A Look at PCI Compliance with Dyn's Chris Brenton and Cory von Wallenstein
Post on 22-Oct-2014
Dyn's Cory von Wallenstein and Chris Brenton conducted a webinar on PCI compliance and how DNS fits in.
Transcript
DNS Security: PCI In The Public Cloud November 20, 2013
DNS Security: PCI In The Public Cloud @dyn @cvwdyn @chris_brenton
Your Presenters
Cory von Wallenstein Chief Technologist @cvwdyn
Chris Brenton Director of Security @Chris_Brenton
What We’ll Talk About
• PCI: The reality of non-compliance
• Can you be compliant in the public cloud?
• Analyzing scope
• Should you outsource?
Payment Card Industry Data Security Standards
What’s at stake?
Trust & confidence of customers
Fines & loss of Merchant privileges
http://usa.visa.com/download/merchants/cisp-pcidss-compliancestats.pdf
Cost of Breach
May 2013 Study by Ponemon Institute
• 277 orgs in nine countries
• $136 average cost per record breached (Germany $199, USA $188)
• 2,300 records – 99,000 records
• Average of 23,647 records breached
Compliance & Data Breach Correlation
April 2011 Study by Ponemon Institute
• Breach in past 24 months: 2009 -> 79%, 2011 -> 85%
• 12% believed PCI DSS compliance reduced loss
• 50% unsure
• 64% of compliant companies: no breach in 24 mos.
• 38% non-compliant could say the same
Let’s Cut To The Chase
Can PCI DSS compliance be achieved in public cloud?
• Yes and folks are doing it
• PCI Council released guidelines last year
There are three paths before you:
• The easy way – Work with a PCI DSS certified CSP
• The hard way – Work with non-certified CSPs
• The other hard way – Do it all yourself
All are possibilities:
• One leads to less gray hair
• We’ll discuss your options today
Where To Start
• Limit scope as much as possible!
• The fewer components touched by CC#’s the better
• PCI DSS is extremely broad
  o Network security
  o Host security
  o Policy security
  o Process security
  o Malware protection
  o Access and identity management
• Reducing scope minimizes control pain points
Ways to Limit Scope
• Understand the flow of CC#’s in your system
  o Are there opportunities to minimize interaction?
• Segregate systems processing CC#’s as much as possible
• Can some or all of the process be outsourced?
  o This is where CSPs can come in
  o We’ll expand on this point in later slides
Helpful PCI Cloud Guidance?
PCI DSS = 75 pages of compliance goodness
PCI Cloud SIG Guidance = 52 pages describing how to apply those 75 pages to…
• Public cloud
• Private cloud
• Hybrid cloud
• IaaS, PaaS, SaaS
• Nested providers
• Oh my…
The Bottom Line
• PCI in public cloud is a shared responsibility model
• You can’t completely exempt yourself from accountability for PCI controls
• However, you can limit the scope of the number of controls you are responsible for
Cloud Responsibility Delineation
Study Figure 3
Zuora as an Example
• PCI Level 1 compliant
• Z-Payment offering
  o Redirect all payments via iframe
  o All processing and storage takes place on their systems
• What does this do to scope?
  o Can you validate that changes in the redirect code are detected?
  o You may be eligible to complete SAQ A
  o 15 questions versus 300+
  o Responsible for far fewer controls
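One way to answer the "can you validate that changes in the redirect code are detected?" question is a baseline integrity check on the merchant's own payment page: hash the approved page and confirm every framed or scripted source still points at the payment provider. This is an added example, not Zuora's or Dyn's code; the provider host pay.example-psp.test, the sample page, and the tampered copy are constructed for illustration.

```python
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hypothetical payment provider host: the only origin the page may frame or script
ALLOWED_ORIGINS = {"https://pay.example-psp.test"}


class _RefCollector(HTMLParser):
    """Collect every iframe and script source URL on the page."""

    def __init__(self):
        super().__init__()
        self.refs = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag in ("iframe", "script") and a.get("src"):
            self.refs.append((tag, a["src"]))


def origin(url):
    """Scheme + host of an absolute URL; None for a relative (same-origin) URL."""
    p = urlparse(url)
    return f"{p.scheme}://{p.netloc}" if p.netloc else None


def check_payment_page(html, baseline_sha256):
    """Return findings; an empty list means the page matches the approved
    baseline and every absolute iframe/script source is an allowed origin."""
    findings = []
    if hashlib.sha256(html.encode()).hexdigest() != baseline_sha256:
        findings.append("page content differs from approved baseline")
    c = _RefCollector()
    c.feed(html)
    for tag, url in c.refs:
        o = origin(url)
        if o is not None and o not in ALLOWED_ORIGINS:  # relative refs: caught by hash
            findings.append(f"<{tag}> loads from unexpected origin {o}")
    return findings


# Constructed sample: the approved page and the hash recorded when it was approved
BASELINE_PAGE = (
    "<html><body><h1>Checkout</h1>"
    '<iframe src="https://pay.example-psp.test/card-form?m=123"></iframe>'
    "</body></html>"
)
BASELINE_SHA256 = hashlib.sha256(BASELINE_PAGE.encode()).hexdigest()

# Constructed tampered copy: an injected script that could swap the frame for a look-alike form
TAMPERED_PAGE = BASELINE_PAGE.replace(
    "</body>", '<script src="https://cdn.unexpected.test/x.js"></script></body>'
)
```

Run the check from a scheduled job against the live page; any non-empty result is a change-control event to investigate before the SAQ A eligibility assumption is trusted.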
Gap Analysis
• Get a copy of the CSP’s scope and responsibility documentation
• This will identify which controls they have accepted responsibility for
• Whatever is left is up to you to maintain
Scope & Responsibility Example - CSP
Scope & Responsibility Example - Client
A Basic Checklist
• Understand the flow of credit card info
  o What processes/services handle it?
  o What communications exchange it?
  o What drives/partitions store it?
• Understand what SaaS services will have Admin control
  o Can be in-scope if controlling servers handling credit card info
• Flow diagrams are your friend. Leverage them.
• Delineate portions that are internal vs. external
• For internal portions, you need to address all 12 PCI req.
• For external portions
  o Understand the CSP’s scope and responsibility documentation
  o Fill in the gaps as required
What if the CSP is not PCI compliant?
• This is where things get painful
• Your assessment will need to include the CSP’s controls
• Extremely expensive and problematic
• Will require assurances the CSP will maintain compliance
• Consider this your worst case option
What if my CSP gets 0wn3d?
• Depends on whether the CSP is an approved service provider
• Historically, merchants not liable when approved vendor messes up
  o Heartland is a great example
• If the CSP is not approved, you could still be on the hook.
• Two examples:
  o What if Zuora gets compromised?
  o What if box.net gets compromised?
Final Thoughts
Can PCI DSS compliance be achieved in public cloud?
• Yes and folks are doing it
The easy way:
• Work with a PCI DSS certified CSP
• Perform a gap analysis against the CSP’s “PCI scope and responsibility” documentation
  o Their scope should include any nested providers
• Make sure you fill in all the gaps
The hard way:
• Work with a CSP that has not achieved PCI compliance
• Your auditor must scope and review their environment
• You essentially must certify the CSP while footing the bill
Questions?
Cory von Wallenstein Chief Technologist @cvwdyn
Chris Brenton Director of Security @Chris_Brenton