Scott Carlson, profile picture
Uploaded byScott Carlson
PDF, PPTX379 views

RSA 2015 Realities of Private Cloud Security

The document discusses the security methodologies and compliance requirements for private cloud environments, particularly in relation to PayPal's operations. It emphasizes creating a secure architecture, responsive management practices, and adhering to various compliance standards like PCI-DSS and HIPAA. Additionally, it recommends continuous monitoring, vulnerability scanning, and a proactive approach to patching and security assessments to ensure robust cloud security.

Embed presentation

Download as PDF, PPTX
SESSION ID: #RSAC Scott Carlson – PayPal Realities of Private Cloud Security CSV-F03 @relaxed137
#RSAC Cloud Design Principals, traditional Data Center Deploy from Templates Any Image, Anywhere Automatically scale up/down workloads Follow devops auto-deployments CI/CD Respond to intra-cloud events ELASTIC VIRTUAL PCI-DSS 2.0 and 3.0 Local Country RequirementsSECURE PayPal Cloud & Software Defined Data Center 2
#RSAC Compliance <> Security Secure Compliant PCI DSS HIPAA / HITECH SOX FedRAMP/FISMA ISO/IEC 27001-2005 NIST SP800-53
#RSAC @ http://xkcd.com used with permission under Creative commons License 4
#RSAC Compliance Requirements of PayPal ✔ ✔ 5 Compliant with PCI-DSS 2.0 Standards Non-US locations compliant with local country regulations
#RSAC Be patched, be compliant, be hardened, be layered, don’t let data leave your network Log it all; parse it all; sesame street logic; leave no stone unturnedDETECT PREVENT Quarantine; active defense; mitigate; high priority patches; bug fixes; block ports; kill data streams; sever connections RESPOND What is Secure 6
#RSAC Are there any Private Cloud Standards? … Hardly … Cloud Controls Matrix 3.0.1 – release date 7/2015 https://cloudsecurityalliance.org/download/cloud-controls-matrix-v3-0-1/ PCI DSS Virtualization Guidelines https://www.pcisecuritystandards.org/documents/Virtualization_InfoSupp_v2.pdf PCI DSS Cloud Computing Guidelines https://www.pcisecuritystandards.org/pdfs/PCI_DSS_v2_Cloud_Guidelines.pdf NIST Special Publication 800-144 http://csrc.nist.gov/publications/nistpubs/800-144/SP800-144.pdf 7
#RSAC What about Public Cloud? A lot of vendors have been upping their game with security in the public cloud. If your organization does not have an Information Security organization, you do not run your own data center, or you just flat out don’t know where to begin, there are public cloud solutions that can meet most information security requirements today. … This talk is not about the Public Cloud … 8
#RSAC Our Methodology – Private Cloud Security 9  Don’t make it too hard – it’s just mostly infrastructure  Adapt FAST  Developers & “AAS” Washing changes the access paradigm (2FA + RBAC anyone?)  3rd-party applications sitting on a cloud are still just 3rd-party applications  Home-grown application sitting on a cloud are still just home-grown applications  Cross-managing “in-scope” and “out-of-scope” environments is fraught with peril. Tread Lightly…  The minute something is created in the cloud, it is subject to the requirements. Existence = production because it could be compromised, attacked, …
#RSAC Agile Quick and well-coordinated in movement; marked by an ability to think quickly; intellectual acuity  Consider everything dirty… examine it… spray the bad parts… clean it… use machines to do the dirty work  Run traffic over it… verify assumptions… send it back to the wash if needed… deliver to customer… use it yourself  Check your work… check new versions… talk to new people… find all of the new and exciting ways people are doing things 10
