CISO

Enterprise Information Security

Cloud solutions & PCI DSS Compliance

by Leave a Comment

Businesses are increasing its dependence on cloud computing solutions. PCI DSS compliance is often a concern for many organizations when considering cloud or virtualized solutions. As mentioned in one of my earlier post, .If you do not store cardholder data in public cloud, then it is possible to reach compliance with PCI DSS.. It is possible for an organization to build a private cloud or virtualized which is PCI Compliant.

Before we get into the compliance aspects of public cloud, let us see which entities are in the scope: .PCI DSS compliance includes merchants and service providers who accept, capture, store, transmit or process credit and debit card data.. PCI DSS guidance also defines what is .credit and debit card data. exactly. PAN, CVV, etc represent examples of cardholder data while (for example) the name only does not.

A key step in PCI DSS implementation is Scoping and Scope Reduction where the card holder environment is segmented to reduce the control implementation scope. In reality, .Without adequate network segmentation the entire network is in scope of the PCI DSS assessment, as per PCI DSS 2.0.. So what would be the case with cloud computing?. By the above definition, Cloud Computing could be considered as a Flat Network or un-segmented network.

These 5 Essential Cloud Characteristics are a good test of whether a particular service provider is indeed a cloud provider.

  • On-demand self-service
  • Broad network access
  • Resource pooling (Location independence)
  • Rapid elasticity
  • Measured service

Essentially, cloud-based is not the same as simply web-based. Let us look at use case, if a stand alone web server is hacked does it impact you if it does not belong to you? In the case of a cloud based solution, if one webserver in the cloud which shares the resources is compromised, it is highly likely that the associated services are vulnerable and thus the risk status is high.

Now let us review some of the controls which are more relevant in terms cloud computing:

.As referenced in Requirement 12.8, all service providers with access to cardholder data (including shared hosting providers) must adhere to the PCI DSS. In addition, Requirement 2.4 states that shared hosting providers must protect each entity.s hosted environment and data. Therefore, shared hosting providers must additionally comply with the requirements in this Appendix. .

Requirement A.1: .Shared hosting providers must protect the cardholder data environment

.If the merchant shares cardholder data with a service provider, the merchant must ensure that there is an agreement with that service provider that includes their acknowledgement that the third party processor/service provider is responsible for the security of the cardholder data it possesses. In lieu of a direct agreement, the merchant must obtain evidence of the provider’s compliance with PCI DSS via other means, such as via a letter of attestation.. Source: CSA Alliance

Some challenges as outlined in the PCI SSC virtualization guidance:

.In addition to the challenges of defining scope and assigning responsibilities across a shared infrastructure, the inherent characteristics of many cloud environments present additional barriers to achieving PCI DSS compliance. Some of these characteristics include:

  • The distributed architectures of cloud environments add layers of technology and complexity to the environment.
  • Public cloud environments are designed to be public-facing, to allow access into the environment from anywhere on the Internet.
  • The infrastructure is by nature dynamic, and boundaries between tenant environments can be fluid.
  • The hosted entity has limited or no visibility into the underlying infrastructure and related security controls.
  • The hosted entity has limited or no oversight or control over cardholder data storage.
  • The hosted entity has no knowledge of ?who they are sharing resources with, or the potential risks their hosted neighbours may be introducing to the host system, data stores, or other  resources shared across a multi-tenant environment.

.In a public cloud environment, additional controls must be implemented to compensate for the inherent risks and lack of visibility into the public cloud architecture. A public cloud environment could, for example, host hostile out-of-scope workloads on the same virtualization infrastructure as a cardholder data environment. More stringent preventive, detective, and corrective controls are required to offset the additional risk that a public cloud, or similar environment, could introduce to an entity.s CDE.

These challenges may make it impossible for some cloud-based services to operate in a PCI DSS compliant manner. Consequently, the burden for providing proof of PCI DSS compliance for a cloud-based service falls heavily on the cloud provider, and such proof should be accepted only based on rigorous evidence of adequate controls.

As with all hosted services in scope for PCI DSS, the hosted entity should request sufficient assurance from their cloud provider that the scope of the provider.s PCI DSS review is sufficient, and that all controls relevant to the hosted entity.s environment have been assessed and determined to be PCI DSS compliant. The cloud provider should be prepared to provide their hosted customers with evidence that clearly indicates what was included in the scope of their PCI DSS assessment as well as what was not in scope; details of controls that were not covered and are therefore the customer.s responsibility to cover in their own PCI DSS assessment; details of which PCI DSS requirements were reviewed and considered to be ?in place? and ?not in place; and confirmation of when the assessment was conducted.

