|By Application Security||
|February 27, 2013 11:00 AM EST||
This month the Cloud SIG of the PCI Security Standards Council released supplemental guidelines covering cloud computing. We’re happy to see APIs included as a recognized attack surface. As this document makes clear, responsibility for compliance for cloud-hosted data and services is shared between the client and the provider. API providers moving to the cloud should pay close attention to this document: Section 6.5.5 covers Security of Interfaces and APIs, while Appendix D covers implementation considerations that include API-related topics. For cloud-hosted systems, an API gateway can simplify implementation, secure PII and PAN data in motion, provide compliance and ensure auditability in these areas.
The last paragraph of Section 6.5.5 reads:
APIs and other public interfaces should be designed to prevent both accidental misuse and malicious attempts to bypass security policy. Strong authentication and access controls, strong cryptography, and real-time monitoring are examples of controls that should be in place to protect these interfaces.
While Appendix D: PCI DSS Implementation Considerations asks:
- Are API interfaces standardized?
- Are APIs configured to enforce strong cryptography and authentication?
- How are APIs and web services protected from vulnerabilities?
- Are standardized interfaces and coding languages used?
- How is user authentication applied at different levels?
Using a service gateway can ensure that access controls, PII and PAN encryption, and monitoring are consistently applied and enforced for all APIs. This in turn reduces the likelihood that a single poorly-coded or overlooked API will compromise the entire system. Enhanced vulnerability protection is provided by a centralized point to turn away malicious exploits such as SQL injection or Cross-site scripting (XSS) attempts. This control point also provides data leak protection for data leaving the enterprise. The use of a gateway also allows the API provider to construct a consistent façade with standardized interfaces to be utilized for all exposed APIs and web services.
Another area where a gateway can help with PCI-DSS compliance is in containing audit scope via tokenization. One of the design considerations for protecting cardholder data asks:
Where are the “known” data storage locations?
Using a gateway that supports tokenization can limit PCI scope to the gateway device itself. The gateway can then be hosted on a higher-tier hosting platform (e.g. a Virtual Private Cloud) while allowing logic servers without access to cardholder data to be hosted on a more cost-effective, multi-tenant platform. A common model here is to tokenize PAN data as it enters the datacenter, minimizing scope impact, which can be done using proxy tokenization in the API gateway. This usage model is ideal for ecommerce retailers that accept credit card data over an HTML form post or other HTTP interface.
For help assessing tokenization option options, we have made available a Buyer’s Guide: Tokenization for PCI DSS. For the broader view covering other security gateway usage models, we are also sharing the Buyer’s Guide: Gateway Security. Finally, we’d refer readers to the Cloud Builders program’s Cloud Security Reference Architecture for some ready-made blueprints and cloud software management platforms.
The post New PCI DSS Cloud Computing Guidelines – Are you compliant? appeared first on Security [email protected].
In his session at Cloud Expo, Robert Cohen, an economist and senior fellow at the Economic Strategy Institute, will provide economic scenarios that describe how the rapid adoption of software-defined everything including cloud services, SDDC and open networking will change GDP, industry growth, productivity and jobs. This session will also include a drill down for several industries such as finance, social media, cloud service providers and pharmaceuticals.
Oct. 27, 2016 10:30 AM EDT Reads: 2,073
We are always online. We access our data, our finances, work, and various services on the Internet. But we live in a congested world of information in which the roads were built two decades ago. The quest for better, faster Internet routing has been around for a decade, but nobody solved this problem. We’ve seen band aid approaches like CDNs that attack a niche's slice of static content part of the Internet, but that’s it. It does not address the dynamic services-based Internet of today. It doe...
Oct. 27, 2016 10:15 AM EDT Reads: 2,007
Ask someone to architect an Internet of Things (IoT) solution and you are guaranteed to see a reference to the cloud. This would lead you to believe that IoT requires the cloud to exist. However, there are many IoT use cases where the cloud is not feasible or desirable. In his session at @ThingsExpo, Dave McCarthy, Director of Products at Bsquare Corporation, will discuss the strategies that exist to extend intelligence directly to IoT devices and sensors, freeing them from the constraints of ...
