Will Your Cloud Be Compliant? Scott Carlson – PayPal Evgeniya Shumakher - Mirantis.



© MIRANTIS 2013 OpenStack Cloud Compliance Evgeniya Shumakher Business Analyst

What is ‘Compliance’? Compliance means conforming to a rule, such as a specification, policy, standard or law. Regulatory compliance describes the goal that organisations aspire to achieve in their efforts to ensure that they are aware of and take steps to comply with relevant laws and regulations.

Compliance <> Security: compliance is not the same thing as security (Security vs. Compliance).

It's all about information: Confidentiality, Integrity, Availability. Example: The Payment Card Industry Data Security Standard (PCI DSS) was developed to encourage and enhance cardholder data security and facilitate the broad adoption of consistent data security measures globally.

Enterprise ecosystem: Data / Applications / Operating Systems / OpenStack / Processing and Memory, Data Storage, Network / Physical facilities, together with People, Business Processes and Regulations.

Who is responsible? Cloud stack layers (Data, Applications, Operating Systems, OpenStack, Processing and Memory / Data Storage / Network, Physical facilities) against service models (IaaS, PaaS, SaaS): each layer is the responsibility of either the cloud user or the cloud builder, depending on the model.

Standards: PCI DSS; HIPAA / HITECH; SOX; FedRAMP/FISMA; ISO/IEC; NIST SP 800-53.

Typical structure:
Standard
  Requirement #1
    Control #1.1
    Control #1.2
    Control #1.N
  Requirement #2
  Requirement #N

Cloud Controls Matrix version 3.0: controls are very similar.

Standards are pretty generic. PCI DSS:
Build and Maintain a Secure Network and Systems
1. Install and maintain a firewall configuration to protect cardholder data
2. Do not use vendor-supplied defaults for system passwords and other security parameters
Protect Cardholder Data
3. Protect stored cardholder data
4. Encrypt transmission of cardholder data across open, public networks
Maintain a Vulnerability Management Program
5. Protect all systems against malware and regularly update anti-virus software or programs
6. Develop and maintain secure systems and applications
Implement Strong Access Control Measures
7. Restrict access to cardholder data by business need to know
8. Identify and authenticate access to system components
9. Restrict physical access to cardholder data
Regularly Monitor and Test Networks
10. Track and monitor all access to network resources and cardholder data
11. Regularly test security systems and processes
Maintain an Information Security Policy
12. Maintain a policy that addresses information security for all personnel

Cloud Guidelines:
- PCI DSS Virtualization Guidelines
- PCI DSS Cloud Computing Guidelines
- NIST Special Publication Guidelines on Security and Privacy in Public Cloud Computing

PCI DSS Cloud Guidelines Don’t store, process or transmit payment card data in the cloud.

PCI DSS Virtualization Guidelines, Requirement 3: Protect stored cardholder data
- As well as being present in known locations, cardholder data could exist in archived, off-line or dormant VM images, or be unknowingly moved between virtual systems via dynamic mechanisms such as live migration or storage migration tools.
- Sensitive data, such as unencrypted PAN, sensitive authentication data, and cryptographic keys, could be inadvertently captured in active memory and replicated via VM imaging and snapshot functions...

OpenStack Security Guidelines: OpenStack Security Guide; Securing OpenStack for compliance.

Q&A irc: eshumakher

© 2014 PayPal Inc. All rights reserved. Confidential and proprietary. Private Cloud Compliance Scott Carlson

26 currencies supported; 148M active registered accounts; markets offer PayPal; 80 localized marketing sites globally.
Currencies: European Union euro, Australian dollar, Canadian dollar, New Zealand dollar, Hungarian forint, Malaysian ringgit, United Kingdom pounds sterling, Hong Kong dollar, United States dollar, Taiwan new dollar, Chinese RMB, Swedish krona, Singapore dollar, Philippine peso, Brazilian real, Russian ruble, Norwegian krone, Japanese yen, Mexican peso, Turkish lira, Swiss franc, Czech koruna, Israeli new shekel, Danish krone, Thai baht, Polish zloty.

148M active accounts [1]; $6,688 in payments processed every second [2]; 9M payments processed every day [3]; +6M new active accounts [1].
Q Financial Metrics: $1.8B PayPal revenues, 20% YoY; TPV [2] $52B, 26% YoY.
[1] Active Registered Accounts: All registered accounts that successfully sent or received at least one payment or payment reversal through our PayPal payments networks, including Bill Me Later and Venmo, and excluding users of Braintree's unbranded payment checkout solutions, within the last 12 months and which are currently able to transact.
[2] Total Payment Volume: Total dollar volume of payments, net of payment reversals, successfully completed through our PayPal payments networks, including Bill Me Later, Venmo, and payments processed through Braintree's full stack payments platform during the period; excludes payments sent or received through PayPal and Braintree's payment gateway businesses.
[3] Net Total Number of Payments: Total number of payments, net of payment reversals, successfully completed through our PayPal payments networks, including Bill Me Later, Venmo, and payments processed through Braintree's full stack payments platform during the period; excludes payments sent or received through PayPal and Braintree's payment gateway businesses.

PayPal Cloud & Software Defined Data Center: Agility with Security
Cloud Design Principles:
- Deploy from templates
- Any image, anywhere
- Automatically scale up/down workloads
- Follow devops auto-deployments (CI/CD)
- Respond to intra-cloud events
ELASTIC, VIRTUAL, SECURE: PCI-DSS 2.0 and 3.0, local country requirements

Compliance requirements. Compliance Statement: compliant with PCI-DSS 2.0 standards; non-US locations compliant with local country regulations.

Basic Methodology: just pretend it's infrastructure
OpenStack has servers in it:
- Hardware configured and dedicated to the cloud
- Hypervisor/build image meeting NIST/CIS standard templates
- Vulnerability scanning with third-party tooling
- Patching: 7, 30, 90 day windows with vendor-provided patches to the OS
- Configuration management for important system files
- Password management: non-default, complex and unique!
OpenStack has users in it:
- Do not use shared accounts for anything. Just don't.
- Log everything (auth) about a user. Send it somewhere you can find it. Keep it a LONG time.
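As an added example (not code from the talk or from PayPal), the checks on this slide turned into a small Python audit over a constructed host and account inventory: vendor-default root passwords, the same root password reused across hosts, shared logins used by more than one person, and patches still pending past the 7/30/90 day windows. The severity-to-window mapping (critical 7, high 30, medium 90) is an assumption; the slide only gives the windows. The default-password list, the hosts, the accounts and the dates are constructed placeholders, and the SHA-256 digests stand in for whatever an inventory records about a credential, not for a password storage scheme.

```python
import hashlib
from datetime import date

# Constructed placeholder list of vendor-default passwords (not any real product's defaults).
VENDOR_DEFAULTS = {"admin", "password", "changeme", "openstack"}
DEFAULT_HASHES = {hashlib.sha256(p.encode()).hexdigest() for p in VENDOR_DEFAULTS}

# Assumed mapping of patch severity to the slide's 7 / 30 / 90 day windows.
PATCH_WINDOW_DAYS = {"critical": 7, "high": 30, "medium": 90}


def password_policy_ok(candidate: str) -> bool:
    """Gate a new password at set time: not a vendor default, long, and mixed character classes."""
    if candidate.lower() in VENDOR_DEFAULTS or len(candidate) < 12:
        return False
    classes = (
        any(c.islower() for c in candidate),
        any(c.isupper() for c in candidate),
        any(c.isdigit() for c in candidate),
        any(not c.isalnum() for c in candidate),
    )
    return sum(classes) >= 3


def audit_hosts(hosts, accounts, today):
    """Return (subject, finding) tuples for hosts and accounts that break the slide's rules.

    Only digests of root passwords are in the inventory: defaults are found by comparing
    digests, reuse by the same digest appearing on more than one host."""
    findings = []
    hosts_by_digest = {}
    for host in hosts:
        digest = host["root_pw_sha256"]
        if digest in DEFAULT_HASHES:
            findings.append((host["name"], "vendor-default root password"))
        hosts_by_digest.setdefault(digest, []).append(host["name"])
        for patch in host["pending_patches"]:
            window = PATCH_WINDOW_DAYS[patch["severity"]]
            age = (today - patch["published"]).days
            if age > window:
                findings.append((host["name"],
                                 f"{patch['id']} ({patch['severity']}) pending {age} days, window is {window}"))
    for names in hosts_by_digest.values():
        if len(names) > 1:
            findings.append((",".join(names), "same root password on multiple hosts"))
    for account in accounts:
        if len(account["humans"]) > 1:
            findings.append((account["login"], f"shared account used by {len(account['humans'])} people"))
    return findings


def _digest(password: str) -> str:
    return hashlib.sha256(password.encode()).hexdigest()


# Constructed sample inventory: two compute nodes still on a placeholder default, one controller.
SAMPLE_TODAY = date(2014, 6, 1)
SAMPLE_HOSTS = [
    {"name": "compute-01", "root_pw_sha256": _digest("changeme"),
     "pending_patches": [{"id": "PATCH-A", "severity": "critical", "published": date(2014, 5, 20)}]},
    {"name": "compute-02", "root_pw_sha256": _digest("changeme"), "pending_patches": []},
    {"name": "controller-01", "root_pw_sha256": _digest("Xk9#v2Lm!qR7tW"),
     "pending_patches": [{"id": "PATCH-B", "severity": "medium", "published": date(2014, 4, 1)}]},
]
SAMPLE_ACCOUNTS = [
    {"login": "opsadmin", "humans": ["alice", "bob", "carol"]},  # shared login: flagged
    {"login": "alice", "humans": ["alice"]},
]

if __name__ == "__main__":
    for subject, finding in audit_hosts(SAMPLE_HOSTS, SAMPLE_ACCOUNTS, SAMPLE_TODAY):
        print(f"{subject}: {finding}")
```

On the constructed inventory this reports five findings: both compute nodes on a default password, the two of them sharing it, PATCH-A at 12 days against a 7-day window, and the opsadmin login used by three people; PATCH-B at 61 days is inside its 90-day window and is not reported.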

Basic Methodology: just pretend it's infrastructure
Hypervisor components:
- It's just Linux. Treat it like hardened Linux and lock it down to standards (CIS, NIST).
- Have a separate management interface from your production traffic (physical or virtual).
- Do not combine security zones within a single hypervisor, because then it's ALL "in-scope".
- Audit access, audit changes, be ready to show your work.
- Be ready to defend decisions to share ports for components.
OpenStack software stack:
- Limited vulnerability scanning in a programmatic way; we have to build our own (Fortify, AppScan).
- Getting code from trunk = open source happiness, but have your licenses reviewed!
- You still need to code review if CDE (cardholder data environment) traffic passes through here.
- Avoid, avoid, avoid actual data getting put in your cloud stack (not guest VMs, those are OK).

Basic Methodology: just pretend it's infrastructure
Physical network components? Yep.
- Firewall rules around the cloud to limit ingress and egress.
- Monitor what happens on your firewalls, send it somewhere, keep it a LONG time.
- Make sure the person building your network isn't the person building your cloud (separation of duties, SOD).
- Configuration guidelines exist for most physical installations (avoid virtual for now...).
- Automation is fine, but make sure you log it, and auto-ticket it.
Virtual network components? Nope.
- Too early in the testing process to rely on virtual versions of components at scale.
- Okay for intra-tenant traffic with a minimal rule set.
- The same rules for physical apply to virtual. Has your third party pen-tested and certified their thing?
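As an added example (not from the talk or from PayPal), a Python audit of the perimeter rules this slide asks for: a constructed rule set in a simple text form of my own (not any vendor's syntax) is parsed and checked for allow rules open to the whole internet, allow rules that are not logged, and the absence of a final logged default-deny in each direction. The rule lines and addresses are constructed placeholders.

```python
import ipaddress

# Constructed rule set in a made-up text form (not any firewall vendor's syntax):
#   <allow|deny> <ingress|egress> <src-cidr> <dst-cidr> <proto/port|any> [log]
SAMPLE_RULES = """
# cloud perimeter, constructed example
allow ingress 203.0.113.0/24 10.10.0.0/24 tcp/443 log
allow ingress 0.0.0.0/0 10.10.0.5/32 tcp/22
allow egress 10.10.0.0/24 0.0.0.0/0 any
deny ingress 0.0.0.0/0 0.0.0.0/0 any log
"""


def parse_rules(text):
    """Parse the text form above into rule dicts, numbered in order of evaluation."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        logged = parts[-1] == "log"
        if logged:
            parts = parts[:-1]
        action, direction, src, dst, service = parts
        rules.append({
            "no": len(rules) + 1, "action": action, "direction": direction,
            "src": ipaddress.ip_network(src), "dst": ipaddress.ip_network(dst),
            "service": service, "logged": logged,
        })
    return rules


def audit_rules(rules):
    """Return (rule number or None, finding) tuples for the rule set."""
    findings = []
    for r in rules:
        if r["action"] != "allow":
            continue
        # The remote side is the source for ingress and the destination for egress;
        # a /0 prefix there means "anywhere".
        remote = r["src"] if r["direction"] == "ingress" else r["dst"]
        if remote.prefixlen == 0:
            where = "from" if r["direction"] == "ingress" else "to"
            findings.append((r["no"], f"{r['direction']} allow {where} anywhere on {r['service']}"))
        if not r["logged"]:
            findings.append((r["no"], "allow rule is not logged"))
    # Each direction must end in a logged deny-all so that anything unmatched is dropped and seen.
    for direction in ("ingress", "egress"):
        chain = [r for r in rules if r["direction"] == direction]
        last = chain[-1] if chain else None
        if not (last and last["action"] == "deny"
                and last["src"].prefixlen == 0 and last["dst"].prefixlen == 0):
            findings.append((None, f"{direction}: no final default-deny rule"))
        elif not last["logged"]:
            findings.append((last["no"], f"{direction}: default-deny rule is not logged"))
    return findings


if __name__ == "__main__":
    for no, finding in audit_rules(parse_rules(SAMPLE_RULES)):
        print(f"rule {no}: {finding}" if no else finding)
```

On the constructed rules this flags rule 2 (SSH open from anywhere, unlogged), rule 3 (egress to anywhere on any port, unlogged) and the missing egress default-deny; rule 1 and the logged ingress deny-all pass.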

Basic Methodology: just pretend it's infrastructure
Data?
- If it's cardholder data, controls become interesting very quickly.
- Storing things encrypted at rest in VMs means you can't use OpenStack components.
- HSM, crypto, key management required.
- User management, controls over data, logging: all of the standard stuff needed.
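The virtualization guideline quoted earlier warns that unencrypted PAN can end up in VM images, snapshots and memory, and this slide says controls get interesting as soon as cardholder data is involved. As an added example (not from either talk), a Python detector that a cloud builder can run over snapshot text, log exports or crash dumps to confirm that no cardholder data has leaked into the cloud stack: it finds 13 to 19 digit runs, keeps only those that pass the Luhn check digit test that card numbers use, and reports them masked (first six and last four digits). The sample "snapshot" is constructed and uses the public test card numbers 4111 1111 1111 1111 and 5555 5555 5555 4444, not real PANs.

```python
import re

# Candidate: 13 to 19 digits, optionally separated by single spaces or dashes,
# not preceded or followed by another digit (so timestamps and build ids are excluded).
PAN_CANDIDATE = re.compile(r"(?<!\d)(\d(?:[ -]?\d){12,18})(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn check digit validation, as used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep the first six and last four digits, the common masked display form."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_pans(text: str):
    """Return masked PANs found in text; only Luhn-valid candidates count as hits."""
    hits = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(1))
        if luhn_ok(digits):
            hits.append(mask_pan(digits))
    return hits


# Constructed snapshot/log excerpt: two test card numbers, one 16-digit serial that is not a PAN.
SAMPLE_SNAPSHOT = """
[2014-05-30 10:01:22] INFO request_id=7f3a user=alice amount=19.99
card=4111 1111 1111 1111 exp=12/16
[2014-05-30 10:01:23] DEBUG serial=1234567890123456 build=20140530
[2014-05-30 10:02:10] INFO token=5555-5555-5555-4444 status=captured
"""

if __name__ == "__main__":
    for masked in find_pans(SAMPLE_SNAPSHOT):
        print("possible cardholder data:", masked)
```

The Luhn filter removes most numeric noise (the 16-digit serial above fails it), but Luhn-valid non-card numbers do exist, so treat hits as leads for review of how the data got there, not as proof of a breach.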

For more information, please contact: Scott