Will Your Cloud Be Compliant? Scott Carlson – PayPal, Evgeniya Shumakher – Mirantis
OpenStack Cloud Compliance. Evgeniya Shumakher, Business Analyst
What is ‘Compliance’? Compliance means conforming to a rule, such as a specification, policy, standard or law. Regulatory compliance describes the goal that organisations aspire to achieve in their efforts to ensure that they are aware of and take steps to comply with relevant laws and regulations. http://en.wikipedia.org/wiki/Regulatory_compliance
It’s all about information. Example: The Payment Card Industry Data Security Standard (PCI DSS) was developed to encourage and enhance cardholder data security and facilitate the broad adoption of consistent data security measures globally.
Enterprise ecosystem • Regulations • Business processes • People
Who is responsible? • Cloud user • Cloud builder
Standards • PCI DSS • HIPAA / HITECH • SOX • FedRAMP/FISMA • ISO/IEC 27001-2005 • NIST SP800-53
Controls are very similar • Cloud Controls Matrix version 3.0
Cloud Guidelines • PCI DSS Virtualization Guidelines • PCI DSS Cloud Computing Guidelines • NIST Special Publication 800-144 Guidelines on Security and Privacy in Public Cloud Computing
PCI DSS Cloud Guidelines Don’t store, process or transmit payment card data in the cloud.
PCI DSS Virtualization Guidelines • Requirement 3: Protect stored cardholder data • As well as being present in known locations, cardholder data could exist in archived, off-line or dormant VM images, or be unknowingly moved between virtual systems via dynamic mechanisms such as live migration or storage migration tools. • Sensitive data, such as unencrypted PAN, sensitive authentication data, and cryptographic keys, could be inadvertently captured in active memory and replicated via VM imaging and snapshot functions...
OpenStack Security Guidelines • OpenStack Security Guide • Securing OpenStack for compliance
Q&A • email: eshumakher@mirantis.com • irc: eshumakher
Private Cloud Compliance Scott Carlson - @relaxed137
PayPal at a glance • 26 currencies supported (Euro, Taiwan New Dollar, Mexican Peso, Australian Dollar, Chinese RMB, Turkish Lira, Canadian Dollar, Swedish Krona, Swiss Franc, New Zealand Dollar, Singapore Dollar, Czech Koruna, Hungarian Forint, Philippine Peso, Israeli New Shekel, Malaysian Ringgit, Brazilian Real, Danish Krone, United Kingdom Pound Sterling, Russian Ruble, Thai Baht, Hong Kong Dollar, Norwegian Krone, United States Dollar, Japanese Yen, Polish Zloty) • 148M active registered accounts • 193 markets offer PayPal • 80 localized marketing sites globally
Q1 2014 financial metrics • 148M active accounts (1) • +6M new active accounts (1) • $6,688 in payments processed every second (2) • 9M payments processed every day (3) • $1.8B PayPal revenues, 20% YoY • $52B TPV (2), 26% YoY
1. Active Registered Accounts: All registered accounts that successfully sent or received at least one payment or payment reversal through our PayPal payments networks, including Bill Me Later and Venmo, and excluding users of Braintree’s unbranded payment checkout solutions, within the last 12 months and which are currently able to transact. 2. Total Payment Volume: Total dollar volume of payments, net of payment reversals, successfully completed through our PayPal payments networks, including Bill Me Later, Venmo, and payments processed through Braintree’s full stack payments platform during the period; excludes payments sent or received through PayPal and Braintree’s payment gateway businesses. 3. Net Total Number of Payments: Total number of payments, net of payment reversals, successfully completed through our PayPal payments networks, including Bill Me Later, Venmo, and payments processed through Braintree’s full stack payments platform during the period; excludes payments sent or received through PayPal and Braintree’s payment gateway businesses.
PayPal Cloud & Software Defined Data Center: Agility with Security. Cloud design principles • VIRTUAL: deploy from templates; any image, anywhere • ELASTIC: automatically scale workloads up/down; follow devops auto-deployments (CI/CD); respond to intra-cloud events • SECURE: PCI-DSS 2.0 and 3.0; local country requirements
Compliance requirements • Compliant with PCI-DSS 2.0 standards • Non-US locations compliant with local country regulations • Compliance statement: http://www.visa.com/splisting/viewSPDetail.do?coName=PayPal
Basic Methodology: Just pretend it’s infrastructure. OpenStack has servers in it • Hardware configured and dedicated to the cloud • Hypervisor/build image meeting NIST/CIS standard templates • Vulnerability scanning with third-party tooling • Patching: 7, 30, 90 day windows with vendor-provided patches to the OS • Configuration management for important system files • Password management – non-default, complex and unique! OpenStack has users in it • Do not use shared accounts for anything. Just don’t. • Log everything (auth) about a user. Send it somewhere you can find it. Keep it a LONG time.
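Two of the user-side rules above (no shared accounts; log every authentication and keep it where you can find it) only pay off if somebody actually reviews the logs. The following is an added example, not code from the slides or from OpenStack: it parses a constructed, simplified auth-log format (timestamp, result, user, source address; real Keystone or syslog lines differ and need their own parser) and flags two things an auditor asks about, accounts that authenticate from many addresses in a short window (a credential being shared) and bursts of failed logins.

```python
"""Added example (not from the slides): audit checks over authentication
events for a cloud whose rules are "no shared accounts" and "log every
auth, ship it off-box, keep it a long time".

The log format is constructed for this example; real Keystone/syslog
lines differ and would need their own parser.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines: timestamp, result, user, source IP.
SAMPLE_LOG = """\
2014-05-12T09:00:01Z auth=success user=ops-admin src=10.1.0.5
2014-05-12T09:00:07Z auth=success user=ops-admin src=10.1.0.9
2014-05-12T09:00:12Z auth=success user=ops-admin src=10.1.0.33
2014-05-12T09:01:40Z auth=fail user=svc-deploy src=10.2.0.7
2014-05-12T09:01:41Z auth=fail user=svc-deploy src=10.2.0.7
2014-05-12T09:01:42Z auth=fail user=svc-deploy src=10.2.0.7
2014-05-12T09:05:00Z auth=success user=alice src=10.1.0.21
2014-05-12T11:30:00Z auth=success user=ops-admin src=10.1.0.5
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth=(?P<result>\w+) user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse_log(text):
    """Turn raw lines into event dicts; lines that don't match are skipped
    (in production you would count and report them, not drop them)."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append({"ts": ts, "result": m["result"],
                       "user": m["user"], "src": m["src"]})
    return events


def shared_account_candidates(events, window=timedelta(minutes=10), min_sources=3):
    """Accounts with successful logins from >= min_sources distinct addresses
    inside a sliding window: a strong hint that one credential is shared."""
    by_user = defaultdict(list)
    for e in events:
        if e["result"] == "success":
            by_user[e["user"]].append(e)
    flagged = {}
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["ts"])
        for i, start in enumerate(evs):
            srcs = {e["src"] for e in evs[i:] if e["ts"] - start["ts"] <= window}
            if len(srcs) >= min_sources:
                flagged[user] = sorted(srcs)
                break
    return flagged


def failed_auth_bursts(events, threshold=3):
    """(user, source) pairs with at least `threshold` failed logins."""
    counts = defaultdict(int)
    for e in events:
        if e["result"] == "fail":
            counts[(e["user"], e["src"])] += 1
    return {k: v for k, v in counts.items() if v >= threshold}


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("possible shared accounts:", shared_account_candidates(evs))
    print("failed-auth bursts:", failed_auth_bursts(evs))
```

The window and thresholds are deliberately parameters: what counts as "too many sources" for an operator jump host is different from what counts for a service account, and the auditor will want to see the values you chose and why.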
Basic Methodology: Just pretend it’s infrastructure. Hypervisor components • It’s just Linux. Treat it like hardened Linux and lock it down to standards (CIS, NIST) • Have a separate management interface from your production traffic (physical or virtual) • Do not combine security zones within a single hypervisor, because then it’s ALL “in scope” • Audit access, audit changes, be ready to show your work • Be ready to defend decisions to share ports for components. OpenStack software stack • Limited vulnerability scanning in a programmatic way; we have to build our own (Fortify, AppScan) • Getting code from trunk = open source happiness, but have your licenses reviewed! • You still need to code review if CDE data passes through here • Avoid, avoid, avoid actual data getting put in your cloud stack (not guest VMs, those are OK)
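The "don’t combine security zones on one hypervisor" rule is really a statement about how PCI scope propagates: one cardholder-data VM on a host pulls the host, and every other VM on it, into scope. The block below is an added example, not the slides’ or any OpenStack project’s code; it takes a constructed VM placement (hypervisor, VM, zone label) and reports which hosts are in scope, which ones mix zones, and which out-of-scope workloads got dragged in. In a real cloud the placement would come from the scheduler or placement records plus a tenant-to-zone map.

```python
"""Added example (not from the slides): derive PCI scope from VM placement
and flag hypervisors that mix security zones.

The placement below is constructed for this example; a real cloud would
feed this from scheduler/placement records and a tenant-to-zone mapping.
"""

# Constructed placement: hypervisor -> list of (vm, zone).
# "cde" marks the cardholder data environment; anything else is meant
# to stay out of scope.
PLACEMENT = {
    "hv-01": [("web-1", "cde"), ("web-2", "cde")],
    "hv-02": [("db-1", "cde"), ("wiki", "corp")],     # mixed host
    "hv-03": [("build-1", "corp"), ("build-2", "corp")],
    "hv-04": [],                                       # empty host
}


def zones_per_hypervisor(placement):
    """Set of zone labels present on each hypervisor."""
    return {hv: {zone for _, zone in vms} for hv, vms in placement.items()}


def scope_report(placement, in_scope_zones=frozenset({"cde"})):
    """Return which hosts are in scope, which mix zones, and which VMs
    are in scope only because of the host they landed on."""
    zones = zones_per_hypervisor(placement)
    in_scope = sorted(hv for hv, z in zones.items() if z & in_scope_zones)
    mixed = sorted(
        hv for hv, z in zones.items()
        if (z & in_scope_zones) and (z - in_scope_zones)
    )
    # Every VM on a mixed host is pulled into scope, not just the CDE ones.
    dragged_in = sorted(
        vm for hv in mixed
        for vm, zone in placement[hv] if zone not in in_scope_zones
    )
    return {"in_scope": in_scope, "mixed": mixed, "dragged_in": dragged_in}


if __name__ == "__main__":
    for key, value in scope_report(PLACEMENT).items():
        print(f"{key}: {value}")
```

Run regularly against live placement data, the `mixed` list is the thing to drive a host-aggregate or availability-zone fix from, and the `dragged_in` list is what you will otherwise be asked to explain to an assessor.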
Basic Methodology: Just pretend it’s infrastructure. Physical network components? Yep • Firewall rules around the cloud to limit ingress and egress • Monitor what happens on your firewalls, send it somewhere, keep it a LONG time • Make sure the person building your network isn’t the person building your cloud (SOD) • Configuration guidelines exist for most physical installations (avoid virtual for now…) • Automation is fine, but make sure you log it and auto-ticket it. Virtual network components? Nope • Too early in the testing process to rely on virtual versions of components at scale • Okay for intra-tenant traffic with a minimal rule set • Same rules for physical apply to virtual. Has your third party pen-tested and certified their thing?
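"Firewall rules around the cloud to limit ingress and egress" and "a separate management interface from production traffic" are both checkable properties of a ruleset. What follows is an added example, not the slides’ or any vendor’s code: it audits a constructed, first-match-wins ruleset (rule fields, subnets and the management/tenant networks are all invented for the example) for a missing final default-deny, for allow-anything rules, and for any path from the tenant network into the management network.

```python
"""Added example (not from the slides): policy checks over a firewall
ruleset for the boundary around the cloud.

Rule format, subnets and the management/tenant networks are constructed
for this example; adapt the loader to your firewall's export format.
"""
import ipaddress

# Constructed rules, evaluated first-match-wins, top to bottom.
RULES = [
    {"id": 10, "action": "allow", "dir": "ingress",
     "src": "203.0.113.0/24", "dst": "10.10.0.0/16", "port": 443},
    {"id": 20, "action": "allow", "dir": "egress",
     "src": "10.10.0.0/16", "dst": "0.0.0.0/0", "port": "any"},
    {"id": 30, "action": "allow", "dir": "ingress",
     "src": "10.10.0.0/16", "dst": "10.250.0.0/24", "port": 22},
    {"id": 99, "action": "deny", "dir": "ingress",
     "src": "0.0.0.0/0", "dst": "0.0.0.0/0", "port": "any"},
]

MGMT_NET = ipaddress.ip_network("10.250.0.0/24")   # constructed management net
TENANT_NET = ipaddress.ip_network("10.10.0.0/16")  # constructed production net


def _net(s):
    return ipaddress.ip_network(s)


def audit_rules(rules, mgmt=MGMT_NET, tenant=TENANT_NET):
    """Return a list of human-readable findings; empty means the ruleset
    passes these checks (it does not mean the ruleset is correct)."""
    findings = []

    # 1. Each direction must end in an explicit any/any deny.
    for direction in ("ingress", "egress"):
        chain = [r for r in rules if r["dir"] == direction]
        ok = (chain
              and chain[-1]["action"] == "deny"
              and _net(chain[-1]["src"]).prefixlen == 0
              and _net(chain[-1]["dst"]).prefixlen == 0)
        if not ok:
            findings.append(f"{direction}: no final default-deny rule")

    # 2. Inspect every allow rule.
    for r in rules:
        if r["action"] != "allow":
            continue
        src, dst = _net(r["src"]), _net(r["dst"])
        if dst.prefixlen == 0 and r["port"] == "any":
            findings.append(
                f"rule {r['id']}: unrestricted {r['dir']} to anywhere on any port")
        elif src.subnet_of(tenant) and dst.overlaps(mgmt):
            findings.append(
                f"rule {r['id']}: tenant network can reach management network")
    return findings


if __name__ == "__main__":
    for f in audit_rules(RULES):
        print("FINDING:", f)
```

Checks like these belong in the same pipeline that applies automated rule changes: the slide’s "log it, and auto-ticket it" is easiest to satisfy when the audit runs on every proposed change and its output is attached to the ticket.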
Basic Methodology: Just pretend it’s infrastructure. Data? • If it’s cardholder data, controls become interesting very quickly • Storing things encrypted at rest in VMs means you can’t use OpenStack components • HSM, crypto and key management required • User management, controls over data, logging: all of the standard stuff is needed
For more information, please contact: Scott Carlson sccarlson@paypal.com @relaxed137