compliance & privacy in the cloud

Post on 15-Jan-2015

Category: Technology

TRANSCRIPT

There Is No Spoon: Compliance & Privacy in the Cloud

Michael Dahn, MSIA, CISSP

Friday, November 20, 2009

Which Cloud do you mean?

Compliance Cloud

Technical Cloud

Compliance Cloud

CA, MA, MN, FL, ...

Technical Cloud

• SPI Model: Software, Platform, Infrastructure

✓ *aaS (Something as a Service)

What is Compliance?

Compliance vs Validation

• Compliance is a state of being; like auto insurance, you need to have it continuously

• Validation is the proof of compliance you do annually

Compliance vs Security

“The Payment Card Industry (PCI) Data Security Standard (DSS) was developed to encourage and enhance cardholder data security and facilitate the broad adoption of consistent data security measures globally.”

Myth 4 - PCI Will Make Us Secure

Successful completion of a system scan or assessment for PCI is but a snapshot in time. Security exploits are non-stop and get stronger every day, which is why PCI compliance efforts must be a continuous process of assessment and remediation to ensure safety of cardholder data.

Compliant until you're compromised...

the “Singularity”

• “When falls the Coliseum, Rome shall fall; And when Rome falls--the World” - Lord Byron

• If someone dies wearing a seat belt, does that make them useless?

Risk & Transference

• #1 Question everyone has: Liability?

• “You can outsource the work, but you cannot outsource the responsibility”

• Cloud-sourcing does not transfer risk


There is No Spoon

• Can any firewall be used to segment a network?

✓ No! Only a properly configured firewall

• Can any Cloud be used and achieve compliance?

✓ Maybe... if considerations are made

• Think beyond technology, checklists, and compliance. Think Risk.

Problem List

Problems: PCI DSS

• Requirement 2.2.1: when creating baseline configuration standards, “only one primary function per server”

✓ Virtualization?

✓ Cloud?

✓ WAF in the cloud?

• Requirement 11.2 - ASV (Approved Scanning Vendor) scans

Problems: Service Level Agreement

• Uptime/Availability? Yes’ish

• Security? No.

• Compliance? No.

• Assurance of data integrity? No.


Problems: Image Sprawl

12% month-over-month growth of Amazon Machine Images (AMI) in 2008

• First rule of fight club? Find your data!

• Second rule of fight club? Find your data (no really)!

• Always “ask twice” - how does it work? How does it fail?

• Now assume everything moves
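"Find your data" on a sprawling fleet of images means actually sweeping the contents of every forgotten AMI and snapshot for cardholder data. The following is an added example (not part of the original talk) of the usual first-pass technique: a regex for 13-19 digit runs with optional separators, narrowed by issuer prefix and the Luhn checksum so that phone numbers, timestamps and random IDs drop out, with results masked for the report. The "image contents" it scans are constructed here; the brand-prefix table is a deliberately small subset.

```python
"""Sweep text extracted from VM images for PAN-looking numbers (added example)."""
import re

# 13-19 digits, optionally separated by single spaces or dashes, and not
# embedded in a longer digit run (the lookarounds keep us off long IDs).
PAN_RE = re.compile(r"(?<![\d-])(?:\d[ -]?){12,18}\d(?![\d-])")

# Leading digits of the major card brands. Constructed subset for the demo;
# a production scanner would carry a fuller issuer-identifier table.
BRAND_PREFIXES = ("4", "51", "52", "53", "54", "55", "34", "37", "6011", "65")


def luhn_ok(digits: str) -> bool:
    """True if `digits` passes the Luhn checksum (weeds out most random digit runs)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(digits: str) -> str:
    """Mask for reporting: keep at most the first six and last four digits."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_pans(text: str):
    """Return [(line_number, masked_pan)] for each Luhn-valid, brand-prefixed hit."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in PAN_RE.finditer(line):
            digits = re.sub(r"[ -]", "", m.group(0))
            if not 13 <= len(digits) <= 19:
                continue
            if not digits.startswith(BRAND_PREFIXES):
                continue
            if not luhn_ok(digits):
                continue
            findings.append((lineno, mask(digits)))
    return findings


def scan_image_files(files: dict) -> dict:
    """Scan a {path: contents} mapping (stand-in for files pulled out of an
    image or snapshot) and return {path: findings} for paths with hits."""
    report = {}
    for path, contents in files.items():
        hits = find_pans(contents)
        if hits:
            report[path] = hits
    return report


# Constructed sample of what a sweep of an old AMI's filesystem might turn up:
# a real PAN in an application log, a number that fails Luhn, a phone number,
# and a "test" card left in a developer's fixtures.
SAMPLE_IMAGE = {
    "/var/log/app/orders.log": (
        "2009-11-20 10:14:02 INFO order ok card=4111111111111111 amt=19.99\n"
        "2009-11-20 10:14:05 INFO order ok card=4111-1111-1111-1112 amt=5.00\n"
        "2009-11-20 10:15:00 INFO callback tel=1-800-555-0199\n"
    ),
    "/home/dev/test_fixtures.py": 'TEST_CARD = "5555 5555 5555 4444"\n',
    "/etc/hostname": "web-07\n",
}

if __name__ == "__main__":
    for path, hits in scan_image_files(SAMPLE_IMAGE).items():
        for lineno, masked in hits:
            print(f"{path}:{lineno}: {masked}")
```

Run against the sample, it reports the log line and the developer fixture and stays quiet on the Luhn-invalid number and the phone number. In practice you would mount each image read-only and feed file contents through `find_pans`; the hit on `/var/log` is the interesting one, because it means the image captured live cardholder data that now lives wherever that image has been copied.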

Problems: Audit Logging

• Goals:

✓ Alert on suspicious activity? Yes

✓ Facilitate a forensic investigation? Maybe

• Are the logs backed up?

• Are they accessible 12-18 months later?

✓ What if the server is no longer there?

Problems: Forensic Issues

• During peak retail months systems are scaled up and then down

• Fraud patterns have a lead time of 12-18 months

• How do you forensically examine a ‘ghost’ server?
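The two slides above (audit logging and the ‘ghost’ server) are the same problem: by the time the fraud pattern surfaces, the instance that served the transaction has been scaled away. The only workable answer is to get logs off the host while it exists and keep an index that answers "which instances were alive on that day, and where are their logs?" The following is an added example, not from the talk, of the retention side of that design: each shipped batch is stored as an immutable bundle named by its SHA-256 digest, and an index tracks each instance's observed lifetime. Instance IDs, hostnames and log lines are constructed; the forwarding itself (syslog to a collector, an agent, whatever fits) is assumed and not shown.

```python
"""Off-host log archive indexed by instance and time window (added example)."""
import hashlib
import json
import tempfile
from datetime import datetime
from pathlib import Path


class LogArchive:
    """Digest-named, append-only log bundles plus an instance/lifetime index."""

    def __init__(self, root):
        self.root = Path(root)
        self.root.mkdir(parents=True, exist_ok=True)
        self.index_path = self.root / "index.json"
        self.index = (json.loads(self.index_path.read_text())
                      if self.index_path.exists() else {})

    def ingest(self, instance_id, hostname, lines):
        """Store one batch shipped from a live instance; return its digest.

        Lines start with an ISO-8601 timestamp (constructed format). Naming
        the bundle by its sha256 makes later modification detectable."""
        body = "\n".join(lines) + "\n"
        digest = hashlib.sha256(body.encode()).hexdigest()
        (self.root / f"{digest}.log").write_text(body)
        stamps = sorted(line.split(" ", 1)[0] for line in lines)
        entry = self.index.setdefault(instance_id, {
            "hostname": hostname, "first_seen": stamps[0],
            "last_seen": stamps[-1], "bundles": []})
        entry["first_seen"] = min(entry["first_seen"], stamps[0])
        entry["last_seen"] = max(entry["last_seen"], stamps[-1])
        entry["bundles"].append(digest)
        self.index_path.write_text(json.dumps(self.index, indent=1))
        return digest

    def active_at(self, when):
        """Instance ids whose observed lifetime covers `when` (ISO string):
        the question an investigation asks long after the instance is gone."""
        t = datetime.fromisoformat(when)
        return sorted(i for i, e in self.index.items()
                      if datetime.fromisoformat(e["first_seen"]) <= t
                      <= datetime.fromisoformat(e["last_seen"]))

    def lines_for(self, instance_id):
        """Every archived line for an instance, in ingest order."""
        out = []
        for digest in self.index[instance_id]["bundles"]:
            out.extend((self.root / f"{digest}.log").read_text().splitlines())
        return out

    def verify(self):
        """Digests of bundles whose contents no longer match their name."""
        bad = []
        for entry in self.index.values():
            for digest in entry["bundles"]:
                data = (self.root / f"{digest}.log").read_bytes()
                if hashlib.sha256(data).hexdigest() != digest:
                    bad.append(digest)
        return bad


def run_demo():
    """Constructed scenario: web-07 exists only for the peak week, web-02 all season."""
    with tempfile.TemporaryDirectory() as tmp:
        arc = LogArchive(tmp)
        arc.ingest("i-0a1", "web-07", [
            "2009-11-18T08:00:00 web-07 sshd: Accepted publickey for ops from 10.0.0.5",
            "2009-11-20T10:14:02 web-07 app: order ok id=8812",
        ])
        arc.ingest("i-0a1", "web-07", [
            "2009-11-24T23:59:00 web-07 init: shutting down (scale-in)",
        ])
        digest = arc.ingest("i-0b2", "web-02", [
            "2009-11-01T00:00:00 web-02 app: started",
            "2010-01-15T12:00:00 web-02 app: heartbeat",
        ])
        results = {
            "peak": arc.active_at("2009-11-20T12:00:00"),
            "after_scale_in": arc.active_at("2009-12-15T12:00:00"),
            "web07_lines": len(arc.lines_for("i-0a1")),
            "clean": arc.verify(),
        }
        # Simulate someone editing web-02's bundle in place, then re-check.
        (arc.root / f"{digest}.log").write_text(
            "2010-01-15T12:00:00 web-02 app: heartbeat\n")
        results["tampered"] = arc.verify()
        # Re-open from disk: the index must outlive the process for an 18-month lookback.
        results["reopened"] = sorted(LogArchive(tmp).index)
        return results


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=1))
```

Asked about 20 November, the archive names both instances; asked about mid-December, only web-02, because web-07's last observed timestamp is the scale-in message. The digest check is what lets you hand the bundle to an investigator with a straight face: if the archive is ever edited, `verify()` says so. Retention of the bundles themselves (12-18 months at minimum, per the lead time on the slide) is a storage policy decision the code does not make for you.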

Problems: Third-Party Access

• People you give data to

• People you give access to data

• People who have access to your data

Who has remote admin on my server?

PCI DSS Requirement 12.8: “Maintain a written agreement that includes an acknowledgement that the service providers are responsible for the security of cardholder data the service providers possess.” ... “monitor service providers’ PCI DSS compliance status.”
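"Who has remote admin on my server?" is answerable from three files on a Linux host: who can log in and has an SSH key, and who among them can run anything as root through sudo (or is uid 0). The following is an added example, not the speaker's, that joins /etc/passwd, /etc/group, /etc/sudoers and each account's authorized_keys to list exactly those accounts; the file contents, account names and key comments are constructed, and the sudoers parser handles only the plain `user ALL=(...) ALL` and `%group ALL=(...) ALL` forms.

```python
"""List accounts with remote root-equivalent access on a Linux host (added example)."""
import re

SHELL_DENY = {"/sbin/nologin", "/usr/sbin/nologin", "/bin/false"}
KEY_RE = re.compile(
    r"(?:^|\s)(ssh-(?:rsa|ed25519|dss)|ecdsa-sha2-nistp\d+)\s+(\S+)(?:\s+(.*))?$")


def parse_passwd(text):
    """{user: (uid, home)} for accounts with a real login shell."""
    users = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        name, _pw, uid, _gid, _gecos, home, shell = line.split(":")
        if shell not in SHELL_DENY:
            users[name] = (int(uid), home)
    return users


def parse_group(text):
    """{group: set(members)} from /etc/group (supplementary membership)."""
    groups = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        name, _pw, _gid, members = line.split(":")
        groups[name] = {m for m in members.split(",") if m}
    return groups


def sudo_all(sudoers_text, groups):
    """{user: granting line} for everyone allowed to run ALL commands via sudo.
    Narrow grants such as a single binary are deliberately not counted."""
    admins = {}
    for raw in sudoers_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        parts = line.split()
        if len(parts) < 2 or parts[0] == "Defaults" or parts[-1] != "ALL":
            continue
        who = parts[0]
        if who.startswith("%"):
            for member in groups.get(who[1:], ()):
                admins.setdefault(member, f"sudoers: {line}")
        else:
            admins.setdefault(who, f"sudoers: {line}")
    return admins


def parse_authorized_keys(text):
    """[(key_type, comment)]; the comment is often the only clue to who holds the key."""
    keys = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        m = KEY_RE.search(line)
        if m:
            keys.append((m.group(1), (m.group(3) or "").strip() or "<no comment>"))
    return keys


def remote_admins(passwd_text, group_text, sudoers_text, keys_by_home):
    """Accounts that both hold an SSH key (remote path in) and can act as root.
    keys_by_home maps a home directory to its authorized_keys contents."""
    users = parse_passwd(passwd_text)
    groups = parse_group(group_text)
    admins = sudo_all(sudoers_text, groups)
    findings = []
    for user, (uid, home) in sorted(users.items()):
        keys = parse_authorized_keys(keys_by_home.get(home, ""))
        if not keys:
            continue                      # no key: not reachable over SSH this way
        if uid == 0:
            why = "uid 0"
        elif user in admins:
            why = admins[user]
        else:
            continue                      # can log in, but cannot become root
        findings.append({"user": user, "why": why, "keys": [c for _, c in keys]})
    return findings


# Constructed host state: a build key left on root, an ops admin, a local-only
# wheel member, a deploy account with a narrow sudo grant, and a vendor account.
PASSWD = """root:x:0:0:root:/root:/bin/bash
ops:x:1001:1001::/home/ops:/bin/bash
dave:x:1002:1002::/home/dave:/bin/bash
deploy:x:1003:1003::/home/deploy:/bin/bash
vendor-mon:x:1004:1004:Monitoring vendor:/home/vendor-mon:/bin/bash
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
"""
GROUP = """wheel:x:10:ops,dave
ops:x:1001:
"""
SUDOERS = """Defaults env_reset
root ALL=(ALL) ALL
%wheel ALL=(ALL) ALL
vendor-mon ALL=(ALL) NOPASSWD: ALL   # added by vendor onboarding ticket
deploy ALL=(ALL) /usr/bin/systemctl restart app
"""
KEYS = {
    "/root": "ssh-rsa AAAAB3NzaC1yc2EAAAA packer build key\n",
    "/home/ops": "ssh-rsa AAAAB3NzaC1yc2EBBBB ops@corp\n",
    "/home/deploy": "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5CCCC deploy bot\n",
    "/home/vendor-mon": 'from="203.0.113.0/24" ssh-ed25519 AAAAC3NzaC1lZDI1NTE5DDDD '
                        "support@monitoring-vendor.example\n",
}

if __name__ == "__main__":
    for f in remote_admins(PASSWD, GROUP, SUDOERS, KEYS):
        print(f"{f['user']:<12} {f['why']:<45} keys={f['keys']}")
```

On the constructed host this yields three accounts: `ops` via the wheel group, `root` through a key the image build left behind, and `vendor-mon` through a NOPASSWD grant. `dave` is in wheel but has no key, and `deploy` has a key but can only restart one service, so neither is reported. The vendor entry is the one the slide is about: it is a third party with root on a box holding your data, and the written agreement and monitoring obligations apply to it whether or not anyone remembers the onboarding ticket.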

Problems: Data Destruction

• Where do the following go?

✓Failed hard drive

✓Deleted VM

Who owns the data? You or your cloud?


Problems: Backup?

• Who is backing up?

• How is it backed up?

• Where do the backups go?

✓Offsite to a third-party? New scope/contract


Conclusion

• Cloud Compliance is possible but not probable... until the services evolve

• Cloud gives you scalability, but not security... unless you bake it in

Thank You

• Questions?

• Contact Mike Dahn?
