Category Archives: Security

Amazon and PCI DSS Level 1 Compliance

Although I have panned Gartner for hyping Amazon standards in the past, congratulations might be in order for Amazon’s recent PCI DSS certification announcement.

Maybe.

Amazon has a PCI DSS Level 1 Compliance FAQ that has been written in an odd way — to convince us of several key points.

They say they did not have to get certified, but they did it anyway. Good for them.

AWS, as a service provider, does not directly manage cardholder environment (and therefore, unlike merchants, does not require certification). AWS provides a secure environment that has been validated by a QSA, allowing merchants to establish a secure cardholder environment and to achieve their own certification, having confidence that their underlying technology infrastructure is compliant.

Got that? AWS is “unlike merchants”. They did not get certified beyond a minimum level of infrastructure that you would have to certify yourself, which also theoretically makes them far less cloud-ish. Cloud-esque? Cloud-y? They are just a service provider. The ball of responsibility (to establish a secure cardholder environment) will be thrown by Amazon into your court when you say PCI-me. In other words, you say hot potato, they say…”have confidence in your potato”.

The bottom line appears to be that you are going to do the same work you would have done before, even as an Amazon customer, but now they want you to feel that you can do it with confidence because they have allowed a QSA to certify them. This could have value (i.e. less paperwork, reduced audit time) but from where does it really come, this confidence?

Maybe you want to read their report. AWS’ compliance validation was completed and submitted on November 30, 2010 but is not yet public let alone approved by the Security Standards Council (SSC). That’s a tough start.

…customers who use our services to store, process or transmit cardholder data can rely on our PCI compliance validation for the technology infrastructure as they manage their own compliance and certification…. All merchants must manage their own PCI certification. For the portion of the PCI cardholder environment deployed in AWS, your QSA can rely on our validated service provider status, but you will still be required to satisfy all other PCI compliance and testing requirements that don’t deal with the technology infrastructure, including how you manage the cardholder environment that you host with AWS.

Perhaps you only wanted to use Amazon infrastructure as a service (IaaS), but that kind of begs the question of why go to Amazon instead of a competitor who specializes in infrastructure.

Amazon says in their FAQ over and over that you can rely on them. It really seems to mean that if you need PCI they will downgrade you to an infrastructure-only customer (e.g. uncloud-able) rather than treat you like a full platform or even software customer.

With that in mind it is hard not to notice how Amazon infrastructure customers must face a certain exception.

They will not give you physical access to assess their security.

Do QSAs for Level 1 merchants require a physical walkthrough of a service provider’s data center?

No. A merchant can obtain certification without a physical walkthrough of a service provider’s data center if the service provider is a Level 1 validated service provider (such as AWS). A merchant’s QSA can rely on the work performed by our QSA, which included an extensive review of the physical security of our data centers.

I get confidence from the word extensive. Another good word is thorough. Exhaustive? Comprehensive? But I digress…customers of Amazon do not get to verify the work performed by the Amazon QSA, and do not get to review the physical security of their data centers (at least not directly).

Requirement 9.1 of PCI DSS 2.0 says “Verify the existence of physical security controls for each computer room, data center, and other physical areas with systems in the cardholder data environment.” Perhaps it soon will add “…unless you have a service provider who has been certified, and then you should just rely on them.”

There will be no merchant verification of the existence of physical security controls at Amazon. The one option offered is to rely on the work of their QSA, but we have to keep in mind that their QSA’s review was limited in nature because AWS positions itself to be only a service provider for PCI customers.

All that being said, on the one hand I can see why infrastructure providers ask for sympathy. They argue that it is exhausting to have every customer come on-site to demand access and time for compliance reviews. It may be a burden with thousands of customers. On the other hand, if they had controls working properly the reviews would require very few resources on their part. In fact, I have spent many hours in on-site audits helping providers see things that their auditors did not catch. Some were appreciative because one customer ends up paying for an assessment that benefits all their customers. The burden becomes proportional to how well security is managed; those that complain and refuse access most likely have the most to worry about.

Amazon’s position thus sounds a lot like a restaurant that tells customers they are not allowed to see or ask anything about the kitchen because a food inspector has that role. Does that give you confidence?

Maybe it’s just me, but I find it hard under those terms to give congratulations to the chef.

Update: The McKeay blog has a prior official statement from Amazon in August of 2009:

We are excited to hear about your interest in moving to EC2. We do not and will not provide a written agreement attesting compliance and assuming responsibility for cardholder data.

That is a reference to PCI DSS 2.0 Requirement 12.8.2, which says that a service provider must acknowledge in writing its responsibility for cardholder data security.

12.8.2 Verify that the written agreement includes an acknowledgement by the service providers of their responsibility for securing cardholder data.

Shredder Fails to Ruin Cash

A heart-warming story from Taiwan is that a “jigsaw expert” was able to piece back together a large amount of accidentally shredded paper.

The man, surnamed Lin, dropped a bag containing T$200,000 (S$8,708) in T$1,000 bills into his plastics factory’s shredding machine last month.

With the help of a local official, Lin had the shredded notes passed on to the forensics division of the Justice Ministry’s special investigations unit, which offers a free service repairing damaged cash.

There 30-year veteran forensic scientist Liu Hui-fen put all the notes back together in seven days, a task, she was quoted as saying, that was “difficult” and “required patience”.

Lin must feel grateful, but also the need to upgrade his shredding machine.

Mapping Social Networks to Geography

The BBC reports that a group has used telephone calls to illustrate social networks on a map of the UK.

[Carlo Ratti of the Massachusetts Institute of Technology’s] team used records of more than 12 billion anonymised landline telephone calls, to model who Britons frequently spoke to.

These records allowed the team to identify the local telephone exchanges used in the calls.

Where people spoke frequently and for extended periods, they were treated as having a stronger connection, Mr Ratti told BBC News.

A map created using those connections showed that people tended to communicate most with people that were geographically close to them, he added.

Colorful map but I see no mention of toll rates. This study seems to confirm that since it costs more to communicate by phone over distance, people prefer geographical closeness (e.g. not paying additional fees). The very least they could do is include a map of the boundary for local toll fees to correlate with closeness of callers.

Calls are anonymous, which also suggests there is no differentiation between social communication versus non-social (business?). A retailer that has to call various warehouses to make an order might be represented in a social map with equal weight as two friends that like to stay in touch because they belong to a social network.

I also wonder about a single telephone number that represents many social networks and sharing (such as a village phone-box, a dormitory, hotel, etc.), as I have mentioned before. How does a call-center get factored into this map (no inbound but many outbound)? It is so technology specific that a rural community where people walk and talk in person daily, if not hourly, could be non-existent on the social networking map versus an industrial park with only a telemarketing presence.

Are we really looking at social networks? My guess is that the map gets called “social” because it is an area of funding/interest, even though it looks more like a generic utilization heat map for land lines.
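To make that objection concrete, here is an added example (not code from the BBC article or the MIT study) that applies the frequency-plus-duration weighting the quote describes to a handful of constructed call records. Two friends, a retailer ordering from its warehouse and an outbound-only call centre all come out as strong links on the exchange map; the strength formula and the call-centre heuristic are my own assumptions.

```python
from collections import defaultdict

# Constructed, anonymised call records: (caller, caller exchange, callee,
# callee exchange, minutes). Made-up values, not data from the MIT/BBC study.
CALLS = [
    ("A1", "Leeds", "A2", "Leeds", 20),   # two friends who call a lot
    ("A1", "Leeds", "A2", "Leeds", 25),
    ("A2", "Leeds", "A1", "Leeds", 15),
    ("R1", "Leeds", "W1", "Hull", 2),     # retailer placing warehouse orders
    ("R1", "Leeds", "W1", "Hull", 3),
    ("R1", "Leeds", "W1", "Hull", 2),
    ("C1", "Slough", "P1", "Truro", 4),   # call centre: outbound only
    ("C1", "Slough", "P2", "Truro", 4),
    ("C1", "Slough", "P3", "Truro", 5),
]

def pair(a, b):
    # Undirected key: who rang whom is ignored, as in the study's map.
    return tuple(sorted((a, b)))

def connection_strength(calls):
    # Strength per pair of lines = number of calls + total minutes. The exact
    # formula is an assumption; the article only says both raise the weight.
    strength = defaultdict(int)
    for a, _, b, _, minutes in calls:
        strength[pair(a, b)] += 1 + minutes
    return dict(strength)

def exchange_links(calls):
    # Same weighting aggregated per exchange pair, i.e. what the map draws.
    # Business and social traffic are indistinguishable at this level.
    links = defaultdict(int)
    for _, ea, _, eb, minutes in calls:
        links[pair(ea, eb)] += 1 + minutes
    return dict(links)

def direction_profile(calls):
    # Per line: (outbound calls, inbound calls, distinct numbers called).
    out, inb, callees = defaultdict(int), defaultdict(int), defaultdict(set)
    for a, _, b, _, _ in calls:
        out[a] += 1
        inb[b] += 1
        callees[a].add(b)
    return {x: (out[x], inb[x], len(callees[x])) for x in set(out) | set(inb)}

def looks_like_call_centre(profile, line, min_out=3):
    # Assumed heuristic: no inbound calls, each outbound call to a new number.
    out, inb, distinct = profile[line]
    return inb == 0 and out >= min_out and distinct == out
```

The Slough-Truro link scores higher than the retailer's and nearly as high per call as the friends', yet only the direction profile reveals that nobody in Truro ever rings back.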

It would be far more interesting if the map tried to bring forward social network elements. Take football, for example. Where are conversations about football preferred, urban or rural areas? Privacy would be an issue, of course, but this map begs the question whether social groups can be assumed from anonymous data. My fax would argue no.

The NSA might argue yes, but they also like to route phone calls through American switches and make the US look very popular as a call destination.

Source: Wired