45 Minutes to PCI Compliance in the Cloud

Join CloudPassage CEO Carson Sweet and Sumo Logic Founding VP of Product & Strategy Bruno Kurtic for a webinar on “45 Minutes to PCI Compliance in the Cloud”.

What You Will Learn:

- Understand the typical challenges enterprises face in achieving PCI compliance on cloud infrastructure
- Learn how purpose-built, SaaS-based cloud security solutions can save you tens of thousands in audit costs by speeding your time to compliance
- Get a quick demo of the CloudPassage Halo and Sumo Logic solutions, which provide the telemetry and the query/reporting engine, respectively, for cloud PCI


    1. 45 Minutes to Achieving PCI Compliance in the Cloud
       - Bruno Kurtic, Founding VP, Product & Strategy, Sumo Logic
       - Carson Sweet, Chief Executive Officer, CloudPassage
    2. What Today’s Webinar Is About
       - If you’re here, you care about PCI in the cloud.
       - You know (or need to know) the new parameters for success with PCI in the cloud.
       - You want to understand how the new parameters impact how you can approach PCI compliance.
       - You’re going to learn how cloud and big data can be combined to power a startlingly fast, easy solution to PCI compliance in any cloud.
    3. Quick Review of PCI
       - A dozen high-level control categories with ~200 specific control requirements
       - Audit conducted annually by a Qualified Security Assessor (QSA) anointed by the PCI Council
       - Often includes a lookback period for some controls
       - PCI DSS v3 pending, v2 still the norm “in the wild”
       - Yes, you can be PCI compliant when using public, private or hybrid cloud infrastructure
    4. PCI Can Be Complex & Expensive
       - Merchants pay an average of $225,000 per audit each year; 10% are paying $500,000 or more annually
       - 2% fail these audits
       - 54% of respondents say PCI DSS is too costly
       - 52% of respondents are not proactively managing data privacy and security in their environments
       - Level 1 Merchant (6M tx/year): initial scope $250,000; becoming compliant $550,000; annual audit cost $250,000
       - Level 2 Merchant (1-6M tx/year): initial scope $125,000; becoming compliant $260,000; annual audit cost $100,000
       - Level 3, 4 Merchants (<1M tx/year): initial scope $50,000; becoming compliant $81,000; annual audit cost $35,000
       - Sources: http://www.networkworld.com/news/2010/030110-pci-compliance-audit-cost.html, http://www.campuscommerce.com/page.cfm?p=398, http://www.darkreading.com/management/10-ways-to-fail-a-pci-audit/240004877?pgno=1
    5. PCI Requires Ongoing Effort
       - Continuous cycle: Initial Control Deployment, Compliance Established, Changes Detected & Evaluated, Controls Verified or Updated
       - Huge amounts of data must be collected, verified, and accessible
    6. Cloud Changes the Security Situation
       - Infrastructure more distributed and dynamic than ever
       - Rate of change higher than ever
       - Legacy security solutions neither dynamic nor distributed
       - Perimeters, hardware appliances, network-deployed controls and endpoint security solutions are highly marginalized in dynamic cloud environments
       - A new set of data needs to be integrated: IaaS / provider activities, and your admins’ activities on cloud systems
    7. Who’s Responsible for PCI in Clouds? The AWS Shared Responsibility Model
       - “…the customer should assume responsibility and management of, but not limited to, the guest operating system and associated application software...”
       - “it is possible for customers to enhance security and/or meet more stringent compliance requirements with the addition of host based firewalls, host based intrusion detection/prevention, encryption and key management…”
       - Source: Amazon Web Services: Overview of Security Processes
       - Provider responsibility: Physical Facilities, Shared Network, Compute & Storage, Hypervisor
       - Your responsibility: Guest VM, Operating System, App Framework, App Code, Data
    8. New complexity, high rate of change
    9. Existing security tools don’t work, even higher rate of change
    10. Agile software development further increases rate of change
    11. Example of Automation & Big Data Needs
       - CloudPassage’s PCI scope included over 12,500,000 individual data points
       - Assurance of initial and ongoing compliant state: 6,285,300 infrastructure data points; 1,628,000 code data points
       - Assurance of control adjustments as the environment changed: 6,400 infrastructure data points; 4,598,000 code data points