#RSAC Basic Methodology Just pretend it is infrastructure OpenStack has servers in it  Hardware configured and dedicated to the cloud  Hypervisor/Build Image meeting NIST/CIS standard templates  Vulnerability Scanning with third-party tooling  Patching 7-, 30-, 90-day windows with vendor provided patches  Configuration Management for important system files  Password Management – non-default, complex and unique! OpenStack has users in it  Do not use shared accounts for anything. Just don’t  Log everything (auth) about a user. Send it somewhere you can find it. Keep it a LONG time  Define a Role, Add People to the Role, Attest the Role  Multi-Factor Tokens!!!!  All cloud actions tied back to an individual user 11
#RSAC Basic Methodology Just pretend it is infrastructure Hypervisor Components  It’s just “Linux”. Treat it like hardened “Linux” and lock it down to standards (CIS, NIST)  Have a separate management interface from your production traffic (physical or virtual)  Do not combine security zones within a single hypervisor because then it’s ALL “in-scope”  Audit access, audit changes, be ready to show your work  Be ready to defend decisions to share ports for components OpenStack Software Stack  Limited vulnerability scanning in a programmatic way, have to build your own (Fortify, AppScan)  Getting code from Trunk = Open Source Happiness, but have your licenses reviewed!  You still need to code review if CDE passes through here  Avoid Avoid Avoid actual data getting put in your cloud stack (not guest VMs, those are ok) 12
#RSAC Basic Methodology Just pretend it is infrastructure Physical Network Components  Firewall rules around the cloud to limit ingress and egress (is iptables a firewall?)  Monitor what happens on your firewalls, send it somewhere, keep it a LONG time  Make sure the person building your network isn’t the person building your cloud (SOD)  Configuration guidelines exist for most physical installations (avoid virtual for now…)  Automation is fine, but make sure you log it and auto-ticket it Virtual Network Components  Too early in the testing process to rely on virtual versions of components at scale [ No standards, Auditor Support ]  Okay for intra-tenant traffic with minimal rule set  Same rules for physical apply to virtual. Has your third-party pen-tested and certified their thing? 13
#RSAC @ http://xkcd.com used with permission under Creative commons License 14
#RSAC Basic Methodology Just pretend it is infrastructure Data  If it’s card-holder data, controls become interesting very quickly  Encrypt your data PRIOR to writing it to databases/repositories  Storing things encrypted at rest in VMs mean you can’t use OpenStack components  HSM, crypto, key management required  User management, controls over data, logging, all of the standard stuff needed 15
#RSAC Basic Methodology Just pretend it is infrastructure “As a Service” Tooling  Role-based access  2FA to “in-scope” environments  TLS on EVERYTHING  Don’t pass your tokens around, expire them quickly  Don’t rely on credentials from the wrong environment!  Always check for software vulnerabilities in your code  NOTHING goes into production without passing the sanity test… NOTHING 16
#RSAC Basic Methodology Just pretend it is infrastructure Central Management Considerations  Make all of your management control planes trusted  It is NEVER okay to talk from a lower-trust environment into a higher-trust environment  It is better to expose a protected web front-end than keep the “manager” in an untrusted zone  If your control plane is compromised, your cloud is toast. Cloud expands the cascade of compromise across your whole environment depending on your control plane and availability zones  Deleting your cloud as an attack is just the same as a compromise sometimes 17
#RSAC Secure is not a permanent state 18
#RSAC Security can not work effectively unless you have agility 19
#RSAC How to apply this to your own environment?  Look into how you are using your cloud today  Verify the security controls and regulatory controls you need  Do the basics discussed here  Pen Test your cloud  Resolve the findings, and then start iterating and making more secure!  Get involved to fix industry standards so that private clouds are people too! 20
#RSAC For more information, please contact: Scott Carlson sccarlson@paypal.com @relaxed137

