A Look At PCI Compliance with Dyn's Chris Brenton and Cory von Wallenstein

DNS Security: PCI In The Public Cloud November 20, 2013

Post on 22-Oct-2014


DESCRIPTION

Dyn's Cory von Wallenstein and Chris Brenton conducted a webinar on PCI compliance and how DNS fits in.

TRANSCRIPT

Page 1: A Look At PCI Compliance with Dyn's Chris Brenton and Cory von Wallenstein

DNS Security: PCI In The Public Cloud November 20, 2013

Page 2: Your Presenters

DNS Security: PCI In The Public Cloud @dyn @cvwdyn @chris_brenton

Cory von Wallenstein, Chief Technologist, @cvwdyn

Chris Brenton, Director of Security, @Chris_Brenton

Page 3: What We’ll Talk About

•  PCI: The reality of non-compliance
•  Can you be compliant in the public cloud?
•  Analyzing scope
•  Should you outsource?

Page 4: Payment Card Industry Data Security Standards

What’s at stake?

•  Trust & confidence of customers
•  Fines & loss of Merchant privileges

Page 5:

http://usa.visa.com/download/merchants/cisp-pcidss-compliancestats.pdf

Page 6: Cost of Breach

May 2013 study by Ponemon Institute
•  277 orgs in nine countries
•  $136 average cost per record breached (Germany $199, USA $188)
•  Breach sizes ranged from 2,300 to 99,000 records
•  Average of 23,647 records breached

Page 7: Compliance & Data Breach Correlation

April 2011 study by Ponemon Institute
•  Breach in past 24 months: 2009 -> 79%, 2011 -> 85%
•  12% believed PCI DSS compliance reduced loss; 50% unsure
•  64% of compliant companies: no breach in 24 mos.; 38% of non-compliant companies could say the same

Page 8: Let’s Cut To The Chase

Can PCI DSS compliance be achieved in public cloud?
•  Yes and folks are doing it
•  PCI Council released guidelines last year

Page 9: Let’s Cut To The Chase

There are three paths before you:
•  The easy way – Work with a PCI DSS certified CSP
•  The hard way – Work with non-certified CSPs
•  The other hard way – Do it all yourself

Page 10: Let’s Cut To The Chase

All are possibilities:
•  One leads to less gray hair
•  We’ll discuss your options today

Pages 11–12: Where To Start

•  Limit scope as much as possible!
•  The fewer components touched by CC#’s the better

Pages 13–14: Where To Start

•  PCI DSS is extremely broad
   o  Network security
   o  Host security
   o  Policy security
   o  Process security
   o  Malware protection
   o  Access and identity management
•  Reducing scope minimizes control pain points

Pages 15–17: Ways to Limit Scope

•  Understand the flow of CC#’s in your system
   o  Are there opportunities to minimize interaction?
•  Segregate systems processing CC#’s as much as possible
•  Can some or all of the process be outsourced?
   o  This is where CSPs can come in
   o  We’ll expand on this point in later slides

Page 18: Helpful PCI Cloud Guidance?

PCI DSS = 75 pages of compliance goodness

Page 19: Helpful PCI Cloud Guidance?

PCI Cloud SIG Guidance = 52 pages describing how to apply those 75 pages to…
•  Public cloud
•  Private cloud
•  Hybrid cloud
•  IaaS, PaaS, SaaS
•  Nested providers
•  Oh my…

Page 20: The Bottom Line

•  PCI in public cloud is a shared responsibility model
•  You can’t completely exempt yourself from accountability for PCI controls
•  However, you can limit the number of controls you are responsible for

Page 21: Cloud Responsibility Delineation

Page 22: Study Figure 3

Pages 23–24: Zuora as an Example

•  PCI Level 1 compliant
•  Z-Payment offering
   o  Redirect all payments via iframe
   o  All processing and storage takes place on their systems

Page 25: Zuora as an Example

•  What does this do to scope?
   o  Can you validate that changes in the redirect code are detected?
   o  You may be eligible to complete SAQ A
   o  15 questions versus 300+
   o  Responsible for far fewer controls
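The bullet “Can you validate that changes in the redirect code are detected?” is the part of the hosted-iframe model the merchant still owns, so here is an added example of such a check. It is written for this page, not code from Dyn or Zuora. It hashes the marked embed region of a constructed checkout page against a baseline recorded at review time and, independently, verifies that every iframe or form target still points at the expected payment host over HTTPS. The provider host name, the marker comments and both sample pages are assumptions.

```python
"""Added example: detect unauthorised changes to the hosted-payment iframe or
redirect snippet a merchant embeds on its checkout page.

Two independent checks, run here on constructed sample HTML:
  1. the marked embed region must hash to the baseline taken at review time;
  2. every <iframe src> / <form action> must still point at the expected
     payment provider host over HTTPS.
"""
import hashlib
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed: the provider host agreed during the gap analysis (illustrative name).
EXPECTED_PAYMENT_HOST = "payments.example-provider.com"

# Constructed checkout page as reviewed and baselined (not a real merchant page).
BASELINE_PAGE = """<html><body>
<h1>Checkout</h1>
<!-- payment-embed-start -->
<iframe id="payment" src="https://payments.example-provider.com/hosted?merchant=1234"></iframe>
<!-- payment-embed-end -->
</body></html>"""

# Constructed tampered page: the iframe now points at a look-alike host over HTTP.
TAMPERED_PAGE = BASELINE_PAGE.replace(
    "https://payments.example-provider.com/hosted",
    "http://payments.example-provider.com.evil.test/hosted",
)

# The marker comments are an assumption: the template wraps the embed in them.
EMBED_RE = re.compile(
    r"<!-- payment-embed-start -->(.*?)<!-- payment-embed-end -->", re.S
)


class _TargetCollector(HTMLParser):
    """Collect iframe src and form action attributes from a page."""

    def __init__(self):
        super().__init__()
        self.targets = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "iframe" and attrs.get("src"):
            self.targets.append(attrs["src"])
        elif tag == "form" and attrs.get("action"):
            self.targets.append(attrs["action"])


def embed_digest(page_html):
    """SHA-256 of the marked embed region, whitespace-normalised so that
    unrelated template reformatting does not raise a false alarm."""
    m = EMBED_RE.search(page_html)
    if not m:
        raise ValueError("payment embed markers missing")
    normalised = " ".join(m.group(1).split())
    return hashlib.sha256(normalised.encode()).hexdigest()


def payment_targets(page_html):
    """Return every iframe src / form action URL found in the page."""
    p = _TargetCollector()
    p.feed(page_html)
    return p.targets


def check_payment_page(page_html, baseline_digest):
    """Return a list of findings; an empty list means the page passed both checks."""
    findings = []
    try:
        if embed_digest(page_html) != baseline_digest:
            findings.append("embed snippet differs from reviewed baseline")
    except ValueError as exc:
        # Removing the markers is itself a change worth alerting on.
        findings.append(str(exc))
    for target in payment_targets(page_html):
        u = urlparse(target)
        if u.scheme != "https":
            findings.append("non-HTTPS payment target: " + target)
        if u.hostname != EXPECTED_PAYMENT_HOST:
            findings.append("unexpected payment host: " + str(u.hostname))
    return findings


if __name__ == "__main__":
    baseline = embed_digest(BASELINE_PAGE)
    print("baseline page:", check_payment_page(BASELINE_PAGE, baseline))
    print("tampered page:", check_payment_page(TAMPERED_PAGE, baseline))
```

In practice the baseline digest is recorded when the embed is reviewed and the check runs against the live page on a schedule, so a change to the redirect target is detected rather than discovered by customers; the host check catches the case where an attacker keeps the snippet looking plausible but sends card entry somewhere else.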

Page 26: Gap Analysis

•  Get a copy of the CSP’s scope and responsibility documentation
•  This will identify which controls they have accepted responsibility for
•  Whatever is left is up to you to maintain

Page 27: Scope & Responsibility Example – CSP

Page 28: Scope & Responsibility Example – Client

Pages 29–34: A Basic Checklist

•  Understand the flow of credit card info
   o  What processes/services handle it?
   o  What communications exchange it?
   o  What drives/partitions store it?
•  Understand what SaaS services will have Admin control
   o  Can be in-scope if controlling servers handling credit card info
•  Flow diagrams are your friend. Leverage them.
•  Delineate portions that are internal vs. external
•  For internal portions, you need to address all 12 PCI req.
•  For external portions
   o  Understand the CSP’s scope and responsibility documentation
   o  Fill in the gaps as required
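The first checklist item asks which processes, channels and drives touch card numbers. The scan below is an added example of how a practitioner answers the storage part of that question; it is not Dyn’s tooling and not part of the webinar. It looks through a set of locations for 13–19 digit sequences (with optional space or dash separators), keeps only those that pass the Luhn check so order IDs and serial numbers are not flagged, and reports a masked sample per location. The file paths and their contents are constructed samples.

```python
"""Added example: a minimal cardholder-data discovery scan for PCI scoping.

Finds 13-19 digit sequences, keeps the Luhn-valid ones, and reports each
location that holds card data together with masked samples. Everything in
SAMPLE_FILES is constructed for this example.
"""
import re

# Constructed sample "files": path -> contents. The order id in app.log and the
# serial in config.ini are 16 digits but fail Luhn, so they must not be flagged.
SAMPLE_FILES = {
    "/var/log/app/app.log": (
        "2013-11-20 10:01:02 INFO order=1234567890123456 status=paid\n"
        "2013-11-20 10:01:03 DEBUG card=4111111111111111 exp=12/15\n"
    ),
    "/etc/app/config.ini": "serial=1234567890123456\nhost=db01\n",
    "/srv/db/dump.sql": (
        "INSERT INTO payments VALUES (1, '5500-0000-0000-0004', 'ok');\n"
        "INSERT INTO payments VALUES (2, '3782 822463 10005', 'ok');\n"
    ),
}

# 13-19 digits with at most one space/dash between digits, not part of a longer run.
CANDIDATE_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits):
    """Luhn mod-10 checksum as used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:           # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(digits):
    """Keep first six and last four digits; never log or print a full PAN."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_pans(text):
    """Return masked, Luhn-valid card-number candidates found in text."""
    found = []
    for m in CANDIDATE_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            found.append(mask(digits))
    return found


def scan(files):
    """Map each location that holds card data to its masked hits.

    Locations with no hits are omitted, so the result is the storage part of
    the scope: every path listed here is in the cardholder data environment."""
    hits_by_path = ((path, find_pans(contents)) for path, contents in files.items())
    return {path: hits for path, hits in hits_by_path if hits}


if __name__ == "__main__":
    for path, hits in scan(SAMPLE_FILES).items():
        print(path, hits)
```

To use it on a real host, replace SAMPLE_FILES with a walk over the mounted volumes (reading files in chunks) and keep the masking: the scan output is itself a list of where card data lives and must not become another place PANs are stored. A Luhn-valid hit is a candidate, not proof; confirm against the data-flow diagram before pulling a system into or out of scope.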

Pages 35–39: What if the CSP is not PCI compliant?

•  This is where things get painful
•  Your assessment will need to include the CSP’s controls
•  Extremely expensive and problematic
•  Will require assurances the CSP will maintain compliance
•  Consider this your worst case option

Pages 40–43: What if my CSP gets 0wn3d?

•  Depends on whether the CSP is an approved service provider
•  Historically, merchants not liable when approved vendor messes up
   o  Heartland is a great example
•  If the CSP is not approved, you could still be on the hook.
•  Two examples:
   o  What if Zuora gets compromised?
   o  What if box.net gets compromised?

Page 44: Final Thoughts

Can PCI DSS compliance be achieved in public cloud?
•  Yes and folks are doing it

Page 45: Final Thoughts

The easy way:
•  Work with a PCI DSS certified CSP
•  Perform a gap analysis against the CSP’s “PCI scope and responsibility” documentation
   o  Their scope should include any nested providers
•  Make sure you fill in all the gaps :)

Page 46: Final Thoughts

The hard way:
•  Work with a CSP that has not achieved PCI compliance
•  Your auditor must scope and review their environment
•  You essentially must certify the CSP while footing the bill

Page 47: Questions?

Cory von Wallenstein, Chief Technologist, @cvwdyn

Chris Brenton, Director of Security, @Chris_Brenton