Will Your Cloud Be Compliant?
Scott Carlson – PayPal
Evgeniya Shumakher – Mirantis

OpenStack Cloud Compliance
Evgeniya Shumakher, Business Analyst
© MIRANTIS 2013

What is ‘Compliance’?
Compliance means conforming to a rule, such as a specification, policy, standard or law. Regulatory compliance describes the goal that organisations aspire to achieve in their efforts to ensure that they are aware of and take steps to comply with relevant laws and regulations.
http://en.wikipedia.org/wiki/Regulatory_compliance

Compliance <> Security
(diagram: two overlapping areas labelled Security and Compliance)

It’s all about information
• Confidentiality
• Availability
• Integrity
Example: The Payment Card Industry Data Security Standard (PCI DSS) was developed to encourage and enhance cardholder data security and facilitate the broad adoption of consistent data security measures globally.

Enterprise ecosystem
(diagram, outer to inner: Regulations; People; Business Processes; Applications; Data; Operating Systems; OpenStack; Processing and Memory, Data Storage, Network; Physical facilities)

Who is responsible?
(diagram: CloudStack layers – Data; Applications; Operating Systems; OpenStack; Processing and Memory, Data Storage, Network; Physical facilities – with responsibility split between Cloud user and Cloud builder depending on IaaS, PaaS or SaaS)

Standards
• PCI DSS
• HIPAA / HITECH
• SOX
• FedRAMP/FISMA
• ISO/IEC 27001-2005
• NIST SP800-53

Typical structure
(diagram: Standard → Requirement #1, Requirement #2, … Requirement #N; Requirement #1 → Control #1.1, Control #1.2, … Control #1.N)

Controls are very similar
• Cloud Controls Matrix Version 3.0

Standards are pretty generic: PCI DSS
Build and Maintain a Secure Network and Systems
1. Install and maintain a firewall configuration to protect cardholder data
2. Do not use vendor-supplied defaults for system passwords and other security parameters
Protect Cardholder Data
3. Protect stored cardholder data
4. Encrypt transmission of cardholder data across open, public networks
Maintain a Vulnerability Management Program
5. Protect all systems against malware and regularly update anti-virus software or programs
6. Develop and maintain secure systems and applications
Implement Strong Access Control Measures
7. Restrict access to cardholder data by business need to know
8. Identify and authenticate access to system components
9. Restrict physical access to cardholder data
Regularly Monitor and Test Networks
10. Track and monitor all access to network resources and cardholder data
11. Regularly test security systems and processes
Maintain an Information Security Policy
12. Maintain a policy that addresses information security for all personnel

Cloud Guidelines
• PCI DSS Virtualization Guidelines
• PCI DSS Cloud Computing Guidelines
• NIST Special Publication 800-144, Guidelines on Security and Privacy in Public Cloud Computing

PCI DSS Cloud Guidelines
Don’t store, process or transmit payment card data in the cloud.

PCI DSS Virtualization Guidelines
• Requirement 3: Protect stored cardholder data
 – As well as being present in known locations, cardholder data could exist in archived, off-line or dormant VM images, or be unknowingly moved between virtual systems via dynamic mechanisms such as live migration or storage migration tools.
 – Sensitive data, such as unencrypted PAN, sensitive authentication data, and cryptographic keys, could be inadvertently captured in active memory and replicated via VM imaging and snapshot functions...

OpenStack Security Guidelines
• OpenStack Security Guide
• Securing OpenStack for compliance

Q&A
• email: eshumakher@mirantis.com
• irc: eshumakher

Private Cloud Compliance
Scott Carlson – @relaxed137
© 2014 PayPal Inc. All rights reserved. Confidential and proprietary.
(slide figure: 26 currencies supported – Euro, Taiwan New Dollar, Mexican Peso, Australian Dollar, Chinese RMB, Canadian Dollar, Swedish Krona, Turkish Lira, Swiss Franc, New Zealand Dollar, Singapore Dollar, Hungarian Forint, Philippine Peso, Malaysian Ringgit, Brazilian Real, United Kingdom Pounds Sterling, Russian Ruble, Hong Kong Dollar, Norwegian Krone, United States Dollar, Japanese Yen, Polish Zloty, Czech Koruna, Israeli New Shekel, Danish Krone, Thai Baht; 148M active registered accounts; 193 markets offer PayPal; 80 localized marketing sites globally)

Q1 2014 Financial Metrics
• 148M active accounts (1)
• $1.8B PayPal revenues, 20% YoY
• $6,688 in payments processed every second (2)
• 9M payments processed every day (3)
• $52B TPV (2), 26% YoY
• +6M new active accounts (1)

PayPal Cloud & Software Defined Data Center: Agility with Security
Cloud Design Principles
• VIRTUAL: Deploy from templates. Any image, anywhere.
• ELASTIC: Automatically scale up/down workloads. Follow devops auto-deployments (CI/CD). Respond to intra-cloud events.
• SECURE: PCI-DSS 2.0 and 3.0. Local country requirements.

Compliance requirements
• Compliant with PCI-DSS 2.0 standards
• Non-US locations compliant with local country regulations
• Compliance statement: http://www.visa.com/splisting/viewSPDetail.do?coName=PayPal

Basic Methodology: Just pretend it’s infrastructure
OpenStack has servers in it
• Hardware configured and dedicated to the cloud
• Hypervisor/build image meeting NIST/CIS standard templates
• Vulnerability scanning with third-party tooling
• Patching: 7, 30, 90 day windows with vendor-provided patches to the OS
• Configuration management for important system files
• Password management – non-default, complex and unique!
OpenStack has users in it
• Do not use shared accounts for anything. Just don’t.
• Log everything (auth) about a user. Send it somewhere you can find it. Keep it a LONG time.
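The "configuration management for important system files" bullet above asks for something an assessor can be shown: a recorded baseline of the files that define a hypervisor's hardened state, and a repeatable check that reports which of them have drifted. The script below is an added example, not tooling from the slides or from PayPal; the watched paths and file contents are constructed in a temporary directory, and the JSON baseline format (path to SHA-256) is this example's own choice.

```python
"""Added example: hash baseline plus drift report for watched config files.

Assumptions (not from the slides): the list of watched files, their contents
and the baseline layout are all constructed here for demonstration."""
import hashlib
import json
import os
import tempfile

# Constructed watch list: typical hypervisor/OpenStack config paths, relative
# to a root so the demo can run against a temporary directory.
WATCHED = ["etc/ssh/sshd_config", "etc/nova/nova.conf", "etc/libvirt/libvirtd.conf"]


def sha256_file(path):
    """Stream a file through SHA-256 so large files do not need to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(64 * 1024), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root, rel_paths):
    """Map each watched file to its hash, or None if it does not exist yet."""
    baseline = {}
    for rel in rel_paths:
        full = os.path.join(root, rel)
        baseline[rel] = sha256_file(full) if os.path.isfile(full) else None
    return baseline


def save_baseline(baseline, path):
    """Persist the baseline; in practice store it off-box and protect it."""
    with open(path, "w") as fh:
        json.dump(baseline, fh, indent=2, sort_keys=True)


def load_baseline(path):
    with open(path) as fh:
        return json.load(fh)


def check_drift(root, baseline):
    """Compare current hashes with the baseline and classify every watched file."""
    report = {"unchanged": [], "modified": [], "missing": [], "appeared": []}
    for rel, expected in sorted(baseline.items()):
        full = os.path.join(root, rel)
        current = sha256_file(full) if os.path.isfile(full) else None
        if current == expected:
            report["unchanged"].append(rel)
        elif current is None:
            report["missing"].append(rel)      # file present at baseline time, gone now
        elif expected is None:
            report["appeared"].append(rel)     # file absent at baseline time, present now
        else:
            report["modified"].append(rel)     # content changed since baseline
    return report


def demo():
    """Constructed scenario: three config files, then one edit and one deletion."""
    with tempfile.TemporaryDirectory() as root:
        for rel in WATCHED:
            full = os.path.join(root, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "w") as fh:
                fh.write("# constructed content for %s\n" % rel)
        baseline_path = os.path.join(root, "baseline.json")
        save_baseline(build_baseline(root, WATCHED), baseline_path)
        # Simulate drift: an edited nova.conf and a removed libvirtd.conf.
        with open(os.path.join(root, "etc/nova/nova.conf"), "a") as fh:
            fh.write("debug = True\n")
        os.remove(os.path.join(root, "etc/libvirt/libvirtd.conf"))
        return check_drift(root, load_baseline(baseline_path))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run it and the report lists nova.conf as modified and libvirtd.conf as missing while sshd_config is unchanged; run the same check on a schedule, ship the report with the host's logs, and the "show your work" evidence for an assessor falls out of it.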
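The "OpenStack has users in it" bullets above say not to share accounts and to keep authentication logs for a long time. Both are easy to state and easy to drift from, so the script below is an added example (not code from the slides or from PayPal) of two checks you can run over collected auth events: accounts that authenticate successfully from more than one source address, which is what shared credentials look like, and whether the retained history actually reaches back as far as the retention policy claims. The one-line record format and the sample events are constructed; real Keystone or sshd logs need their own parser.

```python
"""Added example: shared-account and retention checks over auth events.

Assumption (not from the slides): records use a constructed format
'<ISO-8601 UTC time> <account> <source-ip> <success|failure>'."""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample auth events (not real log data).
SAMPLE_AUTH_LOG = """\
2014-05-01T08:00:00Z svc_nova 10.0.1.5 success
2014-05-01T08:05:00Z svc_nova 10.0.1.6 success
2014-05-01T08:06:00Z svc_nova 10.0.1.7 success
2014-05-01T09:00:00Z alice 10.0.2.20 success
2014-05-01T09:30:00Z alice 10.0.2.20 failure
2014-05-02T10:00:00Z bob 10.0.2.21 success
2014-05-02T10:01:00Z admin 10.0.3.1 success
2014-05-02T10:02:00Z admin 10.0.3.2 success
"""


def parse_time(ts):
    """Parse the constructed UTC timestamp into an aware datetime."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_auth_log(text):
    """Turn log text into event dicts. A malformed line raises: an auth log you
    cannot parse is itself a finding, so do not skip it silently."""
    events = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        parts = line.split()
        if len(parts) != 4 or parts[3] not in ("success", "failure"):
            raise ValueError("malformed auth record on line %d: %r" % (lineno, line))
        ts, account, src, result = parts
        events.append({"time": parse_time(ts), "account": account,
                       "src": src, "result": result})
    return events


def shared_account_candidates(events, max_sources=1):
    """Accounts that logged in successfully from more than max_sources distinct
    addresses: the signature of shared credentials, or of a service account
    that still has to be mapped back to the individual people using it."""
    sources = defaultdict(set)
    for ev in events:
        if ev["result"] == "success":
            sources[ev["account"]].add(ev["src"])
    return {acct: sorted(srcs) for acct, srcs in sources.items()
            if len(srcs) > max_sources}


def failure_counts(events):
    """Failed authentications per account, for the monitoring side of the slide."""
    counts = defaultdict(int)
    for ev in events:
        if ev["result"] == "failure":
            counts[ev["account"]] += 1
    return dict(counts)


def retention_covers(events, policy_days, now):
    """True if the oldest retained event is at least policy_days old, i.e. the
    log store really holds history for the whole policy window."""
    if not events:
        return False
    oldest = min(ev["time"] for ev in events)
    return now - oldest >= timedelta(days=policy_days)


if __name__ == "__main__":
    evs = parse_auth_log(SAMPLE_AUTH_LOG)
    print("shared-account candidates:", shared_account_candidates(evs))
    print("failed logins:", failure_counts(evs))
    # policy_days is a placeholder; use the window your own policy requires
    print("365-day history present:",
          retention_covers(evs, 365, datetime.now(timezone.utc)))
```

On the sample, svc_nova and admin are flagged (three and two source addresses), alice is not, and the retention check answers differently depending on how far "now" is from the oldest record, which is exactly the question an auditor asks when they pick a date in the past and want the matching log.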
Basic Methodology: Just pretend it’s infrastructure
Hypervisor components
• It’s just Linux. Treat it like hardened Linux and lock it down to standards (CIS, NIST).
• Have a separate management interface from your production traffic (physical or virtual).
• Do not combine security zones within a single hypervisor, because then it’s ALL “in-scope”.
• Audit access, audit changes, be ready to show your work.
• Be ready to defend decisions to share ports for components.
OpenStack software stack
• Limited vulnerability scanning in a programmatic way; have to build our own (Fortify, AppScan).
• Getting code from trunk = open source happiness, but have your licenses reviewed!
• You still need to code review if CDE passes through here.
• Avoid, avoid, avoid actual data getting put in your cloud stack (not guest VMs, those are ok).

Basic Methodology: Just pretend it’s infrastructure
Physical network components? Yep
• Firewall rules around the cloud to limit ingress and egress.
• Monitor what happens on your firewalls, send it somewhere, keep it a LONG time.
• Make sure the person building your network isn’t the person building your cloud (SOD).
• Configuration guidelines exist for most physical installations (avoid virtual for now…).
• Automation is fine, but make sure you log it, and auto-ticket it.
Virtual network components? Nope
• Too early in the testing process to rely on virtual versions of components at scale.
• Okay for intra-tenant traffic with a minimal rule set.
• Same rules for physical apply to virtual. Has your third party pen-tested and certified their thing?

Basic Methodology: Just pretend it’s infrastructure
Data?
• If it’s cardholder data, controls become interesting very quickly.
• Storing things encrypted at rest in VMs means you can’t use OpenStack components.
• HSM, crypto, key management required.
• User management, controls over data, logging, all of the standard stuff needed.

For more information, please contact:
Scott Carlson
sccarlson@paypal.com
@relaxed137