More Related Content

PDF
Aspirin as a Service: Using the Cloud to Cure Security Headaches
byPriyanka Aash
 
PPTX
How to Implement Snowflake Security Best Practices with Panther
byPanther Labs
 
PDF
CLOUD SECURITY ESSENTIALS 2.0 Full Stack Hacking & Recovery
byPriyanka Aash
 
PDF
Realities of Data Security
byPriyanka Aash
 
PDF
Take It to the Cloud: The Evolution of Security Architecture
byPriyanka Aash
 
PDF
Attacks on Critical Infrastructure: Insights from the “Big Board”
byPriyanka Aash
 
PDF
Applying Auto-Data Classification Techniques for Large Data Sets
byPriyanka Aash
 
PDF
Smart Megalopolises. How Safe and Reliable Is Your Data?
byPriyanka Aash
 
Aspirin as a Service: Using the Cloud to Cure Security Headaches
byPriyanka Aash
 
How to Implement Snowflake Security Best Practices with Panther
byPanther Labs
 
CLOUD SECURITY ESSENTIALS 2.0 Full Stack Hacking & Recovery
byPriyanka Aash
 
Realities of Data Security
byPriyanka Aash
 
Take It to the Cloud: The Evolution of Security Architecture
byPriyanka Aash
 
Attacks on Critical Infrastructure: Insights from the “Big Board”
byPriyanka Aash
 
Applying Auto-Data Classification Techniques for Large Data Sets
byPriyanka Aash
 
Smart Megalopolises. How Safe and Reliable Is Your Data?
byPriyanka Aash
 

What's hot

PPTX
QRadar, ArcSight and Splunk
byM sharifi
 
PDF
Incident response-in-the-cloud
byPriyanka Aash
 
PDF
Security Breakout Session
bySplunk
 
PPTX
Modern Security Operations & Common Roles/Competencies
byHarry McLaren
 
PDF
BeyondCorp and Zero Trust
byIvan Dwyer
 
PDF
BeyondCorp - Google Security for Everyone Else
byIvan Dwyer
 
PDF
SAP Cloud security overview 2.0
byRasmi Swain
 
PPTX
Customer Story: Scaling Security With Detections-as-Code
byPanther Labs
 
PPTX
Log management principle and usage
byBikrant Gautam
 
PDF
Crypto 101: Encryption, Codebreaking, SSL and Bitcoin
byPriyanka Aash
 
PPTX
SBRC'17 discussion panel about NFV and SDN
bySébastien Tandel
 
PPTX
PCI: Building Compliant Applications in the Public Cloud - RightScale Compute...
byRightScale
 
PDF
How Google Protects Its Corporate Security Perimeter without Firewalls
byPriyanka Aash
 
PDF
Annual OktCyberfest 2019
byFahad Al-Hasan
 
PDF
ITrust Security Operating Center (SOC) - Datasheet EN
byITrust - Cybersecurity as a Service
 
PDF
Ken Czekaj & Robert Wright - Leveraging APM NPM Solutions to Compliment Cyber...
bycentralohioissa
 
PDF
BeyondCorp: Closing the Adherence Gap
byIvan Dwyer
 
PDF
So You Want a Threat Intelligence Function (But Were Afraid to Ask)
byLancope, Inc.
 
PPTX
The Threat Is Real. Protect Yourself.
by2nd Sight Lab
 
PPTX
Getting Started with Splunk Enterprise
bySplunk
 
QRadar, ArcSight and Splunk
byM sharifi
 
Incident response-in-the-cloud
byPriyanka Aash
 
Security Breakout Session
bySplunk
 
Modern Security Operations & Common Roles/Competencies
byHarry McLaren
 
BeyondCorp and Zero Trust
byIvan Dwyer
 
BeyondCorp - Google Security for Everyone Else
byIvan Dwyer
 
SAP Cloud security overview 2.0
byRasmi Swain
 
Customer Story: Scaling Security With Detections-as-Code
byPanther Labs
 
Log management principle and usage
byBikrant Gautam
 
Crypto 101: Encryption, Codebreaking, SSL and Bitcoin
byPriyanka Aash
 
SBRC'17 discussion panel about NFV and SDN
bySébastien Tandel
 
PCI: Building Compliant Applications in the Public Cloud - RightScale Compute...
byRightScale
 
How Google Protects Its Corporate Security Perimeter without Firewalls
byPriyanka Aash
 
Annual OktCyberfest 2019
byFahad Al-Hasan
 
ITrust Security Operating Center (SOC) - Datasheet EN
byITrust - Cybersecurity as a Service
 
Ken Czekaj & Robert Wright - Leveraging APM NPM Solutions to Compliment Cyber...
bycentralohioissa
 
BeyondCorp: Closing the Adherence Gap
byIvan Dwyer
 
So You Want a Threat Intelligence Function (But Were Afraid to Ask)
byLancope, Inc.
 