Oct. 27, 2016 10:15 AM EDT Reads: 3,198
[session] Business Disruptions with Intelligent Machines By @SuJamthe | @ThingsExpo #AI #IoT #M2M #MachineLearning
Intelligent machines are here. Robots, self-driving cars, drones, bots and many IoT devices are becoming smarter with Machine Learning. In her session at @ThingsExpo, Sudha Jamthe, CEO of IoTDisruptions.com, will discuss the next wave of business disruption at the junction of IoT and AI, impacting many industries and set to change our lives, work and world as we know it.
Oct. 27, 2016 10:02 AM EDT Reads: 111
DevOps is being widely accepted (if not fully adopted) as essential in enterprise IT. But as Enterprise DevOps gains maturity, expands scope, and increases velocity, the need for data-driven decisions across teams becomes more acute. DevOps teams in any modern business must wrangle the ‘digital exhaust’ from the delivery toolchain, "pervasive" and "cognitive" computing, APIs and services, mobile devices and applications, the Internet of Things, and now even blockchain. In this power panel at @...
Oct. 27, 2016 09:15 AM EDT Reads: 2,155
By now most people have either created their configuration management solution or are just embarking on this journey. In his session at @DevOpsSummit at 19th Cloud Expo, Marco Ceppi, a DevOps Engineer working at Canonical, will discuss how to take configuration management to the next level with modelling and orchestration. He will also discuss how and why people are moving from a machine-centric view to a service/application-oriented view of deployments, and how you can leverage the knowledge a...
Oct. 27, 2016 09:00 AM EDT Reads: 2,046
@ThingsExpo has been named the Top 5 Most Influential M2M Brand by Onalytica in the ‘Machine to Machine: Top 100 Influencers and Brands.' Onalytica analyzed the online debate on M2M by looking at over 85,000 tweets to provide the most influential individuals and brands that drive the discussion. According to Onalytica the "analysis showed a very engaged community with a lot of interactive tweets. The M2M discussion seems to be more fragmented and driven by some of the major brands present in the...
Oct. 27, 2016 08:45 AM EDT Reads: 11,585
In the 21st century, security on the Internet has become one of the most important issues. We hear more and more about cyber-attacks on the websites of large corporations, banks and even small businesses. When online we’re concerned not only for our own safety but also our privacy. We have to know that hackers usually start their preparation by investigating the private information of admins – the habits, interests, visited websites and so on. On the other hand, our own security is in danger bec...
Oct. 27, 2016 08:15 AM EDT Reads: 522
Enterprises have been using both Big Data and virtualization for years. Until recently, however, most enterprises have not combined the two. Big Data's demands for higher levels of performance, the ability to control quality-of-service (QoS), and the ability to adhere to SLAs have kept it on bare metal, apart from the modern data center cloud. With recent technology innovations, we've seen the advantages of bare metal erode to such a degree that the enhanced flexibility and reduced costs that cl...
Oct. 27, 2016 07:45 AM EDT Reads: 520
Fact: storage performance problems have only gotten more complicated, as applications not only have become largely virtualized, but also have moved to cloud-based infrastructures. Storage performance in virtualized environments isn’t just about IOPS anymore. Instead, you need to guarantee performance for individual VMs, helping applications maintain performance as the number of VMs continues to go up in real time. In his session at Cloud Expo, Dhiraj Sehgal, Product and Marketing at Tintri, wil...
Oct. 27, 2016 07:30 AM EDT Reads: 1,951
As software becomes more and more complex, we, as software developers, have been splitting up our code into smaller and smaller components. This is also true for the environment in which we run our code: going from bare metal, to VMs to the modern-day Cloud Native world of containers, schedulers and microservices. While we have figured out how to run containerized applications in the cloud using schedulers, we've yet to come up with a good solution to bridge the gap between getting your conta...
