrappingAuto-inheritence of security policies2Auto-discovery via API and networkNo network chokepointsIdentifiers should not be IP address based19
NATIVE OR BRING YOUR OWNKey / Encryption Management Platform / Customer Managed KeysIAM Integration vs. Separate IdentitiesHSMNetwork Management Scale or visibility?Centralized vs. distributed control
GOVERNANCETaggingAccount & VPC segregationContinuous Integration / Continuous DeploymentCloud Access Security Broker (CASB) SaaS encryption, User Behavior Analytics / Compromised Credentials, DataLeak Protection21
ARCHITECTURAL PATTERNSü Management VPCü VPNü Bastion Hostsü NACLs & Security Groups22
WHY USE DATAPIPE FOR YOUR PCI NEEDS Compliant level 1 Service Provider since 2004 SOC staffed globally inc 3 staff in Hong Kong (Cantonese & Mandarin) Audited annually by a Qualified Security Assessor (QSA) Achieved PCI DSS 3.0 validation in December 2014 Participating Organization in the Security Standards Council PCI compliance package is supported on public and private clouds, dedicatedserver(s) and hybrid solutions. Internal Security Assessor (ISA) certified staff Turn-key suite of audited and validated security controls. PCI Schedule that clearly defines entity responsibilities (PCI Responsibility Matrix) PCI Community Cloud available exclusively to PCI clients23
SECURITY SERVICES FOCUSED ON CONTINOUS COMPLIANCEContinuous AuditGlobal Security Operations Center (SOC)Data EncryptionPatch Management to a required PCI-DSS requirementEvent ManagementTwo-Factor AuthenticationFirewall & VPNEach Service contractually maps back Ensuring ongoing responsibility fromboth parties for ongoing compliance Our goal is not just to meet theWeb Application Firewallrequirements dictated by PCI (or anyIntrusion Detection Servicesother body HKMA, SFC), but to ensureVulnerability ManagementFirewall Reviewa compliance record that reaffirms thesecurity and integrity of yourorganization.DAC – Datapipe Access ControlContinuous ComplianceAnti-Malware / Virus24
FURTHER READINGALIBABACLOUD SECURITY ALLIANCESecurity Guidance for Critical Areas of Focus in CloudComputingCSA Security, Trust & Assurance Registry (STAR)Cloud Controls Matrix (CCM)Consensus Assessments Initiative Questionnaire(CAIQ)Cloud Security WhitepaperAZUREAWS Introduction to AWS SecurityIntroduction to AWS Security ProcessesSecurity Best PracticesAWS Security ChecklistWell Architected Framework – Security PillarMany more Network Security Best PracticesData security and encryption best practicesIdentity management and access controlsecurity best practicesIaaS Security Best PracticesMany more 25
THANK YOU FOR LISTENINGANY QUESTIONS?
4 Build and Maintain a Secure Network and Systems 1 Install and maintain a firewall configuration to protect cardholder data 2 Do not use vendor-supplied defaults for system passwords and other security parameters Protect Cardholder Data 3 Protect stored cardholder data 4 Encrypt transmission of cardholder data across open, public networks Maintain a Vulnerability
