
Upload: cloudpassage

Post on 20-Aug-2015


TRANSCRIPT

1

Peer Stories: How RightScale Achieved PCI Compliance on Cloud Infrastructure

Rand Wacker, VP Products, CloudPassage

Phil Cox, Director, Security & Compliance, RightScale

2

About The Presenters

Phil Cox

• RightScale, Director of Security and Compliance

• Multiple PCI SIGs

• 20+ years InfoSec

Twitter: @sec_prof

Rand Wacker

• CloudPassage, VP of Products

• Cisco Security, IronPort, UC Berkeley Security/Network Ops

Twitter: @randwacker

3

Introducing RightScale

RightScale pioneered IaaS cloud management

• Enables organizations to manage all of their cloud infrastructure

• Established in 2006, partners with all major cloud providers

• Has launched nearly 6 million servers with the RightScale management platform

4

RightScale’s PCI Challenge

• Payment processing servers are in scope for PCI DSS

• Built and runs on Amazon Web Services (AWS) for the Infrastructure-as-a-Service (IaaS) benefits

• Required PCI DSS compliance on AWS servers

With a background as a Qualified Security Assessor (QSA), Phil was confident that PCI DSS compliance could be achieved in an IaaS environment

5

PCI Shared Responsibility (IaaS)

Figure: stack diagram splitting the IaaS layers between provider and customer responsibility.

Service provider responsibility:

• Physical Facilities

• Hypervisor

• Compute & Storage

• Shared Network

Customer responsibility:

• Virtual Machine

• Operating System

• App Framework

• App Code

• Data

• Customer responsibility – OS, application, and data – and the compliance of these components

• Service provider responsibility – infrastructure, networking, storage, and virtualization mechanism – and the compliance of these components

6

One Approach From the CSA

1. Plan PCI DSS controls as though your IaaS infrastructure were your on-premise network

2. Realize which elements you do not control since it is really not an on-premise network (e.g. physical facilities)

3. Talk with a service provider on whether they can and will cover the elements they control for compliance

4. Realize which controls don’t apply verbatim to the cloud environment and figure out how to compensate

7

Options for Achieving PCI DSS Compliance

• RightScale used its own proven cloud management platform to deploy the PCI cloud servers in AWS

• Still needed ongoing visibility and intrusion detection capabilities in an IaaS environment. Either:

– Build it themselves using traditional security tools

– Buy a cloud security and compliance product

RightScale chose CloudPassage Halo to speed up efforts

8

Why RightScale Picked Halo

• Purpose-built for cloud environments, requiring no development resources

• Visibility into servers running within an IaaS infrastructure

• Real-time monitoring and enforcement

• Support for any cloud platform

9

Benefits Experienced with Halo

• Saved Time and Resources

– Saved 6 months of development time with a part-time staff person

– Takes 1/5 the management time (2 hours a week with Halo versus ¼ FTE for other tools)

10

Benefits Experienced with Halo

• Established RightScale as a Trusted Advisor with Customers

– Used as part of RightScale’s reference architecture for PCI DSS compliance

– Runs on any virtual or cloud platform, protecting various customer environments

11

Benefits Experienced with Halo

• Helped Enable Sales

– Went to market faster

– Enabled sales to pitch Halo along with RightScale for compliance

12

Best Practices for PCI DSS Compliance in IaaS

• Select a PCI DSS compliant service provider that offers the IaaS features you need

• Avoid storing Primary Account Numbers (PANs) wherever possible; every system that stores, processes, or transmits PANs is in scope

• Use purpose-built cloud security products (we recommend CloudPassage Halo)
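The "avoid storing PANs" practice above is only as good as your ability to verify it. The following scanner is an added example (not RightScale or CloudPassage code) of the check a practitioner would run over logs, database dumps, or backups before an audit: it finds digit runs of card-number length and keeps only those that pass the Luhn mod-10 check every real PAN satisfies, which filters out order IDs, timestamps, and request IDs. The sample log lines are constructed; the two card numbers in them are the well-known Visa and Mastercard test numbers, not real PANs.

```python
"""PAN scanner (constructed example): finds card numbers that leaked into
logs or data stores so you can verify the "avoid storing PANs" practice
holds.  Added illustration, not RightScale or CloudPassage code.
Candidate digit runs are filtered with the Luhn check that every real PAN
satisfies, which removes most numeric noise (order IDs, timestamps)."""
import re
from typing import List, Tuple

# 13-19 digits, optionally separated by single spaces or dashes, not adjacent
# to other digits (so a 16-digit run is never matched as a shorter substring).
_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check: double every second digit from the right."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask(digits: str) -> str:
    """Keep first six and last four, the most PCI DSS allows to be displayed."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_pans(text: str) -> List[str]:
    """Return the Luhn-valid PANs in text, masked."""
    hits = []
    for m in _CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            hits.append(mask(digits))
    return hits


def scan_lines(lines) -> List[Tuple[int, str]]:
    """(1-based line number, masked PAN) for every PAN found."""
    return [(n, pan) for n, line in enumerate(lines, 1) for pan in find_pans(line)]


# Constructed sample log lines (not real data); 4111111111111111 and
# 5500000000000004 are the public Visa/Mastercard test numbers.
SAMPLE_LOG = [
    "2015-08-20T10:01:02 checkout ok order=10234 card=4111111111111111",
    "2015-08-20T10:01:03 token=tok_9f8e7d card=411111******1111",
    "2015-08-20T10:01:04 req_id=4111111111111112 latency_ms=42",
    "2015-08-20T10:01:05 card=5500 0000 0000 0004 exp=12/18",
]

if __name__ == "__main__":
    for n, pan in scan_lines(SAMPLE_LOG):
        print(f"line {n}: PAN stored in clear: {pan}")
```

Lines 1 and 4 are flagged (one bare, one space-separated); line 2 is already masked and line 3 is a 16-digit value that fails Luhn, so neither is reported. Run it over anything you intend to keep outside the cardholder data environment; a single hit means that system is in scope.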

13

Poll: PCI Status

• What is the status of your PCI initiative (IaaS-hosted or otherwise)?

– We have passed our audits and are fully operational

– We have an audit planned within the next year

– We are investigating what it will take to be PCI compliant

– No plans to go through PCI audits

14

Using CloudPassage Halo for PCI Compliance

15

• Software-as-a-Service delivery

• Private cloud / SDDC / IaaS

• Elastic application hosting

• Big data analytics

Halo is a security-as-a-service that enables cloud adoption.

16

Server Account Management

Security Event Alerting

File Integrity Monitoring

REST API Integrations

Cloud Firewall Automation

System & Application Config Security

Multi-Factor Authentication

Vulnerability & Patch Scanning

HALO PLATFORM

Halo consolidates multiple critical security & compliance controls.

17

Figure: Halo architecture. A Halo daemon runs on each workload (www-1, mysql-1, bigdata-1) and reports to the Halo Security Analytics Engine; administrators use the Halo Admin Web Portal, and integrations go through the Halo REST API gateway.

Halo architecture is highly scalable, automated, and is rapidly deployed.

18

Halo works in any environment.

Figure: a workload VM instance (operating system, application code, system administration services, application engine, app storage volume, system storage volume) running the Halo daemon, annotated with the following controls:

1. Halo activates the firewall on boot, applies the latest policies, and orchestrates ongoing policy updates.

2. Halo secures privileged access via dynamic firewall rules triggered by multi-factor user authentication.

3. Halo scans O.S. configurations for vulnerabilities and continuously monitors O.S. state and activity.

4. Application configurations are scanned for vulnerabilities and are continuously monitored.

5. Cryptographic integrity monitoring ensures app code and binaries are not compromised.

6. Halo monitors system binary and config files for correct ACLs, file integrity, and vulnerabilities.

7. Application data stores are monitored for access; outbound firewall rules prevent data extrusion.

Example Security & Compliance Automation with Halo
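Controls 5 and 6 above (cryptographic integrity monitoring of binaries, and checking system files for correct ACLs) are the ones most often asked about in a PCI DSS assessment, because requirement 11.5's change-detection mechanism has to be demonstrated rather than described. The following is an added example of the underlying technique, written for this page and not CloudPassage Halo code: it baselines a directory tree by SHA-256 hash and file mode, then diffs a later snapshot and flags anything added, removed, modified, or more permissive than a policy maximum. The directory contents, file names, and the 0644 policy are assumptions for the demonstration.

```python
"""File-integrity and permission baseline check (constructed example).

Added illustration of the kind of check a file-integrity monitor performs:
hash every file under a root, record its mode, then diff a later snapshot
against the stored baseline and flag files that are more permissive than
policy allows.  This is not CloudPassage Halo code and says nothing about
Halo's internals; the paths and policy values are assumptions for the demo.
"""
import hashlib
import os
import shutil
import stat
import tempfile
from typing import Dict


def sha256_file(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root: str) -> Dict[str, dict]:
    """Hash and stat every regular file under root, keyed by root-relative path."""
    out = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            if not stat.S_ISREG(st.st_mode):
                continue  # symlinks, sockets, devices are not hashed here
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            out[rel] = {"sha256": sha256_file(full),
                        "mode": stat.S_IMODE(st.st_mode),
                        "uid": st.st_uid}
    return out


def compare(baseline: Dict[str, dict], current: Dict[str, dict],
            max_mode: int = 0o644) -> Dict[str, list]:
    """Diff two snapshots.  max_mode is the most permissive mode allowed;
    any bit outside it (group/other write, setuid, ...) is an ACL finding."""
    findings = {"added": [], "removed": [], "modified": [],
                "mode_changed": [], "too_permissive": []}
    for rel in sorted(set(baseline) | set(current)):
        b, c = baseline.get(rel), current.get(rel)
        if b is None:
            findings["added"].append(rel)
        elif c is None:
            findings["removed"].append(rel)
        else:
            if b["sha256"] != c["sha256"]:
                findings["modified"].append(rel)
            if b["mode"] != c["mode"] or b["uid"] != c["uid"]:
                findings["mode_changed"].append(rel)
        if c is not None and c["mode"] & ~max_mode:
            findings["too_permissive"].append(rel)
    return findings


def demo() -> Dict[str, list]:
    """Build a throwaway tree, baseline it, tamper with it, and return the diff."""
    root = tempfile.mkdtemp()
    try:
        files = {"bin/payd": b"\x7fELF pretend-binary",  # constructed content
                 "etc/app.conf": b"listen=443\n",
                 "etc/old.conf": b"legacy=1\n"}
        for rel, data in files.items():
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as f:
                f.write(data)
            os.chmod(path, 0o644)  # set modes explicitly so umask does not matter
        baseline = snapshot(root)
        # Simulated tampering: patched binary, loosened config perms,
        # deleted file, dropped-in cron job.
        with open(os.path.join(root, "bin/payd"), "ab") as f:
            f.write(b" backdoor")
        os.chmod(os.path.join(root, "etc/app.conf"), 0o666)
        os.remove(os.path.join(root, "etc/old.conf"))
        cron = os.path.join(root, "etc/cron.d-drop")
        with open(cron, "wb") as f:
            f.write(b"* * * * * root /tmp/x\n")
        os.chmod(cron, 0o644)
        return compare(baseline, snapshot(root))
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind:15} {paths}")
```

In production the baseline must be stored off the monitored host (or signed), since an attacker who can rewrite a binary can usually rewrite a local hash database as well; that is the reason a hosted analytics engine, as in the architecture figure above, holds the reference copy rather than the workload itself.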

20

Halo PCI Coverage

21

Halo Grid: PCI & SOC2

• Certified Level 1 Service Provider

– First entirely cloud-based vendor certified across multiple CSPs

– Hosted in Rackspace Cloud & AWS, with full DevOps automation

• Multiple customers recently cleared PCI QSA audits

• Recently announced: SOC2 certification

22

Poll: PCI & IaaS

• What percentage of your “in-scope” PCI systems run in a private or public IaaS infrastructure?

– 100% of in-scope PCI systems on IaaS

– PCI in-scope systems run across a mix of IaaS and traditional infrastructures

– No in-scope systems on IaaS (all on traditional physical hardware)

– N/A, we run no PCI in-scope systems

23

Wrapping Up

24

Summary

• PCI compliance on IaaS is possible

• Responsibility shared with cloud provider

• Security and management must be designed to work in dynamic, highly automated clouds

• CloudPassage Halo designed and built to automate compliance in today’s complex environments

25

Q&A and Resources

cloudpassage.com/pci-kit

PCI Compliance in the Public IaaS Cloud: How I Did It (blog.rightscale.com)

26

Thank You!

Phil Cox

• Email: [email protected]

• Twitter: @sec_prof

www.rightscale.com

Rand Wacker

• Email: [email protected]

• Twitter: @randwacker

www.cloudpassage.com