The Threat Is Real. Protect Yourself.
by2nd Sight Lab
 
Getting Started with Splunk Enterprise
bySplunk
 

Viewers also liked

PPTX
Yet Another Dan Kaminsky Talk (Black Ops 2014)
byDan Kaminsky
 
PPTX
Security Configuration Management for Dummies
byTripwire
 
PDF
AusCERT - Mikko Hypponen
byMikko Hypponen
 
PPTX
The RMF: New Emphasis on the Risk Management Framework for Government Organiz...
byTripwire
 
PDF
Tactical Edge - How Much Security Do You Really Need?
byWendy Nather
 
PPTX
Just Trust Everyone and We Will Be Fine, Right?
byScott Carlson
 
ODP
Break it while you make it: writing (more) secure software
byLeigh Honeywell
 
PDF
Distributed Denial Of Service Introduction
bywremes
 
PDF
Neira jones pci london january 2013 pdf ready
byNeira Jones
 
PDF
RDF and other linked data standards — how to make use of big localization data
byDave Lewis
 
PPTX
The dark side of the internet
byBrian Honan
 
PPTX
Data security brian honan
byBrian Honan
 
PPTX
How to Make a Decent PowerPoint
byAdam Fowler
 
PDF
The InfoSec Avengers
byTripwire
 
Yet Another Dan Kaminsky Talk (Black Ops 2014)
byDan Kaminsky
 
Security Configuration Management for Dummies
byTripwire
 
AusCERT - Mikko Hypponen
byMikko Hypponen
 
The RMF: New Emphasis on the Risk Management Framework for Government Organiz...
byTripwire
 
Tactical Edge - How Much Security Do You Really Need?
byWendy Nather
 
Just Trust Everyone and We Will Be Fine, Right?
byScott Carlson
 
Break it while you make it: writing (more) secure software
byLeigh Honeywell
 
Distributed Denial Of Service Introduction
bywremes
 
Neira jones pci london january 2013 pdf ready
byNeira Jones
 
RDF and other linked data standards — how to make use of big localization data
byDave Lewis
 
The dark side of the internet
byBrian Honan
 
Data security brian honan
byBrian Honan
 
How to Make a Decent PowerPoint
byAdam Fowler
 
The InfoSec Avengers
byTripwire
 

Similar to RSA 2015 Realities of Private Cloud Security

PPTX
Cloud Security Essentials 2.0 at RSA
byShannon Lietz
 
PDF
DevSecOps in Baby Steps
byPriyanka Aash
 
PDF
DevSecOps in Baby Steps
byPriyanka Aash
 
PDF
2024_USA24_CLS-W08_01_Breaking-the-Cloud-to-Rebuild-it-A-Tale-of-3-☁️-Breache...
byArvind Yadav
 
PDF
Cloud Breach – Preparation and Response
byPriyanka Aash
 
PDF
Cloud Breach – Preparation and Response
byPriyanka Aash
 
PDF
Building and Adopting a Cloud-Native Security Program
byPriyanka Aash
 
PDF
Cloud security : Automate or die
byPriyanka Aash
 
PDF
Pragmatic Security Automation for Cloud
byPriyanka Aash
 
PPTX
Get Your Head in the Cloud: A Practical Model for Enterprise Cloud Security
bySymantec
 
PDF
Red team-view-gaps-in-the-serverless-application-attack-surface
byPriyanka Aash
 
PDF
Whose Cloud is It Anyway - Data Security in the Cloud
bySafeNet
 
PDF
Secure Cloud Development Resources with DevOps
byCloudPassage
 
PDF
Hardening the cloud : Assuring agile security in high-growth environments
byPriyanka Aash
 
PPTX
Will Your Cloud Be Compliant? OpenStack Security
byScott Carlson
 
PPTX
Rik Ferguson
byCloudExpoEurope
 
PPTX
Key Design Considerations Private and Hybrid Clouds - RightScale Compute 2013
byRightScale
 