       - Monitoring of access management & behaviors: over 28,000 access control / behavioral data points
    12. Your Options
       - Option 1: Stick head in sand. Cross fingers.
       - Option 2: Hire a small army. Cross fingers.
       - Option 3: Automate with cloud-native security solutions.
    14. What You’ll Want In A Solution
       - Control & Telemetry
         - Portable, built-in, automated control consolidation: automated, consolidated controls (defense-in-depth); transparent across heterogeneous clouds; supports your part of shared security responsibility
         - Efficiently deployed controls & telemetry: aware and capable within ephemeral infrastructure; security built directly into the stack; changes instantly detected; adjustments instantly deployed
         - Rapid and flexible deployment: rapidly deployed, low system impact; transparent capacity scalability; built-in controls & telemetry, zero provisioning
       - Monitoring & Validation
         - Flexible collection: automated collector deployment that works with common tools (Chef, Puppet, etc.); ability to collect from cloud data sources (S3, CDN, IaaS/SaaS/PaaS audit); integrations for SIEM, GRC, LDAP, AD, etc.; ability to seamlessly collect across cloud and physical environments
         - Technically, financially, operationally scalable: metered usage & billing; no servers, no software, no storage, no appliances; out-of-the-box reports, searches, alerts and dashboards
         - Big data with elastic scale: ability to analyze terabytes of data per day in near real time; support for bursting in data and seasonal spikes without adding infrastructure; ability to handle unstructured formats of custom logs
    15. The Halo security automation platform secures workloads anywhere, at any scale, as-a-service
       - One platform, many functions: centrally automates dozens of controls critical to security and compliance
       - Efficiency through automation: eliminates the extensive manual effort of deploying and managing many legacy solutions
       - Broad compliance support: e.g. 75% of PCI DSS and 83% of HIPAA requirements* within a single solution
       - Easily deployed security-as-a-service: no hardware to deploy or network changes; typically fully operational within hours
       - * Remaining requirements relate to documentation, application development, or end-user computing practices.
    16. Halo ties security directly to workloads and devices to achieve portability and scalability
       - Diagram: customer cloud / datacenter hosting environments with www, mysql and mongo-db node groups (node1, 2, ... n), each running a Halo agent
       - Micro-agents with minimal system overhead
       - Highly scalable centralized security analytics
       - Agnostic to platform or provider: runs on any hardware, cloud or virtualized environment
    17. Sumo Logic: Machine Data Intelligence (for CIO, Security, IT Operations and Application Development)
       - Collect logs from any source
       - Integrate on-premise and cloud environments with minimal overhead
       - Scale to multi-terabytes of data per day
       - Supports bursting and seasonality with no impact on deployment
       - Rapidly discover data patterns
       - Reduce time to identifying compliance gaps by 50% or more
       - Uncover data anomalies in real time
       - Proactively address symptoms before issues hit your organization
       - Architecture diagram: Sumo Logic Applications; BI / Operational Intelligence Console (Tableau, Cognos, SAS, SAP, Jasper, etc.); Analytics Engine, APIs and Anomaly/Event Console delivered as enterprise-class SaaS; Scalable Index and Data Store; Managed Collection; Hadoop (AWS EMR, MapR, Cloudera, etc.)
    18. Sumo Logic: Deployment Model
       - Diagram: Collectors in the Primary Datacenter, Acquisition Datacenter and Private Cloud, plus Hosted Collectors
    19. Mapping Halo + Sumo Logic to PCI
    20. Rapid and Easy Deployment
       - Instant account provisioning: no software, hardware or storage
       - Out-of-the-box PCI-specific content: requirement-specific controls, reports and dashboards
       - Collection & agents support the cloud deployment model: scripted mode, Chef/Puppet/etc., ephemeral model
       - Architecture supports bursting and seasonality: no changes required to increase or decrease capacity
    21. How To Learn More
       - CloudPassage PCI Compliance Kit: www.cloudpassage.com/pci-kit
       - Sumo Logic Compliance Technical Brief: www.sumologic.com/product/use-cases/enforce-compliance/
       - Stay tuned for future cloud security webinars!