Oct. 27, 2016 07:30 AM EDT Reads: 1,612
19th Cloud Expo, taking place November 1-3, 2016, at the Santa Clara Convention Center in Santa Clara, CA, will feature technical sessions from a rock star conference faculty and the leading industry players in the world. Cloud computing is now being embraced by a majority of enterprises of all sizes. Yesterday's debate about public vs. private has transformed into the reality of hybrid cloud: a recent survey shows that 74% of enterprises have a hybrid cloud strategy. Meanwhile, 94% of enterpri...
Oct. 27, 2016 07:00 AM EDT Reads: 5,020
Amazon has gradually rolled out parts of its IoT offerings, but these are just the tip of the iceberg. In addition to optimizing their backend AWS offerings, Amazon is laying the ground work to be a major force in IoT - especially in the connected home and office. In his session at @ThingsExpo, Chris Kocher, founder and managing director of Grey Heron, explained how Amazon is extending its reach to become a major force in IoT by building on its dominant cloud IoT platform, its Dash Button strat...
Oct. 27, 2016 07:00 AM EDT Reads: 4,935
You have great SaaS business app ideas. You want to turn your idea quickly into a functional and engaging proof of concept. You need to be able to modify it to meet customers' needs, and you need to deliver a complete and secure SaaS application. How could you achieve all the above and yet avoid unforeseen IT requirements that add unnecessary cost and complexity? You also want your app to be responsive in any device at any time. In his session at 19th Cloud Expo, Mark Allen, General Manager of...
Oct. 27, 2016 06:45 AM EDT Reads: 1,066
SYS-CON Events announced today that Streamlyzer will exhibit at the 19th International Cloud Expo, which will take place on November 1–3, 2016, at the Santa Clara Convention Center in Santa Clara, CA. Streamlyzer is a powerful analytics for video streaming service that enables video streaming providers to monitor and analyze QoE (Quality-of-Experience) from end-user devices in real time.
Oct. 27, 2016 06:45 AM EDT Reads: 1,092
Cloud based infrastructure deployment is becoming more and more appealing to customers, from Fortune 500 companies to SMEs due to its pay-as-you-go model. Enterprise storage vendors are able to reach out to these customers by integrating in cloud based deployments; this needs adaptability and interoperability of the products confirming to cloud standards such as OpenStack, CloudStack, or Azure. As compared to off the shelf commodity storage, enterprise storages by its reliability, high-availabil...
Oct. 27, 2016 05:45 AM EDT Reads: 1,270
The IoT industry is now at a crossroads, between the fast-paced innovation of technologies and the pending mass adoption by global enterprises. The complexity of combining rapidly evolving technologies and the need to establish practices for market acceleration pose a strong challenge to global enterprises as well as IoT vendors. In his session at @ThingsExpo, Clark Smith, senior product manager for Numerex, will discuss how Numerex, as an experienced, established IoT provider, has embraced a ...
Oct. 27, 2016 05:30 AM EDT Reads: 1,216
“Media Sponsor” of SYS-CON's 19th International Cloud Expo, which will take place on November 1–3, 2016, at the Santa Clara Convention Center in Santa Clara, CA. CloudBerry Backup is a leading cross-platform cloud backup and disaster recovery solution integrated with major public cloud services, such as Amazon Web Services, Microsoft Azure and Google Cloud Platform.
Oct. 27, 2016 03:45 AM EDT Reads: 1,514
In the next forty months – just over three years – businesses will undergo extraordinary changes. The exponential growth of digitization and machine learning will see a step function change in how businesses create value, satisfy customers, and outperform their competition. In the next forty months companies will take the actions that will see them get to the next level of the game called Capitalism. Or they won’t – game over. The winners of today and tomorrow think differently, follow different...
Oct. 27, 2016 03:45 AM EDT Reads: 1,115
@DevOpsSummit has been named the ‘Top DevOps Influencer' by iTrend. iTrend processes millions of conversations, tweets, interactions, news articles, press releases, blog posts - and extract meaning form them and analyzes mobile and desktop software platforms used to communicate, various metadata (such as geo location), and automation tools. In overall placement, @DevOpsSummit ranked as the number one ‘DevOps Influencer' followed by @CloudExpo at third, and @MicroservicesE at 24th.
Oct. 27, 2016 03:45 AM EDT Reads: 4,130