compliance & privacy in the cloud

There Is No Spoon: Compliance & Privacy in

the Cloud

Michael DahnMSIA, CISSP

Friday, November 20, 2009

Which Cloud do you mean?

Compliance Cloud

Technical Cloud


Compliance Cloud


Compliance Cloud

CA, MA, MN, FL, ...Friday, November 20, 2009

Technical Cloud

• SPI Model: Software, Platform, Infrastructure

✓*aaS (Something* as a Service)


What is Compliance?


• Compliance is a state of being, like auto insurance you need to have it continuously

• Validation isproof of complianceyou do annually

Compliance vs Validation


Compliance vs Security



“The Payment Card Industry (PCI)

Data Security Standard (DSS) was

developed to encourage and enhance

cardholder data security and facilitate

the broad adoption of consistent data

security measures globally.”



Myth 4 - PCI Will Make Us Secure

Successful completion of a system

scan or assessment for PCI is but a

snapshot in time. Security exploits are

non-stop and get stronger every day,

which is why PCI compliance efforts

must be a continuous process of

assessment and remediation to ensure

safety of cardholder data.









Myth 4 - PCI Will Make Us Secure

Successful completion of a system

scan or assessment for PCI is but a

snapshot in time. Security exploits are

non-stop and get stronger every day,

which is why PCI compliance efforts

must be a continuous process of

assessment and remediation to ensure

safety of cardholder data.

Compliant until you're compromised...








the “Singularity”



• “When falls the Coliseum, Rome shall fall; And when Rome falls--the World” - Lord Byron



• “When falls the Coliseum, Rome shall fall; And when Rome falls--the World” - Lord Byron

• If someone dies wearing a seat belt, does that make them useless?


Risk & Transference

• #1 Question everyone has: Liability?

• “You can outsource the work, but you cannot outsource the responsibility”

• Cloud-sourcing does not transfer risk


There is No Spoon


There is No Spoon

• Can any firewall be used to segment a network?


There is No Spoon


✓No! Only a properly configured firewall


There is No Spoon



• Can any Cloud be used and achieve compliance?


There is No Spoon




✓Maybe... if considerations are made


There is No Spoon




✓Maybe... if considerations are made

• Think beyond technology, checklists, and compliance. Think Risk.


Problem List


Problems: PCI DSS


Problems: PCI DSS

• Requirement 2.2.1: when creating baseline configuration standards “only one primary function per server”


Problems: PCI DSS


✓Virtualization?


Problems: PCI DSS


✓Virtualization?

✓Cloud?


Problems: PCI DSS


✓Virtualization?

✓Cloud?

✓WAF in the cloud?


Problems: PCI DSS


✓Virtualization?

✓Cloud?

✓WAF in the cloud?

• Requirement 11.2 - ASV Scans


Problems: Service Level Agreement

• Uptime/Availability? Yes’ish

• Security? No.

• Compliance? No.

• Assurance of data integrity? No.


Problems: Image Sprawl

12% month-over-month growth of Amazon Machine Images (AMI) in 2008



• First rule of fight club? Find your data!





• Second rule of fight club? Find your data (no really)!






• Always “ask twice” - how it works? fails?






• Always “ask twice” - how it works? fails?

• Now assume everything moves



Problems: Audit Logging



• Goals:

✓Alert on suspicious activity? Yes

✓Facilitate a forensic investigation? Maybe



• Goals:



• Are the logs backed up?



• Goals:



• Are the logs backed up?

• Are they accessible 12-18 months later?

✓What if the server is no longer there?


Problems: Forensic Issues

• During peak retail months systems are scaled up and then down

• Fraud patterns have lead time of 12-18 mo.

• How do you forensically examine a ‘ghost’ server?


Problems: Third-Party Access

• People you give data to

• People you give access to data

• People who have access to your data

Who has Remote admin on my server?


Problems: Third-Party Access

• People you give data to

• People you give access to data

• People who have access to your data

Who has Remote admin on my server?

Maintain a written agreement that

includes an acknowledgement that the

service providers are responsible for

the security of cardholder data the

service providers possess.

... monitor service providers!

PCI DSS compliance status.


Problems: Data Destruction

• Where do the following go?

✓Failed hard drive

✓Deleted VM

Who owns the data? You or your cloud?


Problems: Backup?

• Who is backing up?

• How is it backed up?

• Where do the backups go?

✓Offsite to a third-party? New scope/contract


Conclusion

• Cloud Compliance is possible but not probable .. until the services evolve

• Cloud gives you scalability, but not security .. unless you bake it in


Thank You

• Questions?

• Contact Mike Dahn?


compliance & privacy in the cloud

Technology

compliance vs security

pci compliance efforts

compliance cloudca

compliance privacy

proof of compliance

pci dss requirement

security exploits

yesish security