PCI and the Cloud

Dave Shackleford, CTO, IANS
Andrew Hay, Chief Evangelist, CloudPassage

Hashtag - #PCIcloud
8/29/2012
Who We Are

Dave Shackleford - SVP of Research & CTO at IANS
Andrew Hay - Chief Evangelist at CloudPassage, Inc.

Interact with us on Twitter using the #PCIcloud hashtag

                          Copyright © 2012 IANS. All rights reserved.          2
Introduction

• There are lots of questions about PCI in cloud environments…but few answers to date:
  - What does a ‘PCI Compliant’ cloud even mean?
  - How will compliance be affected with various cloud configurations?
  - Will my existing technical controls work in cloud?
  - What should we look for in PCI-compliant providers?
  - Can I even be PCI compliant in the cloud?
  - How can I satisfy the security and control requirements?
  - What am I responsible for in Private/Public/Hybrid clouds?
It’s Not All Doom and Gloom

• Yes, you can be PCI compliant in the cloud!
• You will likely need some different tools and processes
• Not all providers are created equal!
• There is no “silver bullet” – but the responsibility is still yours
Survey Results: Compliance & Standards

• What standards or regulatory compliance mandates apply to your cloud project(s)?
  PCI DSS       84.2%
  HIPAA         42.1%
  SOX           36.8%
  ISO           31.6%
  CoBIT         15.8%
  CIPA           5.3%
  Cloud Audit    5.3%
  COPPA          5.3%
  FISMA          5.3%
  GLBA           5.3%
A Little About Cloud Types

[Diagram: four environments side by side (EU Public Cloud Provider, US Public Cloud Provider, Private Cloud / Hybrid Staging, Legacy Datacenter / Colo), each built from the same building blocks: DB, App Server, Auth Server and Load Balancer]
Survey Results - Environments

• Which of the following cloud hosting environments are leveraged by your project(s)?
  A private cloud hosted and/or operated by an external provider   44.4%
  A public, multi-tenant cloud provider                             38.9%
  A public, multi-tenant Platform-as-a-Service (PaaS)               33.3%
  A private cloud hosted in your own data center                    27.8%
  A private Platform-as-a-Service (PaaS)                            16.7%
Who is responsible for Security?

AWS Shared Responsibility Model

“…the customer should assume responsibility and management of, but not limited to, the guest operating system…and associated application software...”

“it is possible for customers to enhance security and/or meet more stringent compliance requirements with the addition of… host based firewalls, host based intrusion detection/prevention, encryption and key management.”

  - Amazon Web Services: Overview of Security Processes

[Diagram: the stack from top to bottom, split by who owns each layer]
  Customer responsibility: Data, App Code, App Framework, Operating System, Virtual Machine
  Provider responsibility: Hypervisor, Compute & Storage, Shared Network, Physical Facilities
General Notes on Cloud Service Providers (CSPs)

• Compliance concerns will vary depending on whether the CSP is SaaS, PaaS or IaaS (the less of the stack you control, the more of it the CSP must have validated for you)
• CSPs should be on the card brands’ “approved list” of validated service providers (for example Visa’s Global Registry of Service Providers)
• PCI compliance obligations should be written into the contract
What Else to Look For: CSPs

• Evidence of audit and attestation – a combination of “PCI Compliance” (an Attestation of Compliance that actually covers the services you consume) and perhaps an SSAE 16 report
• Cloud SLAs and contract provisions
• Who is responsible for what? This should be clear!

• You cannot outsource your compliance status!
• But you CAN take steps to secure the requirements under your control
Requirement Areas 1-3

PCI DSS Requirement / Cloud Concerns and Comments

1: Install/maintain firewall configs (Protect the perimeter, internal, and wireless networks.)
   1. Data flow is important – document where CHD enters and leaves the cloud environment
   2. Host-based firewalls may make the most sense
   3. Hardware and some network may be up to the CSP

2: Don’t use vendor-supplied defaults (Secure payment card applications.)
   1. Virtualization templates can help (once they are secured properly)
   2. CSP audit data may be needed
   3. Always check for inappropriate settings

3: Protect stored data (Protect stored cardholder data.)
   1. Options will depend on data storage type
   2. Cloud storage platforms may have their own options
Requirement Areas 4-6

PCI DSS Requirement / Cloud Concerns and Comments

4: Encrypt data in transit (Protect cardholder data in transit.)
   1. VPN connections to/from the cloud environment
   2. Leverage SSL/TLS connections (note: later PCI DSS versions no longer accept SSL or early TLS as strong cryptography, so use current TLS)

5: Use and update anti-malware (Monitor and control access to your systems.)
   1. Ensure anti-malware is built into templates for deployment

6: Develop/maintain secure systems and apps (Secure payment card applications.)
   1. Build security into apps and VM templates in the cloud
   2. Be wary of provisioning and “cloud bursting” – new instances must come up already hardened and inside your controls
Requirement Areas 7-9

PCI DSS Requirement / Cloud Concerns and Comments

7: Restrict access to Cardholder Data (CHD) by “need to know” (Monitor and control access to your systems.)
   1. Leverage any role-based controls (e.g. Amazon IAM and others)
   2. Build controls into cloud systems and manage normally (if possible)

8: Use unique IDs for accessing PCI systems (Monitor and control access to your systems.)
   1. Proper configuration management and role/group management are required (no shared accounts or shared SSH keys baked into images)

9: Restrict physical access (Monitor and control access to your systems.)
   1. This is entirely on the CSP – similar to a hosting environment; make sure the CSP’s attestation covers it
Requirement Areas 10-12

PCI DSS Requirement / Cloud Concerns and Comments

10: Track and monitor access to CHD (Monitor and control access to your systems.)
   1. Will your CSP provide any logs? If so, which ones?
   2. Send your own logs to a central log server in the cloud or elsewhere (a short-lived instance takes its local logs with it when it is terminated)

11: Test PCI systems and processes (Monitor and control access to your systems.)
   1. Test your cloud assets – this may require a different level of coordination with the CSP (many providers require notice or approval before scanning and penetration testing)
   2. Ask for CSP test reports if relevant

12: Maintain information security policies (Finalize remaining compliance efforts, and ensure all controls are in place.)
   1. Update any/all policies that may have ties to the new cloud-based assets
Survey Results: Audit

• How many times has your cloud project been audited for adherence to the compliance standards above?
  [Pie chart with three answers: Never, Once, More than three times; the slices read 66.7%, 23.8% and 9.5%]
Survey Results: Controls

• What cloud security technologies did your auditors expect you to have deployed?
  Firewalls & access control    78.6%
  SIEM/LM                       71.4%
  WAF                           71.4%
  Multi-factor authentication   64.3%
  Database encryption           57.1%
  Network encryption            57.1%
  NIDS                          57.1%
  Patch management              57.1%
  Disk encryption               42.9%
  HIDS                          35.7%
  Configuration monitoring      35.7%
  FIM                           35.7%
  Code scanning                 35.7%
Survey Results: Who Audited?

• Who performed your cloud compliance audit (big four, small firm, QSA)?
  [Pie chart with five answers: a large accounting firm (e.g. one of the “Big Four”); a large technology integrator or technical consulting firm; a smaller firm specializing in information security technology; a smaller firm specializing in general risk management, governance and compliance; internal/self audit. The slices read 66.7%, 13.3%, 6.7%, 6.7% and 6.7%]
How Do I Secure Servers in the Cloud?

Servers in hybrid and public clouds must be self-defending with highly automated controls like…
• Dynamic firewall & access control
• Server compromise & intrusion alerting
• Configuration and package security
• Server forensics and security analysis
• Server account visibility & control
• Integration & automation capabilities
Mapping Compliance to the Cloud

Firewalling Without Network Control
Traditional Datacenter (DC) Firewalling

[Diagram: a core firewall in front of the Auth Server and DB servers, and a DMZ firewall in front of the Load Balancers and App Servers (www-4 marked “!”); the network firewalls are the only enforcement points]
Moving to the Cloud

[Diagram sequence: the same tiers (Auth Server, DB, Load Balancer, App Server) are moved step by step out from behind the core and DMZ firewalls into the public cloud; in the final frame the Load Balancer, two App Servers and the DB Master sit in the public cloud with no network firewall in front of them, and an App Server and the DB Master are marked “!”]
Dynamic Cloud Firewalling

[Diagram sequence: each cloud server (Load Balancer, App Servers, DB Master, DB Slave) gets its own host-based firewall (“FW”); when a second Load Balancer and a new App Server with a new IP are added to scale out, the rule sets on the existing servers are updated to admit the new IP, and updated again when a server is removed]
Lessons to Learn

Whatever firewall options you have, use them

Make sure your firewall rules are updated quickly and automatically

Plan for the future, because you will be multi-cloud
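The following is an added example, not code from the slides or from CloudPassage, of the idea behind the Requirement 1 comment ("host-based firewalls may make the most sense") and the Dynamic Cloud Firewalling slides: every server renders its own default-deny firewall from a role-based policy plus the current inventory, so that rules follow instances as they come and go instead of being edited by hand. Roles, server names, IP addresses and the policy are all constructed for illustration; the output is iptables-save text for the INPUT chain, which you would load with iptables-restore from your bootstrap or configuration-management hook (or translate into nftables or a cloud security-group API).

```python
"""Added example (not from the slides or CloudPassage): render a host-based,
default-deny firewall for each cloud server from a role-based policy and the
current server inventory, so the rules track autoscaling automatically.

Roles, names, IPs and policy are constructed for illustration.
"""
from dataclasses import dataclass
import ipaddress


@dataclass(frozen=True)
class Server:
    name: str
    role: str
    ip: str


# Policy: destination role -> list of (port, roles allowed to connect).
# "internet" means anyone may connect (only the public load balancer).
POLICY = {
    "lb": [(443, {"internet"})],
    "app": [(8080, {"lb"})],
    "db": [(3306, {"app"})],
}
MGMT_ROLE = "bastion"  # the only role allowed to reach port 22 on anything

# Constructed inventory; in practice this is pulled from the cloud provider's
# API or your CMDB every time a server is launched or terminated.
INVENTORY = [
    Server("bastion-1", "bastion", "10.0.0.5"),
    Server("lb-1", "lb", "10.0.1.10"),
    Server("app-1", "app", "10.0.2.11"),
    Server("app-2", "app", "10.0.2.12"),
    Server("db-master", "db", "10.0.3.20"),
]


def admitted(server: Server, inventory: list[Server], port: int) -> set[str]:
    """Source addresses 'server' should accept on 'port'. "0.0.0.0/0" means the
    internet; every other source is another server matched by role, never by hand."""
    if port == 22:
        return {s.ip for s in inventory if s.role == MGMT_ROLE}
    sources: set[str] = set()
    for svc_port, roles in POLICY.get(server.role, []):
        if svc_port != port:
            continue
        if "internet" in roles:
            return {"0.0.0.0/0"}
        sources |= {s.ip for s in inventory if s.role in roles and s.name != server.name}
    return sources


def render_rules(server: Server, inventory: list[Server]) -> list[str]:
    """iptables-save lines for 'server': default DROP, then only policy matches."""
    lines = [
        "*filter",
        ":INPUT DROP [0:0]",
        "-A INPUT -i lo -j ACCEPT",
        "-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT",
    ]
    ports = [22] + [p for p, _ in POLICY.get(server.role, [])]
    for port in ports:
        for src in sorted(admitted(server, inventory, port)):
            ipaddress.ip_network(src)  # reject junk from the inventory before it reaches the kernel
            lines.append(f"-A INPUT -p tcp -s {src} --dport {port} -j ACCEPT")
    lines.append("COMMIT")
    return lines


def rule_diff(old: list[str], new: list[str]) -> tuple[list[str], list[str]]:
    """(added, removed) rules between two renderings; non-empty means reload now."""
    return ([r for r in new if r not in old], [r for r in old if r not in new])


if __name__ == "__main__":
    db = INVENTORY[-1]
    before = render_rules(db, INVENTORY)
    scaled = INVENTORY + [Server("app-3", "app", "10.0.2.13")]  # autoscaling adds a server
    after = render_rules(db, scaled)
    print("\n".join(after))
    print("added/removed on db-master:", rule_diff(before, after))
```

The point of `rule_diff` is the second lesson above: the rendering is cheap, so run it on every inventory change event (or on a short timer) and reload only when the diff is non-empty. A server that is removed disappears from its peers' rule sets the same way it appeared, which is what a static network firewall in front of a fixed address range never gives you.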
Securing Highly Dynamic Servers
Traditional DC Operations Model

[Diagram: www-1 through www-4 in a private datacenter, each marked “!”]

Capacity is mostly static
Servers are long-lived
Security risk on servers is mitigated by network defenses
Cloud Operations Model

[Diagram sequence: a Gold Master image is cloned into www instances in the public cloud as load rises, instances (www-2, marked “!”) are destroyed again when no longer needed, and an updated Gold Master is rolled out to new instances incrementally while older ones are still running]

Capacity is highly dynamic
Servers are short lived
Gold Master updates are rolled out incrementally

What does server security mean in this environment?
Ensuring Cloud Server Integrity

[Diagram: the running www instances, each flagged “!” or “?” as it is checked against the Gold Master]

Scan for misconfigurations due to deployment or debugging issues
Ensure software packages are up-to-date and watch for remote exploits that must be patched quickly
Monitor business code for unintended or malicious changes
Automate management and monitoring of these critical operational security points
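As an added example, not code from the slides or from CloudPassage, the integrity checks above for a short-lived instance cloned from a Gold Master: hash the image, hash the running instance, report what was added, removed or modified, and flag the settings a debugging session or a hasty deployment tends to leave behind. The paths, the list of risky settings and the sample file contents are constructed for illustration; the settings list is a starting point, not a PCI DSS checklist.

```python
"""Added example (not from the slides or CloudPassage): check a running cloud
server against the Gold Master it was cloned from.

  snapshot()              hash every file under a root (once on the Gold Master,
                          then on each instance)
  diff_snapshots()        added / removed / modified files, i.e. code or packages
                          that changed after deployment
  find_misconfigurations() settings that debugging or a rushed deploy leaves behind

Paths, risky settings and sample contents are constructed for illustration.
"""
import hashlib
import re
from pathlib import Path

# (file the setting lives in, regex matching the risky line, explanation)
RISKY_SETTINGS = [
    ("etc/ssh/sshd_config", r"^\s*PermitRootLogin\s+yes", "root login over SSH enabled"),
    ("etc/ssh/sshd_config", r"^\s*PasswordAuthentication\s+yes", "password SSH auth enabled"),
    ("app/config.ini", r"^\s*debug\s*=\s*true", "application debug mode left on"),
    ("app/config.ini", r"^\s*log_card_data\s*=\s*true", "full card data written to logs"),
]


def snapshot(root: Path) -> dict[str, str]:
    """Map each file's path (relative to root) to its SHA-256 hex digest."""
    result = {}
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        result[path.relative_to(root).as_posix()] = hashlib.sha256(path.read_bytes()).hexdigest()
    return result


def diff_snapshots(baseline: dict[str, str], current: dict[str, str]) -> dict[str, list[str]]:
    """Files that differ between the Gold Master baseline and a running instance."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in baseline.keys() & current.keys() if baseline[p] != current[p]),
    }


def find_misconfigurations(files: dict[str, str]) -> list[str]:
    """'path: explanation' for every risky setting found in {relative path: text}.
    Comment lines don't match because the pattern is anchored at line start."""
    findings = []
    for rel, pattern, why in RISKY_SETTINGS:
        text = files.get(rel)
        if text is not None and re.search(pattern, text, flags=re.MULTILINE | re.IGNORECASE):
            findings.append(f"{rel}: {why}")
    return findings


def read_configs(root: Path) -> dict[str, str]:
    """Load only the files the checks care about, as text."""
    return {rel: (root / rel).read_text() for rel, _, _ in RISKY_SETTINGS if (root / rel).is_file()}


if __name__ == "__main__":
    import tempfile

    with tempfile.TemporaryDirectory() as tmp:
        gold, inst = Path(tmp, "gold"), Path(tmp, "www-2")
        for root in (gold, inst):
            (root / "etc/ssh").mkdir(parents=True)
            (root / "app").mkdir()
            (root / "etc/ssh/sshd_config").write_text("PermitRootLogin no\nPasswordAuthentication no\n")
            (root / "app/config.ini").write_text("debug = false\n")
            (root / "app/checkout.py").write_text("def charge(card): ...\n")
        # What a debugging session on www-2 might leave behind (constructed).
        (inst / "app/config.ini").write_text("debug = true\n")
        (inst / "app/checkout.py").write_text("def charge(card): post(card, 'http://example.invalid')\n")
        (inst / "app/.bash_history").write_text("vi checkout.py\n")

        print(diff_snapshots(snapshot(gold), snapshot(inst)))
        print(find_misconfigurations(read_configs(inst)))
```

Because instances are short-lived, the baseline has to be taken from the Gold Master at build time and stored off the box; a baseline taken on the instance itself after it booted would already include whatever the deployment changed. Package currency (the second bullet) is the same comparison applied to the package manager's installed list rather than to file hashes.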
Lessons to Learn

Embrace the flexibility of the cloud; re-think operations

Secure your server integrity by keeping images up-to-date and monitor closely for changes

Know what areas of security you are responsible for and automate them heavily
Best Practices
• Read and understand what your provider does, and what you are responsible for, with regards to PCI
• When moving servers outside your data center, ensure that they are hardened and compliant before they are exposed to the public
• Start with public cloud; PCI everywhere else is relatively easy!
• Focus on securing the tenets of PCI that you can control
Thank You & Questions

Dave Shackleford, CTO, IANS
dshackleford@iansresearch.com

Andrew Hay, Chief Evangelist, CloudPassage
andrew@cloudpassage.com

Follow us on Twitter: twitter.com/ians_security, twitter.com/cloudpassage

www.cloudpassage.com/pci-kit
"Преимущества облачных решений от Cisco" (Обзор облачной стратегии Cisco, Пр...
 
How Enterprises are using the AWS Cloud, Dan Powers, VP, AWS
How Enterprises are using the AWS Cloud, Dan Powers, VP, AWS How Enterprises are using the AWS Cloud, Dan Powers, VP, AWS
How Enterprises are using the AWS Cloud, Dan Powers, VP, AWS
 
Cisco tec de beer, andersen, o'sullivan - video & collaboration
Cisco tec   de beer, andersen, o'sullivan - video & collaborationCisco tec   de beer, andersen, o'sullivan - video & collaboration
Cisco tec de beer, andersen, o'sullivan - video & collaboration
 
Cisco tec rob soderbery - core enterprise networking
Cisco tec   rob soderbery - core enterprise networkingCisco tec   rob soderbery - core enterprise networking
Cisco tec rob soderbery - core enterprise networking
 
OpenStack: Time is Now - Lew Tucker
OpenStack: Time is Now - Lew TuckerOpenStack: Time is Now - Lew Tucker
OpenStack: Time is Now - Lew Tucker
 
Cisco Presentation 1
Cisco Presentation 1Cisco Presentation 1
Cisco Presentation 1
 
Cloud Application Platforms – Reality & Promise
Cloud Application Platforms – Reality & PromiseCloud Application Platforms – Reality & Promise
Cloud Application Platforms – Reality & Promise
 
Cisco tec chris young - security intelligence operations
Cisco tec   chris young - security intelligence operationsCisco tec   chris young - security intelligence operations
Cisco tec chris young - security intelligence operations
 
Alta 3-2013
Alta 3-2013Alta 3-2013
Alta 3-2013
 
MAY 6, 2012: Interop Las Vegas "Why Open Clouds Are Winning"
MAY 6, 2012: Interop Las Vegas "Why Open Clouds Are Winning"MAY 6, 2012: Interop Las Vegas "Why Open Clouds Are Winning"
MAY 6, 2012: Interop Las Vegas "Why Open Clouds Are Winning"
 
Simplificando el Contact Center en una sola plataforma de Colaboración
Simplificando el Contact Center en una sola plataforma de ColaboraciónSimplificando el Contact Center en una sola plataforma de Colaboración
Simplificando el Contact Center en una sola plataforma de Colaboración
 
Risk Factory: PCI Compliance in the Cloud
Risk Factory: PCI Compliance in the CloudRisk Factory: PCI Compliance in the Cloud
Risk Factory: PCI Compliance in the Cloud
 
Infrastructure Consolidation and Virtualization
Infrastructure Consolidation and VirtualizationInfrastructure Consolidation and Virtualization
Infrastructure Consolidation and Virtualization
 

Similar to PCI and the Cloud

BayThreat Why The Cloud Changes Everything
BayThreat Why The Cloud Changes EverythingBayThreat Why The Cloud Changes Everything
BayThreat Why The Cloud Changes EverythingCloudPassage
 
Virtualization And Cloud Impact Overview Auditor Spin Enterprise Gr Cv4
Virtualization And Cloud Impact Overview Auditor Spin   Enterprise Gr Cv4Virtualization And Cloud Impact Overview Auditor Spin   Enterprise Gr Cv4
Virtualization And Cloud Impact Overview Auditor Spin Enterprise Gr Cv4EnterpriseGRC Solutions, Inc.
 
Cloud lockin and interoperability v2 indic threads cloud computing conferen...
Cloud lockin and interoperability v2   indic threads cloud computing conferen...Cloud lockin and interoperability v2   indic threads cloud computing conferen...
Cloud lockin and interoperability v2 indic threads cloud computing conferen...IndicThreads
 
Cloud lockin and interoperability v2 indic threads cloud computing conferen...
Cloud lockin and interoperability v2   indic threads cloud computing conferen...Cloud lockin and interoperability v2   indic threads cloud computing conferen...
Cloud lockin and interoperability v2 indic threads cloud computing conferen...IndicThreads
 
How to Transform Enterprise Applications to On-premise Clouds with Wipro and ...
How to Transform Enterprise Applications to On-premise Clouds with Wipro and ...How to Transform Enterprise Applications to On-premise Clouds with Wipro and ...
How to Transform Enterprise Applications to On-premise Clouds with Wipro and ...Eucalyptus Systems, Inc.
 
How to Transform Enterprise Applications to On-premise Clouds with Wipro and ...
How to Transform Enterprise Applications to On-premise Clouds with Wipro and ...How to Transform Enterprise Applications to On-premise Clouds with Wipro and ...
How to Transform Enterprise Applications to On-premise Clouds with Wipro and ...Eucalyptus Systems, Inc.
 
How to Transform Enterprise Applications to On-premise Clouds with Wipro and ...
How to Transform Enterprise Applications to On-premise Clouds with Wipro and ...How to Transform Enterprise Applications to On-premise Clouds with Wipro and ...
How to Transform Enterprise Applications to On-premise Clouds with Wipro and ...Eucalyptus Systems, Inc.
 
Taiye Lambo - Auditing the cloud
Taiye Lambo - Auditing the cloudTaiye Lambo - Auditing the cloud
Taiye Lambo - Auditing the cloudnooralmousa
 
Oracle cloud computing strategy
Oracle cloud computing strategyOracle cloud computing strategy
Oracle cloud computing strategyjameskenney
 
Cloud Lock-in vs. Cloud Interoperability - Indicthreads cloud computing conf...
Cloud Lock-in vs. Cloud Interoperability  - Indicthreads cloud computing conf...Cloud Lock-in vs. Cloud Interoperability  - Indicthreads cloud computing conf...
Cloud Lock-in vs. Cloud Interoperability - Indicthreads cloud computing conf...IndicThreads
 
Security in a Cloudy Architecture
Security in a Cloudy ArchitectureSecurity in a Cloudy Architecture
Security in a Cloudy ArchitectureBob Rhubart
 
The PaaS Landscape
The PaaS LandscapeThe PaaS Landscape
The PaaS LandscapeJim O'Neil
 
The Cloud and Next Gen IT Gordon Haff - p camp-boston2012
The Cloud and Next Gen IT   Gordon Haff - p camp-boston2012The Cloud and Next Gen IT   Gordon Haff - p camp-boston2012
The Cloud and Next Gen IT Gordon Haff - p camp-boston2012ProductCamp Boston
 
RTView - Monitoring Service for SmartCloud Applications
RTView - Monitoring Service for SmartCloud ApplicationsRTView - Monitoring Service for SmartCloud Applications
RTView - Monitoring Service for SmartCloud ApplicationsSL Corporation
 
Becloud hybrid cloud
Becloud hybrid cloudBecloud hybrid cloud
Becloud hybrid cloudBecloud
 
Be Prepared for Tomorrow's IT Forecast Great Chance of Hybrid Clouds
Be Prepared for Tomorrow's IT Forecast Great Chance of Hybrid CloudsBe Prepared for Tomorrow's IT Forecast Great Chance of Hybrid Clouds
Be Prepared for Tomorrow's IT Forecast Great Chance of Hybrid CloudsEucalyptus Systems, Inc.
 
Be Prepared for Tomorrow's IT Forecast: Great Chance of Hybrid Clouds
Be Prepared for Tomorrow's IT Forecast: Great Chance of Hybrid CloudsBe Prepared for Tomorrow's IT Forecast: Great Chance of Hybrid Clouds
Be Prepared for Tomorrow's IT Forecast: Great Chance of Hybrid CloudsEucalyptus Systems, Inc.
 
Cloud computing in south africa reality or fantasy
Cloud computing in south africa   reality or fantasyCloud computing in south africa   reality or fantasy
Cloud computing in south africa reality or fantasySamantha James
 
Apptio up cloud conference 2012 [final].pptx
Apptio up cloud conference 2012 [final].pptxApptio up cloud conference 2012 [final].pptx
Apptio up cloud conference 2012 [final].pptxKhazret Sapenov
 

Similar to PCI and the Cloud (20)

BayThreat Why The Cloud Changes Everything
BayThreat Why The Cloud Changes EverythingBayThreat Why The Cloud Changes Everything
BayThreat Why The Cloud Changes Everything
 
Virtualization And Cloud Impact Overview Auditor Spin Enterprise Gr Cv4
Virtualization And Cloud Impact Overview Auditor Spin   Enterprise Gr Cv4Virtualization And Cloud Impact Overview Auditor Spin   Enterprise Gr Cv4
Virtualization And Cloud Impact Overview Auditor Spin Enterprise Gr Cv4
 
Cloud lockin and interoperability v2 indic threads cloud computing conferen...
Cloud lockin and interoperability v2   indic threads cloud computing conferen...Cloud lockin and interoperability v2   indic threads cloud computing conferen...
Cloud lockin and interoperability v2 indic threads cloud computing conferen...
 
Cloud lockin and interoperability v2 indic threads cloud computing conferen...
Cloud lockin and interoperability v2   indic threads cloud computing conferen...Cloud lockin and interoperability v2   indic threads cloud computing conferen...
Cloud lockin and interoperability v2 indic threads cloud computing conferen...
 
How to Transform Enterprise Applications to On-premise Clouds with Wipro and ...
How to Transform Enterprise Applications to On-premise Clouds with Wipro and ...How to Transform Enterprise Applications to On-premise Clouds with Wipro and ...
How to Transform Enterprise Applications to On-premise Clouds with Wipro and ...
 
How to Transform Enterprise Applications to On-premise Clouds with Wipro and ...
How to Transform Enterprise Applications to On-premise Clouds with Wipro and ...How to Transform Enterprise Applications to On-premise Clouds with Wipro and ...
How to Transform Enterprise Applications to On-premise Clouds with Wipro and ...
 
How to Transform Enterprise Applications to On-premise Clouds with Wipro and ...
How to Transform Enterprise Applications to On-premise Clouds with Wipro and ...How to Transform Enterprise Applications to On-premise Clouds with Wipro and ...
How to Transform Enterprise Applications to On-premise Clouds with Wipro and ...
 
Taiye Lambo - Auditing the cloud
Taiye Lambo - Auditing the cloudTaiye Lambo - Auditing the cloud
Taiye Lambo - Auditing the cloud
 
Oracle cloud computing strategy
Oracle cloud computing strategyOracle cloud computing strategy
Oracle cloud computing strategy
 
Cloud Lock-in vs. Cloud Interoperability - Indicthreads cloud computing conf...
Cloud Lock-in vs. Cloud Interoperability  - Indicthreads cloud computing conf...Cloud Lock-in vs. Cloud Interoperability  - Indicthreads cloud computing conf...
Cloud Lock-in vs. Cloud Interoperability - Indicthreads cloud computing conf...
 
Security in a Cloudy Architecture
Security in a Cloudy ArchitectureSecurity in a Cloudy Architecture
Security in a Cloudy Architecture
 
null Bangalore meet - Cloud Computing and Security
null Bangalore meet - Cloud Computing and Securitynull Bangalore meet - Cloud Computing and Security
null Bangalore meet - Cloud Computing and Security
 
The PaaS Landscape
The PaaS LandscapeThe PaaS Landscape
The PaaS Landscape
 
The Cloud and Next Gen IT Gordon Haff - p camp-boston2012
The Cloud and Next Gen IT   Gordon Haff - p camp-boston2012The Cloud and Next Gen IT   Gordon Haff - p camp-boston2012
The Cloud and Next Gen IT Gordon Haff - p camp-boston2012
 
RTView - Monitoring Service for SmartCloud Applications
RTView - Monitoring Service for SmartCloud ApplicationsRTView - Monitoring Service for SmartCloud Applications
RTView - Monitoring Service for SmartCloud Applications
 
Becloud hybrid cloud
Becloud hybrid cloudBecloud hybrid cloud
Becloud hybrid cloud
 
Be Prepared for Tomorrow's IT Forecast Great Chance of Hybrid Clouds
Be Prepared for Tomorrow's IT Forecast Great Chance of Hybrid CloudsBe Prepared for Tomorrow's IT Forecast Great Chance of Hybrid Clouds
Be Prepared for Tomorrow's IT Forecast Great Chance of Hybrid Clouds
 
Be Prepared for Tomorrow's IT Forecast: Great Chance of Hybrid Clouds
Be Prepared for Tomorrow's IT Forecast: Great Chance of Hybrid CloudsBe Prepared for Tomorrow's IT Forecast: Great Chance of Hybrid Clouds
Be Prepared for Tomorrow's IT Forecast: Great Chance of Hybrid Clouds
 
Cloud computing in south africa reality or fantasy
Cloud computing in south africa   reality or fantasyCloud computing in south africa   reality or fantasy
Cloud computing in south africa reality or fantasy
 
Apptio up cloud conference 2012 [final].pptx
Apptio up cloud conference 2012 [final].pptxApptio up cloud conference 2012 [final].pptx
Apptio up cloud conference 2012 [final].pptx
 

More from CloudPassage

Best Practices for Workload Security: Securing Servers in Modern Data Center ...
Best Practices for Workload Security: Securing Servers in Modern Data Center ...Best Practices for Workload Security: Securing Servers in Modern Data Center ...
Best Practices for Workload Security: Securing Servers in Modern Data Center ...CloudPassage
 
CloudPassage Careers
CloudPassage CareersCloudPassage Careers
CloudPassage CareersCloudPassage
 
Transforming the CSO Role to Business Enabler
Transforming the CSO Role to Business EnablerTransforming the CSO Role to Business Enabler
Transforming the CSO Role to Business EnablerCloudPassage
 
Rethinking Security: The Cloud Infrastructure Effect
Rethinking Security: The Cloud Infrastructure EffectRethinking Security: The Cloud Infrastructure Effect
Rethinking Security: The Cloud Infrastructure EffectCloudPassage
 
Webinar compiled powerpoint
Webinar compiled powerpointWebinar compiled powerpoint
Webinar compiled powerpointCloudPassage
 
Security and Compliance for Enterprise Cloud Infrastructure
Security and Compliance for Enterprise Cloud InfrastructureSecurity and Compliance for Enterprise Cloud Infrastructure
Security and Compliance for Enterprise Cloud InfrastructureCloudPassage
 
SecDevOps: The New Black of IT
SecDevOps: The New Black of ITSecDevOps: The New Black of IT
SecDevOps: The New Black of ITCloudPassage
 
Technologies You Need to Safely Use the Cloud
Technologies You Need to Safely Use the CloudTechnologies You Need to Safely Use the Cloud
Technologies You Need to Safely Use the CloudCloudPassage
 
Cloud Security: Make Your CISO Successful
Cloud Security: Make Your CISO SuccessfulCloud Security: Make Your CISO Successful
Cloud Security: Make Your CISO SuccessfulCloudPassage
 
Secure Cloud Development Resources with DevOps
Secure Cloud Development Resources with DevOpsSecure Cloud Development Resources with DevOps
Secure Cloud Development Resources with DevOpsCloudPassage
 
45 Minutes to PCI Compliance in the Cloud
45 Minutes to PCI Compliance in the Cloud45 Minutes to PCI Compliance in the Cloud
45 Minutes to PCI Compliance in the CloudCloudPassage
 
Comprehensive Cloud Security Requires an Automated Approach
Comprehensive Cloud Security Requires an Automated ApproachComprehensive Cloud Security Requires an Automated Approach
Comprehensive Cloud Security Requires an Automated ApproachCloudPassage
 
Security that works with, not against, your SaaS business
Security that works with, not against, your SaaS businessSecurity that works with, not against, your SaaS business
Security that works with, not against, your SaaS businessCloudPassage
 
Integrating Security into DevOps
Integrating Security into DevOpsIntegrating Security into DevOps
Integrating Security into DevOpsCloudPassage
 
What You Need To Know About The New PCI Cloud Guidelines
What You Need To Know About The New PCI Cloud GuidelinesWhat You Need To Know About The New PCI Cloud Guidelines
What You Need To Know About The New PCI Cloud GuidelinesCloudPassage
 
What You Haven't Heard (Yet) About Cloud Security
What You Haven't Heard (Yet) About Cloud SecurityWhat You Haven't Heard (Yet) About Cloud Security
What You Haven't Heard (Yet) About Cloud SecurityCloudPassage
 
Meeting PCI DSS Requirements with AWS and CloudPassage
Meeting PCI DSS Requirements with AWS and CloudPassageMeeting PCI DSS Requirements with AWS and CloudPassage
Meeting PCI DSS Requirements with AWS and CloudPassageCloudPassage
 
Delivering Secure OpenStack IaaS for SaaS Products
Delivering Secure OpenStack IaaS for SaaS ProductsDelivering Secure OpenStack IaaS for SaaS Products
Delivering Secure OpenStack IaaS for SaaS ProductsCloudPassage
 
CloudPassage Overview
CloudPassage OverviewCloudPassage Overview
CloudPassage OverviewCloudPassage
 
Halo Installfest Slides
Halo Installfest SlidesHalo Installfest Slides
Halo Installfest SlidesCloudPassage
 

More from CloudPassage (20)

Best Practices for Workload Security: Securing Servers in Modern Data Center ...
Best Practices for Workload Security: Securing Servers in Modern Data Center ...Best Practices for Workload Security: Securing Servers in Modern Data Center ...
Best Practices for Workload Security: Securing Servers in Modern Data Center ...
 
CloudPassage Careers
CloudPassage CareersCloudPassage Careers
CloudPassage Careers
 
Transforming the CSO Role to Business Enabler
Transforming the CSO Role to Business EnablerTransforming the CSO Role to Business Enabler
Transforming the CSO Role to Business Enabler
 
Rethinking Security: The Cloud Infrastructure Effect
Rethinking Security: The Cloud Infrastructure EffectRethinking Security: The Cloud Infrastructure Effect
Rethinking Security: The Cloud Infrastructure Effect
 
Webinar compiled powerpoint
Webinar compiled powerpointWebinar compiled powerpoint
Webinar compiled powerpoint
 
Security and Compliance for Enterprise Cloud Infrastructure
Security and Compliance for Enterprise Cloud InfrastructureSecurity and Compliance for Enterprise Cloud Infrastructure
Security and Compliance for Enterprise Cloud Infrastructure
 
SecDevOps: The New Black of IT
SecDevOps: The New Black of ITSecDevOps: The New Black of IT
SecDevOps: The New Black of IT
 
Technologies You Need to Safely Use the Cloud
Technologies You Need to Safely Use the CloudTechnologies You Need to Safely Use the Cloud
Technologies You Need to Safely Use the Cloud
 
Cloud Security: Make Your CISO Successful
Cloud Security: Make Your CISO SuccessfulCloud Security: Make Your CISO Successful
Cloud Security: Make Your CISO Successful
 
Secure Cloud Development Resources with DevOps
Secure Cloud Development Resources with DevOpsSecure Cloud Development Resources with DevOps
Secure Cloud Development Resources with DevOps
 
45 Minutes to PCI Compliance in the Cloud
45 Minutes to PCI Compliance in the Cloud45 Minutes to PCI Compliance in the Cloud
45 Minutes to PCI Compliance in the Cloud
 
Comprehensive Cloud Security Requires an Automated Approach
Comprehensive Cloud Security Requires an Automated ApproachComprehensive Cloud Security Requires an Automated Approach
Comprehensive Cloud Security Requires an Automated Approach
 
Security that works with, not against, your SaaS business
Security that works with, not against, your SaaS businessSecurity that works with, not against, your SaaS business
Security that works with, not against, your SaaS business
 
Integrating Security into DevOps
Integrating Security into DevOpsIntegrating Security into DevOps
Integrating Security into DevOps
 
What You Need To Know About The New PCI Cloud Guidelines
What You Need To Know About The New PCI Cloud GuidelinesWhat You Need To Know About The New PCI Cloud Guidelines
What You Need To Know About The New PCI Cloud Guidelines
 
What You Haven't Heard (Yet) About Cloud Security
What You Haven't Heard (Yet) About Cloud SecurityWhat You Haven't Heard (Yet) About Cloud Security
What You Haven't Heard (Yet) About Cloud Security
 
Meeting PCI DSS Requirements with AWS and CloudPassage
Meeting PCI DSS Requirements with AWS and CloudPassageMeeting PCI DSS Requirements with AWS and CloudPassage
Meeting PCI DSS Requirements with AWS and CloudPassage
 
Delivering Secure OpenStack IaaS for SaaS Products
Delivering Secure OpenStack IaaS for SaaS ProductsDelivering Secure OpenStack IaaS for SaaS Products
Delivering Secure OpenStack IaaS for SaaS Products
 
CloudPassage Overview
CloudPassage OverviewCloudPassage Overview
CloudPassage Overview
 
Halo Installfest Slides
Halo Installfest SlidesHalo Installfest Slides
Halo Installfest Slides
 

Recently uploaded

What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024Stephanie Beckett
 
Artificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxArtificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxhariprasad279825
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsPixlogix Infotech
 
How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.Curtis Poe
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfAlex Barbosa Coqueiro
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsMark Billinghurst
 
Powerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time ClashPowerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time Clashcharlottematthew16
 
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks..."LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...Fwdays
 
How to write a Business Continuity Plan
How to write a Business Continuity PlanHow to write a Business Continuity Plan
How to write a Business Continuity PlanDatabarracks
 
Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Enterprise Knowledge
 
Commit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyCommit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyAlfredo García Lavilla
 
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage CostLeverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage CostZilliz
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr BaganFwdays
 
SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxNavinnSomaal
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024Lorenzo Miniero
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Commit University
 
Advanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionAdvanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionDilum Bandara
 
Take control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteTake control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteDianaGray10
 
Search Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdfSearch Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdfRankYa
 

Recently uploaded (20)

What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024
 
Artificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxArtificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptx
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and Cons
 
How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdf
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR Systems
 
Powerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time ClashPowerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time Clash
 
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks..."LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
 
How to write a Business Continuity Plan
How to write a Business Continuity PlanHow to write a Business Continuity Plan
How to write a Business Continuity Plan
 
Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024
 
Commit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyCommit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easy
 
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage CostLeverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan
 
SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptx
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!
 
Advanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionAdvanced Computer Architecture – An Introduction
Advanced Computer Architecture – An Introduction
 
Take control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteTake control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test Suite
 
Search Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdfSearch Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdf
 

PCI and the Cloud

  • 1. PCI and the Cloud Dave Shackleford, CTO, IANS Andrew Hay, Chief Evangelist, CloudPassage Hashtag - #PCIcloud 8/29/2012
  • 2. Who We Are Dave Shackleford Andrew Hay SVP of Research & Chief Evangelist at CTO at IANS CloudPassage, Inc. Interact with us on Twitter using the #PCIcloud hashtag Copyright © 2012 IANS. All rights reserved. 2
  • 3. Introduction • There are lots of questions about PCI in cloud environments…but few answers to date How will compliance be affected with What should we How can I various cloud look for in PCI- satisfy the configurations? compliant security and providers? control What does requirements? a ‘PCI Compliant’ Can I even What am I cloud even Will my be PCI responsible for mean? existing compliant in in technical the cloud? Private/Public/H controls work ybrid clouds? in cloud? Copyright © 2012 IANS. All rights reserved. 3
  • 4. It’s Not All Doom and Gloom • Yes, you can be PCI compliant in the cloud! • You will likely need some different tools and processes • Not all providers are created equal! • There is no “silver bullet” – but the responsibility is still yours Copyright © 2012 IANS. All rights reserved. 4
  • 5. Survey Results: Compliance & Standards • What standards or regulatory compliance mandates apply to your cloud project(s)? PCI DSS 84.2% HIPAA 42.1% SOX 36.8% ISO 31.6% CoBIT 15.8% CIPA 5.3% Cloud Audit 5.3% COPPA 5.3% FISMA 5.3% GLBA 5.3% 0.0% 20.0% 40.0% 60.0% 80.0% 100.0% Copyright © 2012 IANS. All rights reserved. 5
  • 6. A Little About Cloud Types (diagram: a US public cloud provider and an EU public cloud provider, each running database, app, auth and load-balancer servers, alongside a legacy datacenter/colo, a private/hybrid cloud and a staging environment)
  • 7. Survey Results – Environments • Which of the following cloud hosting environments are leveraged by your project(s)? A private cloud hosted and/or operated by an external provider 44.4%; a public, multi-tenant cloud provider 38.9%; a public, multi-tenant Platform-as-a-Service (PaaS) 33.3%; a private cloud hosted in your own data center 27.8%; a private Platform-as-a-Service (PaaS) 16.7%
  • 8. Who is responsible for Security? AWS Shared Responsibility Model (diagram: the customer is responsible for the Data, App Code, App Framework, Operating System and Virtual Machine layers; the provider is responsible for the Hypervisor, Compute & Storage, Shared Network and Physical Facilities layers). From Amazon Web Services, Overview of Security Processes: “…the customer should assume responsibility and management of, but not limited to, the guest operating system…and associated application software...” and “it is possible for customers to enhance security and/or meet more stringent compliance requirements with the addition of… host based firewalls, host based intrusion detection/prevention, encryption and key management.”
  • 9. General Notes on Cloud Service Providers (CSPs) • Compliance concerns will vary depending on whether the CSP is SaaS, PaaS or IaaS • CSPs should be on the card brands’ “approved list” • PCI compliance should be in the contract
  • 10. What Else to Look For: CSPs • Evidence of audit and attestation – a combination of “PCI Compliance” and perhaps SSAE 16 • Cloud SLAs and contract provisions • Who is responsible for what? This should be clear! • You cannot outsource your compliance status! • But you CAN take steps to secure the requirements under your control
  • 11. Requirement Areas 1-3 (PCI DSS requirement, followed by cloud concerns and comments)
    – 1: Install/maintain firewall configs. (1) Data flow is important. (2) Host-based firewalls may make the most sense. (3) Hardware and some of the network may be up to the CSP.
    – 2: Vendor defaults. (1) Virtualization templates can help (once they are secured properly). (2) CSP audit data may be needed. (3) Always check for inappropriate settings.
    – 3: Protect stored data. (1) Options will depend on the data storage type. (2) Cloud storage platforms may have their own options.
  • 12. Requirement Areas 4-6
    – 4: Encrypt data in transit. (1) VPN connections to/from the cloud environment. (2) Leverage SSL/TLS connections.
    – 5: Use and update anti-malware. (1) Ensure anti-malware is built into your templates for deployment.
    – 6: Develop/maintain secure systems and apps. (1) Build security into apps and VM templates in the cloud. (2) Be wary of provisioning and “cloud bursting”.
  • 13. Requirement Areas 7-9
    – 7: Restrict access to cardholder data (CHD) by “need to know”. (1) Leverage any role-based controls (e.g. Amazon IAM and others). (2) Build controls into cloud systems and manage them normally (if possible).
    – 8: Use unique IDs for accessing PCI systems. (1) Proper configuration management and role/group management are required.
    – 9: Restrict physical access. (1) This is entirely on the CSP – similar to a hosting environment.
  • 14. Requirement Areas 10-12
    – 10: Track and monitor access to CHD. (1) Will your CSP provide any logs? If so, which ones? (2) Send your own logs to a central log server, in the cloud or elsewhere.
    – 11: Test PCI systems and processes. (1) Test your cloud assets – this may require a different level of coordination with the CSP. (2) Ask for CSP test reports if relevant.
    – 12: Maintain information security policies. (1) Update any/all policies that may have ties to the new cloud-based assets.
  • 15. Survey Results: Audit • How many times has your cloud project been audited for adherence to the compliance standards above? (pie chart) Never 23.8%; Once 9.5%; More than three times 66.7%
  • 16. Survey Results: Controls • What cloud security technologies did your auditors expect you to have deployed? Firewalls & access control 78.6%; SIEM/LM 71.4%; WAF 71.4%; Multi-factor authentication 64.3%; Database encryption 57.1%; Network encryption 57.1%; NIDS 57.1%; Patch management 57.1%; Disk encryption 42.9%; HIDS 35.7%; Configuration monitoring 35.7%; FIM 35.7%; Code scanning 35.7%
  • 17. Survey Results: Who Audited? • Who performed your cloud compliance audit (big four, small firm, QSA)? Categories: a large accounting firm (e.g. one of the “Big Four”); a large technology integrator or technical consulting firm; a smaller firm specializing in information security technology; a smaller firm specializing in general risk management, governance and compliance; internal/self audit. (pie chart with slices of 66.7%, 13.3%, 6.7%, 6.7% and 6.7%; the label-to-slice mapping is not recoverable from the transcript)
  • 18. How Do I Secure Servers in the Cloud? Servers in hybrid and public clouds must be self-defending, with highly automated controls like… • Dynamic firewall & access control • Server compromise & intrusion alerting • Configuration and package security • Server forensics and security analysis • Server account visibility & control • Integration & automation capabilities
  • 19. Mapping Compliance to the Cloud
  • 20. Firewalling Without Network Control
  • 21. Traditional Datacenter (DC) Firewalling (diagram: a core firewall in front of the auth server and database tier, and a DMZ firewall in front of the load balancers and app servers; one app server, www-4, is flagged as compromised)
  • 22–25. Moving to the Cloud (diagram sequence: the same tiers start behind the core and DMZ firewalls; a public cloud appears alongside the datacenter; the auth server, databases, load balancers and app servers move into it while the firewalls stay behind; in the final frame the load balancer, app servers and DB master sit in the public cloud with no firewall between them, flagged as exposed)
  • 26–29. Dynamic Cloud Firewalling (diagram sequence: each instance – load balancer, app servers, DB master – now carries its own host firewall (FW); capacity grows with a second load balancer, another app server and a DB slave, each with its own FW; an app server’s IP address then changes and an app server is removed, so the rule sets on the other hosts must follow the inventory)
  • 30. Lessons to Learn • Whatever firewall options you have, use them • Make sure your firewall rules are updated quickly and automatically • Plan for the future, because you will be multi-cloud
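The following is an added example of the automation slide 30 asks for; it is the editor's code, not part of the deck and not CloudPassage's product. It assumes iptables as the host firewall and a role-based policy (load balancer, app tier, database tier); the roles, ports and private IPs are constructed for illustration. The point is that every host's INPUT chain is derived from the current inventory, so a new or relaunched app server is allowed in (and a removed one dropped) without anyone editing a firewall by hand:

```python
"""Regenerate a host firewall allowlist from the current cloud inventory.

Added example (editor's code, not from the deck, IANS or CloudPassage).
The roles, ports and private IPs below are constructed for illustration,
and iptables is assumed as the host firewall; applying the generated
commands to a host is left to your configuration pusher.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Instance:
    name: str
    role: str  # "lb", "app" or "db"
    ip: str    # private IP; changes every time the instance is relaunched


# Who may talk to whom, by role and TCP port. Everything not listed is
# dropped, because the cloud network gives us no perimeter to rely on.
POLICY: Dict[str, List[Tuple[str, int]]] = {
    "lb":  [("internet", 443)],
    "app": [("lb", 8080)],
    "db":  [("app", 5432)],
}


def ips_for_role(inventory: List[Instance], role: str) -> List[str]:
    """Current IPs of every instance holding `role`, in a stable order."""
    return sorted(i.ip for i in inventory if i.role == role)


def build_rules(host: Instance, inventory: List[Instance],
                policy: Dict[str, List[Tuple[str, int]]] = POLICY) -> List[str]:
    """Full INPUT chain for `host`, derived only from role policy + inventory.

    Note: on a live host, push these through iptables-restore (or build a
    new chain and swap it) so the rule set changes atomically; running them
    one by one would briefly drop all traffic after the -P DROP line.
    """
    rules = [
        "iptables -F INPUT",
        "iptables -P INPUT DROP",
        "iptables -A INPUT -i lo -j ACCEPT",
        "iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT",
    ]
    for src_role, port in policy.get(host.role, []):
        if src_role == "internet":
            rules.append(f"iptables -A INPUT -p tcp --dport {port} -j ACCEPT")
            continue
        for src_ip in ips_for_role(inventory, src_role):
            rules.append(
                f"iptables -A INPUT -p tcp -s {src_ip}/32 --dport {port} -j ACCEPT")
    return rules


def diff_rules(old: List[str], new: List[str]) -> Tuple[List[str], List[str]]:
    """(added, removed) rule lines: what an automated pusher acts on when the
    inventory changes, instead of waiting for a human to edit a firewall."""
    return sorted(set(new) - set(old)), sorted(set(old) - set(new))


if __name__ == "__main__":
    inventory = [
        Instance("lb-1", "lb", "10.0.0.10"),
        Instance("app-1", "app", "10.0.1.11"),
        Instance("app-2", "app", "10.0.1.12"),
        Instance("db-master", "db", "10.0.2.20"),
    ]
    db = inventory[-1]
    before = build_rules(db, inventory)
    # app-2 is replaced and comes back with a new IP, as in the
    # dynamic firewalling slides above.
    inventory[2] = Instance("app-2", "app", "10.0.1.57")
    added, removed = diff_rules(before, build_rules(db, inventory))
    print("add:", *added, sep="\n  ")
    print("remove:", *removed, sep="\n  ")
```

Because the rules are a pure function of policy plus inventory, the same generator works unchanged when a second cloud provider is added: only the inventory source differs, which is the multi-cloud point of the slide.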
  • 31. Securing Highly Dynamic Servers
  • 32. Traditional DC Operations Model (diagram: www-1 to www-4 in a private datacenter, each flagged) • Capacity is mostly static • Servers are long-lived • Security risk on servers is mitigated by network defenses
  • 33–37. Cloud Operations Model (diagram sequence: www instances are cloned from a Gold Master into the public cloud, appear and disappear, and some are flagged as compromised) • Capacity is highly dynamic • Servers are short lived • Gold Master updates are rolled out incrementally • What does server security mean in this environment?
  • 38–42. Ensuring Cloud Server Integrity (diagram sequence: running www instances built from the gold master, with individual instances flagged as suspect or compromised) • Scan for misconfigurations due to deployment or debugging issues • Ensure software packages are up-to-date and watch for remote exploits that must be patched quickly • Monitor business code for unintended or malicious changes • Automate management and monitoring of these critical operational security points
  • 43. Lessons to Learn • Embrace the flexibility of the cloud; re-think operations • Secure your server integrity by keeping images up-to-date and monitoring closely for changes • Know what areas of security you are responsible for and automate them heavily
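As an added example for the integrity checks on slides 38–43 (editor's code, not from the deck or from CloudPassage), the script below does two of the three things the slides list: it hashes a gold master's files to build a baseline, diffs a running instance against it to catch modified business code and stray files, and scans the instance's sshd_config for settings that drifted during debugging. Package-update checking is left out because it needs the host's package manager. The directory layout, file contents and the expected sshd settings are constructed here so the script runs offline in a temporary directory; on a real host you would point `baseline()` at the image and `drift()` at the live filesystem.

```python
"""Integrity checks for short-lived cloud servers built from a gold master.

Added example (editor's code, not from the deck, IANS or CloudPassage).
File names, sshd_config contents and the expected settings below are
constructed for illustration; the demo builds both trees in a temp dir.
"""
import hashlib
import tempfile
from pathlib import Path
from typing import Dict, List, Tuple


def sha256_file(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large binaries do not fill memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def baseline(root: Path) -> Dict[str, str]:
    """Map each file under `root` (path relative to root) to its digest."""
    return {str(p.relative_to(root)): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def drift(gold: Dict[str, str], current: Dict[str, str]) -> Dict[str, List[str]]:
    """Classify how a running instance differs from the gold-master baseline."""
    return {
        "modified": sorted(k for k in gold if k in current and gold[k] != current[k]),
        "added":    sorted(k for k in current if k not in gold),
        "removed":  sorted(k for k in gold if k not in current),
    }


# Settings a PCI-scoped host must not drift away from (constructed subset;
# keys are compared case-insensitively, as sshd itself does).
SSHD_EXPECTED = {"permitrootlogin": "no", "passwordauthentication": "no"}


def sshd_findings(config_text: str, expected: Dict[str, str] = SSHD_EXPECTED) -> List[str]:
    """Findings for sshd_config keys that are unset or differ from `expected`."""
    seen: Dict[str, str] = {}
    for line in config_text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        key, _, value = line.partition(" ")
        seen[key.lower()] = value.strip().lower()
    findings = []
    for key, want in expected.items():
        got = seen.get(key)
        if got is None:
            findings.append(f"{key}: not set (expected {want})")
        elif got != want:
            findings.append(f"{key}: {got} (expected {want})")
    return findings


def demo() -> Tuple[Dict[str, List[str]], List[str]]:
    """Build a gold master and a 'live' copy that drifted, then check both."""
    with tempfile.TemporaryDirectory() as tmp:
        gold_dir, live_dir = Path(tmp, "gold"), Path(tmp, "live")
        files = {  # constructed sample tree
            "etc/ssh/sshd_config": "PermitRootLogin no\nPasswordAuthentication no\n",
            "srv/app/checkout.py": "def charge(card): ...\n",
            "srv/app/lib/util.py": "def mask(pan): return pan[-4:]\n",
        }
        for root in (gold_dir, live_dir):
            for rel, text in files.items():
                p = root / rel
                p.parent.mkdir(parents=True, exist_ok=True)
                p.write_text(text)
        # What slides 39-41 warn about: a debugging change left behind,
        # business code altered, and a file that was never in the image.
        (live_dir / "etc/ssh/sshd_config").write_text(
            "# temporary, for debugging\nPermitRootLogin yes\nPasswordAuthentication no\n")
        (live_dir / "srv/app/checkout.py").write_text("def charge(card): log(card); ...\n")
        (live_dir / "srv/app/.debug.sh").write_text("bash -i\n")
        report = drift(baseline(gold_dir), baseline(live_dir))
        findings = sshd_findings((live_dir / "etc/ssh/sshd_config").read_text())
        return report, findings


if __name__ == "__main__":
    report, findings = demo()
    for kind, paths in report.items():
        print(f"{kind}: {paths}")
    print("sshd findings:", findings)
```

Run on a schedule from the automation that launches instances (slide 42), the `modified` and `added` lists are exactly the events worth alerting on, and the baseline only has to be recomputed when the gold master changes.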
  • 44. Best Practices • Read and understand what your provider does, and what you are responsible for, with regards to PCI • When moving servers outside your data center, ensure that they are hardened and compliant before they are exposed to the public • Start with public cloud, PCI everywhere else is relatively easy! • Focus on securing the tenets of PCI that you can control
  • 45. Thank You & Questions. Dave Shackleford, CTO, IANS – dshackleford@iansresearch.com. Andrew Hay, Chief Evangelist, CloudPassage – andrew@cloudpassage.com. Follow us on Twitter: twitter.com/ians_security, twitter.com/cloudpassage. www.cloudpassage.com/pci-kit

Editor's Notes

  1. Many organizations are looking to outsource systems, applications, and data into the cloud. Some of these may fall within the scope of PCI compliance. There are lots of questions about this, but few answers to date: How will compliance be affected with various cloud configurations? What should we look for in PCI-compliant providers? How can security be improved for cloud infrastructure? We’ll explore all these topics.
  2. Can you be PCI compliant in the cloud? Absolutely. It depends on the model and your architecture. You will likely need some different tools and processes. Not all providers are created equal! Be sure to check claims of compliance very carefully, and look for any additional audit data as well. There is no “silver bullet” – the responsibility is still yours.
  3. Compliance concerns will vary depending on whether the CSP is SaaS, PaaS, or IaaS: responsibility and control levels differ. CSPs should be on the card brands’ “approved list” if at all possible. PCI compliance should be in the contract. Delineate which parts of the “stack” you are responsible for.