Dome9 Security
THE LEADING CLOUD INFRASTRUCTURE SECURITY PLATFORM
Patrick Pushor, Director Sales & Field Engineering
patrick@dome9.com
What’s the Cost of Non-PCI Compliance in the Cloud? (and what can I do about it?)
It Happened … Again
“Macy's confirmed that some customers shopping online at Macys.com and Bloomingdales.com between April 26 and June 12 could have had their personal information and credit card details exposed to a third party.”
What Is The PCI DSS Standard?
The Payment Card Industry Data Security Standard (PCI DSS) is not a law. It is a contractual requirement set by the card brands and enforced on merchants through their acquiring banks.
What are the noncompliance fines?
• $5,000-100,000 fine for noncompliance, sized by the acquiring bank on the basis of a forensic audit
• Fines accumulate monthly for as long as the noncompliance persists
• $50-90 fine per breached record
• Fines can be negotiable
Why Do People Hate PCI-DSS? (and most other standards)
• Merchants want a delightful user experience. Security, or the perception of it, is seen as adding complexity and friction for the customer
• It costs a lot of money. “I will have to hire, train, or pay consultants”
• “I’ll take the risk, and pay the fine if something happens”
• Lack of full understanding of, and visibility into, the network and compute estate
• “It’s just a nuisance that doesn’t really make me secure”
• Not associating the requirements and controls with real-life operations and rules
• “Let’s hide it. Let’s not even talk about it. It will be OK”
Equifax Breach: The Risks Of A Careless, Arrogant Attitude
Patching process timeline for Apache Struts CVE-2017-5638:
• Aug 2012: bug introduced
• Nov 2012: Struts 2.3 released
• May 2016: Struts 2.5 released
• Mar 6, 2017: patch available
• Mar 14, 2017: NVD details published
• May 13, 2017: Equifax hacked
• Jul 29, 2017: breach discovered
• Sep 15, 2017: Equifax press release
More than two months separated the availability of the patch from the intrusion, and another two and a half months passed before the breach was discovered.
via eSecurity Planet: ”It’s no surprise that Web application attacks are the leading cause of large breaches. The *average* Web application or API has 26.7 serious vulnerabilities. And organizations often have hundreds, thousands, or even tens of thousands of applications.”
Question: Was Equifax PCI Compliant?
Equifax Breach: The Risks Of A Careless, Arrogant Attitude
Equifax Regulatory Landscape:
● Fair Credit Reporting Act
● Gramm-Leach-Bliley Act
● Unfair, Deceptive, or Abusive Acts and Practices
● Service provider relationships
● No PCI compliance. No real security practices
What can we learn?
● Encrypt like there's no tomorrow
● Patch like your life depends on it
● Have incident response procedures in place, because head-in-the-sand will not make it go away
● Advocate for a national cybersecurity standard
"Was the fact that [customer] data remained unencrypted at rest the result of an oversight, or was that a decision that was made to manage that data unencrypted at rest?" Gardner asked Smith [ex-Equifax CEO]. Smith pointed out that encryption at rest is just one method of security, but eventually confirmed that a decision was made to leave customer data unencrypted at rest. "So, a decision was made to leave it unencrypted at rest?" Gardner pushed. "Correct," Smith responded.
How Much Does A Breach Cost?
The 2017 Cost of Data Breach Study from the Ponemon Institute, sponsored by IBM, puts the global average cost at $3.6 million ($7.3M in the US), or $141 per data record.
It’s Much More Than The Cost of Data
[Chart: the breakdown of the cost of an enterprise security breach]
Embarrassingly Easy: Grab Cloud Credentials From GitHub
Why do attackers bother?
• Gain access to the account
• Steal data, card numbers, PINs
• Host spam and phishing infrastructure
• Spin up expensive cryptomining instances on your bill
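The cheapest defence against the GitHub credential leak described above is to scan a checkout for AWS key material before it is pushed. The following is an added example, not code from the Dome9 deck: it looks for the well-known AWS access key ID shape (AKIA/ASIA plus 16 uppercase alphanumerics) and for 40-character secret-key candidates next to a "secret" label, and uses Shannon entropy to drop placeholders such as a row of x's. The sample files, the entropy threshold of 3.5 bits per character and the directory layout are constructed for the demo; the two key values are the documentation placeholders AWS itself publishes.

```python
"""Added example (not from the Dome9 deck): scan a source tree for leaked
AWS credentials before they reach GitHub.

Assumptions: AWS key formats as documented (access key IDs start with
AKIA/ASIA and are 20 characters; secret keys are 40 base64-alphabet chars).
The sample files written by demo() are constructed for this demo.
"""
import math
import os
import re
import tempfile
from collections import Counter

# AWS access key IDs: 4-char prefix + 16 uppercase alphanumerics.
ACCESS_KEY_RE = re.compile(r"\b((?:AKIA|ASIA)[A-Z0-9]{16})\b")
# Candidate secret keys: 40 base64-alphabet chars shortly after a 'secret' label.
SECRET_KEY_RE = re.compile(
    r"(?i)(?:aws_secret_access_key|secret)[^\n]{0,20}?['\"=:\s]([A-Za-z0-9/+=]{40})\b"
)
ENTROPY_THRESHOLD = 3.5  # bits per character; assumed cut-off for 'looks random'

def shannon_entropy(s: str) -> float:
    """Bits per character; real secrets are high-entropy, placeholders are not."""
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def scan_text(text: str, path: str = "<memory>") -> list:
    """Return findings as (path, line_no, kind, value) tuples."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for m in ACCESS_KEY_RE.finditer(line):
            findings.append((path, line_no, "aws_access_key_id", m.group(1)))
        for m in SECRET_KEY_RE.finditer(line):
            candidate = m.group(1)
            # Skip low-entropy values such as 'xxxx...' padding or repeated chars.
            if shannon_entropy(candidate) >= ENTROPY_THRESHOLD:
                findings.append((path, line_no, "aws_secret_access_key", candidate))
    return findings

def scan_tree(root: str, skip_dirs=(".git", "node_modules")) -> list:
    """Walk a checkout and scan every file that decodes as UTF-8 text."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d not in skip_dirs]
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "r", encoding="utf-8", errors="strict") as fh:
                    findings.extend(scan_text(fh.read(), path))
            except (UnicodeDecodeError, OSError):
                continue  # binary or unreadable: not a text secret
    return findings

# Constructed sample repo: one real-looking leak, one placeholder that must not fire.
SAMPLE_FILES = {
    "config/settings.py": (
        "AWS_ACCESS_KEY_ID = 'AKIAIOSFODNN7EXAMPLE'\n"
        "AWS_SECRET_ACCESS_KEY = 'wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY'\n"
    ),
    "README.md": "Set aws_secret_access_key = " + "x" * 40 + "\n",
}

def demo() -> list:
    """Write the sample files to a temp dir, scan it, return findings with relative paths."""
    with tempfile.TemporaryDirectory() as tmp:
        for rel, content in SAMPLE_FILES.items():
            full = os.path.join(tmp, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "w", encoding="utf-8") as fh:
                fh.write(content)
        return [(os.path.relpath(p, tmp).replace(os.sep, "/"), n, k, v)
                for p, n, k, v in scan_tree(tmp)]

if __name__ == "__main__":
    for hit in demo():
        print("%s:%d  %s = %s" % hit)
```

Wire scan_tree into a pre-commit hook (exit non-zero on any finding) and into CI, and rotate any key the scanner reports even if the commit never left the laptop: the point of the slide is that the key is already compromised the moment it is public.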
Embarrassingly Easy: Find Open S3 Buckets
IaaS platforms are massive targets for those with malicious intent. Security vulnerabilities are actively being searched for and exploited systematically. Your open vulnerability, especially if it is in a common cloud service, will be found by the ‘bad guys’ before you find it.
The race is on: who will find your security deviations first?
What Does The PCI DSS Standard Require?
It covers 12 requirements around information security controls and processes, grouped into six goals:
• Build and maintain a secure network and systems
• Protect cardholder data
• Maintain a vulnerability management program
• Implement strong access control measures
• Regularly monitor and test networks
• Maintain an information security policy
You Have To Be Compliant, and Stay Compliant
Source: Verizon 2017 Payment Security Report
• 58.4% of controls declined in compliance.
• Requirement 3 (Protect stored cardholder data) saw the greatest increase in control gap, widening from 4.3% in 2015 to 21.5% in 2016.
• Requirement 11 (Regularly test security systems and processes) was the least well-sustained, with only 71.9% of organizations achieving full compliance.
Being PCI DSS Certified Does Not Mean You Are Secure
• Audits are performed periodically; you are exposed in between audits
• Audits often rely on remote vulnerability scans and might not identify every exposure
• CI/CD and DevOps environments change all the time and need to be continuously compliant
We Solved One Problem … And Created Another!
In the cloud, a single configuration change could expose an asset to the public.
Problem: the traditional gateway-centric approach (a gateway firewall at the edge of the VPC) doesn’t work, because an asset can be reached without its traffic ever passing through that gateway.
Solution: native cloud network segmentation, with a security group attached to each internal VM so that the policy travels with the workload.
[Diagram: public cloud VPC with gateway firewalls at the edge versus a security group around every internal VM]
PCI In IaaS: If You Can, Start With A Clean Slate
https://aws.amazon.com/quickstart/architecture/accelerator-pci/
• AWS PCI DSS templates
• Reference architecture
• Build guide
• It takes 30 minutes to build a WordPress app on a fully PCI DSS compliant architecture (the template covers the infrastructure; your application and processes still have to be assessed)
But then you add more apps using different technology… and you hire new staff or acquire new companies… and a new business unit wants to do things differently…
I’m Convinced, But How Do I Get There From Here?
What AWS features, capabilities, and best practices can help us achieve and maintain PCI compliance?
Enable and Use All Monitoring Capabilities of AWS
Enable and use AWS CloudWatch (system monitoring) and CloudTrail (API monitoring). CloudTrail records every API call made in the account, which is exactly what managing security groups needs: each rule change is logged with who made it and when. Event streams built on CloudTrail are very flexible, in part thanks to AWS Lambda.
For example: when an instance is created, CloudTrail captures an event with the details. A response can then be triggered via Lambda (through CloudWatch Events) that measures the conditions of the new workload (tags, attributes, network port exposure) and takes action if required. Without Lambda you can still process the CloudTrail logs stored in S3 on a regular interval and increase your visibility into key changes on your network.
Leverage CloudWatch Metric Filters & Alarms
Real-time monitoring of API calls can be achieved by delivering CloudTrail logs to CloudWatch Logs and defining corresponding metric filters and alarms.
It is recommended that metric filters and alarms be established for detecting changes and conditions in your cloud accounts, including:
• Changes to AWS Config
• AWS Management Console authentication failures
• IAM policy changes
• S3 bucket policy changes
• Management Console sign-in without MFA
• … and much more
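The two preceding slides describe the same pipeline from two ends: CloudTrail records flow either into CloudWatch Logs metric filters or into a Lambda function fired by CloudWatch Events. The following is an added example, not code from the Dome9 deck, that writes the five listed conditions plus the "new instance" check as detection rules and runs them over CloudTrail records constructed inline. Field names are the standard CloudTrail ones; the rule names, the REQUIRED_TAGS set and the sample records are this example's own assumptions. The metric-filter pattern quoted in the first rule's comment is the equivalent CloudWatch Logs syntax for the same condition.

```python
"""Added example (not from the Dome9 deck): CloudTrail detection rules for the
conditions listed on the slides, runnable offline against constructed records.

Assumptions: REQUIRED_TAGS and the rule names are this example's choices;
record fields (eventName, eventSource, additionalEventData.MFAUsed,
errorMessage, requestParameters.tagSpecificationSet) are CloudTrail's own.
"""
import json

REQUIRED_TAGS = {"Owner", "Environment", "PCIScope"}  # assumed tagging policy

IAM_POLICY_EVENTS = {
    "PutUserPolicy", "PutGroupPolicy", "PutRolePolicy",
    "DeleteUserPolicy", "DeleteGroupPolicy", "DeleteRolePolicy",
    "CreatePolicy", "DeletePolicy", "CreatePolicyVersion", "DeletePolicyVersion",
    "AttachUserPolicy", "AttachGroupPolicy", "AttachRolePolicy",
    "DetachUserPolicy", "DetachGroupPolicy", "DetachRolePolicy",
}
S3_POLICY_EVENTS = {"PutBucketPolicy", "DeleteBucketPolicy", "PutBucketAcl"}
CONFIG_EVENTS = {"StopConfigurationRecorder", "DeleteDeliveryChannel",
                 "PutDeliveryChannel", "PutConfigurationRecorder"}

def console_login_without_mfa(ev):
    # Equivalent CloudWatch Logs metric filter:
    # { ($.eventName = "ConsoleLogin") && ($.additionalEventData.MFAUsed != "Yes") }
    return (ev.get("eventName") == "ConsoleLogin"
            and ev.get("additionalEventData", {}).get("MFAUsed") != "Yes")

def console_login_failure(ev):
    return (ev.get("eventName") == "ConsoleLogin"
            and ev.get("errorMessage") == "Failed authentication")

def iam_policy_change(ev):
    return ev.get("eventSource") == "iam.amazonaws.com" and ev.get("eventName") in IAM_POLICY_EVENTS

def s3_bucket_policy_change(ev):
    return ev.get("eventSource") == "s3.amazonaws.com" and ev.get("eventName") in S3_POLICY_EVENTS

def aws_config_change(ev):
    return ev.get("eventSource") == "config.amazonaws.com" and ev.get("eventName") in CONFIG_EVENTS

def instance_missing_required_tags(ev):
    """The 'new workload' check: a RunInstances call whose tag specification
    lacks a required tag (the Lambda would then tag, quarantine or stop it)."""
    if ev.get("eventName") != "RunInstances":
        return False
    specs = ev.get("requestParameters", {}).get("tagSpecificationSet", {}).get("items", [])
    tags = {t["key"] for spec in specs for t in spec.get("tags", [])}
    return not REQUIRED_TAGS <= tags

RULES = {
    "ConsoleLoginWithoutMFA": console_login_without_mfa,
    "ConsoleLoginFailure": console_login_failure,
    "IAMPolicyChange": iam_policy_change,
    "S3BucketPolicyChange": s3_bucket_policy_change,
    "AWSConfigChange": aws_config_change,
    "InstanceMissingRequiredTags": instance_missing_required_tags,
}

def evaluate(records):
    """Return [(eventID, rule_name)] for every record that trips a rule."""
    return [(ev.get("eventID"), name)
            for ev in records for name, rule in RULES.items() if rule(ev)]

def lambda_handler(event, context):
    """CloudWatch Events wraps the CloudTrail record in event['detail']."""
    return evaluate([event.get("detail", event)])

# Constructed CloudTrail records, trimmed to the fields the rules read.
SAMPLE_TRAIL = json.dumps({"Records": [
    {"eventID": "e1", "eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin",
     "additionalEventData": {"MFAUsed": "No"}, "responseElements": {"ConsoleLogin": "Success"}},
    {"eventID": "e2", "eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin",
     "additionalEventData": {"MFAUsed": "Yes"}, "errorMessage": "Failed authentication"},
    {"eventID": "e3", "eventSource": "iam.amazonaws.com", "eventName": "AttachUserPolicy"},
    {"eventID": "e4", "eventSource": "s3.amazonaws.com", "eventName": "PutBucketAcl"},
    {"eventID": "e5", "eventSource": "config.amazonaws.com", "eventName": "StopConfigurationRecorder"},
    {"eventID": "e6", "eventSource": "ec2.amazonaws.com", "eventName": "RunInstances",
     "requestParameters": {"tagSpecificationSet": {"items": [
         {"resourceType": "instance", "tags": [{"key": "Owner", "value": "payments"}]}]}}},
    {"eventID": "e7", "eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances"},
]})

def demo():
    return evaluate(json.loads(SAMPLE_TRAIL)["Records"])

if __name__ == "__main__":
    for event_id, rule in demo():
        print(event_id, rule)
```

Each rule is a pure function of the record, so the same module serves both deployment shapes on the slides: batch it over the CloudTrail files in S3, or call lambda_handler from a CloudWatch Events rule and act on the returned findings.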
Use Broad Port Permissions Very Sparingly
Avoid creating security group rules with the least restrictive source, 0.0.0.0/0 (open to every IPv4 address; ::/0 is the IPv6 equivalent).
For load balancers and/or public web servers this can make sense, but all other app tiers need to accept traffic only from the tiers expected to be involved in the transaction.
Automation that alerts when overly permissive conditions exist (which may include more than just 0.0.0.0/0, such as very large CIDR blocks) is recommended. Don’t wait for regular audits.
Security Group Assignment Strategies
How many security groups for a standard multi-tiered web app is normal or preferred, to balance manageability and security?
1) One security group cutting across multiple tiers is easy to configure, but creates too much exposure and is not recommended for production apps.
2) One security group for every resource is too cumbersome and tough to manage operationally, especially at scale.
3) Individual security groups for each application tier, for example separate security groups for the ELB, Web, App, DB and Cache tiers of your stack. Each tier’s group then names the group of the tier in front of it as its source, rather than an IP range.
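The two slides above amount to two checkable rules: broad sources (0.0.0.0/0, ::/0, or any very wide CIDR) belong only on the internet-facing tier, and every other tier's group should admit traffic only from the group of the tier expected to call it. The following is an added example, not code from the Dome9 deck, that audits security groups against both rules. The record shape follows ec2 DescribeSecurityGroups output (GroupId, IpPermissions, IpRanges, Ipv6Ranges, UserIdGroupPairs, Tags); the tier names, the Tier tag, the expected call graph, the "/8 or wider is broad" threshold and the sample groups are this example's own assumptions.

```python
"""Added example (not from the Dome9 deck): audit security groups for broad
sources on the wrong tier and for cross-tier rules that break the expected
ELB -> Web -> App -> DB/Cache call graph.

Assumptions: tier names, the 'Tier' tag, EXPECTED_CALLERS and BROAD_PREFIX_MAX
are this example's choices; group records follow DescribeSecurityGroups.
"""
import ipaddress

# Callee tier -> tiers allowed to open connections to it.
EXPECTED_CALLERS = {
    "elb": {"internet"},
    "web": {"elb"},
    "app": {"web"},
    "db": {"app"},
    "cache": {"app"},
}
BROAD_PREFIX_MAX = 8  # a /8 or wider counts as 'overly permissive', not only /0

def tier_of(group):
    tags = {t["Key"]: t["Value"] for t in group.get("Tags", [])}
    return tags.get("Tier", "untagged")

def is_broad(cidr):
    """True for 0.0.0.0/0, ::/0 and any prefix at or above BROAD_PREFIX_MAX."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen <= BROAD_PREFIX_MAX

def audit(groups):
    """Return [(GroupId, finding)]; an empty list means the rules hold."""
    by_id = {g["GroupId"]: g for g in groups}
    findings = []
    for g in groups:
        tier = tier_of(g)
        allowed = EXPECTED_CALLERS.get(tier, set())
        for perm in g.get("IpPermissions", []):
            port = "%s-%s" % (perm.get("FromPort", "all"), perm.get("ToPort", "all"))
            # Rule 1: CIDR sources. Broad ranges are fine only where 'internet' is expected.
            for r in perm.get("IpRanges", []) + perm.get("Ipv6Ranges", []):
                cidr = r.get("CidrIp") or r.get("CidrIpv6")
                if is_broad(cidr) and "internet" not in allowed:
                    findings.append((g["GroupId"], "tier %s open to %s on %s" % (tier, cidr, port)))
            # Rule 2: security-group sources must be the tier expected to call this one.
            for pair in perm.get("UserIdGroupPairs", []):
                src = by_id.get(pair["GroupId"])
                src_tier = tier_of(src) if src else "unknown"
                if src_tier not in allowed:
                    findings.append((g["GroupId"], "tier %s accepts %s tier (%s) on %s"
                                     % (tier, src_tier, pair["GroupId"], port)))
    return findings

def sg(group_id, tier, perms):
    return {"GroupId": group_id, "Tags": [{"Key": "Tier", "Value": tier}], "IpPermissions": perms}

def tcp(port, ip_ranges=(), group_ids=()):
    return {"IpProtocol": "tcp", "FromPort": port, "ToPort": port,
            "IpRanges": [{"CidrIp": c} for c in ip_ranges],
            "Ipv6Ranges": [],
            "UserIdGroupPairs": [{"GroupId": g} for g in group_ids]}

# Constructed sample: a four-tier stack with two deliberate mistakes.
SAMPLE_GROUPS = [
    sg("sg-elb", "elb", [tcp(443, ip_ranges=["0.0.0.0/0"])]),        # fine: internet-facing tier
    sg("sg-web", "web", [tcp(8080, group_ids=["sg-elb"])]),           # fine
    sg("sg-app", "app", [tcp(9000, group_ids=["sg-web"]),
                         tcp(22, ip_ranges=["10.0.0.0/8"])]),         # mistake: SSH from a whole /8
    sg("sg-db", "db", [tcp(5432, group_ids=["sg-app", "sg-web"])]),   # mistake: web may reach the DB
]

def demo():
    return audit(SAMPLE_GROUPS)

if __name__ == "__main__":
    for group_id, msg in demo():
        print(group_id, msg)
```

Feed audit() the output of describe_security_groups from a scheduled job, or call it from the Lambda on every AuthorizeSecurityGroupIngress event, and you have the "don't wait for regular audits" automation the slide asks for.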
AWS S3 Security – Don’t Become Another Statistic!
Three access control methods:
Access Control List (ACL)
• Assigned to resources, not users
• Applies to both buckets and objects
• No explicit denies
• XML
S3 Bucket Policy
• Assigned to resources, not users
• Attached only to buckets, not to the objects inside (its statements can still cover those objects)
• Explicit denies
• JSON
IAM Policy
• Assigned to users, not resources
• Covers both buckets and objects
• Can’t be used for anonymous access
• Explicit denies
• JSON
Three access control methods means more complexity, and more complexity means more governance required.
The most restrictive privilege “wins”, which is the opposite of security groups (where rules are allow-only and any matching rule permits the traffic).
Which access control method is right for you?
What S3 Access Control Option Is Right For You?
Requirement: access control option
• Anonymous access: bucket policy or ACL*
• Explicitly deny access by resource: bucket policy
• Explicitly deny access by user: IAM policy
• Provide cross-account access: a combination of bucket and IAM policy, or ACL*
• Lots of policy detail/definition: IAM policy or ACL*
• Set permissions on specific objects: IAM policy or ACL*
* ACL is consistently listed as the second option because AWS recommends bucket and IAM policies over ACLs
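The "find open S3 buckets" slide earlier and the three-mechanism comparison above come down to one question: what can an anonymous caller do to this bucket once the ACL, the bucket policy and the deny-wins rule are combined? The following is an added example, not code from the Dome9 deck, that answers it from the two resource-side documents (GetBucketAcl and GetBucketPolicy output); IAM policies are left out because, as the table says, they attach to users and cannot grant anonymous access. The bucket names, grants and statements are constructed; statements carrying a Condition are ignored on both the Allow and the Deny side, so the result answers "open to the whole internet?" and nothing finer. The mapping from bucket ACL permissions to S3 actions follows the AWS documentation.

```python
"""Added example (not from the Dome9 deck): which S3 actions an anonymous
caller ends up with, combining bucket ACL grants and bucket policy statements
under the 'most restrictive wins' rule.

Assumptions: constructed buckets below; conditional statements are ignored,
so conditional Allows are not reported and conditional Denies do not close
anything. ACL permission -> action mapping is the documented one.
"""
import fnmatch

PUBLIC_GRANTEE_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",  # any AWS account, not 'my users'
}
# Bucket ACL permissions expressed as the S3 actions they grant.
ACL_PERMISSION_ACTIONS = {
    "READ": {"s3:ListBucket"},
    "WRITE": {"s3:PutObject", "s3:DeleteObject"},
    "READ_ACP": {"s3:GetBucketAcl"},
    "WRITE_ACP": {"s3:PutBucketAcl"},
}
ACL_PERMISSION_ACTIONS["FULL_CONTROL"] = set().union(*ACL_PERMISSION_ACTIONS.values())

def _as_list(x):
    return x if isinstance(x, list) else [x]

def _principal_is_everyone(principal):
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS", []))

def acl_anonymous_actions(acl):
    """ACLs have no deny; every grant to a global group is an anonymous grant."""
    actions = set()
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GRANTEE_URIS:
            actions |= ACL_PERMISSION_ACTIONS[grant["Permission"]]
    return actions

def policy_anonymous_actions(policy):
    """Return (allowed, denied) action patterns from unconditional Principal '*' statements."""
    allowed, denied = set(), set()
    for st in policy.get("Statement", []):
        if st.get("Condition") or not _principal_is_everyone(st.get("Principal")):
            continue
        if st.get("Effect") == "Deny":
            denied |= set(_as_list(st.get("Action", [])))
        elif st.get("Effect") == "Allow":
            allowed |= set(_as_list(st.get("Action", [])))
    return allowed, denied

def anonymous_actions(bucket):
    """Most restrictive wins: an explicit Deny for '*' removes the action whether
    the ACL or the policy granted it. Deny patterns may carry wildcards."""
    allowed, denied = policy_anonymous_actions(bucket.get("policy", {}))
    allowed |= acl_anonymous_actions(bucket.get("acl", {}))
    return {a for a in allowed if not any(fnmatch.fnmatchcase(a, d) for d in denied)}

def audit(buckets):
    """{bucket name: sorted anonymous actions}; an empty list means not open."""
    return {name: sorted(anonymous_actions(b)) for name, b in buckets.items()}

def _owner_grant():
    return {"Grantee": {"Type": "CanonicalUser", "ID": "owner-canonical-id"}, "Permission": "FULL_CONTROL"}

def _group_grant(group, permission):
    return {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/" + group},
            "Permission": permission}

SAMPLE_BUCKETS = {
    # The classic leak: someone ticked 'Everyone: List' in the console.
    "cardholder-exports": {"acl": {"Grants": [_owner_grant(), _group_grant("AllUsers", "READ")]},
                           "policy": {}},
    # Intended public website: the policy allows anonymous GetObject and nothing else.
    "static-site": {"acl": {"Grants": [_owner_grant()]},
                    "policy": {"Statement": [{"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
                                              "Resource": "arn:aws:s3:::static-site/*"}]}},
    # Source-IP-restricted allow: not open to the internet, so not reported.
    "partner-drop": {"acl": {"Grants": [_owner_grant()]},
                     "policy": {"Statement": [{"Effect": "Allow", "Principal": {"AWS": "*"}, "Action": ["s3:PutObject"],
                                               "Resource": "arn:aws:s3:::partner-drop/*",
                                               "Condition": {"IpAddress": {"aws:SourceIp": "203.0.113.0/24"}}}]}},
    # Open ACL, but an explicit policy Deny beats it for listing, object writes and
    # ACL changes; only GetBucketAcl survives. (Such a Deny binds the owner too.)
    "legacy-acl": {"acl": {"Grants": [_group_grant("AuthenticatedUsers", "FULL_CONTROL")]},
                   "policy": {"Statement": [{"Effect": "Deny", "Principal": "*",
                                             "Action": ["s3:ListBucket", "s3:*Object", "s3:PutBucketAcl"],
                                             "Resource": ["arn:aws:s3:::legacy-acl", "arn:aws:s3:::legacy-acl/*"]}]}},
}

def demo():
    return audit(SAMPLE_BUCKETS)

if __name__ == "__main__":
    for name, actions in demo().items():
        print(name, actions or "not open")
```

Note the AuthenticatedUsers case: that group is every AWS account in the world, so for an "is it open?" question it is treated exactly like AllUsers.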
Plan for Exceptions – Plan For Reality
Plan for exceptions: a network port needs to be opened for maintenance, or a file has to be retrieved from an S3 bucket. A well-designed change management process can help ease the pain of “swiss cheese firewall/bucket syndrome”. If a port must be opened, or an ACL changed, ensure your change management process accounts for this, and follows up on the exception so that it is closed again!
Bonus Best Practices
If you are using 3rd-party tools to achieve any of the goals we have covered in this webinar session so far, ensure that they are flexible enough to fit into your existing workflow instead of demanding organizational change. This means ensuring that you can control the tool and pass data to and from it in a non-interactive way, usually by leveraging the toolset’s API.
According to a supplement to the PCI DSS standard published by the PCI Security Standards Council in December 2016, the scope of PCI coverage has been expanded to include “connected-to or security-impacting systems”. This includes 3rd-party tools and system components that affect the configuration or security of the Cardholder Data Environment (CDE).
Resources
• Verizon 2017 Payment Security Report - An in-depth look at PCI DSS compliance
• Deloitte 2016 Compliance Trends Survey
• Standardized Architecture for PCI DSS on the AWS Cloud - Quick Start Reference Deployment (AWS Quick Start Reference Team)
Thank you!
www.dome9.com
Patrick Pushor, Director of Sales & Field Engineering
patrick@dome9.com
AWS Chicago user group - Patrick Pushor - whats the cost of non-pci compliance in the cloud

  • 1. Dome9 Security THE LEADING CLOUD INFRASTRUCTURE SECURITY PLATFORM Patrick Pushor, Director Sales & Field Engineering patrick@dome9.com Dome9 Security What’s the Cost of Non-PCI Compliance in the Cloud? (and what can I do about it?)
  • 2. It Happened … Again 1 “Macy's confirmed that some customers shopping online at Macys.com and Bloomingdales.com between April 26 and June 12 could have had their personal information and credit card details exposed to a third party.”
  • 3. What Is The PCI DSS Standard? The Payment Card Industry Data Security Standard (PCI-DSS) is not a law, but rather a regulatory requirement enforced by banks. What are the noncompliance fines? • $5,000-100,000 fine for noncompliance, based on forensic audit • Fines accumulate monthly for noncompliance • $50-90 fine per breached record • Fines can be negotiable 2
  • 4. Why Do People Hate PCI-DSS? 3
  • 5. Why Do People Hate PCI-DSS? (and most other standards) 4 • Merchants want an delightful user experience. Security, or the perception of it, is that it adds complexity and friction for the customer • It costs a lot of money. “I will have to hire, train, or pay consultants” • ”I’ll take the risk, and pay the fine if something happens” • Lack of full understanding and visibility of the network, compute • “It’s just a nuisance that doesn’t really make me secure” • Not associating the requirements and controls with real- life operations and rules • “Let’s hide it. Let’s not even talk about it. It will be OK”
  • 6. Equifax Breach: The Risks Of A Careless, Arrogant Attitude
    Patching process for Apache Struts, CVE-2017-5638:
    • Aug 2012: bug introduced
    • Nov 2012: Struts 2.3 released
    • May 2016: Struts 2.5 released
    • Mar 6, 2017: patch available
    • Mar 14, 2017: NVD details published
    • May 13, 2017: Equifax hacked
    • Jul 29, 2017: breach discovered
    • Sep 15, 2017: Equifax press release
    via eSecurity Planet: ”It’s no surprise that Web application attacks are the leading cause of large breaches. The *average* Web application or API has 26.7 serious vulnerabilities. And organizations often have hundreds, thousands, or even tens of thousands of applications.”
    Question: Was Equifax PCI compliant?
  • 7. Equifax Breach: The Risks Of A Careless, Arrogant Attitude
    Equifax regulatory landscape:
    • Fair Credit Reporting Act
    • Gramm-Leach-Bliley Act
    • Unfair, Deceptive, and Abusive Acts and Practices
    • Service provider relationships
    • No PCI compliance. No real security practices
    What can we learn?
    • Encrypt like there's no tomorrow
    • Patch like your life depends on it
    • Incident response procedures, because head-in-the-sand will not make it go away
    • Advocate for a national cybersecurity standard
    "Was the fact that [customer] data remained unencrypted at rest the result of an oversight, or was that a decision that was made to manage that data unencrypted at rest?" Gardner asked Smith [ex Equifax CEO]. Smith pointed out that encryption at rest is just one method of security, but eventually confirmed that a decision was made to leave customer data unencrypted at rest. "So, a decision was made to leave it unencrypted at rest?" Gardner pushed. "Correct," Smith responded.
  • 8. How Much Does A Breach Cost?
    The 2017 Cost of Data Breach Study from the Ponemon Institute, sponsored by IBM, puts the global average cost of a breach at $3.6 million ($7.3 million in the US), or $141 per data record.
  • 9. It’s Much More Than The Cost of Data
    (Figure: the breakdown of the cost of an enterprise security breach)
  • 10. Embarrassingly Easy: Grab Cloud Credentials From GitHub
    Why?
    • Gain access
    • Steal data, card numbers, PINs
    • Host spamming, phishing, etc.
    • Spin up expensive mining servers
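The check a practitioner wants against slide 10 is to catch the credentials before they reach GitHub. The following is an added example, not code from the deck or from Dome9: a small pre-commit style scanner for the two credential shapes attackers grep public repositories for. The sample input is constructed; the key values in it are the placeholder credentials from AWS's own documentation, not real secrets.

```python
"""Scan a diff or file for leaked AWS credentials before it reaches GitHub.

Added example, not from the slides or from Dome9. The sample diff below is
constructed; its key values are the AWS documentation placeholders.
"""
import re
import sys

# Access key IDs: AKIA = long-term IAM user key, ASIA = temporary STS key; 20 chars total.
ACCESS_KEY_RE = re.compile(r"\b((?:AKIA|ASIA)[0-9A-Z]{16})\b")
# Secret keys are 40 base64-ish chars; require a telltale label next to them so that
# ordinary 40-char strings (git SHAs, hex digests) do not trigger the scanner.
SECRET_KEY_RE = re.compile(
    r"(?i)aws[_-]?secret(?:[_-]?access)?[_-]?key\s*[=:]\s*['\"]?([A-Za-z0-9/+=]{40})(?![A-Za-z0-9/+=])"
)


def redact(secret):
    """Never echo a full secret into a log or CI output."""
    return secret[:4] + "..." + secret[-4:]


def scan_text(text, path="<stdin>"):
    """Return (path, line_no, kind, value) for every credential found in text."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for m in ACCESS_KEY_RE.finditer(line):
            findings.append((path, line_no, "access_key_id", m.group(1)))
        for m in SECRET_KEY_RE.finditer(line):
            findings.append((path, line_no, "secret_access_key", redact(m.group(1))))
    return findings


def scan_files(paths):
    findings = []
    for path in paths:
        with open(path, encoding="utf-8", errors="replace") as fh:
            findings.extend(scan_text(fh.read(), path))
    return findings


# Constructed sample: a staged diff that adds a .env file. The credentials are the
# AKIAIOSFODNN7EXAMPLE / wJalr... placeholders from the AWS documentation.
SAMPLE_DIFF = """\
+AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
+AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCyEXAMPLEKEY
+# a 40-char git SHA, which must not be reported:
+BASE_COMMIT=2fd4e1c67a2d28fced849ee1bb76e7391b93eb12
+AWS_DEFAULT_REGION=us-east-1
"""


def main(argv):
    """Scan the files named on the command line, or stdin (e.g. `git diff --cached`)."""
    findings = scan_files(argv[1:]) if argv[1:] else scan_text(sys.stdin.read())
    for path, line_no, kind, value in findings:
        print(f"{path}:{line_no}: {kind}: {value}")
    return 1 if findings else 0  # non-zero exit blocks the commit in a pre-commit hook


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Wired into a pre-commit hook as `git diff --cached | python scan.py`, the non-zero exit stops the commit; the secret itself is only ever printed redacted, so the hook's own output cannot become a second leak.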
  • 11. Embarrassingly Easy: Find Open S3 Buckets
    IaaS platforms are massive targets for those with malicious intent. Security vulnerabilities are actively and systematically being searched for and exploited. Your open vulnerability, especially if it is in a common cloud service, will be found by the ‘bad guys’ before you find it. The race is on: who will find your security deviations first?
  • 12. What Does The PCI DSS Standard Require?
    It covers 12 requirements around information security controls and processes that fall into the following areas:
    • Build and maintain a secure network
    • Protect cardholder data
    • Maintain a vulnerability management program
    • Implement strong access control measures
    • Maintain an information security policy
    • Regularly monitor and test networks
  • 13. You Have To Be Compliant, and Stay Compliant
    Source: Verizon 2017 Payment Security Report
    • 58.4% of controls declined in compliance!
    • Requirement 3 (Protect stored cardholder data) saw the greatest control gap increase, widening from 4.3% in 2015 to 21.5% in 2016.
    • Requirement 11 (Regularly test security) was the least well sustained, with only 71.9% of organizations achieving full compliance.
  • 14. Being PCI DSS Certified Does Not Mean You Are Secure
    • Audits are performed periodically
    • You are exposed in between audits
    • Audits often consist of remote vulnerability scans and might not identify every exposure
    • CI/CD and DevOps environments change all the time and need to be continuously compliant
  • 15. We Solved One Problem … And Created Another!
    In a public cloud VPC, a single configuration change (a security group rule, a bucket policy) can expose an asset directly to the public, without any traffic ever passing through a gateway firewall.
    Problem: the traditional gateway-centric approach (a gateway firewall in front of internal VMs) doesn’t work.
    Solution: native cloud network segmentation, with security groups around each workload.
    (Figure: gateway firewall design versus per-workload security groups inside the VPC)
  • 16. PCI In IaaS: If You Can, Start With A Clean Slate
    https://aws.amazon.com/quickstart/architecture/accelerator-pci/
    • AWS PCI DSS templates
    • Reference architecture
    • Build guide
    • It takes 30 minutes to build a WordPress app on a fully PCI DSS compliant architecture
    But then you add more apps using different technology… and you hire new staff or acquire new companies… and a new business unit wants to do things differently…
  • 17. I’m Convinced, But How Do I Get There From Here?
    What AWS features, capabilities, and best practices can help us achieve and maintain PCI compliance?
  • 18. Enable and Use All Monitoring Capabilities of AWS
    Enable and use AWS CloudWatch (system monitoring) and AWS CloudTrail (API monitoring). CloudTrail records the API calls made in the account (management events by default; S3 object-level data events must be switched on separately) and is strongly recommended for the management of security groups, since every rule change shows up as an AuthorizeSecurityGroupIngress or RevokeSecurityGroupIngress call.
    Event streams built from CloudTrail are very flexible, thanks in part to AWS Lambda. For example: when an instance is launched, CloudTrail captures the RunInstances call with its details. A CloudWatch Events rule matching that call can then invoke a Lambda function that inspects the new workload (tags, attributes, network port exposure) and takes action if required.
    Without Lambda you can still process the CloudTrail log files delivered to an S3 bucket on a regular interval and increase your visibility into key changes on your network.
  • 19. Leverage CloudWatch Metric Filters & Alarms
    Near-real-time monitoring of API calls is achieved by delivering CloudTrail logs to CloudWatch Logs and defining metric filters with corresponding alarms. Metric filters and alarms are recommended for detecting at least the following changes and conditions in your cloud accounts:
    • Changes to AWS Config
    • AWS Management Console authentication failures
    • IAM policy changes
    • S3 bucket policy changes
    • Management Console sign-in without MFA
    … and much more! (These are the same conditions the monitoring section of the CIS AWS Foundations Benchmark asks for.)
  • 20. Use Broad Port Permissions Very Sparingly
    Avoid security group rules with the least restrictive source, 0.0.0.0/0 (open to every address on the internet). For load balancers and public web servers this can make sense, but every other app tier should accept traffic only from the tiers expected to be involved in the transaction, ideally by referencing the neighbouring tier’s security group rather than a CIDR.
    Automate alerting when overly permissive rules exist (which may include more than just 0.0.0.0/0: a /8 or a company-wide range on a database port is still too broad). Don’t wait for the regular audit.
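Slides 18 to 20 describe one procedure: CloudTrail records the change, a CloudWatch Events rule hands it to Lambda, and the function decides whether the change is a problem. The following is an added example, not code from the deck or from Dome9, of such a handler for two of the conditions the slides name: security group rules opened to a broad source range on a non-public port (slide 20), and console sign-ins that fail or lack MFA (slide 19). The CloudTrail records below are constructed, modelled on CloudTrail's record format; the security group id, user names and the "public ports are 80 and 443" threshold are assumptions.

```python
"""Event-driven compliance checks over CloudTrail records.

Added example, not from the slides or from Dome9. The records in SAMPLE_RECORDS
are constructed to follow CloudTrail's record shape; ids and names are made up.
"""
import ipaddress

PUBLIC_OK_PORTS = {80, 443}      # what an ELB / web tier may expose to the world (assumption)
BROAD_PREFIX = {4: 16, 6: 48}    # a source block this wide or wider counts as "broad", not only /0


def cidr_is_broad(cidr):
    net = ipaddress.ip_network(cidr, strict=False)
    return net.prefixlen <= BROAD_PREFIX[net.version]


def port_range(perm):
    if perm.get("ipProtocol") == "-1":      # "all traffic"
        return 0, 65535
    return perm.get("fromPort", 0), perm.get("toPort", 65535)


def check_sg_ingress(record):
    """Flag AuthorizeSecurityGroupIngress rules that open non-public ports to broad ranges."""
    params = record["requestParameters"]
    group = params["groupId"]
    findings = []
    for perm in params["ipPermissions"]["items"]:
        proto = perm.get("ipProtocol")
        lo, hi = port_range(perm)
        public_ok = proto == "tcp" and lo == hi and lo in PUBLIC_OK_PORTS
        sources = [r["cidrIp"] for r in perm.get("ipRanges", {}).get("items", [])]
        sources += [r["cidrIpv6"] for r in perm.get("ipv6Ranges", {}).get("items", [])]
        for cidr in sources:
            if cidr_is_broad(cidr) and not public_ok:
                findings.append(f"{group}: {proto} {lo}-{hi} opened to {cidr}")
    return findings


def check_console_login(record):
    """Flag failed console sign-ins and successful ones made without MFA."""
    ident = record.get("userIdentity", {})
    who = ident.get("userName") or ident.get("arn", "unknown")
    outcome = record.get("responseElements", {}).get("ConsoleLogin")
    mfa = record.get("additionalEventData", {}).get("MFAUsed")
    findings = []
    if outcome == "Failure":
        findings.append(f"console authentication failure for {who}")
    elif outcome == "Success" and mfa != "Yes":
        findings.append(f"console sign-in without MFA by {who}")
    return findings


CHECKS = {"AuthorizeSecurityGroupIngress": check_sg_ingress, "ConsoleLogin": check_console_login}


def evaluate(record):
    return CHECKS.get(record.get("eventName"), lambda r: [])(record)


def lambda_handler(event, context=None):
    """Lambda entry point; a CloudWatch Events rule delivers the CloudTrail record under "detail"."""
    findings = evaluate(event.get("detail", event))
    for finding in findings:
        print("ALERT", finding)   # in a real deployment: publish to SNS or revoke the rule
    return {"findings": findings}


# Constructed sample records (CloudTrail shape): one rule change with four permissions,
# two console sign-ins, and one read-only call that no check cares about.
SAMPLE_RECORDS = [
    {"eventName": "AuthorizeSecurityGroupIngress", "eventSource": "ec2.amazonaws.com",
     "userIdentity": {"userName": "alice"},
     "requestParameters": {"groupId": "sg-0a1b2c3d", "ipPermissions": {"items": [
         {"ipProtocol": "tcp", "fromPort": 443, "toPort": 443,
          "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]}},
         {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
          "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]}},
         {"ipProtocol": "tcp", "fromPort": 3306, "toPort": 3306,
          "ipRanges": {"items": [{"cidrIp": "10.0.0.0/8"}]}},
         {"ipProtocol": "tcp", "fromPort": 8080, "toPort": 8080,
          "ipRanges": {"items": [{"cidrIp": "10.20.30.0/24"}]}}]}}},
    {"eventName": "ConsoleLogin", "eventSource": "signin.amazonaws.com",
     "userIdentity": {"userName": "bob"},
     "responseElements": {"ConsoleLogin": "Success"}, "additionalEventData": {"MFAUsed": "No"}},
    {"eventName": "ConsoleLogin", "eventSource": "signin.amazonaws.com",
     "userIdentity": {"userName": "carol"},
     "responseElements": {"ConsoleLogin": "Failure"}, "additionalEventData": {"MFAUsed": "No"}},
    {"eventName": "DescribeInstances", "eventSource": "ec2.amazonaws.com",
     "userIdentity": {"userName": "dave"}},
]


def run_samples():
    return [f for r in SAMPLE_RECORDS for f in evaluate(r)]


if __name__ == "__main__":
    for line in run_samples():
        print(line)
```

Against the sample records the handler reports the SSH rule open to the world and the database port open to all of 10.0.0.0/8, while the 443 rule on the public tier and the /24-scoped 8080 rule pass; it also reports bob's sign-in without MFA and carol's failed login. The same four findings are what the metric filters on slide 19 would raise as alarms; the Lambda route adds the option of acting on the event (revoking the rule, tagging the group) instead of only alerting.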
  • 21. Security Group Assignment Strategies
    How many security groups for a standard multi-tier web app is normal, or preferred, to balance manageability and security?
    1) One security group cutting across multiple tiers is easy to configure, but creates too much exposure and is not recommended for production apps.
    2) One security group for every resource is too cumbersome and tough to manage operationally, especially at scale.
    3) Individual security groups for each application tier. For example: separate security groups for the ELB, Web, App, DB and Cache tiers of your stack.
  • 22. AWS S3 Security – Don’t Become Another Statistic!
    Three access control mechanisms:
    • Access Control List (XML): assigned to resources, not users; applies to both buckets and objects; no explicit denies
    • S3 Bucket Policy (JSON): assigned to resources, not users; attached at the bucket level only, not to the objects inside; supports explicit denies
    • IAM Policy (JSON): assigned to users, not resources; covers both buckets and objects; can’t be used for anonymous access; supports explicit denies
    Three access control methods means more complexity, and more complexity means more governance is required. The most restrictive privilege “wins”: an explicit Deny in any applicable policy overrides every Allow, which is the opposite of security groups, whose rules are allow-only and simply add up. Which access control method is right for you?
  • 23. What S3 Access Control Option Is Right For You?
    Requirement → Access control option
    • Anonymous access → Bucket policy or ACL*
    • Explicitly deny access by resource → Bucket policy
    • Explicitly deny access by user → IAM policy
    • Provide cross-account access → A combination of bucket and IAM policy, or ACL*
    • Lots of policy detail/definition → IAM policy or ACL*
    • Set permissions on specific objects → IAM policy or ACL*
    * ACL is consistently listed as the second option, as AWS recommends bucket and IAM policies over ACLs
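Slides 22 and 23 turn on one evaluation rule: an explicit Deny in any applicable policy beats every Allow, and nothing an IAM policy says can grant access to an anonymous caller. The following is an added example, not code from the deck or from Dome9, that implements that evaluation order for a deliberately small subset of the policy grammar (Effect, Action, Resource, Principal, and the Bool / StringEquals condition operators; wildcard matching is case-sensitive here, which real IAM is not for actions). The account id, bucket name, policies and requests are constructed. The short security-group function at the end is the contrast the slide draws: allow-only rules that are simply unioned.

```python
"""S3 access decisions: explicit deny beats allow, and security groups only add.

Added example, not from the slides or from Dome9. Policies, ARNs and requests
are constructed; the evaluator covers a subset of the IAM policy grammar.
"""
from fnmatch import fnmatchcase
import ipaddress


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _match(patterns, value):
    return any(fnmatchcase(value, p) for p in _as_list(patterns))


def _principal_match(stmt, principal):
    if "Principal" not in stmt:           # identity (IAM) policy: applies to the caller it is attached to,
        return principal is not None      # so it can never grant anything to an anonymous request
    p = stmt["Principal"]
    if p == "*":
        return True
    arns = _as_list(p.get("AWS", []))
    return "*" in arns or principal in arns


def _condition_ok(condition, context):
    for operator, pairs in (condition or {}).items():
        for key, expected in pairs.items():
            actual = context.get(key)
            if operator == "Bool":
                ok = actual is not None and str(actual).lower() == str(expected).lower()
            elif operator == "StringEquals":
                ok = actual in _as_list(expected)
            else:
                raise ValueError(f"operator {operator} not supported in this example")
            if not ok:
                return False
    return True


def evaluate(request, policies):
    """Return 'explicit deny', 'allow' or 'implicit deny' for one request."""
    decision = "implicit deny"
    for doc in policies:
        for stmt in doc["Statement"]:
            applies = (_principal_match(stmt, request.get("principal"))
                       and _match(stmt["Action"], request["action"])
                       and _match(stmt["Resource"], request["resource"])
                       and _condition_ok(stmt.get("Condition"), request.get("context", {})))
            if not applies:
                continue
            if stmt["Effect"] == "Deny":
                return "explicit deny"   # the most restrictive statement wins, whatever else allows
            decision = "allow"
    return decision


def sg_allows(rule_sets, port, source_ip):
    """Security groups by contrast: the rules of every attached group are unioned, nothing can deny."""
    ip = ipaddress.ip_address(source_ip)
    return any(lo <= port <= hi and ip in ipaddress.ip_network(cidr)
               for rules in rule_sets for (lo, hi, cidr) in rules)


# Constructed policies: alice's IAM policy grants everything on the audit-log bucket,
# the bucket policy protects the audit trail from deletion (PCI DSS Req. 10.7 retention)
# and refuses any request that did not arrive over TLS.
ALICE = "arn:aws:iam::123456789012:user/alice"
LOGS = "arn:aws:s3:::cde-audit-logs"

IAM_POLICY = {"Statement": [
    {"Effect": "Allow", "Action": "s3:*", "Resource": [LOGS, LOGS + "/*"]}]}

BUCKET_POLICY = {"Statement": [
    {"Effect": "Deny", "Principal": "*", "Action": "s3:DeleteObject*", "Resource": LOGS + "/*"},
    {"Effect": "Deny", "Principal": "*", "Action": "s3:*", "Resource": [LOGS, LOGS + "/*"],
     "Condition": {"Bool": {"aws:SecureTransport": "false"}}}]}


def decide(principal, action, resource, tls=True):
    request = {"principal": principal, "action": action, "resource": resource,
               "context": {"aws:SecureTransport": "true" if tls else "false"}}
    return evaluate(request, [IAM_POLICY, BUCKET_POLICY])


if __name__ == "__main__":
    log = LOGS + "/2018/06/12.log"
    for args in [(ALICE, "s3:GetObject", log), (ALICE, "s3:DeleteObject", log),
                 (ALICE, "s3:GetObject", log, False), (None, "s3:GetObject", log)]:
        print(args, "->", decide(*args))
```

alice can read the logs, but her blanket `s3:*` Allow does not let her delete them or read them over plain HTTP, because the bucket policy's Deny statements apply to her as much as to anyone (Principal `*`); an anonymous caller gets an implicit deny because the only Allow lives in an IAM policy, which is exactly why slide 23 sends anonymous access to bucket policies or ACLs. The security-group function shows the opposite model: two attached groups together allow 22 from 10.0.0.0/8 and 443 from anywhere, and there is no statement that could take either back.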
  • 24. Plan for Exceptions – Plan For Reality
    Plan for exceptions: a network port needs to be opened for maintenance, or a file has to be retrieved from an S3 bucket. A well-designed change management process can help ease the pain of “swiss cheese firewall/bucket syndrome”. If a port must be opened, or an ACL changed, ensure your change management process accounts for it, and follows up on the exception so that it is closed again!
  • 25. Bonus Best Practices
    If you are using third-party tools to achieve any of the goals we have covered in this session, ensure that they are flexible enough to fit into your existing workflow instead of demanding organizational change. That means being able to control the tool and pass data to and from it non-interactively, usually by leveraging the toolset’s API.
    According to a supplement to the PCI DSS standard published by the PCI Security Standards Council in December 2016, the scope of PCI coverage has been expanded to include “connected-to or security-impacting systems”. This includes third-party tools and system components that affect the configuration or security of the Cardholder Data Environment (CDE), so the tools you use to manage compliance are themselves in scope.
  • 26. Resources
    • Verizon 2017 Payment Security Report: an in-depth look at PCI DSS compliance
    • Deloitte 2016 Compliance Trends Survey
    • Standardized Architecture for PCI DSS on the AWS Cloud: Quick Start Reference Deployment (AWS Quick Start Reference Team)
  • 27. Thank you! www.dome9.com Patrick Pushor, Director of Sales & Field Engineering patrick@dome9.com