Any aspects of the cloud-based service not covered by the cloud provider.s PCI DSS review should be identified and documented in a written agreement. The hosted entity should be fully aware of any and all aspects of the cloud service, including specific system components and security controls, which are not covered by the provider and are therefore the entity.s responsibility to manage and assess

References

  • CSA Alliance presentations
  • PCI SSC virtualization guidance

How long can CISO’s avoid Cloud Computing?

by 2 Comments

Cloud computing is gaining momentum in the business world. More and more business wants to increase their IT usage on the cloud utilizing the cloud computing benefits such as faster provisioning, scalability and lower of capital expenditure

Many of the Security professionals are not very comfortable with Cloud Computing as an option for the technology needs of the organization. Often they act as the .Dr.No. towards cloud computing options available or presented.

No the big question is that .How long can CISO’s avoid Cloud Computing?.

Let us look at the history

  • Banks introduced ATM machines and we were doubtful about the ATMs and often counted the money. Now it is a normal thing to take money and many a times no one counts how much the machine delivered
  • The next thing was the Internet. Critical systems were never connected to internet in the earlier days. Now most of the systems are connected to the internet directly or indirectly.
  • Internet Banking was the next thing. A UAE based bank opened the internet banking channel only two years bank. Though there are people still using the conventional channels for banking, Online Banking is a key channel today where the customers do financial transactions over the internet. In the earlier days, it was not the case.

In all these cases, there used to be resistance to adapt the change. Cloud computing is no different. It is only a matter of time to get this adapted by companies and CISO.s.

Many of the CEO.s are not very sure about the cloud computing and if they are already using cloud computing in their business. Think about services like GMail powered emails, SalesForce CRM and many of those sort, it is all cloud services

Now the question is .How to get the Cloud Computing adapted in your business when required?.

There are some key questions a CISO should ask the cloud computing vendor to assess whether they can protect your data as you are protecting them internally in your organization.

Network & Systems delivering the cloud service

  • How does the authentication to access the network devices and operating system implemented? Does it use any two factor authentication?
  • About the availability of the network and security infrastructure? does it implement load balancing or high availability solutions for the critical infrastructure components like firewalls, IPS, reverse proxies etc.
  • Is the underlying cloud systems are secured? Do they have a baseline configuration implemented? How does the configuration managed? Does the cloud computing provider got a plan and/or policy to perform configuration management, patch management, anti-malware etc.
  • Does the network undergoes periodic penetration testing? Does it undergo internal vulnerability assessment periodically? How is it ensuring that a compromised client with privileged access to the operating system is separated internally?
  • Does it undergo periodic audits against standards like ISO27001, SAS70 etc?
  • How is the customer data separated from one another? What are the security controls implemented to ensure this separation?
  • What are the protection and response controls against the Denial of Service attacks?

Cloud Applications & Data Protection

  • What are the security controls in the application development process? Does it include security code reviews of the code being developed or used?
  • Is there a documented change and configuration management process? How does the application servers patched and what frequency?
  • What are the mechanisms for managing the access control? How is the database protected from unauthorized access? How are they identifying the access reset requests are from the actual user. How do they create and delete/disable user accounts? what are the procedures for these activities.
  • IS the data encrypted? If encrypted, how is the encryption keys are protected? What is key management process being followed?
  • How is the data loss prevention ensured? Details of the DLP controls implemented?
  • Is there a backup mechanism established? How is the data protected in the backups?
  • Does the cloud service provider meets the regulatory requirements? For example, if the service is a ecommerce service then the cloud service could become part of the card holder environment and thus the PCI DSS regulation as there are potential card data being processed. Similarly, if the health information is processed, it can be HIPAA and similar other regulations. Is the cloud computing service provider meets the compliance requirements?
  • Where is your data being hosted? Is it within your country or its jurisdiction? Is your organization comfortable with the legal system in the country where your data resides? How about cloud computing service provider who has a network of data centres across the globe and your data is scattered across these data centres? Can it limit the countries where the data is stored?
  • What are the conditions / scenarios where the data is revealed without the consent / approval of the organization?
  • Does the application provide enough audit trials to review the incidents? Does it corporate with local legal system? Often the local law authorities require access to the processing computers, how is it support those requests?

Security Management

  • What are the information security management policies and procedures implemented and documented? Are all employees required to undergo the security awareness training and acknowledge their acceptance to the policies and procedures at least annually?
  • Is the cloud computing service provider has a dedicated information security professional? What are the network security capabilities established by the service provider? Are these personal technical qualified and certified?
  • How is the insider threats within the cloud service provider being addressed? What is the background verification process being followed by the cloud service provider?
  • Is there a privileged activity monitoring of systems and databases? How is the security incidents and violations are handled? Does it have a documented policy?
  • How is the log integrity ensured? What are the mechanisms implemented to ensure that the logs cannot be altered and / or stopped. How long the logs are kept online and on the backup?
  • What are the business continuity and disaster recovery capabilities of the cloud service provider? Many organization look at cloud as a BCM solution. Does the underlying cloud service provider is capable of delivering a BCM aware cloud service?

Not all questions above are not necessarily in the scope of all cloud computing vendor selection process. Depending on the criticality of the data being hosted at the cloud computing infrastructure you would need to choose the questions.

