How to do PCI DSS in the Cloud

© 2011 Cloud Security Alliance, Inc. All rights reserved.
Thanks to Class Sponsors
Courseware created by Dr. Anton Chuvakin for Cloud Security Alliance
About the Cloud Security Alliance
Global, not-for-profit organization
Building best practices and a trusted cloud ecosystem
Comprehensive research and tools
Certificate of Cloud Security Knowledge (CCSK)
www.cloudsecurityalliance.org
About the Class
Learn/refresh knowledge about PCI DSS
Learn/refresh knowledge about cloud computing
Understand how to assess PCI compliance in cloud environments
Understand how to implement PCI DSS controls in cloud environments
Gain useful tools for planning/doing this
Show of hands please…
1. QSA
2. Merchant
a) L1
b) L2-4
3. Service provider
4. Security tool vendor
5. Security consultant
6. Other
Prerequisites
Know how to spell “P-C-I D-S-S”
Have heard about “The Cloud”
Possess basic information security knowledge, IT management
Full Class Outline
Introduction
What this class is about, prerequisites, how to benefit
PCI DSS reminder
Cloud basics
Where cloud interacts with PCI DSS
Key cloud PCI controls
Core PCI DSS + cloud scenarios
Conclusions and action items
How to benefit?
If you are a merchant…
Learn how to stay compliant in the cloud, what to ask of CSPs, what to show to QSAs
If you are a QSA…
Figure out how to assess merchants and CSPs
If you are a cloud service provider…
Learn how to keep you and merchants compliant
If you are a security vendor…
Learn about the new problems you can solve
If you are a consultant around PCI and cloud…
Learn the “pain points” around PCI DSS and cloud
PCI in the Cloud... In the Media
….bla bla …. bla bla ….. PCI DSS….
….. The Cloud……… cloud…..bla…cloud…
….bla bla…… compliant ..……cloud.
……cloud…..bla bla……possible ……….
……cloud……….. bla bla………cloud
….. as long as no cardholder data is in the cloud… bla bla…………………………..
Quick Reality Check
Cloud?
PCI DSS?
Together?
DISCUSSION!
Why is PCI Here?
Where are the most cards? In computers.
Criminals need money
Credit cards = MONEY
Some organizations still don’t care… especially if the loss is not theirs
Data theft grows and reaches HUGE volume.
PAYMENT CARD BRANDS ENFORCE DSS!
Laggards vs. Leaders
Issue: many merchants don’t even want to “grow up” to the floor of security
Result: breaches, loss of card data, lawsuits, unhappy consumers, threat of regulation
Action: PCI DSS mandate!
What is PCI DSS or PCI?
Payment Card Industry Data Security Standard
Payment Card =
Payment Card Industry =
Data Security =
Data Security Standard =
PCI DSS: Basic Security Practices!
Build and Maintain a Secure Network
• Install and maintain a firewall configuration to protect data
• Do not use vendor-supplied defaults for system passwords and other security parameters
Protect Cardholder Data
• Protect stored data
• Encrypt transmission of cardholder data and sensitive information across public networks
Maintain a Vulnerability Management Program
• Use and regularly update anti-virus software
• Develop and maintain secure systems and applications
Implement Strong Access Control Measures
• Restrict access to data by business need-to-know
• Assign a unique ID to each person with computer access
• Restrict physical access to cardholder data
Regularly Monitor and Test Networks
• Track and monitor all access to network resources and cardholder data
• Regularly test security systems and processes
Maintain an Information Security Policy
• Maintain a policy that addresses information security
PCI DSS Domain Coverage
… In no particular order:
Security policy and procedures
Network security
Malware protection
Application security (and web)
Vulnerability scanning and remediation
Logging and monitoring
Security awareness
PCI DSS 2.0 is Here!
Select items changing for PCI 2.0
Scoping clarification
Data storage
Virtualization (!!)
DMZ clarification
Vulnerability remediation
Remote data access
Does it Apply to Me?
“PCI DSS compliance includes merchants and service providers who accept, capture, store, transmit or process credit and debit card data.”
PCI Game: The Players
PCI Security Standards Council
PCI Regime vs DSS Guidance
The PCI Council publishes PCI DSS
• Outlined the minimum data security protection measures for payment card data.
• Defined Merchant & Service Provider Levels, and compliance validation requirements.
• Left the enforcement to card brands (Council doesn’t fine anybody!)
Key point: PCI DSS (document) vs PCI (validation regime)
My Data – Their Risk!?
*I* GIVE *YOU* DATA
*YOU* LOSE IT
*ANOTHER* SUFFERS!
Key Concept//
Scoping
Sidenote//
FLAT NET to FLAT CLOUD
REALITY: “Without adequate network segmentation (sometimes called a "flat network") the entire network is in scope of the PCI DSS assessment.” (PCI DSS 2.0)
DREAM: “Without adequate network segmentation the entire CLOUD is in scope of the PCI DSS assessment.”
Key Concept//
Compliance vs Validation
Q: What to do after your QSA leaves?
A: PCI DSS compliance does NOT end when a QSA leaves or SAQ is submitted.
Use what you built for PCI to reduce risk
“Own” PCI DSS; make it the basis for your policies
Key Concept//
Stay Compliant
Ongoing compliance with PCI DSS – tasks:
TASK | FREQUENCY
Risk assessment, security awareness, key changes, review off-site backups, QSA assessment, etc | Annual
ASV and internal scans, wireless scans | Quarterly
File integrity checking | Weekly
Log and alerts review, other operational procedures | Daily
Failing That…
“Classic” example from my PCI book, co-author Branden Williams
Two BIG Approaches to PCI DSS Compliance
SECURE the data: Encrypt, access control, monitor, block attempts, authenticate, authorize, etc…
DELETE the data: Organize your business to avoid dealing with the data
These apply to PCI in the cloud as well!
NIST Definition of Cloud Computing
“Cloud computing is a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources that can be rapidly provisioned and released with minimal management effort or service provider interaction.”
5 Essential Cloud Characteristics
1. On-demand self-service
2. Broad network access
3. Resource pooling
– Location independence
4. Rapid elasticity
5. Measured service
3 Cloud Service Models
1. Cloud Software as a Service (SaaS)
– Use provider’s applications over a network
2. Cloud Platform as a Service (PaaS)
– Deploy customer-created applications to a cloud
3. Cloud Infrastructure as a Service (IaaS)
– Rent processing, storage, network capacity, and other fundamental computing resources
To be considered “cloud” they must be deployed on top of cloud infrastructure that has the essential characteristics
4 Cloud Deployment Models
Private cloud
Enterprise owned or leased
Community cloud
Shared infrastructure for specific community
Public cloud <- our focus in this class!
Sold to the public, mega-scale infrastructure
Hybrid cloud
Composition of two or more clouds
7 Common Cloud Characteristics
1. Massive scale
2. Homogeneity
3. Virtualization
4. Resilient computing
5. Low cost software
6. Geographic distribution
7. Service orientation
All of this TOGETHER: The Cloud
Deployment Models: Private Cloud, Community Cloud, Public Cloud, Hybrid Clouds
Service Models: Software as a Service (SaaS), Platform as a Service (PaaS), Infrastructure as a Service (IaaS)
Essential Characteristics: On Demand Self-Service, Broad Network Access, Rapid Elasticity, Resource Pooling, Measured Service
Common Characteristics: Massive Scale, Resilient Computing, Homogeneity, Geographic Distribution, Virtualization, Service Orientation, Low Cost Software, Advanced Security
Example IaaS//
Amazon Cloud
Amazon cloud components
– Elastic Compute Cloud (EC2)
• Run your own or Amazon’s OS “instances”
– Simple Storage Service (S3)
– SimpleDB
– Other services
Example PaaS//
Google App Engine
Create, deploy and run applications
NO control (or, in fact, even visibility) of OS
Use SDK to develop the applications
Run “natively” in the cloud
Example SaaS//
Salesforce
Well-known SaaS CRM application
Cloud CRM + a lot more applications
Example P/IaaS //
Azure
Source: Microsoft Presentation, A Lap Around Windows Azure, Manuvir Das
Service Model Architectures
[Figure: Software as a Service (SaaS) Architectures, Platform as a Service (PaaS) Architectures and Infrastructure as a Service (IaaS) Architectures, each stacked on Cloud Infrastructure; SaaS may sit on PaaS or IaaS, and PaaS may sit on IaaS]
Security?
Are there …mmm …cloud security issues?
Security: Barrier to Adoption?
What is Different about Cloud?
Security Relevant Cloud Components
Cloud Provisioning Services
Cloud Data Storage Services
Cloud Processing Infrastructure
Cloud Support Services
Cloud Network and Perimeter Security
Elastic Elements: Storage, Processing, and Virtual Networks
What is Different about Cloud?
SERVICE OWNER | SaaS | PaaS | IaaS
Data | Joint | Tenant | Tenant
Application | Joint | Joint | Tenant
Compute | Provider | Joint | Tenant
Storage | Provider | Provider | Joint
Network | Provider | Provider | Joint
Physical | Provider | Provider | Provider
CSA Cloud “Threats”
1. Abuse & Nefarious Use of Cloud Computing
2. Insecure Interfaces & APIs
3. Malicious Insiders
4. Shared Technology Issues
5. Data Loss or Leakage
6. Account or Service Hijacking
7. Unknown Risk Profile
ENISA Cloud Risks
1. Loss of governance
2. Lock-in
3. Isolation failure
4. Compliance risks
5. Management interface compromise
6. Data protection
7. Insecure or incomplete data deletion
8. Malicious insider
iSEC Realistic Cloud “Threats”
1. Authentication abuse
2. Operations breakdown
3. Misuse of cloud-specific technology
FBI Takes Cloud Away
Discussion
What do YOU think are actual, relevant, TRUE threats to cloud computing?
While we are “in the cloud”
Here are some additional CSA/cloud security resources…
CSA GRC Stack
Bringing it all together to peel back the layers of control ownership and address concerns for trusted Cloud adoption.
Private, Community & Public Clouds
Control Requirements
Provider Assertions
CSA CloudAudit
Open standard and API to automate provider audit assertions
Change audit from data gathering to data analysis
Necessary to provide audit & assurance at the scale demanded by cloud providers
Uses Cloud Controls Matrix as controls namespace
Use to instrument cloud for continuous controls monitoring
CSA Cloud Controls Matrix
Controls derived from guidance
Mapped to familiar frameworks: ISO 27001, COBIT, PCI, HIPAA
Rated as applicable to SaaS/PaaS/IaaS
Customer vs Provider role
Help bridge the “cloud gap” for IT & IT auditors
https://cloudsecurityalliance.org/research/projects/cloud-controls-matrix-ccm/
Next?
Do We See A Cloud in There?
Requirement 12.8: “If cardholder data is shared with service providers, maintain and implement policies and procedures to manage service providers…”
Requirement A.1: “Shared hosting providers must protect the cardholder data environment”
Magic of Requirement 12.8
Q: Does PCI DSS apply to merchants who use payment gateways to process transactions on their behalf, and thus never store, process or transmit cardholder data?
A: PCI DSS requirements are applicable if a Primary Account Number (PAN) is stored, processed, or transmitted. If PAN is not stored, processed, or transmitted, PCI DSS requirements do not apply.
….…………………. however ………………………
Magic of 12.8 Revealed
“If the merchant shares cardholder data with a … service provider, the merchant must ensure that there is an agreement with that … service provider that includes their acknowledgement that the third party processor/service provider is responsible for the security of the cardholder data it possesses.
In lieu of a direct agreement, the merchant must obtain evidence of the … provider's compliance with PCI DSS via other means, such as via a letter of attestation.”
Requirement 9//
Amazon Example
Q: “Do QSAs for Level 1 merchants require a physical walkthrough of a service provider’s data center?
A: No. A merchant can obtain certification without a physical walkthrough of a service provider’s data center if the service provider is a Level 1 validated service provider (such as AWS). A merchant’s QSA can rely on the work performed by our QSA, which included an extensive review of the physical security of our data centers.”
June 2011//
PCI SSC Virtualization Guidance
Key Cloud Items:
“CSP should clearly identify which PCI DSS requirements, system components, and services are covered by the cloud provider’s PCI DSS compliance program.”
72
PCI SSC on Cloud Challenges
“The distributed architectures of cloud environments add layers of
technology and complexity to the environment.
Public cloud environments are designed to be public-facing, to allow
access into the environment from anywhere on the Internet.
The infrastructure is by nature dynamic, and boundaries between tenant
environments can be fluid.
The hosted entity has limited or no visibility into the underlying
infrastructure and related security controls.
The hosted entity has limited or no oversight or control over cardholder
data storage.
The hosted entity has no knowledge of ―who‖ they are sharing
resources with, or the potential risks their hosted neighbors may be
introducing to the host system, data stores, or other resources shared
across a multi-tenant environment”
© 2011 Cloud Security Alliance, Inc. All rights reserved.
73
And now… a brainteaser
Requirement 11.3//
Pentesting
“11.3 Perform external and internal penetration testing at least once a year and after any significant infrastructure or application upgrade or modification
11.3.1 Network-layer penetration tests
11.3.2 Application-layer penetration tests”
“Cloudify” this for me, please!
Audience Poll
Q: How should we address it?
A: Only pentest applications with narrow rules
B: Go full blast and “own” provider’s datacenter
C: Trust that “they do it”
D: Hide under our desks and squeal
Detailed Example//
Amazon PCI
Happy now?
“Amazon is PCI OK”
Huh?
Say What….
Q: “What does this mean to me as a PCI merchant or service provider?
A: Our PCI Service Provider status means that customers who use our services to store, process or transmit cardholder data can rely on our PCI compliance validation for the technology infrastructure as they manage their own compliance and certification, including PCI audits and responses to incidents. Our service provider compliance covers all requirements as defined by PCI DSS for physical infrastructure service providers. Moving the entire cardholder environment to AWS can simplify your own PCI compliance by relying on our validated service provider status.”
Example//
Amazon view of this
Example//
Amazon Guidance
Sidenote//
“Compliant” Provider of What?
Scenarios Introduction
In scope for discussion:
– Public IaaS, PaaS, SaaS
– Chained or multiple CSPs
NOT in scope:
– Traditional hosting providers
– Outsourced data center or call center
– Private cloud and virtualization on-prem
– Virtual private cloud (sort of)
Learn Using Scenarios
Description
How to assess this scenario / Assessment tips
How to scope this scenario / Scoping tips
How to get compliant
How to stay compliant
What to show to QSA / compliance evidence
Notable PCI requirements to watch
Responsibility split
Pitfalls, Risks and Tips
Key Goal
DO build a framework for assessing/complying, based on the scenarios
DO NOT memorize the scenarios, yours might be different or be a combination of these
Scenario 1//
Clean Cloud
Merchant – ecommerce or stores
Use public cloud (SaaS, PaaS, IaaS)
Cloud environment segmented from CDE
NO PANs in any cloud environment
… or so they think
Description
Sells books online
Level 1 merchant
Uses cloud provider(s) for testing, training, etc
Cloud provider NOT PCI-OK
NO payment data stored in the cloud
NO payment data processed in the cloud
NO payment data passed through cloud
Scenario 1//
Visual
Audience Poll
Q: Can they be PCI DSS compliant?
A: Yes
B: No
C: Cannot tell
How to Assess?
Key: Are they right?
Test that PANs didn’t “escape” to Amazon
How to Scope?
On-prem: as usual
Cloud environment:
IaaS: run a discovery tool
Example: DLP tool, open source data discovery, dedicated PAN discovery tool, custom script to look for unencrypted PANs
Q: What about encrypted PANs?
How to Get / Stay Compliant?
Easy huh:
Keep the PANs out of the cloud
Recheck (via discovery tools) that cloud systems are not contaminated by the PANs
Look for old PANs, “test” PANs, etc.
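The discovery step the scoping and stay-compliant slides call for (a custom script that looks for unencrypted PANs on cloud systems, re-run to catch old and “test” PANs) in working code, as an added example that is not part of the CSA courseware. It is a minimal PAN discovery scanner: a pattern for 13 to 19 digit runs with optional spaces or dashes, the Luhn check that every real PAN passes, and a coarse brand-prefix filter to cut false positives; hits are reported masked (first six, last four) so the scan report does not itself become a PAN store. The spreadsheet export it scans is constructed for this example, and the brand-prefix ranges are an assumption (the widely published Visa, MasterCard, Amex and Discover ranges). It also answers the slide's question about encrypted PANs: the ciphertext row is not found, which is why key ownership, not scanning, decides scope for encrypted data.

```python
import re
from typing import Dict, List

# Candidate PAN: 13 to 19 digits, optionally separated by single spaces or dashes,
# not glued to other digits. Pattern constructed for this example.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Coarse brand prefixes, used only to discard digit runs that cannot be cards.
# Assumption: the widely published public ranges; extend for local brands.
BRAND_PREFIXES = {
    "Visa": re.compile(r"^4\d{12}(?:\d{3})?$"),
    "MasterCard": re.compile(r"^5[1-5]\d{14}$"),
    "Amex": re.compile(r"^3[47]\d{13}$"),
    "Discover": re.compile(r"^6(?:011|5\d{2})\d{12}$"),
}


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check: every real PAN passes it, most random digit runs do not."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right, fold to one digit
            d = d * 2 if d < 5 else d * 2 - 9
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """First six / last four, the PCI DSS 3.3 display form, so a finding can be
    reported without copying the cleartext PAN into the scan report."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_pans(text: str) -> List[Dict[str, object]]:
    """One finding per cleartext PAN in text: line number, brand, masked PAN.
    Encrypted or tokenized values never match, so a clean result only means
    'no cleartext PANs here', not 'no cardholder data here'."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in PAN_CANDIDATE.finditer(line):
            digits = re.sub(r"[ -]", "", m.group())
            if not luhn_ok(digits):
                continue
            brand = next((b for b, rx in BRAND_PREFIXES.items() if rx.match(digits)), None)
            if brand is None:
                continue
            findings.append({"line": lineno, "brand": brand, "pan": mask_pan(digits)})
    return findings


# Constructed sample: a spreadsheet export of the kind that ends up on a cloud file share.
# Rows 2 and 3 hold cleartext PANs (the public test numbers), row 4 a token, row 5 a
# made-up ciphertext blob, row 6 a digit run that fails the Luhn check.
SAMPLE_EXPORT = """\
customer,order_id,note
Alice,9000123456789,"paid with 4111 1111 1111 1111, exp 12/13"
Bob,9000123456790,"card 5500-0000-0000-0004 kept for refund"
Carol,9000123456791,"token tok_8f3a9c2d1e, PAN not stored"
Dan,9000123456792,"enc:AES256:Q2lwaGVydGV4dCBibG9iIGhlcmUuLi4="
Eve,9000123456793,"phone 555-0199, ref 4111111111111112"
"""

if __name__ == "__main__":
    for f in find_pans(SAMPLE_EXPORT):
        print(f"line {f['line']}: {f['brand']} {f['pan']}")
```

Point it at exports, backups and object-storage listings on the systems you believe are out of scope; a single hit puts that system back in scope until the data is removed and the leak path closed.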
Compliance Evidence
What to show to QSA?
Discovery scan results
Other data that confirms that PCI data does not get to the cloud systems
Policies and procedures BANNING card data in the cloud; evidence of people actually following them….
Responsibility SPLIT
MERCHANT: All PCI controls; Scoping; Keeping cloud systems out of scope
PROVIDER: Nothing (not even being PCI compliant)
Contract SLA Tips
Requirement 12.8 does NOT play
No SLA in regards to cardholder data
Common Pitfalls and Key Risks
Failing to assure that PANs don’t leak to the cloud
Failing to maintain “no PANs in the cloud” status
“Rogue PANs” theft is still CHD theft…
Tip: run a discovery tool on cloud systems
Tip: assure segmentation (no data flow from CDE to YOUR cloud)
Common PAN Leakage
Excel spreadsheet on cloud systems
– Excel spreadsheet on Google Documents
Application screenshots
Finance and HR documents with PANs
Other Office formats with PAN information
Text dumps from poorly-written/legacy applications
Scenario 2//
Storage in the Cloud
Merchant – ecommerce or stores
Use public cloud (SaaS, PaaS, IaaS)
Stores PANs in public cloud environment!
Description
A chain of stores across the US West
Level 2 merchant
Uses cloud provider(s) for testing, training, backup systems, data storage, etc
Cloud provider MAY BE PCI-OK
PAN data stored in the cloud
PAN data transmitted through cloud
NO payment data processed in the cloud
Scenario 2//
Visual
Audience Poll
Q: Can they be PCI DSS compliant?
A: Yes
B: No
C: Cannot tell
What about their service provider(s)?
Must they be PCI-OK for merchant to be PCI-OK?
Bonus question: What about their CSPs’ CSP?
How to Assess?
Key: Encryption AND/OR Provider PCI Status
Case #1: Unencrypted PANs at CSP => no PCI compliance possible
Case #2: Encrypted with provider having the key => provider must be PCI-OK
Case #3: Encrypted with provider NOT having the key => presumably, provider may be NOT PCI-OK
Huh? What does it mean?
IaaS (e.g. VMs in the cloud, EC2 instances, etc) = likely case #3
Merchant deals with PCI DSS, provider may not know anything about it
No unencrypted data possible in/across the cloud
NO WAY for CSP to decrypt the data
Reminder: scan for unintended cloud PANs
Huh? What does it mean? Part II
SaaS or PaaS (e.g SalesForce, etc) = likely case #2
Provider MUST be PCI-OK
Merchant and CSP share PCI responsibilities
CSP encrypts the data AND/OR can decrypt it
How to Scope?
On-prem: as usual
Cloud environment:
– IaaS (case #3)
• Cloud environment can be claimed to be out of scope (if CSP has NO key!!!)
• Merchant is responsible for all controls
• Look for unintentional PANs
– SaaS and maybe PaaS (case #2)
• Cloud environment IS in scope
• Controls shared between CSP and Merchant
PCI Council Says…
“For example, an entity subscribing to an IaaS service may retain complete control of, and therefore be responsible for, the ongoing security and maintenance of all operating systems, applications, virtual configurations (including the hypervisor and virtual security appliances), and data. In this scenario, the cloud provider would only be responsible for maintaining the underlying physical network and computing hardware.
In an alternative scenario, a SaaS service offering may encompass management of all hardware and software, including virtual components and hypervisor configurations. In this scenario, the entity may only be responsible for protecting their data, and all other security requirements would be implemented and managed by the service provider.”
How to Get Compliant?
1. Realize what scenario you are in, then either
a) Ensure CSP cooperation and PCI-OK status (see matrix) (“PCI in cloud”, SaaS/PaaS), or
b) Encrypt all PANs and prevent the provider from having the key (“no PCI in cloud”, IaaS)
2. In case a), build the control matrix and test it
How to Stay Compliant?
Either …
Keep testing the CSP PCI-OK status and check the matrix for missing controls
Keep encrypting, preventing the provider from seeing the key and testing for “rogue PANs”
Compliance Evidence
What to show to QSA? By case…
CSP PCI status and additional evidence of how they do PCI DSS
Proof of your scoping decision to exclude the cloud due to encryption
+ evidence of all other PCI controls, of course
Responsibility SPLIT//
IaaS/No Cloud PCI/Encryption
MERCHANT: All PCI controls; Encryption + key management; Scoping; Keeping cloud systems out of scope
PROVIDER: Nothing (may not even be PCI compliant)
Responsibility SPLIT//
SaaS/Cloud PCI provider
MERCHANT: Security policy; Application security; Scoping; Monitoring (unless extra $ to CSP)
PROVIDER: Security policy; Physical; Network; Encryption; Key management; System security; Parts of application security
Example Scenario 2//
Control Matrix
PCI DSS Requirement | Merchant | Cloud provider
Secure application development: R6 | IaaS, PaaS | SaaS
Update OS: R6 | IaaS, Maybe: PaaS | SaaS, Maybe: PaaS
Log management: R10 | IaaS (joint), PaaS (joint) | IaaS (joint), PaaS (joint), SaaS
Render PANs unreadable: R3.4 | IaaS (joint) | IaaS (joint), PaaS, SaaS
Physical access control: R9 | None | IaaS, PaaS, SaaS
Vulnerability scanning: R11.2 | IaaS (joint – per system), PaaS (joint) | IaaS (joint), PaaS (joint), SaaS
Penetration tests: R11.3 | IaaS (joint), PaaS (joint), SaaS (joint) – degree varies | IaaS (joint), PaaS (joint), SaaS (joint) – degree varies
Security policy: R12 | IaaS, PaaS, SaaS (all joint) | IaaS, PaaS, SaaS (all joint)
Wireless security: R11.1 | None | IaaS, PaaS, SaaS
Ooops!
Merchant uses IaaS, manages the systems, encrypts the data
– (so far, case “No Cloud PCI”)
…but SHARES THE KEY WITH CSP!
What now?
Notable PCI DSS Requirements to Watch
Requirement 3.4 covers the encryption of stored data.
Requirement 12.8 covers service providers and the matrix
Requirement A covers shared hosting providers
Contract SLA Tips
Case SaaS/“PCI in the cloud”
Clear acceptance of responsibility for “their” controls
Verification of provider controls
Incident response support for data breaches
PCI Council Says…
“The cloud provider should clearly identify which PCI DSS requirements, system components, and services are covered by the cloud provider’s PCI DSS compliance program. Any aspects of the service not covered by the cloud provider should be identified, and it should be clearly documented in the service agreement that these aspects, system components, and PCI DSS requirements are the responsibility of the hosted entity to manage and assess. The cloud provider should provide sufficient evidence and assurance that all processes and components under their control are PCI DSS compliant.”
Common Pitfalls and Key Risks
For IaaS/No PCI in cloud/encryption case, assurance of provider not being able to decrypt the data
For SaaS/PCI in cloud, failure to test the provider on an ongoing basis
SLA failures: no escalation, evidence sharing, incident response cooperation
“Finger pointing”
Scenario 3//
IaaS PCI
Merchant – ecommerce or stores
Use public cloud IaaS provider
Processes cards and possibly stores them as well in the cloud
Description
Global airline with physical and online purchases
Uses CSP for a broad spectrum of payment tasks
Cloud provider MUST be PCI-OK
PAN data stored in the cloud
PAN data passed through cloud
PAN data processed in the cloud – at the same provider!
Scenario 3//
Visual
Audience Poll
Q: Can they be PCI DSS compliant?
A: Yes
B: No
C: Cannot tell
Who is doing what for the merchant to be PCI-OK?
Bonus question: What about their SPs’ SP’s SP?
How to Assess?
Key: The Matrix … Must Have No Holes
ALL PCI DSS controls are in place for all layers of the cloud environment – and somebody must … pay for it
Secret to PCI In the Cloud
Huh? The Matrix?
Two basic FACTS:
1. Merchant CANNOT do PCI DSS without the CSP!
2. CSP CANNOT make merchant compliant!
The only way is a clear delineation of duties aka … The Control Matrix
PCI Council Says…
“For example, an entity subscribing to an IaaS service may retain complete control of, and therefore be responsible for, the ongoing security and maintenance of all operating systems, applications, virtual configurations (including the hypervisor and virtual security appliances), and data. In this scenario, the cloud provider would only be responsible for maintaining the underlying physical network and computing hardware.”
How to Scope?
On-prem: as usual
Cloud IaaS environment:
– IaaS systems are in scope: systems, applications, network, devices, hypervisor
– Two-tiered scoping (PCI 2.0 artifact)
• Systems WITH data vs systems that touch/manage systems with data
Think “outsourced datacenter+”
How to Get Compliant?
One Approach!!
1. Pretend all IaaS infrastructure is YOUR ON-PREMISE network
2. Plan PCI DSS controls for it
3. Realize which controls you CANNOT do since it is really NOT an on-prem network and you don’t control some domains (e.g. physical)
– Then have a talk with the provider on whether THEY a) CAN and b) WILL cover that
4. Realize which controls DON’T APPLY verbatim to the cloud environment
– Then figure out how to compensate!!
For Example
Project: replace branch servers with IaaS-deployed servers
PCI controls: all on the branch server replacement, most on management servers, etc
– Physical? => CSP
– Firewall management => CSP
– Monitoring? => CSP MSSP service ($)
– Web application scanning => Ooops!
How to Stay Compliant?
Keep testing the CSP PCI-OK status and check the matrix for missing controls
PAN Flow
Compliance Evidence
What to show to QSA?
Evidence of ALL controls – yours and the CSP’s
Evidence of ongoing compliance: logging, testing, etc
MUST DO: obtain detailed PCI evidence from the CSP for controls that apply to your environment!
Responsibility SPLIT// IaaS PCI
MERCHANT: Application security; Scoping; Monitoring (unless extra $ to CSP)
PROVIDER: Physical; Network; Encryption; Key management; System security; Parts of application security
Example Scenario 3// Control Matrix

PCI DSS Requirement                | Merchant: IaaS                        | Cloud provider: IaaS
Secure application development: R6 | Yes                                   | No
Update OS: RXX                     | Yes – for guest OS                    | Yes – for host OS
Log management: R10                | Yes – for guest OS, applications, etc | Yes – for host OS, management systems, etc
Render PANs unreadable: R3.4       | Yes                                   | No (!)
Physical access control: R9        | None                                  | Yes
Vulnerability scanning: R11.2      | Yes – for guest OS                    | Yes – for host OS, management systems, etc
Penetration tests: R11.3           | Yes – for guest OS, applications      | Yes – for physical, host OS, etc
Security policy: R12               | Yes – for PARTS                       | Yes – for ALL OTHER PARTS
Wireless security: R11.1           | None                                  | Yes
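The hole check that the “How to Get Compliant” steps and this sample matrix describe, as an added example that is not part of the CSA courseware: it encodes the sample matrix as per-layer claims (the layer assignments and the layers each control must reach are my assumptions for illustration, not the slide’s) and reports requirements that nobody covers for some layer, plus layers both parties claim, which is where the “who pays for it” conversation starts.

```python
# Added example, not from the CSA courseware: check a shared-responsibility
# ("control") matrix for holes, i.e. PCI DSS requirements that neither the
# merchant nor the IaaS provider covers for some layer of the stack.
# Requirement labels follow the Scenario 3 sample slide; the per-layer claims
# and the "must reach" column are constructed assumptions for illustration.

ALL = frozenset({"phys", "host", "guest", "app"})  # layers of the IaaS stack

# requirement -> (layers merchant covers, layers provider covers,
#                 layers the control must reach for there to be "no hole")
MATRIX = {
    "R6 secure app development":    ({"app"}, set(), {"app"}),
    "RXX update OS":                ({"guest"}, {"host"}, {"guest", "host"}),
    # provider also collects guest logs via its paid MSSP service (assumed)
    "R10 log management":           ({"guest", "app"}, {"phys", "host", "guest"}, ALL),
    "R3.4 render PANs unreadable":  ({"guest", "app"}, set(), {"guest", "app"}),  # CSP: "No (!)"
    "R9 physical access control":   (set(), {"phys"}, {"phys"}),
    "R11.2 vulnerability scanning": ({"guest"}, {"host"}, {"host", "guest", "app"}),
    "R11.3 penetration tests":      ({"guest", "app"}, {"phys", "host"}, ALL),
    "R12 security policy":          ({"guest", "app"}, {"phys", "host"}, ALL),
    "R11.1 wireless security":      (set(), {"phys"}, {"phys"}),
}


def find_holes(matrix):
    """Return {requirement: layers nobody covers}; an empty dict means no holes."""
    holes = {}
    for req, (merchant, provider, needed) in matrix.items():
        missing = needed - (merchant | provider)
        if missing:
            holes[req] = sorted(missing)
    return holes


def find_overlaps(matrix):
    """Return {requirement: layers both claim}; settle who does (and pays for) it."""
    return {req: sorted(m & p) for req, (m, p, _) in matrix.items() if m & p}


def matrix_has_no_holes(matrix):
    """The slide's test: every control is in place for every layer it must reach."""
    return not find_holes(matrix)


if __name__ == "__main__":
    for req, layers in find_holes(MATRIX).items():
        print(f"HOLE    {req}: nobody covers {layers}")
    for req, layers in find_overlaps(MATRIX).items():
        print(f"OVERLAP {req}: both claim {layers}")
    print("no holes" if matrix_has_no_holes(MATRIX) else "matrix has holes")
```

On the sample data the one hole is application-level vulnerability scanning, the “Web application scanning => Ooops!” item from the branch server example.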
Sidenote// Owner vs Manager
Setting: IaaS provider (EC2 or other)
PCI Requirement: Req 1 firewall management
• CSP OWNS the firewall appliance
• Merchant, CSP, CSP MSSP or 3rd party MANAGES the firewall settings
Who is left holding the PCI bag?
PCI Council Says…
… you go figure it out!
Full SAMPLE Matrix Review
This matrix is JUST A SAMPLE
Used here AS AN EXAMPLE
This is NOT YOUR REAL THING
EXAMPLE means “here is what CAN be”
EXAMPLE SAMPLE ILLUSTRATION!

Did I mention it is just an example?
How to use the shared PCI control matrix?
The class addendum, the EXAMPLE PCI DSS shared control matrix, can be used as follows:
To review one possible control sharing methodology between CSP and merchant
To validate one’s own control sharing
For security discussion with CSPs
As a foundation for one’s control sharing – with caution!
Notable PCI DSS Requirements to Watch
Requirement 3.4 covers the encryption of stored data.
Requirement 12.8 covers service providers and the matrix
Appendix A covers shared hosting providers
Contract SLA Tips
Case SaaS/“PCI in the cloud”
Clear acceptance of responsibility for “their” controls
Verification of provider controls
Incident response support for data breaches
Common Pitfalls and Key Risks
Failure to test the provider on an ongoing basis
Trusting the provider without evidence
SLA failures: no escalation, no evidence sharing, no incident response cooperation
Tip: make the SLA as detailed as possible – involve both information security AND legal
Scenario 4// Twice-Cloudy PCI
Merchant – ecommerce or stores
Uses a public cloud IaaS provider
Processes cards and possibly stores them as well in the cloud
Uses a dedicated CSP for payment processing (P), NOT the hosting CSP (H)
Description
An ecommerce company with highly seasonal sales
Uses CSP H for hosting, but with payment processing handled by CSP P
Cloud provider P MUST be PCI-OK
Cloud provider H SHOULD be PCI-OK (?)
PAN data processed and stored in the cloud – by CSP P
Scenario 4// Visual
Audience Poll
Q: Can they be PCI DSS compliant?
A: Yes
B: No
C: Cannot tell
Should CSP H be PCI compliant?
Can merchant be PCI compliant if CSP H is NOT?
This is VERY COMMON…
… but there is A LOT OF DEVIL in the details
Example// Cloud Sites by Rackspace
Example// Microsoft Azure
Official Azure FAQ (2011)
Q: “Can you host PCI (e.g. credit card) data [on Azure]?
A: Microsoft makes no claim regarding these standards for 3rd party hosting. There are ways to develop cloud based applications to use 3rd party PCI data processors that may keep the cloud application itself out of scope.”
Bonus question: where does here point?
How to Assess?
Key: Contain Toxic (=PCI) Data In “Special Clouds”, Don’t Taint Your IaaS!
The logic here is to offload all (if possible) operations with PANs to a payment provider
How to Scope?
On-prem: as usual
Don’t SCOPE – KILL the scope to nothing in the cloud
Minimize “rogue PANs”
Huh? Toxic What?
Three basic FACTS:
1. If neither Merchant nor CSP can see payment data, there is only a tiny PCI scope for them (*)
2. If CSP cannot see the data, but Merchant can, then this is a traditional on-prem PCI environment
3. The more the payment provider takes on, the better: PCI stays in their cloud
Example// PayPal API
“With Website Payments Standard, Email Payments, and Payflow Link*, PayPal handles the payment card information for you. So you don’t have to worry about your buyers’ payment card security or about compliance with PCI DSS for your business.”
Will they really sign such an agreement?
Example// Amazon FPS
Perfect “cloud shield”: “As a part of Amazon Payments' services you [=merchant!] may not have access to certain information associated with Cards being processed, including without limitation account number, expiration date, and the card verification value (CVV2/CVC2) (collectively, “Cardholder Data”).”
Example// Rackspace “Compliant” Cloud
How to Get and Stay Compliant?
1. Avoid PANs
2. Engineer the payment chain to avoid having PANs in CSP H and your own environment
3. Verify CSP P compliant status (duh!)
How to Stay Compliant?
Keep testing the CSP PCI-OK status and check the matrix for missing controls
Compliance Evidence
What to show to QSA?
Evidence of zero scope
– Data flow, system architecture, etc
Evidence of CSP P PCI compliance
Responsibility SPLIT// IaaS PCI
MERCHANT: Application security (maybe); Provider management; Others as deployed
CSP H: Nothing
CSP P: All PCI Controls
PCI Council Says…
… you go figure it out!
Notable PCI DSS Requirements to Watch
Possibly none – if no merchant ID and no relationship with acquirer
Requirement 12.8 covers service providers
Common Pitfalls, Risks and SLA Tips
PAN leakage, temporary files and other artifacts of bad coding against payment provider APIs
Web application attacks that redirect the PAN flow to the attacker
Crash dumps with PANs
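A detector for the “rogue PANs” that the Scenario 4 scoping slide says to minimize and that the pitfalls above describe leaking into logs, temp files and crash dumps, as an added example that is not code from the CSA courseware: it pulls digit runs out of text, keeps only 13 to 19 digit windows that pass the Luhn check, and reports them masked so the report is not itself a new leak. The log lines and card numbers are constructed test data.

```python
# Added example, not from the CSA courseware: a detector for "rogue PANs" that
# leak into logs, temp files or crash dumps (the Scenario 4 pitfalls). It takes
# maximal digit runs (single spaces/dashes allowed), keeps only 13-19 digit
# windows that pass the Luhn check, and reports them masked. All sample lines
# and card numbers below are constructed test data.
import re

DIGIT_RUN = re.compile(r"\d(?:[ -]?\d)+")   # digits with optional single separators


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, as used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask(pan: str) -> str:
    """Keep first six and last four digits (the PCI DSS 3.3 display rule)."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def pans_in_run(digits: str):
    """Luhn-valid 13-19 digit windows in a digit run, longest first, no overlaps.
    Longest-first avoids reporting the 13-digit tails of a real 16-digit PAN."""
    found, taken = [], set()
    for length in range(19, 12, -1):
        for start in range(len(digits) - length + 1):
            span = range(start, start + length)
            window = digits[start:start + length]
            if taken.isdisjoint(span) and luhn_ok(window):
                found.append(window)
                taken.update(span)
    return found


def find_rogue_pans(text: str):
    """Return [(line_no, masked_pan)] for every Luhn-valid PAN-like token in text."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for run in DIGIT_RUN.finditer(line):
            digits = re.sub(r"[ -]", "", run.group())
            if len(digits) >= 13:
                findings.extend((line_no, mask(p)) for p in pans_in_run(digits))
    return findings


# Constructed sample: an order id and a tracking id that are numeric but fail
# Luhn, a debug log line with a card number, and a crash dump fragment.
SAMPLE_LOG = """\
2011-05-01 12:00:01 INFO  order 20110501000123 created
2011-05-01 12:00:02 DEBUG payment request card=4111 1111 1111 1111 exp=12/13
2011-05-01 12:00:03 ERROR crash dump: buf=5555555555554444 exp=12/13
2011-05-01 12:00:04 INFO  tracking id 123456789012345
"""

if __name__ == "__main__":
    for line_no, pan in find_rogue_pans(SAMPLE_LOG):
        print(f"line {line_no}: possible PAN {pan}")
```

Run it over application logs, temp directories and crash dumps in CSP H and in your own environment; any hit is PAN data outside the payment provider and therefore scope you thought you had killed.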
Scenario 5// PaaS PCI
Merchant – ecommerce or stores
Uses a public cloud PaaS provider
Processes cards and possibly stores them as well in the cloud
PaaS… Come Again?
PaaS is EXACTLY between IaaS and SaaS
IaaS: OS, VM, networks, etc
SaaS: application
What’s in between? An environment for application development … PaaS
Description
A major ecommerce website
Uses CSP for a broad spectrum of tasks, including payments
Cloud provider MAY BE PCI-OK
PAN data stored/passed in the cloud
PAN data processed in the cloud
Merchant does NOT control the OS/VMs at the CSP
Scenario 5// Visual
Audience Poll
Q: Can they be PCI DSS compliant?
A: Yes
B: No
C: Cannot tell
Must the provider be PCI-OK? Can the merchant be PCI-OK if the CSP is not? What must the merchant do because the provider cannot do it?
How to Assess?
Key: Need to Understand Your CSP… Really Well
Decision Time
If PaaS CSP is NOT PCI-OK (Force.com, Azure) THEN the only way to PCI is complete “3rd party payment takeover” -> Scenario 4
If PaaS CSP IS PCI-OK THEN build the control matrix -> Scenario 3
How to Scope?
On-prem: as usual
Cloud PaaS environment:
– PaaS systems are in scope: systems, applications, network, devices, hypervisor
– Two-tiered scoping (PCI 2.0 artifact)
• Systems WITH data vs systems that touch/manage systems with data
Think “outsourced IT-”
How to Get Compliant?
One Approach!!
1. Review which controls the PaaS CSP will handle for you
2. Check which PCI DSS controls they cannot ever handle
– Example: your security policy, awareness training for your employees (BTW, they should – for theirs)
3. Create the matrix and verify with the CSP
– Request additional information from them as needed
4. Deploy additional controls where needed and where prudent
For Example
Project: replace a marketing analytics application that uses PANs with a PaaS-deployed application
PCI controls: all on the application, most on management servers, etc
– Web application scanning => Merchant
– All others => CSP
Decision: move the payment data off the CSP and “off PCI” you go
How to Stay Compliant?
Keep testing the CSP PCI-OK status and check the matrix for missing controls
Compliance Evidence
What to show to QSA?
Evidence of ALL controls – yours and the CSP’s
MUST DO: obtain detailed PCI evidence from the CSP for controls that apply to your environment!
Responsibility SPLIT// PaaS PCI
MERCHANT: Application security; Scoping; Monitoring (unless extra $ to CSP)
PROVIDER: Application platform security; Physical; Network; Encryption; Key management; System security
Example Scenario 5// Control Matrix

PCI DSS Requirement                | Merchant: PaaS user     | Cloud provider: PaaS
Secure application development: R6 | Yes                     | Yes (for platform)
Update OS: RXX                     | No                      | Yes
Log management: R10                | Yes – application logs  | Yes – everything else (or data provided to merchant!)
Render PANs unreadable: R3.4       | Yes                     | Yes – where touches their environment
Physical access control: R9        | No                      | Yes
Vulnerability scanning: R11.2      | No                      | Yes
Penetration tests: R11.3           | Yes – application level | Yes – for physical, network, application, etc
Security policy: R12               | Yes – applicable        | Yes – for the rest
Wireless security: R11.1           | No                      | Yes
Notable PCI DSS Requirements to Watch
Requirement 1 Firewall architecture (“cloud networks are flat”)
Requirement 4.1 “Use strong cryptography and security protocols”
– Intra-CSP traffic may be seen as public
Requirement 6.1 patch management is joint and needs to be done by both
Requirement 12.8 covers service providers and the matrix
Contract SLA Tips
Clear acceptance of responsibility for “their” controls
Verification of provider controls
Incident response support for data breaches
Common Pitfalls and Key Risks
Failure to test the provider on an ongoing basis
SLA failures: no escalation, no evidence sharing, no incident response cooperation
Scenario 6// Tiered PCI
Merchant – ecommerce or stores
Uses a public cloud PaaS or SaaS provider …
… who uses a public IaaS provider
Processes cards and possibly stores them … somewhere
Description
A major ecommerce website
Uses CSP for a broad spectrum of tasks, including payments
Their provider uses another cloud provider
Some cloud providers MAY BE PCI-OK
PAN data stored/passed in the cloud
PAN data processed in the cloud
Scenario 6// Visual
Audience Poll
Q: Can they be PCI DSS compliant?
A: Yes
B: No
C: Cannot tell
Must the provider be PCI-OK? Must their provider’s provider be PCI-OK? Can the merchant be PCI-OK if some CSPs are not?
Tiered Merchant Example
Merchant uses CSP (SaaS) that uses Amazon EC2 (IaaS)
A public Amazon case study: http://aws.amazon.com/solutions/case-studies/36boutiques/
How to Assess?
Key: The Matrix … Must Have No Holes, Again
… but there are more dimensions now
Your CSP’s CSP is NOT your CSP!
… and some controls are NOT implemented by your CSP at all; they simply “trust their CSP assertions”
How to Scope?
Worst case: FORGET IT! We can never figure it out…
… reality is somewhere in between …
Best case: payment chain is isolated from ALL the CSPs (zero scope for you, all scope is with the payment provider)
Ahhhhhh……
We went through six PCI-in-the-cloud scenarios!
Exercise// How to Comply/Assess?
Business: ecommerce
Setup: uses CSP for web hosting and all application hosting, accepts payment cards, sells to consumers
Challenge: we are a QSA they hired to “get them compliant”
Next steps?
What do the scenarios teach us about PCI and cloud?
1. “Kill the scope” works in the cloud as well
2. It is better to have the payment processor handle more and merchant/CSP handle less of the PCI burden
3. CSP may do it, but MERCHANT is responsible and needs to validate it
4. Finally, we CAN have PCI in the cloud!
Final Recommendations
Follow the scenarios as templates for your projects
Learn to scope in the cloud
Make a matrix of shared responsibility (and “keep it with you at all times”)
Remember: MERCHANT is on the hook, even if CSP does it (as per PCI DSS)
Requirement 12.8 is NOT “a punt”
Additional Tips from Past Class Discussions
Use PCI + cloud security thinking for other sensitive data: SSN, PHI, financials, etc
Involve legal in SLA and other discussions about regulated data in the cloud (!)
Scan for YOUR sensitive data being put in the cloud by business partners – in THEIR clouds
“Trust but verify” principle MUST be applied to your CSP
Any Lessons from the Audience?
Anything “juicy” I missed, to conclude?
A one-liner version?
If you can get rid of the PANs in the cloud, DO IT!
Questions?
Thanks for Your Review!
Courseware author Dr. Anton Chuvakin would like to thank the following people for their thoughtful review of class materials:
Walt Conway @ 403 Labs
Martin McKeay @ Verizon
Mike Dahn @ PWC
Doug Barbin @ BrightLine
Jason Chan @ Netflix
Additional Materials
In the notes, there are links to various useful reading, in addition to CSA and other sites mentioned in the class.
Go to www.cloudsecurityalliance.org for the latest information on our educational resources