PPTX
API Security: Assume Possible Interference
byJulie Tsai
 
PPTX
Yes, you can be pci compliant using a public iaas cloud a case study by phi...
byKhazret Sapenov
 
PDF
Cloud Security Summit - InfoSec World 2014
byBill Burns
 
Cloud Security Essentials 2.0 at RSA
byShannon Lietz
 
DevSecOps in Baby Steps
byPriyanka Aash
 
DevSecOps in Baby Steps
byPriyanka Aash
 
2024_USA24_CLS-W08_01_Breaking-the-Cloud-to-Rebuild-it-A-Tale-of-3-☁️-Breache...
byArvind Yadav
 
Cloud Breach – Preparation and Response
byPriyanka Aash
 
Cloud Breach – Preparation and Response
byPriyanka Aash
 
Building and Adopting a Cloud-Native Security Program
byPriyanka Aash
 
Cloud security : Automate or die
byPriyanka Aash
 
Pragmatic Security Automation for Cloud
byPriyanka Aash
 
Get Your Head in the Cloud: A Practical Model for Enterprise Cloud Security
bySymantec
 
Red team-view-gaps-in-the-serverless-application-attack-surface
byPriyanka Aash
 
Whose Cloud is It Anyway - Data Security in the Cloud
bySafeNet
 
Secure Cloud Development Resources with DevOps
byCloudPassage
 
Hardening the cloud : Assuring agile security in high-growth environments
byPriyanka Aash
 
Will Your Cloud Be Compliant? OpenStack Security
byScott Carlson
 
Rik Ferguson
byCloudExpoEurope
 
Key Design Considerations Private and Hybrid Clouds - RightScale Compute 2013
byRightScale
 
API Security: Assume Possible Interference
byJulie Tsai
 
Yes, you can be pci compliant using a public iaas cloud a case study by phi...
byKhazret Sapenov
 
Cloud Security Summit - InfoSec World 2014
byBill Burns
 

More from Scott Carlson

PPTX
You Can't Correlate what you don't have - ArcSight Protect 2011
byScott Carlson
 
PPTX
DCD Converged Brazil 2016
byScott Carlson
 
PDF
What are Blockchain & Tokens and are they useful ?
byScott Carlson
 
PDF
RSA 2016 Realities of Data Security
byScott Carlson
 
PPTX
RSA APJ - BLOCKCHAIN SECURITY – IS IT REALLY DIFFERENT THAN ANYTHING ELSE ?
byScott Carlson
 
PDF
Marriage of ESX and OpenStack - PayPal - VMWorld US 2013
byScott Carlson
 
PPTX
Marriage of Openstack with KVM and ESX at PayPal OpenStack Summit Hong Kong F...
byScott Carlson
 
PPTX
Interop Las Vegas Cloud Connect Summit 2014 - Software Defined Data Center
byScott Carlson
 
PPTX
High Availability OpenStack at PayPal - OpenStack Summit Fall Hong Kong 2013
byScott Carlson
 
PDF
HP Enterprise Security Customer Case Study - Apollo Group
byScott Carlson
 
PPTX
Trust But Control: Managing Privileges without killing productivity
byScott Carlson
 
PPTX
Can Security & Agility Co-Exist
byScott Carlson
 
PDF
McAfee Focus 2011 - Security in the Age of a Mobile Workforce and Mobile Devices
byScott Carlson
 
You Can't Correlate what you don't have - ArcSight Protect 2011
byScott Carlson
 
DCD Converged Brazil 2016
byScott Carlson
 
What are Blockchain & Tokens and are they useful ?
byScott Carlson
 
RSA 2016 Realities of Data Security
byScott Carlson
 
RSA APJ - BLOCKCHAIN SECURITY – IS IT REALLY DIFFERENT THAN ANYTHING ELSE ?
byScott Carlson
 
Marriage of ESX and OpenStack - PayPal - VMWorld US 2013
byScott Carlson
 
Marriage of Openstack with KVM and ESX at PayPal OpenStack Summit Hong Kong F...
byScott Carlson
 
