PCI Compliance and Cloud Reference Architecture


Published in: Technology, Business

  1. PCI Compliance and Cloud Reference Architecture: A Best Practices Discussion with Authors
     • Moderator: Hemma Prafullchandra, HyTrust
     • Panelists: George Gerchow, VMware; Christian Janoff, Cisco; Allan MacPhee, Trend Micro; Kennet Westby, Coalfire; Ken Owens, Savvis
     • Brought to you by HyTrust. © HyTrust, Inc. All rights reserved. 1975 W. El Camino Real, Suite 203, Mountain View, CA 94040. Phone: 650-681-8100 / email: info@hytrust.com
  2. Speakers
     • George Gerchow, Director, VMware Center for Policy and Compliance, VMware
     • Hemma Prafullchandra, CTO/SVP Products, HyTrust
     • Ken Owens, Vice President of Security & Virtualization Technologies, Savvis
     • Allan MacPhee, Senior Product Manager, Trend Micro
     • Kennet Westby, CEO, Coalfire
     • Christian Janoff, Industry Enterprise Architect, Cisco
  3. Hemma Prafullchandra (about HyTrust)
     • Founded in Fall 2007 and headquartered in Mountain View, CA.
     • Venture backed by Cisco, Epic, Granite, and Trident, with strategic partners including VMware, CA, Cisco, Symantec, Intel, and VCE.
     • HyTrust provides centralized control for virtual infrastructure, administrative access, policy management, and compliance.
     • The HyTrust product addresses multiple requirements set forth in PCI; these are outlined in the reference architecture document (to be emailed after the webinar).
     • HyTrust serves as co-leader in the development and organization of the PCI Cloud Reference Architecture team and content.
  4. George Gerchow (about VMware)
     • VMware, the virtualization and cloud infrastructure leader, delivers the most customer-proven, reliable, secure and complete platform to build the enterprise cloud.
     • VMware has more than 250,000 customers, including 99% of the Fortune 1000 and 97% of the Fortune Global 500.
     • VMware customers have experienced unmatched results with VMware solutions:
       • Financial: 50-60% CapEx savings
       • Human: Average of 33 percent cumulative time savings for day-to-day administrative activities
       • Energy: Up to 80%, leveraging consolidation and distributed power management
  5. Christian Janoff
     • Vertical Solutions Architect at Cisco
     • Has led Cisco's participation on the PCI Security Standards Council since 2007 as a member of their Board of Advisors
     • Cisco virtual technology: virtual servers, switching, routing, firewalling and intrusion detection systems for public and private clouds
     • For more information on Cisco and PCI: http://www.cisco.com/go/pci2.
  6. Who is Savvis (diagram: Hosting Track and Cloud Track offerings, arranged along an axis of Service Standardization, Virtualization & Automation)
     • Savvis Symphony VPDC: enterprise features, multi-tier QoS, reduced Opex
     • Savvis Symphony Open: multi-tenant virtual infrastructure
     • Savvis Symphony Dedicated: dedicated, virtual infrastructure
     • Utility Compute: multi-tenant stateless Bladeframe
     • Managed Hosting: dedicated physical infrastructure
     • Colocation: enterprise-grade space & power
  7. Allan MacPhee (© 2011, HyTrust, Inc. www.hytrust.com)
  8. Kennet Westby
  9. Audience Poll - Let's Get to Know Each Other
     • How many are virtualizing or have virtualized cardholder data?
     • How many of you are looking at cloud services?
     • How many feel your QSA is comfortable with your virtualized environment?
  10. Panel Discussion
     • What are the characteristics of a cloud that make PCI compliance difficult?
     • Can a shared cloud environment even be PCI compliant?
     • What does it mean when your cloud provider tells you that they are PCI certified?
       • What areas should your cloud provider be responsible for?
       • What are the key questions you should ask your cloud provider to understand the scope of PCI certification achieved?
       • How does a merchant figure out what the shared responsibility split is in detail?
  11. Panel Discussion (continued)
     • If my environment is already PCI compliant and I want to just extend a single tier to a public cloud, what should I be concerned about?
     • What is the best way to involve my QSA in these discussions?
     • What resources can I use to help me plan for and use cloud computing for my CDE?
       • Policy, People, Process, Technology
  12. Key Takeaways and Guidance: PCI Compliance in Virtualized Environments (on-premise)
     • Virtualization increases the risk and complexity of PCI compliance; engage your QSA early to streamline the audit process.
     • Look beyond traditional security vendors for solutions that address virtualization-specific requirements (hypervisor/VM controls).
     • View virtualization as an opportunity to improve your current processes (e.g. reporting, monitoring, inter-VM controls) and achieve objectives that you always wanted in physical environments but could not afford or were restricted by legacy infrastructure.
     • Embrace virtualization with a virtualization-by-default approach and build compliance into the default mode of operation.
  13. Key Takeaways and Guidance: PCI Compliance in the Cloud
     • Compliance is possible, but it takes the right cloud provider.
     • Compliance is a shared responsibility; there is no magic bullet.
       • Understand the details and scope of your cloud provider's PCI certification.
       • Work with your QSA to create a strategy for addressing the remaining required PCI controls.
     • Cloud compliance requires elastic and automated VM security and persistence of machine data for audit and forensics.
     • Create a strategy for cloud compliance:
       • Start with virtualized on-premise and dedicated hosting environments.
       • Evolve and apply these controls to cloud environments.
  14. Additional Resources
     • www.pcisecuritystandards.org
     • www.coalfiresystems.com
     • www.hytrust.com/pci
     • www.savvis.net
     • http://us.trendmicro.com/us/solutions/enterprise/security-solutions/compliance/
     • http://www.vmware.com/solutions/datacenter/cloud-security-compliance/unified-framework.html
     • www.cisco.com
     • Just published: PCI-compliant Cloud Reference Architecture
  15. Thank You