Usage Based Metering in the Cloud (Subscribed13)


Published on

CloudPassage - Rand Wacker, VP Products
Link Bermuda - Winston Morton, VP Technology

Want to move to a usage-based pricing model but afraid of how to accurately measure and bill your customers? Come and learn about the processes and technology used to manage this advanced pricing model from two leading cloud service providers.

Published in: Technology, Business


  • 1. PCI for Cloud Applications: Securing the Subscription Economy. Rand Wacker, VP of Products. @randwacker | #subscribed13
  • 2. CloudPassage Overview. CloudPassage provides security and compliance for your cloud, software-defined, and traditional data center infrastructure.
  • 3. Our PCI Story (It's never just that simple)
    1. We use Zuora for metered usage billing
    2. Since we accept credit cards in multiple ways, we had to do a full PCI certification ourselves
    3. We also provide PCI security controls to our customers
    4. Here's what we learned...
  • 4. Your Architecture Drives PCI Scope (Everyone here is likely PCI liable)
    1. PCI "in-scope" systems are anything that accepts, stores, processes, or transmits credit card data; the DSS also pulls in systems that are connected to those, so network segmentation is what keeps scope small
    2. Zuora can handle much (maybe all?) of this, depending on the architecture and features you're using
    3. If (like us) you take credit cards in your app (or by other means), then you're responsible for PCI for those in-scope systems
  • 5. It's Not All Doom and Gloom (Plenty of F.U.D. regarding PCI and cloud)
    1. Yes, you can be PCI compliant using cloud!
    2. You will likely need some different tools and processes
    3. Not all stacks/providers are created equal!
    4. There is no "silver bullet", but the responsibility is still yours
  • 6. PCI in the Cloud: Yes, It Is Possible
    - CloudPassage is a certified Level 1 Service Provider
      - First entirely cloud-based vendor certified across multiple CSPs
      - Hosted in Rackspace Cloud and AWS, with full DevOps automation
    - Multiple customers have successfully cleared QSA audits
  • 7. PCI Responsibility
  • 8. Cloud Responsibility Model (You're on the hook, wherever hosted)
    Stack layers, bottom to top: Physical Facilities, Hypervisor, Compute & Storage, Shared Network, Virtual Machine, Operating System, App Framework, App Code, Data
    Columns: Private Cloud | Public IaaS Provider
    Legend: Customer Responsibility / Provider Responsibility (the slide colour-codes each layer in each column as customer or provider responsibility)
  • 9. Recent Guidance Changes (PCI Cloud SIG clarifies rules)
    1. Use VM-to-VM firewalling (host-based) in cloud/virtual environments
    2. Ensure integrity of the VM OS, apps, and data to isolate from hypervisor-based access
    3. CSP (Cloud Service Provider) PCI compliance helps, but is not mandatory
    4. If you're in a private data center, all of your stack is in scope
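The first point, host-based VM-to-VM firewalling, is easiest to get right when the per-host rules are generated from one allow-list of tier-to-tier flows rather than written by hand per VM. The script below is an added example, not CloudPassage's product code: tier names, address ranges and ports are constructed, and in a real deployment the tier-to-CIDR map would come from the provider's inventory API. It renders an nftables ruleset whose input and output chains both default to drop, so egress is pinned down as tightly as ingress.

```python
"""Render a default-deny host firewall for one VM from an allow-list of tier-to-tier flows.

Added example for the host-based VM-to-VM firewalling guidance; not CloudPassage's code.
Tier names, CIDRs and ports below are constructed for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src: str          # source tier
    dst: str          # destination tier
    port: int         # destination port
    proto: str = "tcp"


# Constructed tier -> CIDR inventory (assumption: a real cloud supplies this via its API)
TIERS = {
    "lb": "10.0.1.0/24",
    "app": "10.0.2.0/24",
    "db": "10.0.3.0/24",
    "mgmt": "10.0.9.0/24",
}

# The only east-west flows permitted; anything not listed is dropped in both directions.
# Egress for DNS, NTP and patch mirrors would be added here explicitly, never as a wildcard.
FLOWS = (
    Flow("lb", "app", 8443),
    Flow("app", "db", 5432),
    Flow("mgmt", "app", 22),
    Flow("mgmt", "db", 22),
)


def is_allowed(src, dst, port, proto="tcp", flows=FLOWS):
    """Policy check: True only for an explicitly listed new connection."""
    return any(f == Flow(src, dst, port, proto) for f in flows)


def nft_ruleset(host_tier, flows=FLOWS, tiers=TIERS):
    """nftables ruleset for a host in host_tier.

    input chain : only flows whose dst is this tier, plus replies (ct established,related)
    output chain: only flows whose src is this tier, plus replies
    Both chains carry policy drop, so an unlisted outbound connection fails too.
    """
    if host_tier not in tiers:
        raise ValueError(f"unknown tier {host_tier!r}")
    inbound = [f"    ip saddr {tiers[f.src]} {f.proto} dport {f.port} ct state new accept"
               for f in flows if f.dst == host_tier]
    outbound = [f"    ip daddr {tiers[f.dst]} {f.proto} dport {f.port} ct state new accept"
                for f in flows if f.src == host_tier]
    lines = [
        "table inet host_fw {",
        "  chain input {",
        "    type filter hook input priority 0; policy drop;",
        "    iif lo accept",
        "    ct state established,related accept",
        *inbound,
        "  }",
        "  chain output {",
        "    type filter hook output priority 0; policy drop;",
        "    oif lo accept",
        "    ct state established,related accept",
        *outbound,
        "  }",
        "}",
    ]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # A db-tier host: accepts 5432 from app and 22 from mgmt, originates nothing new.
    print(nft_ruleset("db"))
```

Loading the output with `nft -f` on each host from your configuration management is the automation the deck keeps coming back to; the same flow list also drives the policy check, so a proposed change can be tested before it is rolled out.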
  • 10. PCI Shared Responsibility
  • 11. PCI in any Cloud/Infrastructure
    - Security (if done correctly) begets compliance, not the other way around
    - What worked in your datacenter might not work in cloud environments
    - You need technical controls that work the way the cloud does: dynamic, elastic, scalable
  • 12. Compliance Design
  • 13. Cloud PCI Foundations: cloud stack/provider; assessor; application design; harden the systems
  • 14. Assessor
    - Find one that knows cloud technology
      - A good default choice is the QSA who did the assessment for your CSP
    - If you don't want/need to use an external auditor, then determine whether you have the knowledge internally
      - You need to make sure you have depth of knowledge on the PCI DSS, as you will likely get it wrong if not
  • 15. Application Design (diagram: application tiers with a master DB and a slave DB)
    - The ability to achieve PCI compliance is primarily based on the forethought given to application design
    - Most providers, and all cloud-based OSs, can be PCI compliant*
    - Ask:
      - What data am I storing? Why?
      - What is the communication flow of the application? Is it restricted?
      - Is my crypto built on publicly vetted standards?
    This is where Zuora can help limit your systems "in scope"
  • 16. Harden the Systems
    - Protect the system
      - Firewalls (remember ingress and egress)
      - Change defaults
      - Install patches
      - Watch the system for odd behavior or changes
    - You need to automate this. Trying to do this by hand in a cloud environment is error-prone.
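"Watch the system for changes" is a file-integrity baseline plus a scheduled comparison, and "change defaults" is the kind of thing that same pass can flag. The script below is an added example of both, not CloudPassage's agent: it records a hash and mode for every regular file under a root, reports anything added, removed or modified since the saved baseline, and lists files left world-writable. The `demo()` function builds a constructed directory tree so the whole thing runs offline.

```python
"""File-integrity baseline for a hardened host: hash and mode of every file, then a drift
report (added / removed / modified / world-writable) on each later run.

Added example for the "watch the system for changes" point; not CloudPassage's tooling.
"""
import hashlib
import json
import os
import stat
import tempfile


def _sha256(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root):
    """Return {relative path: {"sha256": ..., "mode": ...}} for regular files under root."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue  # symlinks are recorded nowhere and never followed
            st = os.stat(full)
            baseline[os.path.relpath(full, root)] = {
                "sha256": _sha256(full),
                "mode": stat.S_IMODE(st.st_mode),
            }
    return baseline


def diff_baseline(old, new):
    """Classify drift between a saved baseline and the current state."""
    old_keys, new_keys = set(old), set(new)
    return {
        "added": sorted(new_keys - old_keys),
        "removed": sorted(old_keys - new_keys),
        "modified": sorted(p for p in old_keys & new_keys if old[p] != new[p]),
    }


def world_writable(baseline):
    """Files writable by 'other': a default that should not survive hardening."""
    return sorted(p for p, meta in baseline.items() if meta["mode"] & stat.S_IWOTH)


def save_baseline(baseline, path):
    with open(path, "w") as f:
        json.dump(baseline, f, indent=1, sort_keys=True)


def load_baseline(path):
    with open(path) as f:
        return json.load(f)


def check(root, baseline_path):
    """Compare root against the saved baseline and return the drift report."""
    current = build_baseline(root)
    report = diff_baseline(load_baseline(baseline_path), current)
    report["world_writable"] = world_writable(current)
    return report


def demo():
    """Constructed tree: baseline it, then edit/remove/add files and re-check."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "etc"))
    conf, keep, new = (os.path.join(root, "etc", n) for n in ("app.conf", "keep.txt", "new.sh"))
    with open(conf, "w") as f:
        f.write("debug=false\n")
    with open(keep, "w") as f:
        f.write("x\n")
    baseline_path = os.path.join(tempfile.mkdtemp(), "baseline.json")
    save_baseline(build_baseline(root), baseline_path)
    with open(conf, "w") as f:          # modified
        f.write("debug=true\n")
    os.remove(keep)                     # removed
    with open(new, "w") as f:           # added, and left world-writable
        f.write("#!/bin/sh\n")
    os.chmod(new, 0o777)
    return check(root, baseline_path)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

In production the baseline is written once at build time, stored off the host (an attacker who can edit /etc can edit a local baseline just as easily), and the check runs from a cron job or the orchestration layer so every instance in an autoscaling group is covered without anyone logging in.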
  • 17. Summary
  • 18. How Zuora Can Help (Limiting PCI scope)
    - Zuora is a PCI Level 1 certified vendor
    - Your application architecture determines how much PCI you'll be exposed to
    - Investigate Zuora HPM (iFrames, etc.), APIs, and other mechanisms to accept/handle credit card info
    - Scrub everywhere else in your business process for ways credit cards are managed (i.e. faxes, POs, sales emails)
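Slide 15's "what data am I storing, and why?" and the last bullet above both come down to finding card numbers where they should not be. A digit-run regex on its own floods you with invoice numbers and timestamps; a Luhn check removes almost all of those. The following is an added example, not Zuora's or CloudPassage's code: it scans free text (log lines, exported e-mail, OCR'd fax text) for Luhn-valid 13 to 19 digit runs, reports them by line, and can rewrite the text with the first six and last four digits only, the most PCI DSS allows to be displayed. The sample lines are constructed and the card numbers are public test numbers.

```python
"""Find probable PANs in free text (logs, sales e-mail, fax/PO text) and mask them.

Added example for the "scrub everywhere else" point; not Zuora's or CloudPassage's code.
SAMPLE below is constructed; the card numbers in it are public test numbers.
"""
import re

# 13 to 19 digits, optionally separated by single spaces or hyphens, not glued to other digits
_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits):
    """Luhn check on a digit string; invoice numbers and timestamps almost never pass."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        n = int(ch)
        if i % 2 == 1:
            n *= 2
            if n > 9:
                n -= 9
        total += n
    return total % 10 == 0


def mask(digits):
    """Keep first six and last four, the maximum PCI DSS permits on display."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def _pan_digits(match):
    digits = re.sub(r"[ -]", "", match.group())
    return digits if 13 <= len(digits) <= 19 and luhn_ok(digits) else None


def find_pans(text):
    """Return [(line number, masked PAN)] for every Luhn-valid candidate in text."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for m in _CANDIDATE.finditer(line):
            digits = _pan_digits(m)
            if digits:
                hits.append((lineno, mask(digits)))
    return hits


def redact(text):
    """Replace each Luhn-valid candidate with its masked form; leave everything else alone."""
    def _sub(m):
        digits = _pan_digits(m)
        return mask(digits) if digits else m.group()
    return _CANDIDATE.sub(_sub, text)


# Constructed sample: an app log, an invoice number that is not a card, a forwarded
# sales e-mail, a tokenised (compliant) payment line, and a scanned PO.
SAMPLE = "\n".join([
    "2013-06-12 14:30:00 INFO order=98765 card=4111111111111111 exp=12/15",
    "2013-06-12 14:31:07 INFO invoice 1234567890123456 paid via fax",
    "From: sales@example.com: customer read card 4111 1111 1111 1111 over the phone",
    "2013-06-12 14:33:20 INFO token=tok_a1b2c3 amount=42.00",
    "PO attached, AmEx 3782-822463-10005, please process",
])


if __name__ == "__main__":
    for lineno, masked in find_pans(SAMPLE):
        print(f"line {lineno}: {masked}")
    print(redact(SAMPLE))
```

Lines 1, 3 and 5 are reported; the 16-digit invoice number on line 2 fails Luhn and is left alone, and line 4 shows what a hosted-payment-page or tokenised flow leaves in your logs instead. Every hit outside the cardholder data environment is either a system that just became in scope or a process to fix, which is exactly the scoping exercise the slide describes.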
  • 19. Best Practices
    - Read and understand what your provider does, and what you are responsible for, with regard to PCI
    - When moving servers outside your data center, ensure that they are hardened and compliant before they are exposed to the public
    - Start with public cloud; PCI everywhere else is relatively easy!
    - Focus on securing the tenets of PCI that you can control. Partners (CSPs, vendors) are key to success
  • 20. Cloud Security Resources (resource kit)
  • 21. Q&A. Thank you!
  • 22. Winston Morton, Vice President, Technology. Enabling Usage Based Metering Cloud Services
  • 23. Agenda
    1. LinkBermuda company introduction
    2. Business model and metered cloud services
    3. Cloud services billing and challenges
    4. Drivers to use a cloud-based recurring billing solution
    5. How Zuora helped
    6. Lessons learned
    7. Wrap up and Q&A
  • 24. LinkBermuda - Introduction
  • 25. LinkBermuda Service Portfolio
  • 26. LinkBermuda Network Facilities
    - On-net connectivity in multiple undersea and terrestrial cable systems
    - Direct ownership of undersea cable landing stations
    - Extensive Bermuda domestic fiber network
    - Multiple interconnects with network providers for global reach
    - 7x24 redundant network operations centers
  • 27. LinkBermuda Data Center Facilities
    - Bermuda's largest data center complex
    - Hosting many of the largest compute nodes in Bermuda
    - Designated as Critical Infrastructure by the Bermudian Government (Keypoint-1) for priority security and fuel delivery
    - 7x24 Network Operations Center
    - SSAE 16 SOC 2 certification (in process)
    - Strategic national and international network connectivity
    Key specifications:
    - Site is deployed on one of the highest elevations in Bermuda, to military specifications
    - Designed to withstand hurricane-force winds
    - Fully redundant 4160V utility feeds
    - N+1 redundant diesel generators (3x1000kW)
    - N+1 UPS (2x1000kW)
    - N+1 cooling (2x300 ton air-cooled chillers)
  • 28. Understanding Metered Cloud Services and Design
  • 29. Metered Cloud Services: Infrastructure as a Service. IaaS high-level features:
    - Bundled virtual servers, storage, security, and network connectivity
    - Flexible on-demand self service
    - Geographically aware: customers can select as well as guarantee primary and secondary VDC locations (Bermuda and/or Canada today)
    - Predictable performance: IaaS bundled with international MPLS QoS features; broadband local loop; SLA guarantees
    - Highly secure: embedded VLAN security; embedded offsite D/R
    - Ease of management: customer self-service module
  • 30. Cloud Services Billing: High-Level Design
    Service lines and pricing models:
    - Communication as a Service: value-added apps; $$/month fixed + usage
    - Backup as a Service: value-added apps; $$/MB/month
    - Infrastructure as a Service: virtual servers, value-added apps; $$/server/hour
    Design: each cloud management platform (IaaS, BaaS, CaaS) keeps its own product catalogue and exports a cumulative usage report to the billing platform, which holds a matching product catalogue for each service (IaaS, BaaS, CaaS).
  • 31. Cloud Services Billing: Functional Approach
    - Initially launched with an IaaS model, with interfaces as straightforward as possible.
    - Most of our cloud systems have their own sophisticated self-service provisioning interface.
    - We chose to leverage the provisioning systems embedded in each cloud system to minimize development.
    Upside: one-way usage-based interfaces are more cost effective and quicker to launch.
    Downside: multiple product catalogues need to be synchronized.
    (Diagram: cloud management platform with its product catalogue, usage report flowing one way into the billing platform with its own product catalogue, and a customer portal.)
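The two slides above describe a one-way export of a cumulative usage report into a billing platform that keeps its own product catalogue, and name the downside: the catalogues drift apart. Two things a practitioner wants before every import are a check that every SKU the cloud platforms can provision is priceable on the billing side, and an import that cannot double-bill when a cumulative report is re-sent. The script below is an added example of both, not LinkBermuda's integration or Zuora's rating engine; the catalogues, prices, SKUs and usage records are all constructed, and the per-unit and fixed-plus-usage models mirror the three pricing models on slide 30.

```python
"""Rate an exported cumulative-usage report against the billing product catalogue,
flagging catalogue drift and ignoring re-imported records.

Added example for the billing design above; not LinkBermuda's or Zuora's code.
All catalogues, prices and usage records are constructed.
"""
from decimal import Decimal, ROUND_HALF_UP

# Constructed billing-platform catalogue. "price" is per unit of usage; "fixed" is a
# per-month charge applied once per account and SKU (the "$$/month fixed + usage" model).
BILLING_CATALOGUE = {
    "IAAS-VM-STD": {"unit": "server-hour", "price": Decimal("0.12"), "fixed": Decimal("0.00")},
    "BAAS-STD": {"unit": "MB-month", "price": Decimal("0.002"), "fixed": Decimal("0.00")},
    "CAAS-SEAT": {"unit": "minute", "price": Decimal("0.01"), "fixed": Decimal("15.00")},
}

# Constructed set of SKUs the cloud management platforms can provision today
CLOUD_CATALOGUE = {"IAAS-VM-STD", "BAAS-STD", "CAAS-SEAT", "IAAS-VM-GPU"}

# Constructed cumulative usage export: (record id, account, SKU, quantity)
USAGE_REPORT = [
    ("r1", "acct-1", "IAAS-VM-STD", Decimal("720")),
    ("r2", "acct-1", "BAAS-STD", Decimal("5000")),
    ("r2", "acct-1", "BAAS-STD", Decimal("5000")),   # same record exported twice
    ("r3", "acct-2", "CAAS-SEAT", Decimal("300")),
    ("r4", "acct-2", "IAAS-VM-GPU", Decimal("10")),  # provisionable, but not priced
]


def catalogue_drift(cloud=CLOUD_CATALOGUE, billing=BILLING_CATALOGUE):
    """SKUs present on one side only. Run this before every import: a SKU that exists
    only in the cloud catalogue is usage you are giving away."""
    billing_skus = set(billing)
    return {
        "unbillable": sorted(cloud - billing_skus),
        "unprovisionable": sorted(billing_skus - cloud),
    }


def rate_usage(records, catalogue=BILLING_CATALOGUE):
    """Return (charges per account, rejected records).

    Records are de-duplicated by id, so a cumulative report can be re-imported safely.
    A record whose SKU the billing catalogue lacks is rejected, not silently rated at zero.
    """
    seen, fixed_applied = set(), set()
    charges, rejected = {}, []
    for rec_id, account, sku, qty in records:
        if rec_id in seen:
            continue
        seen.add(rec_id)
        if sku not in catalogue:
            rejected.append((rec_id, account, sku, qty))
            continue
        item = catalogue[sku]
        amount = qty * item["price"]
        if (account, sku) not in fixed_applied:
            amount += item["fixed"]
            fixed_applied.add((account, sku))
        charges[account] = charges.get(account, Decimal("0")) + amount
    rounded = {a: v.quantize(Decimal("0.01"), rounding=ROUND_HALF_UP) for a, v in charges.items()}
    return rounded, rejected


if __name__ == "__main__":
    print("catalogue drift:", catalogue_drift())
    charges, rejected = rate_usage(USAGE_REPORT)
    print("charges:", charges)
    print("rejected:", rejected)
```

With the constructed data, acct-1 is charged 96.40 (720 server-hours at 0.12 plus 5000 MB-months at 0.002, the duplicate r2 counted once), acct-2 is charged 18.00 (300 minutes at 0.01 plus the 15.00 monthly fee), and r4 comes back as rejected because IAAS-VM-GPU is in the cloud catalogue but not the billing one. Decimal rather than float is deliberate: usage quantities in the thousands multiplied by sub-cent prices accumulate rounding error fast, and a rating engine that disagrees with itself by a cent is a support ticket.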
  • 32. Business Drivers to Use a Recurring Billing Solution
    - LinkBermuda was looking to outsource billing; we did not want to build our own system because of the complexity involved in recurring billing.
    - We evaluated several different recurring billing systems. Zuora was the quickest to deploy and most cost effective.
    - We needed a system which would enable us to price and package our services efficiently and be able to rapidly iterate on pricing when needed.
  • 33. Why Zuora?
    - The rating and billing engine in Zuora understands our subscription business model and is ideally suited to do the job.
    - Zuora provided an out-of-the-box solution (Zforce) for integrating with our CRM system (Salesforce). We took advantage of both ZQuotes and Z360.
    - Looking forward to utilizing Zuora billing and financial reports and forward-looking metrics like MRR, ARR, etc.
    - As LinkBermuda grows we are confident that Zuora can scale and accommodate our business growth.
  • 34. How LinkBermuda Uses Zuora
    Background: moving from traditional telco services to cloud services for international financial, insurance and eCommerce markets.
    Business model: B2B + B2C = B2Any. Direct: self-service and sales assisted. Channels: cloud marketplace, resellers.
    The challenge: we needed to develop a self-service cloud capability with usage-based billing. The legacy billing system limited customization and product catalogue capabilities.
  • 35. Lessons Learned: Best Practices
    Plan. Plan. Plan. Business strategy changes during market launch. Best practice: clear definition of business goals; the Phase 1 launch should be limited to base services, adding functionality as use cases become more evident.
    Limit initial scope. Avoid big-bang cutovers. Best practice: flexible architecture; repeatable interfaces (if possible).
    Learn. Launch. Repeat. Deploy, measure, iterate. Best practice: be data driven.
  • 36. Q&A. Thank you!