Interop Las Vegas Cloud Connect Summit 2014 - Software Defined Data Center
byScott Carlson
 
High Availability OpenStack at PayPal - OpenStack Summit Fall Hong Kong 2013
byScott Carlson
 
HP Enterprise Security Customer Case Study - Apollo Group
byScott Carlson
 
Trust But Control: Managing Privileges without killing productivity
byScott Carlson
 
Can Security & Agility Co-Exist
byScott Carlson
 
McAfee Focus 2011 - Security in the Age of a Mobile Workforce and Mobile Devices
byScott Carlson
 

Recently uploaded

PPTX
Enhancing Web Security: Key Concepts & Strategies.pptx
byParham Abolghasemi
 
PDF
Supercharge Your JVM with Project Leyden
byAna-Maria Mihalceanu
 
PDF
Unveiling the Basics of Agentic AI - OSUG Mumbai
bythesubuiyer
 
PPTX
GenAI GraphTalk - Kuala Lumpur - 4 Nov 2025
bygourisachdeva2
 
PDF
Transparency Exchange API: How Do You Find the SBOM for a Smart Light Bulb?
byPavel Shukhman
 
PDF
#MakeAIMatter for HR Professionals | AI Transformation Workshop by Tekdi Tech...
byParth Lawate
 
PDF
Cybersecurity in ASEAN and Singapore Columbia SIPA 2025.pdf
byBenjamin Ang
 
PDF
Do more with the HP Z2 Mini G1a
byPrincipled Technologies
 
PDF
The Complete Crypto Airdrop Playbook: Strategies, Scams & Success Stories | 3...
by3verseTV
 
PDF
Upskill to Agentic Automation - Accelerating Your Job Search using AI
byDianaGray10
 
PDF
Wrapping up unowned UTF8 C strings: CStringView
byIgalia
 
PDF
Dr. Robert Krug - Specializes In Predictive Modeling
byDr. Robert Krug
 
PDF
Catalog Data - Keys to the Kingdom.pdf‎ ‎
byPrecisely
 
PDF
Q3'25 Financial Results and Earnings Presentation
byDropbox
 
PDF
How to not make bugs (in JSC), and the future of 32-bits
byIgalia
 
PDF
Career Blueprint: Mentor Tracks & Career Clinic - Part 2
byDianaGray10
 
PDF
ENTSO-E's Response to the European Commission Call for Evidence on the Strate...
byReynir Orn Bachmann Gudmundsson
 
PDF
Control Access to Files - RHCSA (RH124).pdf
byLinuxCert Guru
 
PDF
Manage Local Users and Groups - RHCSA (RH124)
byLinuxCert Guru
 
PPTX
A GREEN BUSINESS TOOLKIT FOR EARLY-STAGE ENTREPRENEURS (1).pptx.pptx
bylearnskillsofficial1
 
Enhancing Web Security: Key Concepts & Strategies.pptx
byParham Abolghasemi
 
Supercharge Your JVM with Project Leyden
byAna-Maria Mihalceanu
 
Unveiling the Basics of Agentic AI - OSUG Mumbai
bythesubuiyer
 
GenAI GraphTalk - Kuala Lumpur - 4 Nov 2025
bygourisachdeva2
 
Transparency Exchange API: How Do You Find the SBOM for a Smart Light Bulb?
byPavel Shukhman
 
#MakeAIMatter for HR Professionals | AI Transformation Workshop by Tekdi Tech...
byParth Lawate
 
Cybersecurity in ASEAN and Singapore Columbia SIPA 2025.pdf
byBenjamin Ang
 
Do more with the HP Z2 Mini G1a
byPrincipled Technologies
 
The Complete Crypto Airdrop Playbook: Strategies, Scams & Success Stories | 3...
by3verseTV
 
Upskill to Agentic Automation - Accelerating Your Job Search using AI
byDianaGray10
 
