"What's the Cost of Non-PCI Compliance in the Cloud?" - Patrick Pushor, Director of Sales & Field Engineering at Dome9 // @CloudChronicle
Businesses that handle customer credit card information are required to meet the Payment Card Industry Data Security Standard (PCI DSS). PCI DSS is a set of security standards designed to protect merchants and financial institutions from security breaches and theft of cardholder data. Some organizations find meeting PCI requirements overwhelming and choose to forgo the process, accepting the consequence of being fined if caught. However, the true cost of non-compliance goes far beyond the monetary penalty: it includes up to a 50% greater chance of being breached, negative brand publicity and loss of business.
AWS Chicago user group - Patrick Pushor - What's the cost of non-PCI compliance in the cloud
1. Dome9 Security
THE LEADING CLOUD INFRASTRUCTURE SECURITY PLATFORM
Patrick Pushor, Director Sales & Field Engineering
patrick@dome9.com
Dome9 Security
What’s the Cost of Non-PCI Compliance
in the Cloud? (and what can I do about it?)
2. It Happened … Again
“Macy's confirmed that some customers shopping online at Macys.com and Bloomingdales.com between April 26 and June 12 could have had their personal information and credit card details exposed to a third party.”
3. What Is The PCI DSS Standard?
The Payment Card Industry Data Security Standard (PCI-DSS) is not a law, but rather a regulatory requirement enforced by banks.
What are the noncompliance fines?
• $5,000-100,000 fine for noncompliance, based on forensic audit
• Fines accumulate monthly for noncompliance
• $50-90 fine per breached record
• Fines can be negotiable
5. Why Do People Hate PCI-DSS? (and most other standards)
• Merchants want a delightful user experience. Security, or the perception of it, is seen as adding complexity and friction for the customer
• It costs a lot of money. “I will have to hire, train, or pay consultants”
• ”I’ll take the risk, and pay the fine if something happens”
• Lack of full understanding and visibility of the network and compute
• “It’s just a nuisance that doesn’t really make me secure”
• Not associating the requirements and controls with real-life operations and rules
• “Let’s hide it. Let’s not even talk about it. It will be OK”
6. Equifax Breach: The Risks Of A Careless Arrogant Attitude
Patching Process: Apache Struts CVE-2017-5638 timeline
• Aug 2012: Bug introduced
• Nov 2012: Struts 2.3 released
• May 2016: Struts 2.5 released
• March 6, 2017: Patch available
• Mar 14, 2017: NVD details
• May 13, 2017: Equifax hacked
• Jul 29, 2017: Breach discovered
• Sep 15, 2017: Equifax press release
via eSecurity Planet: ”It’s no surprise that Web application attacks are the leading cause of large breaches. The *average* Web application or API has 26.7 serious vulnerabilities. And organizations often have hundreds, thousands, or even tens of thousands of applications.”
Question: Was Equifax PCI Compliant?
7. Equifax Breach: The Risks Of A Careless Arrogant Attitude
Equifax Regulatory Landscape:
● Fair Credit Reporting Act
● Gramm-Leach-Bliley Act
● Unfair Deceptive and Abusive Acts and Practices
● Service Provider relationships
● No PCI compliance. No real security practices
What can we learn?
● Encrypt like there's no tomorrow
● Patch like your life depends on it
● Incident response procedures. Because head-in-the-sand will not make it go away
● Advocate for a national cybersecurity standard
"Was the fact that [customer] data remained unencrypted at rest the result of an oversight, or was that a decision that was made to manage that data unencrypted at rest?" Gardner asked Smith [ex Equifax CEO]. Smith pointed out that encryption at rest is just one method of security, but eventually confirmed that a decision was made to leave customer data unencrypted at rest. "So, a decision was made to leave it unencrypted at rest?" Gardner pushed. "Correct," Smith responded.
8. How Much Does A Breach Cost?
The 2017 Cost of Data Breach Study from the Ponemon Institute, sponsored by IBM, puts the global average cost at $3.6 million ($7.3M in the US), or $141 per data record.
$7.3 Million USD
9. It’s Much More Than The Cost of Data
The breakdown of the cost of an Enterprise security breach
10. Embarrassingly Easy: Grab Cloud Credentials From GitHub
Why?
• Gain access
• Steal data, CC, PIN
• Host spamming, phishing, etc.
• Spin expensive mining servers
11. Embarrassingly Easy: Find Open S3 Buckets
IaaS platforms are massive targets for those with malicious intent. Security vulnerabilities are actively being searched for and exploited systematically.
Your open vulnerability, especially if in a common cloud service, will be found by ‘bad guys’ before you find it.
The race is on – who will find your security deviations first?
12. What Does The PCI DSS Standard Require?
It covers 12 requirements around information security controls and processes that fall into the following areas:
• Build and maintain a secure network
• Protect cardholder data
• Maintain a vulnerability management program
• Implement strong access control measures
• Maintain an information security policy
• Regularly monitor and test networks
13. You Have To Be Compliant, and Stay Compliant
*Source: Verizon 2017 Payment Security Report
58.4% of controls declined in compliance!
Requirement 3 (Protect stored cardholder data) saw the greatest increase in control gap, widening from 4.3% in 2015 to 21.5% in 2016.
Requirement 11 (Regularly test security) was the least well-sustained, with only 71.9% of organizations achieving full compliance.
14. Being PCI DSS Certified Does Not Mean You Are Secure
• Audits are performed periodically
• You are exposed in-between audits
• Audits are often remote vulnerability scans and might not identify all breaches
• CI/CD & DevOps environments change all the time and need to be continuously compliant
15. We Solved One Problem … And Created Another!
In the cloud, a single configuration change could expose an asset to the public.
Problem: The traditional gateway-centric approach doesn’t work
Solution: Native Cloud Network Segmentation
[Diagram: Public Cloud VPC with two Gateway FWs, four Security Groups and an Internal VM]
16. PCI In IaaS: If You Can, Start With A Clean Slate
https://aws.amazon.com/quickstart/architecture/accelerator-pci/
• AWS PCI DSS Templates
• Reference architecture
• Build guide
• It takes 30 minutes to build a WordPress app with a fully PCI DSS compliant architecture
But then you add more apps using different technology…
and you hire new staff or acquire new companies…
and a new business unit wants to do things differently…
17. I’m Convinced, But How Do I Get There From Here?
What AWS features, capabilities, and best practices can help us achieve and maintain PCI compliance?
18. Enable and Use All Monitoring Capabilities of AWS
Enable & use AWS CloudWatch (system monitoring) and CloudTrail (API monitoring). AWS CloudTrail logs all actions taken and is heavily recommended for the management of security groups. Event streams can be created from AWS CloudTrail that are very flexible thanks in part to AWS Lambda.
For example: when an instance is created, an event is captured with details via CloudTrail. Next, a response can be triggered via Lambda (via CloudWatch Events) that could, for example, measure conditions of the new workload (tags, attributes, network port exposure) and take action if required. Without the use of Lambda you can still process CloudTrail logs stored in S3 buckets on a regular interval and increase your visibility into key changes on your network.
19. Leverage CloudWatch Metric Filters & Alarms
Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms.
It is recommended that metric filters and alarms be established for detecting changes and conditions in your cloud accounts including:
• Monitoring changes to AWS Config
• AWS Management Console authentication failures
• IAM Policy Changes
• S3 Bucket Policy Changes
• Management Console sign-in without MFA
• … and much more!
20. Use Broad Port Permissions Very Sparingly
Avoid creating security policy with the least restrictive port access permissions, such as 0.0.0.0/0 (which is open to all).
For load balancers and/or web servers this can make sense, but all other app tiers need to only accept traffic from the other tiers expected to be involved in the transaction.
Automation to alert when overly permissive port conditions exist (this may include more than just 0.0.0.0/0) is recommended. Don’t wait for regular audits.
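The detection logic slides 18 through 20 describe, written here as an added Python example rather than code from the deck or from Dome9: it classifies CloudTrail records into the alert categories listed on slide 19, flags security-group ingress rules that are open to everyone or to an overly broad IPv4 block (the slide-20 case, which covers more than just 0.0.0.0/0), and exposes both the batch path (a CloudTrail log object read from S3) and the Lambda entry point that CloudWatch Events would invoke. The tolerated public ports, the /16 threshold, the subset of event names and the sample records are assumptions constructed for this example.

```python
import ipaddress
import json

# Assumptions for this example: a public source (0.0.0.0/0 or ::/0) is tolerated
# only on the ELB/web ports below, and any IPv4 block wider than /16 is flagged.
PUBLIC_OK_PORTS = {80, 443}
MAX_OPEN_PREFIX = 16

# eventName -> slide-19 alert category (a subset of the usual CIS-style filters).
CATEGORY = {
    "StopConfigurationRecorder": "aws-config-change",
    "DeleteDeliveryChannel": "aws-config-change",
    "PutUserPolicy": "iam-policy-change", "PutRolePolicy": "iam-policy-change",
    "AttachRolePolicy": "iam-policy-change", "CreatePolicy": "iam-policy-change",
    "PutBucketPolicy": "s3-bucket-policy-change", "PutBucketAcl": "s3-bucket-policy-change",
}

def check_ingress(record):
    """Findings for an AuthorizeSecurityGroupIngress record (slide 20)."""
    findings = []
    params = record.get("requestParameters", {})
    group = params.get("groupId", "?")
    # CloudTrail nests list fields as {"items": [...]}.
    for perm in params.get("ipPermissions", {}).get("items", []):
        lo, hi = perm.get("fromPort", 0), perm.get("toPort", 65535)
        cidrs = [r["cidrIp"] for r in perm.get("ipRanges", {}).get("items", [])]
        cidrs += [r["cidrIpv6"] for r in perm.get("ipv6Ranges", {}).get("items", [])]
        for cidr in cidrs:
            net = ipaddress.ip_network(cidr, strict=False)
            everyone = net.prefixlen == 0                 # 0.0.0.0/0 or ::/0
            broad = net.version == 4 and net.prefixlen < MAX_OPEN_PREFIX
            if everyone and lo == hi and lo in PUBLIC_OK_PORTS:
                continue                                  # expected on the ELB/web tier
            if everyone or broad:
                findings.append(f"{group}: {perm.get('ipProtocol')} "
                                f"{lo}-{hi} open to {cidr}")
    return findings

def evaluate(record):
    """Alert categories raised by one CloudTrail record (slide 19)."""
    name = record.get("eventName", "")
    if name == "ConsoleLogin":
        if record.get("responseElements", {}).get("ConsoleLogin") == "Failure":
            return ["console-auth-failure"]
        if record.get("additionalEventData", {}).get("MFAUsed") != "Yes":
            return ["console-login-without-mfa"]
        return []
    if name == "AuthorizeSecurityGroupIngress":
        return ["open-ingress " + f for f in check_ingress(record)]
    return [CATEGORY[name]] if name in CATEGORY else []

def scan_log_file(text):
    """Batch path (slide 18): one CloudTrail log object from S3, {"Records": [...]}."""
    return {r["eventID"]: a for r in json.loads(text)["Records"] if (a := evaluate(r))}

def lambda_handler(event, context=None):
    """Real-time path (slide 18): CloudWatch Events passes the record as 'detail'."""
    return evaluate(event["detail"])

# Constructed sample log; event IDs, bucket and group names are made up.
SAMPLE_LOG = json.dumps({"Records": [
    {"eventID": "e1", "eventName": "ConsoleLogin",
     "responseElements": {"ConsoleLogin": "Success"},
     "additionalEventData": {"MFAUsed": "No"}},
    {"eventID": "e2", "eventName": "PutBucketPolicy",
     "requestParameters": {"bucketName": "example-cde-logs"}},
    {"eventID": "e3", "eventName": "AuthorizeSecurityGroupIngress",
     "requestParameters": {"groupId": "sg-0example", "ipPermissions": {"items": [
         {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
          "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]}},         # SSH to the world
         {"ipProtocol": "tcp", "fromPort": 443, "toPort": 443,
          "ipv6Ranges": {"items": [{"cidrIpv6": "::/0"}]}},         # fine for an ELB
         {"ipProtocol": "tcp", "fromPort": 3306, "toPort": 3306,
          "ipRanges": {"items": [{"cidrIp": "10.0.0.0/8"}]}}]}}},   # broad, not /0
]})
```

`scan_log_file(SAMPLE_LOG)` is the offline entry point; in a Lambda, point `lambda_handler` at a CloudWatch Events rule for the CloudTrail event names above.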
21. Security Group Assignment Strategies
How many security groups for a standard multi-tiered web app is normal or preferred to balance manageability and security?
1) One security group cutting across multiple tiers is easy to configure, but creates too much exposure and is not recommended for production apps.
2) One security group for every resource is too cumbersome and tough to manage operationally – especially at scale.
3) Individual security groups for unique application tiers. For example: separate security groups for ELB, Web, App, DB and Cache tiers of your stack.
22. AWS S3 Security – Don’t Become Another Statistic!
Access Control List
• Assigned To Resources, Not Users
• Both Buckets and Objects
• No Explicit Denies
• XML
S3 Bucket Policy
• Assigned To Resources, Not Users
• Only Buckets, Not Objects Inside
• Explicit Denies
• JSON
IAM Policy
• Assigned To Users, Not Resources
• Both Buckets and Objects
• Can’t Be Used For Anonymous Access
• Explicit Denies
• JSON
Three access control methods means more complexity, and more complexity means more governance required.
The most restrictive privilege “wins”, which is the opposite of security groups.
Which access control method is right for you?
23. What S3 Access Control Option Is Right For You?
Requirement                          Access Control Option
Anonymous Access                     Bucket Policy or ACL*
Explicitly Deny Access by Resource   Bucket Policy
Explicitly Deny Access by User       IAM Policy
Provide Cross-Account Access         A Combo Of (bucket & IAM policy) or ACL*
Lots of policy detail/definition     IAM Policy or ACL*
Set Permissions On Specific Objects  IAM Policy or ACL*
* ACL is consistently listed as the second option as AWS recommends bucket and IAM policy over ACL
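A small model of the two evaluation rules slides 22 and 23 rely on, added here as an example and not part of the deck: an explicit Deny in either the IAM policy or the bucket policy wins over any Allow, a cross-account request needs an Allow from both the caller's IAM policy and the bucket policy (the "combo" row in the table), and a security group by contrast can only add access. The model is a simplification (no conditions, NotAction, ACLs, SCPs or session policies); the account IDs, ARNs, bucket name and policies are constructed for this example.

```python
import fnmatch

# Assumption: a minimal model of AWS authorization for S3, enough to show slides
# 22-23: an explicit Deny anywhere beats every Allow, and a cross-account request
# needs an Allow from BOTH the caller's IAM policy and the bucket policy.
# Conditions, NotAction/NotResource, ACLs, SCPs and session policies are left out.

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _principal_ok(stmt, caller_arn):
    """Bucket-policy statements name a Principal; IAM statements do not."""
    principal = stmt.get("Principal", "*")
    if principal == "*":
        return True
    return caller_arn in _as_list(principal.get("AWS", []))

def _effects(policy, caller_arn, action, resource):
    """Set of Effects from statements that cover this caller, action and resource."""
    hits = set()
    for stmt in policy.get("Statement", []):
        if (_principal_ok(stmt, caller_arn)
                and any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt["Action"]))
                and any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt["Resource"]))):
            hits.add(stmt["Effect"])
    return hits

def s3_decision(caller_arn, bucket_account, iam_policy, bucket_policy, action, resource):
    """'Allow' or 'Deny' for one S3 request; the caller's account is read from its ARN."""
    caller_account = caller_arn.split(":")[4]
    iam = _effects(iam_policy, caller_arn, action, resource)
    bucket = _effects(bucket_policy, caller_arn, action, resource)
    if "Deny" in iam or "Deny" in bucket:
        return "Deny"                            # most restrictive privilege wins
    if caller_account == bucket_account:         # same account: either policy may grant
        return "Allow" if "Allow" in (iam | bucket) else "Deny"
    return "Allow" if "Allow" in iam and "Allow" in bucket else "Deny"   # cross-account

def sg_decision(rules, port):
    """Security groups are the opposite: allow-only, so any matching rule opens the port."""
    return "Allow" if any(lo <= port <= hi for lo, hi in rules) else "Deny"

# Constructed sample policies; account IDs, ARNs and bucket name are made up.
BUCKET_ACCOUNT = "111111111111"
CDE = "arn:aws:s3:::example-cde-data"
APP_ROLE = "arn:aws:iam::111111111111:role/app"
PARTNER_ROLE = "arn:aws:iam::222222222222:role/partner"
IAM_FULL_S3 = {"Statement": [{"Effect": "Allow", "Action": "s3:*", "Resource": "*"}]}
IAM_NONE = {"Statement": []}
BUCKET_POLICY = {"Statement": [
    {"Effect": "Allow", "Principal": {"AWS": PARTNER_ROLE},
     "Action": "s3:GetObject", "Resource": CDE + "/reports/*"},
    {"Effect": "Deny", "Principal": "*",             # nobody deletes cardholder data
     "Action": "s3:DeleteObject", "Resource": CDE + "/*"}]}

def demo():
    """Decisions that illustrate the slides' claims; see the comments."""
    return {
        # same account, IAM grants s3:*, bucket policy silent -> allowed
        "app_get": s3_decision(APP_ROLE, BUCKET_ACCOUNT, IAM_FULL_S3, BUCKET_POLICY,
                               "s3:GetObject", CDE + "/cards/1.csv"),
        # same account, IAM grants s3:*, but the bucket policy explicitly denies -> denied
        "app_delete": s3_decision(APP_ROLE, BUCKET_ACCOUNT, IAM_FULL_S3, BUCKET_POLICY,
                                  "s3:DeleteObject", CDE + "/cards/1.csv"),
        # cross-account: bucket policy allows the partner AND its IAM policy allows -> allowed
        "partner_get": s3_decision(PARTNER_ROLE, BUCKET_ACCOUNT, IAM_FULL_S3, BUCKET_POLICY,
                                   "s3:GetObject", CDE + "/reports/q1.csv"),
        # cross-account: bucket policy allows the partner but no IAM allow -> denied
        "partner_no_iam": s3_decision(PARTNER_ROLE, BUCKET_ACCOUNT, IAM_NONE, BUCKET_POLICY,
                                      "s3:GetObject", CDE + "/reports/q1.csv"),
        # security group: a broader rule only ever adds access; there is no deny
        "sg_strict": sg_decision([(443, 443)], 22),
        "sg_loose": sg_decision([(443, 443), (0, 65535)], 22),
    }
```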
24. Plan for Exceptions – Plan For Reality
Plan for exceptions – a network port needs to be opened for maintenance, or a file has to be retrieved from an S3 bucket. A well designed change management process can help ease the pain of “swiss cheese firewall/bucket syndrome”.
If a port must be opened, or an ACL changed, ensure your change management process accounts for this – and follows up on the exception!
25. Bonus Best Practices
If you are using 3rd party tools to achieve any of the goals we have covered in our webinar session thus far, ensure that they are flexible enough to fit into your existing workflow instead of demanding organizational change. This means ensuring that you can control and pass data to and from the tool/solution in a non-interactive way, usually by leveraging the API of the toolset.
According to a supplement to the PCI DSS standard published by the PCI Standards Council in December 2016, the scope of PCI coverage has been expanded to include “connected-to or security-impacting systems”. This includes 3rd party tools and system components that impact the configuration or security of the Cardholder Data Environment (CDE).
26. Resources
• Verizon 2017 Payment Security Report - An in-depth look at PCI DSS compliance
• Deloitte 2016 Compliance Trends Survey
• Standardized Architecture for PCI DSS on the AWS Cloud - Quick Start Reference Deployment (AWS Quick Start Reference Team)