Peer Stories: How RightScale Achieved PCI on Cloud Infrastructure

In this webinar, Phil Cox, Director of Security and Compliance at RightScale and a certified Qualified Security Assessor (QSA) in an earlier role, explains how his organization went about meeting PCI DSS compliance in its cloud deployment. Phil shares his best-practice recommendations for PCI, identifies potential pitfalls to watch out for, and discusses the benefits RightScale has experienced with CloudPassage Halo. Rand Wacker, VP of Products at CloudPassage, joins him.

Who Should Attend:

Security Directors and Practitioners
Compliance Managers
What You Will Learn:

Why static security architectures break Software-as-a-Service business models
RightScale’s process for meeting PCI Compliance on cloud servers
Best practices to leverage and pitfalls to watch out for
Why CloudPassage Halo was the right choice for RightScale
What benefits RightScale saw in their Halo deployment


  1. Peer Stories: How RightScale Achieved PCI Compliance on Cloud Infrastructure
     Phil Cox, Director, Security & Compliance, RightScale
     Rand Wacker, VP, Products, CloudPassage
  2. About the Presenters
     Phil Cox
     • RightScale, Director of Security and Compliance
     • Multiple PCI SIGs
     • 20+ years InfoSec
     • Twitter: @sec_prof
     Rand Wacker
     • CloudPassage, VP of Products
     • Cisco Security, IronPort, UC Berkeley Security/Network Ops
     • Twitter: @randwacker
  3. Introducing RightScale
     RightScale pioneered IaaS cloud management
     • Enables organizations to manage all of their cloud infrastructure
     • Established in 2006, partners with all major cloud providers
     • Has launched nearly 6 million servers with the RightScale management platform
  4. RightScale’s PCI Challenge
     • Payment processing servers are in scope for PCI DSS
     • Built and run on Amazon Web Services (AWS) for the Infrastructure-as-a-Service (IaaS) benefits
     • Required PCI DSS compliance on the AWS servers
     With his background as a Qualified Security Assessor, Phil was confident that PCI DSS compliance could be achieved in an IaaS environment
  5. PCI Shared Responsibility (IaaS)
     Customer responsibility (App Code, App Framework, Operating System, Virtual Machine)
     – OS, application, and data
     – And the compliance of these components
     Service provider responsibility (Hypervisor, Compute & Storage, Shared Network, Physical Facilities)
     – Infrastructure, networking, storage, and virtualization mechanism
     – And the compliance of these components
  6. One Approach From the CSA
     1. Plan PCI DSS controls as though your IaaS infrastructure were your on-premise network
     2. Identify the elements you do not control, since it is not really an on-premise network (e.g. physical facilities)
     3. Talk with the service provider about whether they can and will cover, for compliance purposes, the elements they control
     4. Identify which controls don’t apply verbatim to the cloud environment and figure out how to compensate
  7. Options for Achieving PCI DSS Compliance
     • RightScale used its own proven cloud management platform to deploy the PCI cloud servers in AWS
     • Still needed ongoing visibility and intrusion detection capabilities in an IaaS environment. Either:
       – Build it themselves using traditional security tools
       – Buy a cloud security and compliance product
     RightScale chose CloudPassage Halo to speed up the effort
  8. Why RightScale Picked Halo
     • Purpose-built for cloud environments, requiring no development resources
     • Visibility into servers running within an IaaS infrastructure
     • Real-time monitoring and enforcement
     • Support for any cloud platform
  9. Benefits Experienced with Halo
     • Saved time and resources
       – Saved 6 months of development time by a part-time staff person
       – Takes 1/5 the management time (2 hours a week with Halo versus ¼ FTE for other tools)
  10. Benefits Experienced with Halo
     • Established RightScale as a trusted advisor with customers
       – Used as part of RightScale’s reference architecture for PCI DSS compliance
       – Runs on any virtual or cloud platform, protecting various customer environments
  11. Benefits Experienced with Halo
     • Helped enable sales
       – Went to market faster
       – Enabled sales to pitch Halo along with RightScale for compliance
  12. Best Practices for PCI DSS Compliance in IaaS
     • Select a PCI DSS compliant service provider that offers the IaaS features you need
     • Avoid storing Primary Account Numbers (PANs)
     • Use purpose-built cloud security products (we recommend CloudPassage Halo)
  13. Poll: PCI Status
     What is the status of your PCI initiative (IaaS-hosted or otherwise)?
     – We have passed our audits and are fully operational
     – We have an audit planned within the next year
     – We are investigating what it will take to be PCI compliant
     – No plans to go through PCI audits
  14. Using CloudPassage Halo for PCI Compliance
  15. Halo is a security-as-a-service that enables cloud adoption.
     • Software-as-a-Service delivery
     • Private cloud / SDDC / IaaS
     • Elastic application hosting
     • Big data analytics
  16. Halo consolidates multiple critical security & compliance controls.
     • Cloud Firewall Automation
     • File Integrity Monitoring
     • Multi-Factor Authentication
     • Server Account Management
     • Security Event Alerting
     • System & Application Config Security
     • Vulnerability & Patch Scanning
     • REST API Integrations
  17. Halo architecture is highly scalable, automated, and is rapidly deployed.
     [Diagram: workload servers www-1, mysql-1 and bigdata-1, each running Halo, report to the Halo Security Analytics Engine; management is through the Halo Admin Web Portal and the Halo REST API gateway]
  18. Halo works in any environment.
  19. Example Security & Compliance Automation with Halo
     1. Halo activates the firewall on boot, applies the latest policies, and orchestrates ongoing policy updates.
     2. Halo secures privileged access via dynamic firewall rules triggered by multi-factor user authentication.
     3. Halo scans OS configurations for vulnerabilities and continuously monitors OS state and activity.
     4. Application configurations are scanned for vulnerabilities and are continuously monitored.
     5. Cryptographic integrity monitoring ensures app code and binaries are not compromised.
     6. Halo monitors system binary and config files for correct ACLs, file integrity, and vulnerabilities.
     7. Application data stores are monitored for access; outbound firewall rules prevent data extrusion.
     [Diagram: a Workload VM Instance running the Halo Daemon on the Operating System, with the numbered callouts placed on the Application Engine (1, 4), Application Code (5), App Storage Volume and System Storage Volume (6, 7), System Administration Services (2) and the Operating System (3)]
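Points 5 and 6 above describe cryptographic file-integrity monitoring combined with permission (ACL) checks, the change-detection control PCI DSS expects on critical system and application files. The block below is an added example written for this page, not CloudPassage Halo's or RightScale's code, showing what that control does at its simplest: take a baseline of SHA-256 digests, permission bits and ownership for every regular file under a directory, rescan later, and report files that were added, removed, modified or had their mode or owner changed, plus a separate policy check for world-writable files. The directory layout, file contents and the tampering simulated in `demo()` are all constructed for the example.

```python
"""Minimal file-integrity and permission baseline check.

Added example for this page, not CloudPassage Halo's own code. The tree
built in demo() and the tampering it simulates are constructed here so the
script runs offline against a temporary directory.
"""
import hashlib
import stat
import tempfile
from pathlib import Path


def hash_file(path: Path, chunk_size: int = 65536) -> str:
    """SHA-256 of a file, read in chunks so large binaries never load whole into memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def take_baseline(root: Path) -> dict:
    """Record digest, permission bits and ownership of every regular file under root.

    Symlinks are skipped (lstat, never followed) so a link planted at a monitored
    path cannot make the scanner hash an attacker-chosen target instead.
    """
    baseline = {}
    for path in sorted(root.rglob("*")):
        if path.is_symlink() or not path.is_file():
            continue
        st = path.lstat()
        baseline[path.relative_to(root).as_posix()] = {
            "sha256": hash_file(path),
            "mode": stat.S_IMODE(st.st_mode),
            "uid": st.st_uid,
            "gid": st.st_gid,
        }
    return baseline


def compare(baseline: dict, current: dict) -> list:
    """Diff two scans; each finding names the file and the kind of drift seen."""
    findings = []
    for rel in sorted(set(baseline) | set(current)):
        old, new = baseline.get(rel), current.get(rel)
        if old is None:
            findings.append({"path": rel, "event": "added",
                             "detail": f"mode={new['mode']:04o}"})
        elif new is None:
            findings.append({"path": rel, "event": "removed", "detail": ""})
        else:
            if old["sha256"] != new["sha256"]:
                findings.append({"path": rel, "event": "content_changed",
                                 "detail": f"{old['sha256'][:12]}->{new['sha256'][:12]}"})
            if old["mode"] != new["mode"]:
                findings.append({"path": rel, "event": "mode_changed",
                                 "detail": f"{old['mode']:04o}->{new['mode']:04o}"})
            if (old["uid"], old["gid"]) != (new["uid"], new["gid"]):
                findings.append({"path": rel, "event": "owner_changed",
                                 "detail": f"{old['uid']}:{old['gid']}->{new['uid']}:{new['gid']}"})
    return findings


def world_writable(scan: dict) -> list:
    """Files whose current mode grants write to 'other' (a policy check, not drift)."""
    return [rel for rel, meta in sorted(scan.items()) if meta["mode"] & stat.S_IWOTH]


def demo() -> dict:
    """Build a small constructed tree, baseline it, tamper with it, and return the rescan result."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "etc").mkdir()
        app = root / "bin" / "app"
        conf = root / "etc" / "app.conf"
        app.write_bytes(b"#!/bin/sh\necho ok\n")      # constructed sample binary
        app.chmod(0o755)
        conf.write_text("listen=127.0.0.1\n")          # constructed sample config
        conf.chmod(0o640)
        baseline = take_baseline(root)

        # Simulated tampering: binary replaced, config opened to everyone, new file dropped.
        app.write_bytes(b"#!/bin/sh\necho compromised\n")
        conf.chmod(0o666)
        extra = root / "etc" / "extra.key"
        extra.write_text("constructed-secret\n")
        extra.chmod(0o600)

        rescan = take_baseline(root)
        return {"findings": compare(baseline, rescan),
                "world_writable": world_writable(rescan)}


if __name__ == "__main__":
    for finding in demo()["findings"]:
        print(f"{finding['event']:16} {finding['path']}  {finding['detail']}")
```

Two caveats a practitioner would add before relying on something like this: the baseline has to live somewhere the monitored host cannot rewrite (off-host, or at least signed), because an attacker with root can otherwise re-baseline after tampering; and a scheduled rescan only catches drift at poll time, which is why agent-based products run the comparison continuously and ship findings to a central engine rather than leaving them on the box.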
  20. Halo PCI Coverage
  21. Halo Grid: PCI & SOC2
     • Certified Level 1 Service Provider
       – First entirely cloud-based vendor certified across multiple CSPs
       – Hosted in Rackspace Cloud & AWS, with full DevOps automation
     • Multiple customers recently cleared PCI QSA audits
     • Recently announced: SOC2 certification
  22. Poll: PCI & IaaS
     What percentage of your “in-scope” PCI systems run in a private or public IaaS infrastructure?
     – 100% of in-scope PCI systems on IaaS
     – PCI in-scope systems run across a mix of IaaS and traditional infrastructure
     – No in-scope systems on IaaS (all on traditional physical hardware)
     – N/A, we run no PCI in-scope systems
  23. Wrapping Up
  24. Summary
     • PCI compliance on IaaS is possible
     • Responsibility is shared with the cloud provider
     • Security and management must be designed to work in dynamic, highly automated clouds
     • CloudPassage Halo was designed and built to automate compliance in today’s complex environments
  25. Q&A and Resources
     Resource: PCI Compliance in the Public IaaS Cloud: How I Did It
  26. Thank You!
     Phil Cox
     • Email:
     • Twitter: @sec_prof
     Rand Wacker
     • Email:
     • Twitter: @randwacker