Will Your Cloud Be Compliant? Scott Carlson – PayPal Evgeniya Shumakher - Mirantis

Posted 25-Feb-2016


TRANSCRIPT

Page 1: Will Your Cloud Be Compliant?

Will Your Cloud Be Compliant?

Scott Carlson – PayPal

Evgeniya Shumakher - Mirantis

Page 2

© MIRANTIS 2013

OpenStack Cloud Compliance

Evgeniya Shumakher, Business Analyst

Page 3

What is ‘Compliance’?

Compliance means conforming to a rule, such as a specification, policy, standard or law. Regulatory compliance describes the goal that organisations aspire to achieve in their efforts to ensure that they are aware of and take steps to comply with relevant laws and regulations.

http://en.wikipedia.org/wiki/Regulatory_compliance

Page 4

Compliance <> Security

[Diagram: two overlapping circles labelled Security and Compliance]

Page 5

It’s all about information: Confidentiality, Integrity, Availability

Example: The Payment Card Industry Data Security Standard (PCI DSS) was developed to encourage and enhance cardholder data security and facilitate the broad adoption of consistent data security measures globally.

Page 6

Enterprise ecosystem

Stack, top to bottom as drawn on the slide:
Data
Applications
Operating Systems
OpenStack
Processing and Memory, Data Storage, Network
Physical facilities

Cutting across every layer: People, Business Processes, Regulations

Page 7

Who is responsible?

Rows (stack layers): Data; Applications; Operating Systems; OpenStack; Processing and Memory, Data Storage, Network; Physical facilities
Columns (delivery models): Cloud Stack, IaaS, PaaS, SaaS

Legend: Cloud user / Cloud builder (each cell shows which of the two owns that layer under that model)

Page 8

Standards
• PCI DSS
• HIPAA / HITECH
• SOX
• FedRAMP/FISMA
• ISO/IEC 27001-2005
• NIST SP800-53

Page 9

Typical structure

Standard
    Requirement #1
        Control #1.1
        Control #1.2
        Control #1.N
    Requirement #2
    Requirement #N

Page 11

Standards are pretty generic: PCI DSS

Build and Maintain a Secure Network and Systems
1. Install and maintain a firewall configuration to protect cardholder data
2. Do not use vendor-supplied defaults for system passwords and other security parameters

Protect Cardholder Data
3. Protect stored cardholder data
4. Encrypt transmission of cardholder data across open, public networks

Maintain a Vulnerability Management Program
5. Protect all systems against malware and regularly update anti-virus software or programs
6. Develop and maintain secure systems and applications

Implement Strong Access Control Measures
7. Restrict access to cardholder data by business need to know
8. Identify and authenticate access to system components
9. Restrict physical access to cardholder data

Regularly Monitor and Test Networks
10. Track and monitor all access to network resources and cardholder data
11. Regularly test security systems and processes

Maintain an Information Security Policy
12. Maintain a policy that addresses information security for all personnel

Page 13

PCI DSS Cloud Guidelines

Don’t store, process or transmit payment card data in the cloud.

Page 14

PCI DSS Virtualization Guidelines

• Requirement 3: Protect stored cardholder data

– As well as being present in known locations, cardholder data could exist in archived, off-line or dormant VM images, or be unknowingly moved between virtual systems via dynamic mechanisms such as live migration or storage migration tools.

– Sensitive data, such as unencrypted PAN, sensitive authentication data, and cryptographic keys, could be inadvertently captured in active memory and replicated via VM imaging and snapshot functions...
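The two guideline bullets above say where cardholder data ends up when nobody intended it to: dormant images, snapshots, copied memory. The practical answer is to go looking for it before an assessor does. The following scanner is an added example, not code from the deck, from Mirantis or from PayPal: it walks a byte blob standing in for a VM image or memory dump, picks out 13–19 digit runs that pass the Luhn check, and reports them masked so the report does not itself become another copy of cardholder data. The regex, the Luhn routine, the masking rule and the sample image bytes (with two industry test card numbers) are all constructed for this example.

```python
"""Find PAN-like digit runs in a VM image, snapshot or memory dump.

Added example (not from the slide deck). A stray PAN in a dormant image is
still in scope for PCI DSS requirement 3, so the defender's first job is to
find it. Matches are reported masked, never as the full number.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# 13-19 digits, optionally separated by single spaces or dashes, not preceded
# or followed by another digit (so a 20-digit run is not split into a "PAN").
_CANDIDATE = re.compile(rb"(?<![0-9])(?:[0-9][ -]?){12,18}[0-9](?![0-9])")


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check: the checksum every real PAN satisfies."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask(digits: str) -> str:
    """Show at most the first six and last four digits (PCI DSS 3.3 masking)."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


@dataclass(frozen=True)
class Finding:
    offset: int      # byte offset of the match in the blob
    masked: str      # masked PAN, never the full number


def scan_bytes(blob: bytes) -> list[Finding]:
    """Return masked findings for every Luhn-valid candidate in blob."""
    findings: list[Finding] = []
    for m in _CANDIDATE.finditer(blob):
        digits = re.sub(rb"[ -]", b"", m.group(0)).decode("ascii")
        # Reject all-same-digit runs (trivially Luhn-valid) and Luhn failures.
        if len(set(digits)) > 1 and luhn_ok(digits):
            findings.append(Finding(m.start(), mask(digits)))
    return findings


# Constructed stand-in for a snapshot: config text, a request log fragment
# and some binary padding. The two PANs are well-known industry test numbers.
SAMPLE_IMAGE = (
    b"\x00\x01cfg=ok\n"
    b"order=12345 card=4111 1111 1111 1111 exp=12/19\n"   # Luhn-valid test PAN
    b"trace=1234567890123456\n"                          # 16 digits, fails Luhn
    b"legacy=5555-5555-5555-4444\x00\x00"                 # Luhn-valid, dashed
    b"ts=20140101120000 phone=5551234567\n"               # not PANs
)


if __name__ == "__main__":
    for f in scan_bytes(SAMPLE_IMAGE):
        print(f"offset {f.offset}: {f.masked}")
```

Run the same `scan_bytes` over a raw image file read in chunks (with a small overlap so a PAN is not cut at a chunk boundary) and you have a cheap pre-snapshot and pre-archive gate; a hit means the image is in scope and should be wiped or re-built rather than stored.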

Page 16

Q&A
• email: [email protected]
• irc: eshumakher

Page 17

© 2014 PayPal Inc. All rights reserved. Confidential and proprietary.

Private Cloud Compliance

Scott Carlson - @relaxed137

Page 18

PayPal globally: 26 currencies supported; 148M active registered accounts; 193 markets offer PayPal; 80 localized marketing sites.

Currencies: European Union Euro, Australian Dollar, Canadian Dollar, New Zealand Dollar, Hungarian Forint, Malaysian Ringgit, United Kingdom Pounds Sterling, Hong Kong Dollar, United States Dollar, Taiwan New Dollar, Chinese RMB, Swedish Krona, Singapore Dollar, Philippine Peso, Brazilian Real, Russian Ruble, Norwegian Krone, Japanese Yen, Mexican Peso, Turkish Lira, Swiss Franc, Czech Koruna, Israeli New Shekel, Danish Krone, Thai Baht, Polish Zloty.

Page 19

148M active accounts (1)
$6,688 in payments processed every second (2)
9M payments processed every day (3)
+6M new active accounts (1)

1. Active Registered Accounts: All registered accounts that successfully sent or received at least one payment or payment reversal through our PayPal payments networks, including Bill Me Later and Venmo, and excluding users of Braintree’s unbranded payment checkout solutions, within the last 12 months and which are currently able to transact.
2. Total Payment Volume: Total dollar volume of payments, net of payment reversals, successfully completed through our PayPal payments networks, including Bill Me Later, Venmo, and payments processed through Braintree’s full stack payments platform during the period; excludes payments sent or received through PayPal and Braintree’s payment gateway businesses.
3. Net Total Number of Payments: Total number of payments, net of payment reversals, successfully completed through our PayPal payments networks, including Bill Me Later, Venmo, and payments processed through Braintree’s full stack payments platform during the period; excludes payments sent or received through PayPal and Braintree’s payment gateway businesses.

Q1 2014 Financial Metrics
PayPal revenues: $1.8B, 20% YoY
TPV (2): $52B, 26% YoY

Page 20

PayPal Cloud & Software Defined Data Center: Agility with Security

Cloud Design Principles: Virtual, Elastic, Secure
• Deploy from templates; any image, anywhere
• Automatically scale workloads up/down
• Follow devops auto-deployments (CI/CD)
• Respond to intra-cloud events
• PCI-DSS 2.0 and 3.0; local country requirements

Page 21

Compliance requirements

Compliant with PCI-DSS 2.0 Standards
Non-US locations compliant with local country regulations


Compliance Statement: http://www.visa.com/splisting/viewSPDetail.do?coName=PayPal

Page 22

Basic Methodology: Just pretend it’s infrastructure

OpenStack has servers in it
• Hardware configured and dedicated to the cloud
• Hypervisor/build image meeting NIST/CIS standard templates
• Vulnerability scanning with third-party tooling
• Patching in 7-, 30- and 90-day windows with vendor-provided OS patches
• Configuration management for important system files
• Password management – non-default, complex and unique!

OpenStack has users in it
• Do not use shared accounts for anything. Just don’t.
• Log everything (auth) about a user. Send it somewhere you can find it. Keep it a LONG time.
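The server and user controls on this slide are the kind an assessor will ask you to evidence, so it pays to check them continuously rather than once. The following is an added example, not PayPal's or the OpenStack project's code: it takes a constructed map of service-account passwords as they would appear in service config files, a constructed retention setting, and a few constructed auth log lines in an assumed format ("<ISO timestamp> auth user=<name> src=<ip> result=<success|failure>"), and reports vendor-default, weak or reused passwords (PCI DSS requirement 2), accounts that are evidently shared because one identity authenticates from several addresses within a short window (requirement 8), and a log retention setting shorter than the one-year minimum PCI DSS 10.7 requires (requirement 10). The default-password list, the window size and the log format are assumptions.

```python
"""Audit checks for 'OpenStack has servers in it / users in it'.

Added example, not PayPal's or the project's code. All inputs are
constructed inline; the auth log format is assumed.
"""
from __future__ import annotations

import re
from collections import defaultdict
from datetime import datetime, timedelta

# Installer/vendor defaults often left in place (assumed, non-exhaustive list).
DEFAULT_PASSWORDS = {"password", "admin", "changeme", "secret", "openstack"}
PCI_MIN_RETENTION_DAYS = 365          # PCI DSS 10.7: audit trail kept at least one year
LOG_RE = re.compile(r"^(?P<ts>\S+) auth user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>\w+)$")


def password_findings(accounts: dict[str, str]) -> list[str]:
    """Flag default, username-derived, weak and reused passwords."""
    issues: list[str] = []
    by_password: dict[str, list[str]] = defaultdict(list)
    for user, pw in accounts.items():
        if pw.lower() in DEFAULT_PASSWORDS or pw.lower() == user.lower():
            issues.append(f"{user}: vendor-default or username-derived password")
        classes = sum(bool(re.search(p, pw)) for p in (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]"))
        if len(pw) < 12 or classes < 3:        # assumed complexity floor
            issues.append(f"{user}: password not complex enough")
        by_password[pw].append(user)
    for users in by_password.values():
        if len(users) > 1:
            issues.append("password reused across: " + ", ".join(sorted(users)))
    return issues


def parse_auth_log(lines: list[str]) -> list[tuple[datetime, str, str, str]]:
    """Parse the assumed log format; lines that do not match are skipped."""
    events = []
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            events.append((datetime.fromisoformat(m["ts"]), m["user"], m["src"], m["result"]))
    return events


def shared_account_findings(events, window: timedelta = timedelta(minutes=10)) -> dict[str, list[str]]:
    """An account that logs in from more than one source address inside one
    sliding window is being shared (or its credential has leaked); either way
    it is not the personal account the slide asks for."""
    by_user: dict[str, list[tuple[datetime, str]]] = defaultdict(list)
    for ts, user, src, result in events:
        if result == "success":
            by_user[user].append((ts, src))
    flagged: dict[str, list[str]] = {}
    for user, evs in by_user.items():
        evs.sort()
        for i, (start, _) in enumerate(evs):
            sources = {src for ts, src in evs[i:] if ts - start <= window}
            if len(sources) > 1:
                flagged[user] = sorted(sources)
                break
    return flagged


def retention_ok(retention_days: int) -> bool:
    return retention_days >= PCI_MIN_RETENTION_DAYS


# --- constructed sample inputs -------------------------------------------
SERVICE_ACCOUNTS = {
    "nova": "nova",                     # password == username (vendor-default style)
    "neutron": "Tr0ub4dor&3-neutron",   # acceptable
    "glance": "Tr0ub4dor&3-neutron",    # reused from neutron
    "keystone": "changeme",             # installer default
}
AUTH_LOG = [
    "2014-05-01T10:00:00 auth user=ops src=10.0.0.5 result=success",
    "2014-05-01T10:03:00 auth user=ops src=10.0.0.9 result=success",
    "2014-05-01T10:05:00 auth user=ops src=10.0.0.12 result=success",
    "2014-05-01T12:00:00 auth user=alice src=10.0.0.5 result=failure",
    "2014-05-01T13:00:00 auth user=alice src=10.0.0.8 result=success",
    "garbage line that does not parse",
]
LOG_RETENTION_DAYS = 90                 # constructed: too short for PCI DSS 10.7


def audit() -> dict:
    return {
        "passwords": password_findings(SERVICE_ACCOUNTS),
        "shared_accounts": shared_account_findings(parse_auth_log(AUTH_LOG)),
        "retention_ok": retention_ok(LOG_RETENTION_DAYS),
    }


if __name__ == "__main__":
    for name, result in audit().items():
        print(name, result)
```

The shared-account heuristic is deliberately conservative (any second address within ten minutes): on a real Keystone or sshd log it will also catch a credential that has been copied to a second host, which is the same finding from the assessor's point of view.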

Page 23

Basic Methodology: Just pretend it’s infrastructure

Hypervisor components
• It’s just Linux. Treat it like hardened Linux and lock it down to standards (CIS, NIST).
• Have a separate management interface from your production traffic (physical or virtual).
• Do not combine security zones within a single hypervisor, because then it’s ALL “in-scope”.
• Audit access, audit changes, be ready to show your work.
• Be ready to defend decisions to share ports for components.

OpenStack software stack
• Limited vulnerability scanning in a programmatic way; have to build our own (Fortify, AppScan).
• Getting code from trunk = open source happiness, but have your licenses reviewed!
• You still need to code review if the CDE (cardholder data environment) passes through here.
• Avoid, avoid, avoid actual data getting put in your cloud stack (not guest VMs, those are OK).

Page 24

Basic Methodology: Just pretend it’s infrastructure

Physical network components? Yep
• Firewall rules around the cloud to limit ingress and egress
• Monitor what happens on your firewalls, send it somewhere, keep it a LONG time
• Make sure the person building your network isn’t the person building your cloud (SOD, separation of duties)
• Configuration guidelines exist for most physical installations (avoid virtual for now…)
• Automation is fine, but make sure you log it, and auto-ticket it.

Virtual network components? Nope
• Too early in the testing process to rely on virtual versions of components at scale
• Okay for intra-tenant traffic with minimal rule set
• Same rules for physical apply to virtual. Has your third party pen-tested and certified their thing?
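The physical-network bullets above translate directly into checks that can run against an exported rule set every time automation touches it. The following is an added example, not PayPal's code: it models each perimeter rule as a small record, a constructed account-to-team roster, and a constructed CDE address range, and reports allow rules that admit anything from anywhere into the CDE, deny rules that are not logged, rules changed by a cloud-build account rather than the network team (SOD), changes with no ticket reference, and either direction that does not end in an explicit default deny. The rule format, the roster and the sample rules are assumptions made for this example.

```python
"""Audit a perimeter rule set against the 'physical network components'
controls: limited ingress/egress, logged firewall activity, separation of
duties (SOD) between network and cloud-build teams, and a ticket on every
(automated) change. Added example; all inputs are constructed.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass

# Which team owns each account that can change rules (constructed roster).
TEAMS = {"net-alice": "network", "cloud-bob": "cloud-build", "fw-bot": "automation"}


@dataclass(frozen=True)
class Rule:
    name: str
    direction: str        # "ingress" or "egress"
    src: str              # CIDR
    dst: str              # CIDR
    proto: str            # "tcp", "udp" or "any"
    port: str             # "443", "123" or "any"
    action: str           # "allow" or "deny"
    log: bool             # is traffic hitting this rule logged?
    changed_by: str       # account that last changed the rule
    ticket: str | None    # change ticket reference; None = unrecorded


def _is_anywhere(cidr: str) -> bool:
    return ipaddress.ip_network(cidr).prefixlen == 0


def audit_rules(rules: list[Rule], cde_nets: list[str]) -> list[str]:
    """Return one human-readable issue per control violation."""
    cde = [ipaddress.ip_network(n) for n in cde_nets]
    issues: list[str] = []
    for r in rules:
        dst = ipaddress.ip_network(r.dst)
        touches_cde = any(dst.subnet_of(n) or n.subnet_of(dst) for n in cde)
        if (r.direction == "ingress" and r.action == "allow"
                and _is_anywhere(r.src) and r.port == "any" and touches_cde):
            issues.append(f"{r.name}: unrestricted ingress from anywhere into the CDE")
        if r.action == "deny" and not r.log:
            issues.append(f"{r.name}: deny rule without logging")
        if TEAMS.get(r.changed_by) == "cloud-build":
            issues.append(f"{r.name}: changed by a cloud-build account (SOD)")
        if r.ticket is None:
            issues.append(f"{r.name}: change has no ticket reference")
    # Each direction must end in an explicit any/any deny so that whatever the
    # allow rules miss is dropped and, when logged, visible.
    for direction in ("ingress", "egress"):
        chain = [r for r in rules if r.direction == direction]
        last = chain[-1] if chain else None
        if last is None or last.action != "deny" or not (_is_anywhere(last.src) and _is_anywhere(last.dst)):
            issues.append(f"{direction}: no final default-deny rule")
    return issues


CDE_NETS = ["10.10.0.0/16"]    # constructed cardholder data environment range
SAMPLE_RULES = [
    Rule("in-web", "ingress", "0.0.0.0/0", "10.10.1.0/24", "tcp", "443", "allow", True, "net-alice", "CHG-1001"),
    Rule("in-lab", "ingress", "0.0.0.0/0", "10.10.5.0/24", "any", "any", "allow", False, "cloud-bob", None),
    Rule("in-deny", "ingress", "0.0.0.0/0", "0.0.0.0/0", "any", "any", "deny", True, "net-alice", "CHG-1000"),
    Rule("out-ntp", "egress", "10.10.0.0/16", "192.0.2.10/32", "udp", "123", "allow", True, "fw-bot", "CHG-1042"),
    Rule("out-deny", "egress", "0.0.0.0/0", "0.0.0.0/0", "any", "any", "deny", False, "net-alice", "CHG-1000"),
]

if __name__ == "__main__":
    for issue in audit_rules(SAMPLE_RULES, CDE_NETS):
        print(issue)
```

Wire `audit_rules` into the same pipeline that applies automated changes: a non-empty result blocks the push and opens the ticket the slide asks for, with the issue strings as the ticket body.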

Page 25

Basic Methodology: Just pretend it’s infrastructure

Data? If it’s cardholder data, controls become interesting very quickly
• Storing things encrypted at rest in VMs means you can’t use OpenStack components
• HSM, crypto, key management required
• User management, controls over data, logging – all of the standard stuff needed

Page 26

For more information, please contact:

Scott Carlson – [email protected] – @relaxed137