Sunday, June 28, 2009

Clouds and the VPN

Question:
Do I need VPNs in the cloud?

Answer:
There are several questions regarding the necessity of VPNs in the cloud.

I think the first step is to clarify the concept of cloud. Currently the word “cloud” is used interchangeably for TelCo service provider transport clouds (Network Clouds, e.g. MPLS) and cloud computing web services that provide resizable compute capacity as a cloud (like Amazon EC2). We can also define private service providers like SaaS providers and managed service providers (MSPs) as cloud/utility providers (like force.com from salesforce.com, or webroot SaaS). Here are some articles defining cloud and transport options:
http://www.eecs.berkeley.edu/Pubs/TechRpts/2009/EECS-2009-28.pdf
http://mediaproducts.gartner.com/reprints/f5networks/vol3/article4/article4.html


When the necessity of VPNs in the cloud is analyzed, it is obvious that encryption is indeed one of the key pillars of modern information security, and VPNs do provide confidentiality and integrity for data in transit. When cloud networks transport the data, they should provide integrity and confidentiality for it. That being said, this does not have to happen at layer 3 (IPSEC) or layer 6 (SSL), so focusing on an IPSEC client does not help to address the issue. Confidentiality and integrity services can also be provided by the applications themselves. When data is critical you may certainly encrypt it at the application layer (e.g. with rights management solutions).

Here is the high-level status of VPNs in the cloud:

1- TelCo Network Clouds (Service Provider) – This is the most interesting part. TelCos claim that their shared infrastructure and MPLS VPNs are secure. This is questionable (see the articles below), but the answer depends on the security needed.
If the service provider cloud is not trusted enough, you can always encrypt at another layer (usually in the application). I personally believe that cloud service providers (TelCos) must be subject to heavier inspection when they transport almost all of the inter-site traffic. Here are some articles discussing the issue:
http://www.blackhat.com/presentations/bh-europe-06/bh-eu-06-Rey-up.pdf
http://www.techworld.com/networking/features/index.cfm?featureid=3360

I also do not understand why TelCos are exempt from security regulations (PCI is a good example). TelCos (and their admins, applications, helpdesk people, servers, cable guys…) do have access to almost all inter-office data traffic when an MPLS type of TelCo backbone is used. And when the MPLS cloud is compromised, all clear text (yes, even the tunneled traffic) will be compromised. Real encryption is rarely used. TelCos have been promoting themselves as secure service providers while promoting layered tunnels as segmentation, but I believe they must back these claims with 3rd party certifications and by allowing encryption-friendly clouds (where keys are held by the data custodians).
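What "encrypt at another layer, with the application" looks like in working code, as an added example that is not part of the original post: a record is sealed with AES-256-GCM before it enters the carrier's MPLS cloud, the key stays with the data custodian, and the carrier sees only opaque bytes plus the routing header it needs; any alteration in transit is rejected rather than decrypted. The all-zero demo key, the sample headers and the payload are constructed for this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// newGCM builds an AES-GCM AEAD from a 16/24/32-byte key held by the data custodian.
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts and authenticates plaintext; aad (e.g. a routing header the carrier
// must read) stays in clear but is covered by the tag. Output: nonce || ciphertext || tag.
func Seal(key, aad, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize()) // fresh random 96-bit nonce per message
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// Open checks the tag first: a flipped bit in ciphertext, tag or clear-text aad fails loudly.
func Open(key, aad, envelope []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if n := gcm.NonceSize(); len(envelope) >= n {
		return gcm.Open(nil, envelope[:n], envelope[n:], aad)
	}
	return nil, fmt.Errorf("envelope too short (%d bytes)", len(envelope))
}

func main() {
	key := make([]byte, 32) // constructed all-zero demo key; real keys come from the custodian's KMS
	env, _ := Seal(key, []byte("siteA->siteB"), []byte("payroll batch 42"))
	_, err := Open(key, []byte("siteA->siteC"), env) // header altered in transit
	fmt.Println(len(env), "opaque bytes on the wire; altered header rejected:", err != nil)
}
```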

2- Cloud Computing providers: These providers addressed encryption at their inception thanks to their security-aware generation. Before encryption there are several other questions to answer. Here is my post on generic cloud computing security issues: http://security.24kasim.org/2009/02/cloud-computing-security.html

3- SaaS providers: SSL looks like the king at these providers. Segregation of customer data, and customer driven/controlled encryption for data at rest and data in transit, is required. For data in transit, SSL is secure enough when proper authentication/cert management is provided.
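What "proper authentication/cert management" means on the client side, as an added example that is not from the original post: the client accepts the SaaS server only if its certificate chains to a root the client trusts and carries the expected host name; either check failing means the session is encrypted to an unknown party. The private CA, the host name saas.example.com and all key material are constructed for this example, not real PKI data.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue signs template with the parent's private key (self-signed when parent == template).
func issue(template, parent *x509.Certificate, pub, priv interface{}) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, template, parent, pub, priv)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// BuildChain constructs a throwaway private CA and a server certificate for host (demo stand-ins).
func BuildChain(host string) (ca, leaf *x509.Certificate, err error) {
	caKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	leafKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	now := time.Now()
	caTpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Custodian Root"},
		NotBefore: now, NotAfter: now.Add(24 * time.Hour), IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	if ca, err = issue(caTpl, caTpl, &caKey.PublicKey, caKey); err != nil {
		return
	}
	leafTpl := &x509.Certificate{SerialNumber: big.NewInt(2), DNSNames: []string{host},
		NotBefore: now, NotAfter: now.Add(24 * time.Hour)}
	leaf, err = issue(leafTpl, ca, &leafKey.PublicKey, caKey)
	return
}

// ServerAuthenticated is the client check: chain to a root we trust AND a host name match.
func ServerAuthenticated(leaf *x509.Certificate, roots *x509.CertPool, host string) bool {
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	return err == nil
}

func main() {
	ca, leaf, _ := BuildChain("saas.example.com")
	pool := x509.NewCertPool()
	pool.AddCert(ca)
	fmt.Println(ServerAuthenticated(leaf, pool, "saas.example.com"), ServerAuthenticated(leaf, pool, "other.example.com"))
}
```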

I still follow the following basic principles when I evaluate a platform. Regardless of the nature of the technology, all platforms (clouds and others) should properly address the following areas of information security:
1- Authentication
2- Authorization
3- Confidentiality
4- Integrity
5- Non-Repudiation

cheers,
- yinal

Monday, June 1, 2009

PCI Levels and Validation Requirements for Merchants 2009

This topic is always in the air, so here are the official numbers for 2009 from the PCI Security Standards Council, the official governing body for the PCI requirements for merchants:

Facts:

- Payment Brands determine Merchant PCI levels. Payment Brands are Visa, MasterCard, Discover, Amex etc. They have the last word on this topic

- Transaction volume is determined by the Acquirer

- Transaction volume is the aggregate number of transactions (chain stores do count if cards are processed centrally)

Amex

Level 1- Over 2.5 Million Amex card transactions/year, or any merchant who is Level 1 according to another Payment Brand

Action: Annual Onsite QSA or Internal Audit signed by Merchant Co, Quarterly ASV scans


Level 2- 50,000 to 2.5 Million Amex transactions/year, or any merchant who is Level 2 according to another Payment Brand

Action: EU only annual SAQ, Quarterly ASV scans

Level 3- Less than 50,000 Amex transactions/year

Action: Quarterly ASV scans (recommended), EU only SAQ (recommended)

Level 4- N/A

Action: None

Discover

Level 1 - Over 6 Million Discover card transactions/year, any merchant Discover designates as Level 1 (discretionary), or any merchant who is validated/reported as Level-1 to another Payment Brand

Action: Annual Onsite QSA or Internal Audit signed by Merchant Co, Quarterly ASV scans

Level 2- 1-6 Million Discover transactions/year, or any merchant who is validated/reported as Level-2 to another Payment Brand

Action: Annual SAQ, Quarterly ASV scans

Level 3- 20,000 to 1 Million Discover transactions/year, or any merchant who is validated/reported as Level-3 to another Payment Brand

Action: Annual SAQ, Quarterly ASV

Level 4- Everybody else with Discover card processing

Action: Determined by Acquirer, Annual SAQ, Quarterly ASV recommended

JCB

Level 1 - Over 1 Million JCB card transactions/year, or any merchant that has been compromised

Action: Annual Onsite QSA audit, Quarterly ASV scans

Level 2- Less than 1 Million JCB transactions/year

Action: Annual SAQ, Quarterly ASV scans

Level 3- N/A

Action: none

Level 4- N/A

Action: None

MasterCard

Level 1- Over 6 Million MasterCard card transactions/year, or any merchant who is Level 1 according to another Payment Brand, or any merchant that has been compromised

Action: Annual Onsite QSA or Internal Audit signed by Merchant Co, Quarterly ASV scans

Level 2- 1-6 Million Mastercard transactions/year, or any merchant who is validated/reported as Level-2 to another Payment Brand

Action: Annual SAQ, Quarterly ASV scans

Level 3- 20,000 to 1 Million MasterCard “e-commerce” transactions/year, or any merchant who is validated/reported as Level-3 to another Payment Brand

Action: Annual SAQ, Quarterly ASV

Level 4- All other Mastercard merchants

Action: Compliance validation is at discretion of acquirer: Annual SAQ, Quarterly ASV recommended

Visa Inc

Level 1- Over 6 Million Visa card transactions/year (all transactions not just e-commerce), or any global merchant who is identified as Level 1 by Visa by any Visa Region

Action: Annual Onsite QSA or Internal Audit signed by Merchant Co, Quarterly ASV scans and attestation of compliance form

Level 2- 1 Million to 6 Million Visa card transactions/year (all transactions not just e-commerce),

Action: Annual SAQ, Quarterly ASV scans and attestation of compliance form

Level 3- 20,000 to 1 Million Visa “e-commerce” transactions/year

Action: Annual SAQ (In Canada SAQs require QSA reviews), Quarterly ASV

Level 4- Merchants processing less than 20,000 e-commerce transactions/year, or merchants processing up to 1M Visa transactions/year over any channel

Action: Compliance validation is at discretion of acquirer: Annual SAQ, Quarterly ASV recommended

Visa Europe

Level 1- Over 6 Million Visa card transactions/year (all transactions not just e-commerce), or compromised merchants

Action: Annual Onsite QSA or Internal Audit signed by Merchant Co, Quarterly ASV scans and attestation of compliance form

Level 2- 1 Million to 6 Million Visa card transactions/year (all transactions not just e-commerce),

Action: Annual SAQ, Quarterly ASV scans and attestation of compliance form

Level 3- 1 (one) to 1 Million Visa “e-commerce” transactions/year

Action: Annual SAQ, Quarterly ASV or use PCI DSS certified processor for all transactions

Level 4- Merchants processing up to 1 Million any channel Visa transactions/year

Action: Compliance validation is at discretion of acquirer: Annual SAQ, Quarterly ASV recommended

Of course all parties who process, store or transmit credit card data must follow the PCI requirements (PCI-DSS) regardless of their level.

I will cover reporting requirements for merchants in another post.