Posted to dev@cloudstack.apache.org by Upendra Moturi <up...@sungardas.com> on 2014/04/21 19:31:29 UTC

Cloudstack with PCI compliance

Hello Team,

Has anyone worked on making CloudStack PCI compliant?
Can you please point me to some documentation.

Re: Cloudstack with PCI compliance

Posted by ilya musayev <il...@gmail.com>.
At a previous company, we had to design a SOX- and PCI-compliant environment 
that leveraged CloudStack.

Can't go into great detail as it was some time back, but here are several 
things I recall:

1) Only open communication to specific hosts on specific ports (yes, I 
know it was obvious). We have documentation that describes what ports 
are used; I have a slide that breaks down the communication. I can try 
to find it.
2) Only a specific group of people (admins) could access the CloudStack 
management server (via VPN profile). The CloudStack management server 
resides on a separate VLAN and could only talk to its system VMs and 
management hosts.
3) Dual-homed NICs: system VMs usually had multiple interfaces; the 
solution was to put them all on one isolated network.
4) Abstract the frontend with another in-house dashboard and have 2 form auth.
5) Use the router VM only for DHCP, listening on port 67/udp; metadata is 
served by another service (a small custom-written Java app).

etc...

Regards
ilya


On 4/22/14, 2:52 AM, Uwe Kastens wrote:
> Hi there,
>
>
> That would be interesting for me as well
>
> Kind Regards
>
> Uwe
>
>
>
> 2014-04-21 19:31 GMT+02:00 Upendra Moturi <up...@sungardas.com>:
>
>> Hello Team,
>>
>> Has anyone worked on making CloudStack PCI compliant?
>> Can you please point me to some documentation.
>>
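
The controls ilya lists above (only specific hosts on specific ports, admin access to the management server over VPN, system VMs on a single isolated network, router VM used only for DHCP on 67/udp) can be written down as an allow-list and checked against what is actually observed on the wire, which is the kind of evidence a QSA asks for. The following is an added example, not code from this thread or from the CloudStack project: the subnets, addresses, flow records and listener lists are constructed, and the port numbers are assumptions about a typical deployment that must be replaced with the ports documented for your own installation.

```python
"""Segmentation allow-list check for a CloudStack control plane.

Added example: not code from the thread or from the CloudStack project.
It turns the listed controls (specific hosts/ports only, admin access to
the management server over VPN, system VMs on one isolated network,
router VM listening only on 67/udp) into data that can be checked against
observed flows. All addresses, subnets and listener lists are constructed;
the port numbers are assumptions about a typical deployment.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Assumed network layout (constructed for this example).
MGMT_VLAN = "10.10.0.0/24"     # CloudStack management server, own VLAN
VPN_POOL = "10.99.0.0/24"      # addresses handed to admins' VPN profiles
HYPERVISORS = "10.20.0.0/24"   # hosts running the CloudStack agent
SYSVM_NET = "10.30.0.0/24"     # the single isolated network for system VMs
GUEST_NET = "192.168.50.0/24"  # tenant VMs served by the router VM


@dataclass(frozen=True)
class Rule:
    src: str    # CIDR allowed to originate the flow
    dst: str    # CIDR of the destination
    proto: str  # "tcp" or "udp"
    port: int   # destination port
    why: str    # the control this rule implements (for the audit report)


# The allow-list. Anything not matched here is a finding.
ALLOW = [
    Rule(VPN_POOL, MGMT_VLAN, "tcp", 8080, "admins reach the UI/API only via VPN (assumed port)"),
    Rule(HYPERVISORS, MGMT_VLAN, "tcp", 8250, "agent to management server (assumed port)"),
    Rule(SYSVM_NET, MGMT_VLAN, "tcp", 8250, "system VM agents to management server (assumed port)"),
    Rule(MGMT_VLAN, SYSVM_NET, "tcp", 3922, "management server SSH to system VMs (assumed port)"),
    Rule(GUEST_NET, SYSVM_NET, "udp", 67, "router VM used only for DHCP"),
]


def permitted(src: str, dst: str, proto: str, port: int) -> bool:
    """True if some allow-list rule covers this flow."""
    s, d = ip_address(src), ip_address(dst)
    return any(
        s in ip_network(r.src) and d in ip_network(r.dst)
        and r.proto == proto and r.port == port
        for r in ALLOW
    )


def audit_flows(flows):
    """Return the observed flows the allow-list does not explain.

    Each flow is (src, dst, proto, dport), as you would get from flow
    logs or a firewall's accept log. An empty result means every
    observed connection maps to a documented control.
    """
    return [f for f in flows if not permitted(*f)]


def extra_listeners(listeners, allowed=frozenset({("udp", 67), ("tcp", 3922)})):
    """Return sockets a router VM exposes beyond what the design permits.

    The design allows only DHCP (67/udp); the management SSH port is
    added here as an assumption about how the management server reaches
    the VM. `listeners` is a list of (proto, port) pairs, e.g. parsed
    from `ss -lntu` output.
    """
    return [l for l in listeners if l not in allowed]


# Constructed sample data standing in for real flow logs and socket lists.
OBSERVED_FLOWS = [
    ("10.99.0.5", "10.10.0.10", "tcp", 8080),    # admin over VPN: covered
    ("10.20.0.7", "10.10.0.10", "tcp", 8250),    # hypervisor agent: covered
    ("10.10.0.10", "10.30.0.1", "tcp", 3922),    # management to system VM: covered
    ("192.168.50.20", "10.30.0.1", "udp", 67),   # guest DHCP: covered
    ("192.168.50.20", "10.30.0.1", "tcp", 80),   # guest to router VM HTTP: finding
    ("172.16.4.9", "10.10.0.10", "tcp", 8080),   # UI reached from outside the VPN: finding
]
ROUTER_VM_LISTENERS = [("udp", 67), ("tcp", 3922), ("tcp", 80)]

if __name__ == "__main__":
    for f in audit_flows(OBSERVED_FLOWS):
        print("unexplained flow:", f)
    for l in extra_listeners(ROUTER_VM_LISTENERS):
        print("router VM listener outside design:", l)
```

Feeding real flow logs into `audit_flows` turns the design into a recurring check rather than a one-off diagram: every flow either maps to a rule with a stated reason, or it is a finding to explain or close. The `why` field is what ends up in the documentation the next auditor reads.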


RE: Cloudstack with PCI compliance

Posted by Adrian Lewis <ad...@alsiconsulting.co.uk>.
"the auditors are different in their understanding of the guidelines" -
that's the tricky bit. PCI DSS is more of a guidance than a rigid and
defined set of rules. True, there are rules but many are open to
interpretation. There have been many arguments over whether or not shared
infrastructure can be truly segmented and this extends not only to
hypervisors but also to networking technologies such as VLANs and MPLS
where multiple organisations share a common medium. The PCI Council have
tried to address some of these issues with what they call 'information
supplements' but they're still not 100% prescriptive.

There is also the concept of a 'compensating control' where, should you
not be able to satisfy a requirement, you may be able to put other
controls in place which satisfy the intent of the original control. This
is not a good way to do it but could help as a last resort.

If you are acting as a service provider, you should probably work with a
QSA to put together your AOC and to document as much as possible so that
should a client's QSA come calling, you have everything in place to hand
over.

Basically, there's little to stop CloudStack being part of an in-scope
cardholder data environment but how you do it may be. As has already been
mentioned, there's no silver bullet to certify a technology as compliant;
only the company can be compliant and this is ultimately the end customer,
not the service provider.

-----Original Message-----
From: Chip Childers [mailto:chipchilders@apache.org]
Sent: 24 April 2014 14:57
To: users@cloudstack.apache.org
Subject: Re: Cloudstack with PCI compliance

CloudStack itself can never be PCI *compliant*...  only a company can be.
CloudStack can certainly be part of the technical architecture for an IT
environment (or service provider environment) that is being audited for
overall organizational compliance.

A service provider that offers a CloudStack-based cloud is also,
similarly, unable to really offer "compliance" for their customers.
They are only able to fulfill certain aspects of the required set of
controls, and support their customers during the PCI audit process *of
their customers*.

There really isn't a silver bullet here...  you have to have your own
answers for how the required controls are implemented (and for many, there
is an infinite number of possible implementation designs).

As for the docs for a "cloud" environment, check out:
https://www.pcisecuritystandards.org/pdfs/PCI_DSS_v2_Cloud_Guidelines.pdf

Keep in mind that it will absolutely depend on how things are being
audited.  Is the "CloudStack Cloud" external to the org trying for
compliance?  If so, the doc above would be the right choice for where to
start.  Is the CloudStack environment controlled by the org attempting
compliance?  If so, it's likely a combination of the Cloud Guidelines and
the Virtualization supplemental info.

Your best bet is to work with someone that knows the PCI process, and gets
how the controls are typically evaluated by the various auditors.
I've been through this before, and I can tell you that even the auditors
are different in their understanding of the guidelines.

-chip

On Thu, Apr 24, 2014 at 08:49:30AM -0400, Tim Mackey wrote:
> The real problem is in defining what is "in-scope" and "out-of-scope",
> and avoiding "mixed-mode".  This document (
> https://www.pcisecuritystandards.org/documents/Virtualization_InfoSupp
> _v2.pdf) provides a pretty good read of the suggested rules of the
> road for virtualization, but I'm not aware of a similar doc covering
> cloud.  Things like network topologies can mess stuff up quite
> quickly, and it's probably best to involve the customer's PCI QSA in
> the design.  A couple months back I was asked to comment on a pure
> XenServer environment for mixed-mode operations and the
> customer-accepted solution required both VLANs and OVS policy definition to
> secure cardholder data and meet the QSA goals.  Read that as "it's
> quite complicated and prone to opinions rather than hard standards"
>
> -tim
>
>
> On Thu, Apr 24, 2014 at 8:34 AM, Sebastien Goasguen <ru...@gmail.com> wrote:
>
> >
> > On Apr 22, 2014, at 5:52 AM, Uwe Kastens <ki...@googlemail.com>
wrote:
> >
> > > Hi there,
> > >
> > >
> > > That would be interesting for me as well
> > >
> > > Kind Regards
> > >
> > > Uwe
> > >
> > >
> > >
> > > 2014-04-21 19:31 GMT+02:00 Upendra Moturi <upendra.moturi@sungardas.com>:
> > >
> > >> Hello Team,
> > >>
> > >> Has anyone worked on making CloudStack PCI compliant?
> > >> Can you please point me to some documentation.
> > >>
> >
> > Haven't worked on it and over my head, but that's a big question. I
> > actually asked a friend on twitter :) The answer was interesting
> > "CloudStack can facilitate PCI compliance but not *be* PCI
> > compliant"
> >
> > -sebastien
> >
> >

Re: Cloudstack with PCI compliance

Posted by Shanker Balan <sh...@shapeblue.com>.
Hi Chip,


On 24-Apr-2014, at 7:26 pm, Chip Childers <ch...@apache.org> wrote:

> CloudStack itself can never be PCI *compliant*...  only a company can
> be.  CloudStack can certainly be part of the technical architecture for
> an IT environment (or service provider environment) that is being
> audited for overall organizational compliance.


Your comments are very timely and spot on as I just completed a
PCI DSS compliance exercise for an AWS VPC deployment.

Regards.

--
@shankerbalan

M: +91 98860 60539 | O: +91 (80) 67935867
shanker.balan@shapeblue.com | www.shapeblue.com | Twitter:@shapeblue
ShapeBlue Services India LLP, 22nd floor, Unit 2201A, World Trade Centre, Bangalore - 560 055


Re: Cloudstack with PCI compliance

Posted by Chip Childers <ch...@apache.org>.
CloudStack itself can never be PCI *compliant*...  only a company can
be.  CloudStack can certainly be part of the technical architecture for
an IT environment (or service provider environment) that is being
audited for overall organizational compliance.

A service provider that offers a CloudStack-based cloud is also,
similarly, unable to really offer "compliance" for their customers.
They are only able to fulfill certain aspects of the required set of
controls, and support their customers during the PCI audit process *of
their customers*.

There really isn't a silver bullet here...  you have to have your own
answers for how the required controls are implemented (and for many,
there is an infinite number of possible implementation designs).

As for the docs for a "cloud" environment, check out:
https://www.pcisecuritystandards.org/pdfs/PCI_DSS_v2_Cloud_Guidelines.pdf

Keep in mind that it will absolutely depend on how things are being
audited.  Is the "CloudStack Cloud" external to the org trying for
compliance?  If so, the doc above would be the right choice for where to
start.  Is the CloudStack environment controlled by the org attempting
compliance?  If so, it's likely a combination of the Cloud Guidelines
and the Virtualization supplemental info.

Your best bet is to work with someone that knows the PCI process, and
gets how the controls are typically evaluated by the various auditors.
I've been through this before, and I can tell you that even the auditors
are different in their understanding of the guidelines.

-chip

On Thu, Apr 24, 2014 at 08:49:30AM -0400, Tim Mackey wrote:
> The real problem is in defining what is "in-scope" and "out-of-scope", and
> avoiding "mixed-mode".  This document (
> https://www.pcisecuritystandards.org/documents/Virtualization_InfoSupp_v2.pdf)
> provides a pretty good read of the suggested rules of the road for
> virtualization, but I'm not aware of a similar doc covering cloud.  Things
> like network topologies can mess stuff up quite quickly, and it's probably
> best to involve the customer's PCI QSA in the design.  A couple months back
> I was asked to comment on a pure XenServer environment for mixed-mode
> operations and the customer-accepted solution required both VLANs and OVS
> policy definition to secure cardholder data and meet the QSA goals.  Read
> that as "it's quite complicated and prone to opinions rather than hard
> standards"
> 
> -tim
> 
> 
> On Thu, Apr 24, 2014 at 8:34 AM, Sebastien Goasguen <ru...@gmail.com> wrote:
> 
> >
> > On Apr 22, 2014, at 5:52 AM, Uwe Kastens <ki...@googlemail.com> wrote:
> >
> > > Hi there,
> > >
> > >
> > > That would be interesting for me as well
> > >
> > > Kind Regards
> > >
> > > Uwe
> > >
> > >
> > >
> > > 2014-04-21 19:31 GMT+02:00 Upendra Moturi <upendra.moturi@sungardas.com>:
> > >
> > >> Hello Team,
> > >>
> > >> Has anyone worked on making CloudStack PCI compliant?
> > >> Can you please point me to some documentation.
> > >>
> >
> > Haven't worked on it and over my head, but that's a big question. I
> > actually asked a friend on twitter :)
> > The answer was interesting "CloudStack can facilitate PCI compliance but
> > not *be* PCI compliant"
> >
> > -sebastien
> >
> >

Re: Cloudstack with PCI compliance

Posted by Tim Mackey <tm...@gmail.com>.
The real problem is in defining what is "in-scope" and "out-of-scope", and
avoiding "mixed-mode".  This document (
https://www.pcisecuritystandards.org/documents/Virtualization_InfoSupp_v2.pdf)
provides a pretty good read of the suggested rules of the road for
virtualization, but I'm not aware of a similar doc covering cloud.  Things
like network topologies can mess stuff up quite quickly, and it's probably
best to involve the customer's PCI QSA in the design.  A couple months back
I was asked to comment on a pure XenServer environment for mixed-mode
operations and the customer-accepted solution required both VLANs and OVS
policy definition to secure cardholder data and meet the QSA goals.  Read
that as "it's quite complicated and prone to opinions rather than hard
standards"

-tim


On Thu, Apr 24, 2014 at 8:34 AM, Sebastien Goasguen <ru...@gmail.com> wrote:

>
> On Apr 22, 2014, at 5:52 AM, Uwe Kastens <ki...@googlemail.com> wrote:
>
> > Hi there,
> >
> >
> > That would be interesting for me as well
> >
> > Kind Regards
> >
> > Uwe
> >
> >
> >
> > 2014-04-21 19:31 GMT+02:00 Upendra Moturi <upendra.moturi@sungardas.com>:
> >
> >> Hello Team,
> >>
> >> Has anyone worked on making CloudStack PCI compliant?
> >> Can you please point me to some documentation.
> >>
>
> Haven't worked on it and over my head, but that's a big question. I
> actually asked a friend on twitter :)
> The answer was interesting "CloudStack can facilitate PCI compliance but
> not *be* PCI compliant"
>
> -sebastien
>
>

Re: Cloudstack with PCI compliance

Posted by Sebastien Goasguen <ru...@gmail.com>.
On Apr 22, 2014, at 5:52 AM, Uwe Kastens <ki...@googlemail.com> wrote:

> Hi there,
> 
> 
> That would be interesting for me as well
> 
> Kind Regards
> 
> Uwe
> 
> 
> 
> 2014-04-21 19:31 GMT+02:00 Upendra Moturi <up...@sungardas.com>:
> 
>> Hello Team,
>> 
>> Has anyone worked on making CloudStack PCI compliant?
>> Can you please point me to some documentation.
>> 

Haven't worked on it and over my head, but that's a big question. I actually asked a friend on twitter :)
The answer was interesting "CloudStack can facilitate PCI compliance but not *be* PCI compliant"

-sebastien


Re: Cloudstack with PCI compliance

Posted by Uwe Kastens <ki...@googlemail.com>.
Hi there,


That would be interesting for me as well

Kind Regards

Uwe



2014-04-21 19:31 GMT+02:00 Upendra Moturi <up...@sungardas.com>:

> Hello Team,
>
> Has anyone worked on making CloudStack PCI compliant?
> Can you please point me to some documentation.
>