These questions are complied to assess a cloud computing offering from a financial service provider and may not be suitable to all organizations. If you think I should add more into the list, do let me know. I might release an excel sheet covering all these questions as a decision tree tool.

You may also want to read:

PCI Compliance hosting

by Leave a Comment

In my earlier post about PCI Compliant Hosting, we have discussed about the PCI Compliance areas to be looked into when considering a hosting service provider. In this post, I would like to cover the scope and some of the key aspects of hosting to ensure you have the compliance towards PCI DSS

Some of the key services which requires PCI Compliant hosting include:

  • E-Commerce service providers
  • Online Banking

    • The key requirements which should be available with with the hosting in order it to be PCI Compliant includes:

  • Firewall to separate the webserver from other webservers. Limit the open services and allow only secure communications. Also to separate any database servers from having access directly from the internet
  • Configure the webservers to have only the secure services allowed.
      • Enable HTTPS and use an SSL Certificate for web communications to your server
  • Enable SSH for terminal communication, instead of Telnet
  • Enable SFTP instead of FTP for file transfers
  • Configure your servers with unique usernames for all users who would be accessing your servers
  • Modify the vendor default settings to more secure configurations. The raw MYSQL server comes with no password for the root user, for example, which needs to be changed.
  • Implement encryption on critical database tables and store the encryption keys away from these servers
  • Configure your servers meet some baseline security configurations, examples can be found at CIS Security.
  • Use secure web applications if choose to use off the shelf product. Payment services or shopping carts such as PayPal, Google Checkout etc. can be of help and would make your liability very limited towards PCI Compliance
  • If you build web applications for the purpose, it should be code reviewed for security. Web Application Firewall should be set up to ensure web application security, you may use open source web application firewalls
  • Have a mechanism established for updating the security patches, it required for PCI Compliance

In the next post related to PCI Compliance, I would try posting a checklist for verifying if the hosting service is PCI compliant hosting.

Who should be PCI Compliant

by Leave a Comment

It is often asked if this organization should be PCI Compliant. Many conferences include a discussion around the topic of Who should be PCI compliant.

PCI DSS is applicable to all organizations who store, process or transmit account data. Extract from the PCI Standard tells us that the account data consist of cardholder data plus Sensitive Authentication Data

Cardholder data includes:

  • Primary Account Number (PAN)
  • Cardholder Name
  • Expiration Date
  • Service Code

Sensitive Authentication Data includes:

  • Full magnetic stripe data or equivalent on a chip
  • CAV2/CVC2/CVV2/CID
  • PINs/PIN blocks

If the PAN is stored, processed or transmitted then the PCI DSS requirements are applicable to the organization. However, if the PAN is not stored, processed or transmitted PCI DSS requirements do not apply.

This provides clarity on whether or not your organization falls under the PCI DSS requirement and weather you should be PCI Compliant

PCI Compliant Hosting

by 1 Comment

PCI compliant hosting is one of the key aspect you need to look for when you plan to host some of the credit card data of your customers at hosting providers site. Some of the key aspects you should look for from a PCI DSS Compliance perspective are (to qualify a service provider as PCI compliant hosting provider):

  • The hosting provider should support / allow the periodic pci scans/ vulnerability scans /asv scans
  • Shared hosting providers must protect each entity.s hosted environment and cardholder data. These providers must meet specific requirements as detailed in Appendix A: Additional PCI DSS Requirements for Shared Hosting Providers.

Specific to the payment card industry data security standard or commonly known PCI standard the following requirements should be met by the PCI Compliant Hosting provider:

  • 1.1 Establish firewall and router configuration standards and all the sub controls
  • 1.2 Build a firewall configuration that restricts connections between untrusted networks and any system components in the cardholder data environment and all the sub controls
  • 1.3 Prohibit direct public access between the Internet and any system component in the cardholder data environment and all the sub controls
  • 2.2 Develop configuration standards for all system components. Assure that these standards address all known security vulnerabilities and are consistent with industry-accepted system hardening standards and all the sub controls
  • 2.3 Encrypt all non-console administrative access. Use technologies such as SSH, VPN, or SSL/TLS for web based management and other non-console administrative access.
  • Requirement 5: (5.1 an 5.2) Use and regularly update anti-virus software or programs
  • 6.1 Ensure that all system components and software have the latest vendor-supplied security patches
    installed. Install critical security patches within one month of release.
  • 6.2 Establish a process to identify newly discovered security vulnerabilities (for example, subscribe to alert services freely available on the Internet). Update configuration standards as required by
    PCI DSS Requirement 2.2 to address new vulnerability issues.
  • 6.6 on the web application firewall requirement, if applicable
  • 8.3 You might need to consider this if it is applicable
  • 8.5 Ensure proper user authentication and password management for non-consumer users and administrators on all system components and some of the sub controls
  • Requirement 9: Restrict physical access to cardholder data and all sub controls. This is a key component as all the physical security is the responsibility of the hosting provider

As per my view, this list covers most of the requirements to be met by the service provider to be classify as PCI Compliant Hosting