Wrapping up unowned UTF8 C strings: CStringView
byIgalia
 
Dr. Robert Krug - Specializes In Predictive Modeling
byDr. Robert Krug
 
Catalog Data - Keys to the Kingdom.pdf‎ ‎
byPrecisely
 
Q3'25 Financial Results and Earnings Presentation
byDropbox
 
How to not make bugs (in JSC), and the future of 32-bits
byIgalia
 
Career Blueprint: Mentor Tracks & Career Clinic - Part 2
byDianaGray10
 
ENTSO-E's Response to the European Commission Call for Evidence on the Strate...
byReynir Orn Bachmann Gudmundsson
 
Control Access to Files - RHCSA (RH124).pdf
byLinuxCert Guru
 
Manage Local Users and Groups - RHCSA (RH124)
byLinuxCert Guru
 
A GREEN BUSINESS TOOLKIT FOR EARLY-STAGE ENTREPRENEURS (1).pptx.pptx
bylearnskillsofficial1
 

RSA 2015 Realities of Private Cloud Security

  • 1.
    SESSION ID: #RSAC Scott Carlson– PayPal Realities of Private Cloud Security CSV-F03 @relaxed137
  • 2.
    #RSAC Cloud Design Principals,traditional Data Center Deploy from Templates Any Image, Anywhere Automatically scale up/down workloads Follow devops auto-deployments CI/CD Respond to intra-cloud events ELASTIC VIRTUAL PCI-DSS 2.0 and 3.0 Local Country RequirementsSECURE PayPal Cloud & Software Defined Data Center 2
  • 3.
    #RSAC Compliance <> Security SecureCompliant PCI DSS HIPAA / HITECH SOX FedRAMP/FISMA ISO/IEC 27001-2005 NIST SP800-53
  • 4.
  • 5.
    #RSAC Compliance Requirements ofPayPal ✔ ✔ 5 Compliant with PCI-DSS 2.0 Standards Non-US locations compliant with local country regulations
  • 6.
    #RSAC Be patched, becompliant, be hardened, be layered, don’t let data leave your network Log it all; parse it all; sesame street logic; leave no stone unturnedDETECT PREVENT Quarantine; active defense; mitigate; high priority patches; bug fixes; block ports; kill data streams; sever connections RESPOND What is Secure 6
  • 7.
    #RSAC Are there anyPrivate Cloud Standards? … Hardly … Cloud Controls Matrix 3.0.1 – release date 7/2015 https://cloudsecurityalliance.org/download/cloud-controls-matrix-v3-0-1/ PCI DSS Virtualization Guidelines https://www.pcisecuritystandards.org/documents/Virtualization_InfoSupp_v2.pdf PCI DSS Cloud Computing Guidelines https://www.pcisecuritystandards.org/pdfs/PCI_DSS_v2_Cloud_Guidelines.pdf NIST Special Publication 800-144 http://csrc.nist.gov/publications/nistpubs/800-144/SP800-144.pdf 7
  • 8.
    #RSAC What about PublicCloud? A lot of vendors have been upping their game with security in the public cloud. If your organization does not have an Information Security organization, you do not run your own data center, or you just flat out don’t know where to begin, there are public cloud solutions that can meet most information security requirements today. … This talk is not about the Public Cloud … 8
  • 9.
    #RSAC Our Methodology –Private Cloud Security 9  Don’t make it too hard – it’s just mostly infrastructure  Adapt FAST  Developers & “AAS” Washing changes the access paradigm (2FA + RBAC anyone?)  3rd-party applications sitting on a cloud are still just 3rd-party applications  Home-grown application sitting on a cloud are still just home-grown applications  Cross-managing “in-scope” and “out-of-scope” environments is fraught with peril. Tread Lightly…  The minute something is created in the cloud, it is subject to the requirements. Existence = production because it could be compromised, attacked, …
  • 10.
    #RSAC Agile Quick and well-coordinatedin movement; marked by an ability to think quickly; intellectual acuity  Consider everything dirty… examine it… spray the bad parts… clean it… use machines to do the dirty work  Run traffic over it… verify assumptions… send it back to the wash if needed… deliver to customer… use it yourself  Check your work… check new versions… talk to new people… find all of the new and exciting ways people are doing things 10
  • 11.
