Dr David Ross is the Chief Information Security Officer for Bridge Point Communications. He is a Chartered Professional Engineer, Payment Card Industry Qualified Security Assessor, Founding Director of the Cloud Security Alliance Australian Chapter, IT security consultant, part-time university lecturer, private aircraft pilot, husband and father of five.
David completed a PhD in wireless network security, with the Information Security Institute at QUT. He has worked in the computer industry for 20 years and specifically in IT security for over half of that. He also undertakes casual teaching with The University of Queensland and the Queensland University of Technology from time to time.
His consulting roles typically involve security infrastructure development and review, enterprise architecture and information security policy development for the finance, resources and government sectors, as well as consulting in specialist areas of government and enterprise PKI, 802.1X and 802.11 networking security.
Moving Credit Card Data into the Cloud
Cloud security is a burgeoning area of current research, with the Australian Defence Signals Directorate (DSD), the US National Institute of Standards and Technology (NIST), and the global Cloud Security Alliance (CSA) releasing research papers, guidelines, and tools to support information security in the cloud on an almost weekly basis. This is coupled with the equally regular commentaries on cloud security from other operational organisations such as the US National Security Agency (NSA), Central Intelligence Agency (CIA), and the Australian Federal Police (AFP).
On top of all of this, specialist areas, such as the Payment Card Industry Security Standards Council’s (PCI SSC) Data Security Standard (PCI DSS), also provide their own special take on cloud security threats, requirements, and challenges.
The author is a Founding Director of the Cloud Security Alliance Australian Chapter and also a Payment Card Industry Qualified Security Assessor (PCI QSA), and so brings a unique perspective to the emerging debates in the area.
This presentation looks at the nuances of using virtualisation and cloud computing resources for the transmission, processing and storage of credit card data. It details the considerations not only for general virtualisation cases, extensions into a private cloud, and the commercially available public cloud options that are certified for PCI compliance at a premium, but also for the use of cardholder data (CHD) with general, inexpensive cloud computing resources, be they private, public, or hybrid.
While Australia has yet to follow the majority of US states in mandating disclosure of security breaches, including payment card compromises, it is still the case, even in Australia, that company directors are vicariously liable for the performance of their companies. The payment card industry itself is very active in both threatening and applying financial penalties to Australian organisations, not only for actual breaches but also for failures to act on non-compliance with the PCI DSS.
Unlike the majority of cloud and PCI compliance presentations that will emerge this year, which focus on the negative aspects and the digital terror induced in the name of PCI compliance, this presentation provides an actual PCI QSA auditor's viewpoint of just what cardholder data can be processed with various cloud offerings, and what particular threats, caveats and requirements apply in each case, along with real, practical examples of what can be achieved in virtualisation in general and cloud computing in particular, while still maintaining a company's PCI compliant standing.
By the end of this presentation, the audience will have gained an understanding of the particular implications of credit card data combined with virtualisation technologies and cloud computing services.
The PCI DSS does have companion guidelines for virtualisation security, including cloud security. However, these guidelines provide little insight into the PCI SSC's, or indeed your QSA's, requirements and expectations in regard to cloud security. Most merchants and organisations dealing face-to-face with cardholders do not realise that using a "PCI-certified" cloud service does not discharge their PCI responsibilities and does not in fact make them PCI compliant. As always, the devil is in the detail, and in the case of cloud services there is a lot of detail to be considered.
In fact, it may even be the case that appropriately protected CHD can be transmitted and even stored in generic public cloud services with no requirement for the provider to have any form of PCI certification at all. The question remains just what CHD can a cloud service customer store in the various private and public cloud offerings.
One of the major concerns of storing card data in the cloud is the control and ownership of that data and even the various locations in the world where it is stored. This introduces numerous problems not only from a security standpoint, but also from legal jurisdiction arrangements and their resulting implications.
The principal challenge of placing card data in the cloud is control of the data itself and the data owner's ability to validate the security controls that are applied to, or indeed essential for, the handling of such data within cloud services. While many would assume that credit card data could not possibly be stored, processed, or transmitted in a public cloud service that was not already certified as PCI compliant, this presentation will show that this is not always the case and that there are, indeed, ways of transmitting and storing cardholder data within the various public cloud offerings.
The PCI DSS does not prohibit the use of payment card data with cloud services per se; it merely imposes limitations on the manner in which cardholder data can be used with such services, in order to maintain control and security over the CHD that remains the company's responsibility.
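As an added illustration of what "appropriately protected" CHD can look like in practice (example code written for this page, not material from the presentation), the following shows one common scope-reduction pattern: the merchant keeps a token vault and its HMAC index key inside its own PCI scope, and the public cloud store receives only a masked PAN and an opaque token, with sensitive authentication data dropped entirely. The vault design, field names and key are assumptions for the example, not anything the abstract specifies.

```python
import hashlib
import hmac
import re
import secrets

# Assumed (not from the abstract): the merchant keeps a token vault inside its own
# PCI scope; the public cloud store only ever receives the masked PAN and an
# opaque token, never the full PAN or any sensitive authentication data.
SENSITIVE_AUTH_DATA = {"cvv", "cvv2", "cvc2", "pin", "track1", "track2"}

def luhn_valid(pan: str) -> bool:
    """Mod-10 check digit test that every real PAN passes."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def mask_pan(pan: str) -> str:
    """Keep at most the first six and last four digits (the PCI DSS masking limit)."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]

class TokenVault:
    """In-scope lookup table; the HMAC index key never leaves the merchant."""
    def __init__(self, index_key: bytes):
        self._key = index_key
        self._pan_by_token = {}
        self._token_by_index = {}

    def tokenize(self, pan: str) -> str:
        if not re.fullmatch(r"\d{13,19}", pan) or not luhn_valid(pan):
            raise ValueError("not a plausible PAN")
        # Keyed index: same card -> same token, without storing a bare PAN hash.
        idx = hmac.new(self._key, pan.encode(), hashlib.sha256).hexdigest()
        if idx not in self._token_by_index:
            token = secrets.token_hex(16)  # random, so not reversible without the vault
            self._token_by_index[idx] = token
            self._pan_by_token[token] = pan
        return self._token_by_index[idx]

    def detokenize(self, token: str) -> str:
        return self._pan_by_token[token]

def cloud_record(vault: TokenVault, txn: dict) -> dict:
    """Build the record the out-of-scope cloud store is allowed to receive."""
    safe = {k: v for k, v in txn.items() if k not in SENSITIVE_AUTH_DATA | {"pan"}}
    safe["pan_masked"] = mask_pan(txn["pan"])
    safe["pan_token"] = vault.tokenize(txn["pan"])
    return safe
```

Whether such a design actually takes the cloud provider out of scope is a question for the merchant's QSA; the point shown here is that the full PAN and the key material never leave the merchant.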
This presentation provides examples of architectures that are acceptable from a QSA standpoint, covering virtualisation implementations as well as private and public cloud services, and illustrates these with real-world cases of both acceptable and non-compliant solutions from organisations operating both inside and outside Australia.
In summary, the presentation walks the audience through the peculiarities of moving a cardholder data environment (CDE) from physical networks, devices, and servers into virtualised networks, devices, and servers, with the added complexities of the loss of physical separation of environments, the loss of various physical protection mechanisms, the hypervisor itself, and RBAC for the virtualisation consoles; through expansion to private cloud services, with the added complexities of the separation of responsibilities between the service provider and the service consumers across the various offerings; to deployment into public cloud services, with the added complexities of multi-tenancy, physical locations, legal jurisdictions, contractual agreements and foreign powers.
The presentation concludes with a succinct set of recommendations and further reading, with an update on the activities in the Cloud Security Alliance Australia Chapter.
Copyright © 2012 The University of Queensland, authorised by AusCERT Program Committee, maintained by: auscert@auscert.org.au