
Will Your Cloud Be Compliant? Scott Carlson – PayPal Evgeniya Shumakher - Mirantis.


1 Will Your Cloud Be Compliant? Scott Carlson (PayPal), Evgeniya Shumakher (Mirantis)

2 OpenStack Cloud Compliance. Evgeniya Shumakher, Business Analyst, Mirantis. © MIRANTIS 2013

3 What is ‘Compliance’? Compliance means conforming to a rule, such as a specification, policy, standard or law. Regulatory compliance describes the goal that organisations aspire to achieve in their efforts to ensure that they are aware of and take steps to comply with relevant laws and regulations. http://en.wikipedia.org/wiki/Regulatory_compliance

4 Compliance <> Security. Two overlapping circles, Security and Compliance: they intersect, but neither one is the other.

5 It’s all about information: Confidentiality, Integrity, Availability. Example: The Payment Card Industry Data Security Standard (PCI DSS) was developed to encourage and enhance cardholder data security and facilitate the broad adoption of consistent data security measures globally.

6 Enterprise ecosystem, shown as a layered stack from top to bottom: Data; Applications; Operating Systems; OpenStack; Processing and Memory, Data Storage, Network; Physical facilities. Around the stack: People, Business Processes, Regulations.

7 Who is responsible? A table of the cloud stack layers (Data; Applications; Operating Systems; OpenStack; Processing and Memory, Data Storage, Network; Physical facilities) against the service models (IaaS, PaaS, SaaS), with each layer assigned to either the cloud user or the cloud builder.

8 Standards: PCI DSS; HIPAA / HITECH; SOX; FedRAMP/FISMA; ISO/IEC 27001:2005; NIST SP 800-53

9 Typical structure: a Standard is made up of Requirements (#1, #2, ..., #N), and each Requirement is made up of Controls (Requirement #1 has Control #1.1, Control #1.2, ..., Control #1.N).

10 Cloud Controls Matrix version 3.0 (the Cloud Security Alliance’s cross-mapping of standards): the controls in the different standards are very similar.

11 Standards are pretty generic: PCI DSS
Build and Maintain a Secure Network and Systems
- 1. Install and maintain a firewall configuration to protect cardholder data
- 2. Do not use vendor-supplied defaults for system passwords and other security parameters
Protect Cardholder Data
- 3. Protect stored cardholder data
- 4. Encrypt transmission of cardholder data across open, public networks
Maintain a Vulnerability Management Program
- 5. Protect all systems against malware and regularly update anti-virus software or programs
- 6. Develop and maintain secure systems and applications
Implement Strong Access Control Measures
- 7. Restrict access to cardholder data by business need to know
- 8. Identify and authenticate access to system components
- 9. Restrict physical access to cardholder data
Regularly Monitor and Test Networks
- 10. Track and monitor all access to network resources and cardholder data
- 11. Regularly test security systems and processes
Maintain an Information Security Policy
- 12. Maintain a policy that addresses information security for all personnel

12 Cloud Guidelines
- PCI DSS Virtualization Guidelines
- PCI DSS Cloud Computing Guidelines
- NIST Special Publication 800-144, Guidelines on Security and Privacy in Public Cloud Computing

13 PCI DSS Cloud Guidelines: Don’t store, process or transmit payment card data in the cloud.

14 PCI DSS Virtualization Guidelines, Requirement 3: Protect stored cardholder data
- As well as being present in known locations, cardholder data could exist in archived, off-line or dormant VM images, or be unknowingly moved between virtual systems via dynamic mechanisms such as live migration or storage migration tools.
- Sensitive data, such as unencrypted PAN, sensitive authentication data, and cryptographic keys, could be inadvertently captured in active memory and replicated via VM imaging and snapshot functions...

15 OpenStack Security Guidelines: the OpenStack Security Guide; Securing OpenStack for compliance

16 Q&A. email: eshumakher@mirantis.com, irc: eshumakher

17 Private Cloud Compliance. Scott Carlson, @relaxed137. © 2014 PayPal Inc. All rights reserved. Confidential and proprietary.

18 PayPal at a glance: 26 currencies supported; 148M active registered accounts; 193 markets offer PayPal; 80 localized marketing sites globally.
Currencies: European Union Euro, Australian Dollar, Canadian Dollar, New Zealand Dollar, Hungarian Forint, Malaysian Ringgit, United Kingdom Pounds Sterling, Hong Kong Dollar, United States Dollar, Taiwan New Dollar, Chinese RMB, Swedish Krona, Singapore Dollar, Philippine Peso, Brazilian Real, Russian Ruble, Norwegian Krone, Japanese Yen, Mexican Peso, Turkish Lira, Swiss Franc, Czech Koruna, Israeli New Shekel, Danish Krone, Thai Baht, Polish Zloty

19 Q1 2014 Financial Metrics
- 148M active accounts (1)
- $6,688 in payments processed every second (2)
- 9M payments processed every day (3)
- +6M new active accounts (1)
- $1.8B PayPal revenues, 20% YoY
- $52B TPV (2), 26% YoY
Footnotes: 1. Active Registered Accounts: all registered accounts that successfully sent or received at least one payment or payment reversal through our PayPal payments networks, including Bill Me Later and Venmo, and excluding users of Braintree’s unbranded payment checkout solutions, within the last 12 months and which are currently able to transact. 2. Total Payment Volume: total dollar volume of payments, net of payment reversals, successfully completed through our PayPal payments networks, including Bill Me Later, Venmo, and payments processed through Braintree’s full stack payments platform during the period; excludes payments sent or received through PayPal and Braintree’s payment gateway businesses. 3. Net Total Number of Payments: total number of payments, net of payment reversals, successfully completed through our PayPal payments networks, including Bill Me Later, Venmo, and payments processed through Braintree’s full stack payments platform during the period; excludes payments sent or received through PayPal and Braintree’s payment gateway businesses.

20 PayPal Cloud & Software Defined Data Center: Agility with Security
Cloud Design Principles
- Elastic / Virtual: deploy from templates; any image, anywhere; automatically scale workloads up/down; follow devops auto-deployments (CI/CD); respond to intra-cloud events
- Secure: PCI-DSS 2.0 and 3.0; local country requirements

21 Compliance requirements
- Compliant with PCI-DSS 2.0 standards
- Non-US locations compliant with local country regulations
Compliance Statement: http://www.visa.com/splisting/viewSPDetail.do?coName=PayPal

22 Basic Methodology: just pretend it’s infrastructure
OpenStack has servers in it
- Hardware configured and dedicated to the cloud
- Hypervisor/build image meeting NIST/CIS standard templates
- Vulnerability scanning with third-party tooling
- Patching: 7, 30, 90 day windows with vendor-provided patches to the OS
- Configuration management for important system files
- Password management: non-default, complex and unique!
OpenStack has users in it
- Do not use shared accounts for anything. Just don’t.
- Log everything (auth) about a user. Send it somewhere you can find it. Keep it a LONG time.
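The two user rules on this slide feed each other: if every authentication event is logged, a shared account shows up as one user logging in from several hosts at almost the same time. The script below is an added example, not from the slides or from PayPal; the log lines are constructed and their layout (timestamp, user, src, result) is an assumption rather than any OpenStack service’s real format.

```python
# Added example, not from the presentation: flag accounts that the auth log
# shows in use from several source hosts at nearly the same time, the usual
# signature of a shared account. The log lines are constructed and the
# line format (time, user, src, result) is an assumption, not Keystone's.
from collections import defaultdict
from datetime import datetime, timedelta

AUTH_LOG = """\
2014-05-12T09:00:01Z user=ops-shared src=10.0.1.15 result=success
2014-05-12T09:00:40Z user=ops-shared src=10.0.2.77 result=success
2014-05-12T09:01:05Z user=ops-shared src=10.0.3.9 result=success
2014-05-12T09:02:00Z user=alice src=10.0.1.15 result=success
2014-05-12T09:30:00Z user=alice src=10.0.5.4 result=failure
2014-05-12T11:00:00Z user=bob src=10.0.1.20 result=success
2014-05-12T15:00:00Z user=bob src=10.0.9.2 result=success
"""

def parse_auth_log(text):
    """Turn 'timestamp key=value ...' lines into dicts with a datetime 'ts'."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        rec = dict(p.split("=", 1) for p in parts[1:])
        rec["ts"] = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ")
        events.append(rec)
    return events

def shared_account_candidates(events, window=timedelta(minutes=10), min_sources=2):
    """Map user -> sorted source IPs for users whose successful logins came
    from at least min_sources distinct hosts inside one window-long span.
    Failed attempts are ignored: a guessed password is a different problem."""
    by_user = defaultdict(list)
    for e in events:
        if e.get("result") == "success":
            by_user[e["user"]].append((e["ts"], e["src"]))
    flagged = {}
    for user, logins in by_user.items():
        logins.sort()
        for i, (t0, _) in enumerate(logins):
            srcs = {s for t, s in logins[i:] if t - t0 <= window}
            if len(srcs) >= min_sources:
                flagged[user] = sorted(srcs)
                break
    return flagged

if __name__ == "__main__":
    for user, srcs in shared_account_candidates(parse_auth_log(AUTH_LOG)).items():
        print(f"possible shared account: {user} used from {srcs}")
```

With the sample data only ops-shared is reported: alice has a single successful login and bob’s two logins are hours apart, outside the window.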

23 Basic Methodology: just pretend it’s infrastructure
Hypervisor components
- It’s just Linux. Treat it like hardened Linux and lock it down to standards (CIS, NIST)
- Have a separate management interface from your production traffic (physical or virtual)
- Do not combine security zones within a single hypervisor, because then it’s ALL “in-scope”
- Audit access, audit changes, be ready to show your work
- Be ready to defend decisions to share ports for components
OpenStack software stack
- Limited vulnerability scanning in a programmatic way; have to build our own (Fortify, AppScan)
- Getting code from trunk = open source happiness, but have your licenses reviewed!
- You still need to code review if CDE passes through here
- Avoid, avoid, avoid actual data getting put in your cloud stack (not guest VMs, those are OK)
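The “do not combine security zones on one hypervisor” rule is easy to state and easy to break by accident. The audit below is an added example, not code from the slides or from PayPal: it walks a constructed guest inventory, reports hypervisors that mix zones, and shows which out-of-zone guests a mixed host drags into scope. In OpenStack the placement rule itself is normally enforced with host aggregates and scheduler filters; this check is independent of that, and every host, guest and zone name is made up.

```python
# Added example, not from the presentation: audit a guest inventory for
# hypervisors that host guests from more than one security zone. One mixed
# host pulls every guest on it into PCI scope. In OpenStack the placement
# rule itself is normally enforced with host aggregates and scheduler
# filters; this is an independent check, and all names are constructed.
from collections import defaultdict

# Constructed inventory: (guest name, hypervisor, security zone).
INVENTORY = [
    ("web-01",   "hv-a01", "dmz"),
    ("web-02",   "hv-a01", "dmz"),
    ("cde-db1",  "hv-c01", "cde"),
    ("cde-app1", "hv-c01", "cde"),
    ("intranet", "hv-b07", "corp"),
    ("cde-app2", "hv-b07", "cde"),   # the mistake this audit should catch
]

def zones_per_host(inventory):
    """Map hypervisor -> set of zones present on it."""
    hosts = defaultdict(set)
    for _vm, host, zone in inventory:
        hosts[host].add(zone)
    return hosts

def mixed_zone_hosts(inventory):
    """Hypervisors carrying guests from more than one zone, with the zones."""
    return {h: sorted(z) for h, z in zones_per_host(inventory).items() if len(z) > 1}

def scope(inventory, scoped_zone="cde"):
    """Hosts in scope for scoped_zone, plus guests of other zones that a
    mixed host drags into scope with it."""
    hosts = zones_per_host(inventory)
    scoped_hosts = {h for h, z in hosts.items() if scoped_zone in z}
    dragged_in = [vm for vm, h, zone in inventory
                  if h in scoped_hosts and zone != scoped_zone]
    return sorted(scoped_hosts), sorted(dragged_in)

def placement_allowed(inventory, host, zone):
    """Admission rule: a host may take a guest only if it is empty or already
    dedicated to that guest's zone."""
    current = zones_per_host(inventory).get(host, set())
    return not current or current == {zone}

if __name__ == "__main__":
    print("mixed-zone hosts:", mixed_zone_hosts(INVENTORY))
    print("in-scope hosts, dragged-in guests:", scope(INVENTORY))
```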

24 Basic Methodology: just pretend it’s infrastructure
Physical network components? Yep
- Firewall rules around the cloud to limit ingress and egress
- Monitor what happens on your firewalls, send it somewhere, keep it a LONG time
- Make sure the person building your network isn’t the person building your cloud (SOD, separation of duties)
- Configuration guidelines exist for most physical installations (avoid virtual for now…)
- Automation is fine, but make sure you log it, and auto-ticket it.
Virtual network components? Nope
- Too early in the testing process to rely on virtual versions of components at scale
- Okay for intra-tenant traffic with a minimal rule set
- The same rules for physical apply to virtual. Has your third party pen-tested and certified their thing?

25 Basic Methodology: just pretend it’s infrastructure
Data? If it’s cardholder data, controls become interesting very quickly
- Storing things encrypted at rest in VMs means you can’t use OpenStack components
- HSM, crypto, key management required
- User management, controls over data, logging: all of the standard stuff needed

26 For more information, please contact: Scott Carlson, sccarlson@paypal.com, @relaxed137