    #RSAC Basic Methodology Just pretendit is infrastructure OpenStack has servers in it  Hardware configured and dedicated to the cloud  Hypervisor/Build Image meeting NIST/CIS standard templates  Vulnerability Scanning with third-party tooling  Patching 7-, 30-, 90-day windows with vendor provided patches  Configuration Management for important system files  Password Management – non-default, complex and unique! OpenStack has users in it  Do not use shared accounts for anything. Just don’t  Log everything (auth) about a user. Send it somewhere you can find it. Keep it a LONG time  Define a Role, Add People to the Role, Attest the Role  Multi-Factor Tokens!!!!  All cloud actions tied back to an individual user 11
  • 12.
    #RSAC Basic Methodology Just pretendit is infrastructure Hypervisor Components  It’s just “Linux”. Treat it like hardened “Linux” and lock it down to standards (CIS, NIST)  Have a separate management interface from your production traffic (physical or virtual)  Do not combine security zones within a single hypervisor because then it’s ALL “in-scope”  Audit access, audit changes, be ready to show your work  Be ready to defend decisions to share ports for components OpenStack Software Stack  Limited vulnerability scanning in a programmatic way, have to build your own (Fortify, AppScan)  Getting code from Trunk = Open Source Happiness, but have your licenses reviewed!  You still need to code review if CDE passes through here  Avoid Avoid Avoid actual data getting put in your cloud stack (not guest VMs, those are ok) 12
  • 13.
    #RSAC Basic Methodology Just pretendit is infrastructure Physical Network Components  Firewall rules around the cloud to limit ingress and egress (is iptables a firewall?)  Monitor what happens on your firewalls, send it somewhere, keep it a LONG time  Make sure the person building your network isn’t the person building your cloud (SOD)  Configuration guidelines exist for most physical installations (avoid virtual for now…)  Automation is fine, but make sure you log it and auto-ticket it Virtual Network Components  Too early in the testing process to rely on virtual versions of components at scale [ No standards, Auditor Support ]  Okay for intra-tenant traffic with minimal rule set  Same rules for physical apply to virtual. Has your third-party pen-tested and certified their thing? 13
  • 14.
  • 15.
    #RSAC Basic Methodology Just pretendit is infrastructure Data  If it’s card-holder data, controls become interesting very quickly  Encrypt your data PRIOR to writing it to databases/repositories  Storing things encrypted at rest in VMs mean you can’t use OpenStack components  HSM, crypto, key management required  User management, controls over data, logging, all of the standard stuff needed 15
  • 16.
    #RSAC Basic Methodology Just pretendit is infrastructure “As a Service” Tooling  Role-based access  2FA to “in-scope” environments  TLS on EVERYTHING  Don’t pass your tokens around, expire them quickly  Don’t rely on credentials from the wrong environment!  Always check for software vulnerabilities in your code  NOTHING goes into production without passing the sanity test… NOTHING 16
  • 17.
    #RSAC Basic Methodology Just pretendit is infrastructure Central Management Considerations  Make all of your management control planes trusted  It is NEVER okay to talk from a lower-trust environment into a higher-trust environment  It is better to expose a protected web front-end than keep the “manager” in an untrusted zone  If your control plane is compromised, your cloud is toast. Cloud expands the cascade of compromise across your whole environment depending on your control plane and availability zones  Deleting your cloud as an attack is just the same as a compromise sometimes 17
  • 18.
    #RSAC Secure is nota permanent state 18
  • 19.
    #RSAC Security can notwork effectively unless you have agility 19
  • 20.
    #RSAC How to applythis to your own environment?  Look into how you are using your cloud today  Verify the security controls and regulatory controls you need  Do the basics discussed here  Pen Test your cloud  Resolve the findings, and then start iterating and making more secure!  Get involved to fix industry standards so that private clouds are people too! 20
  • 21.
    #RSAC For more information,please contact: Scott Carlson [email protected] @relaxed137