
PCI Compliance and Cloud Reference Architecture



Published in: Technology, Business

  1. PCI Compliance and Cloud Reference Architecture
     A Best Practices Discussion with Authors
     Moderator: Hemma Prafullchandra, HyTrust
     Panelists: George Gerchow, VMware; Christian Janoff, Cisco; Allan MacPhee, Trend Micro; Kennet Westby, Coalfire; Ken Owens, Savvis
     Brought to you by:
     © HyTrust, Inc. All rights reserved. 1975 W. El Camino Real, Suite 203, Mountain View, CA 94040. Phone: 650-681-8100 / email:
  2. Speakers
     • George Gerchow, Director, VMware Center for Policy and Compliance, VMware
     • Hemma Prafullchandra, CTO/SVP Products, HyTrust
     • Ken Owens, Vice President of Security & Virtualization Technologies, Savvis
     • Allan MacPhee, Senior Product Manager, Trend Micro
     • Kennet Westby, CEO, Coalfire
     • Christian Janoff, Industry Enterprise Architect, Cisco
  3. Hemma Prafullchandra
     • Founded in Fall 2007 and headquartered in Mountain View, CA.
     • Venture backed by Cisco, Epic, Granite, and Trident, with strategic partners including VMware, CA, Cisco, Symantec, Intel, and VCE.
     • HyTrust provides centralized control for virtual infrastructure, administrative access, policy management, and compliance.
     • The HyTrust product addresses multiple requirements set forth in PCI, as outlined in the reference architecture document (will be emailed after the webinar).
     • HyTrust serves as co-leader in the development and organization of the PCI Cloud Reference Architecture team and content.
  4. George Gerchow
     About VMware
     VMware, the virtualization and cloud infrastructure leader, delivers the most customer-proven, reliable, secure and complete platform to build the enterprise cloud.
     VMware has more than 250,000 customers, including 99% of the Fortune 1000 and 97% of the Fortune Global 500.
     VMware customers have experienced unmatched results with VMware solutions.
     • Financial: 50-60% CapEx savings
     • Human: Average of 33 percent cumulative time savings for day-to-day administrative activities.
     • Energy: Up to 80%, leveraging consolidation and distributed power management.
  5. Christian Janoff
     • Vertical Solutions Architect at Cisco
     • Has led Cisco's participation on the PCI Security Standards Council since 2007 as a member of their Board of Advisors
     • Cisco virtual technology: virtual servers, switching, routing, firewalling and intrusion detection systems for public and private clouds
     • For more information on Cisco and PCI:
  6. Who is Savvis
     Service portfolio (a diagram with a Hosting Track and a Cloud Track, arranged along the axes "Reduced Opex" and "Service Standardization, Virtualization & Automation"):
     • Savvis Symphony VPDC: enterprise features, multi-tier QoS
     • Savvis Symphony Open: multi-tenant virtual infrastructure
     • Savvis Symphony Dedicated: dedicated, virtual infrastructure
     • Utility Compute: multi-tenant stateless Bladeframe
     • Managed Hosting: dedicated physical infrastructure
     • Colocation: enterprise-grade space & power
  7. Allan MacPhee
  8. Kennet Westby
  9. Audience Poll - Let’s Get to Know Each Other
     • How many are virtualizing or have virtualized cardholder data?
     • How many of you are looking at cloud services?
     • How many feel your QSA is comfortable with your virtualized environment?
  10. Panel Discussion
      What are the characteristics of a cloud that make PCI compliance difficult?
      Can a shared cloud environment even be PCI compliant?
      What does it mean when your cloud provider tells you that they are PCI certified?
      • What areas should your cloud provider be responsible for?
      • What are the key questions you should ask your cloud provider to understand the scope of PCI certification achieved?
      • How does a merchant figure out what the shared responsibility split is in detail?
  11. Panel Discussion
      If my environment is already PCI compliant and I want to just extend a single tier to a public cloud, what should I be concerned about?
      What is the best way to involve my QSA in these discussions?
      What resources can I use to help me plan for and use cloud computing for my CDE?
      • Policy, People, Process, Technology
  12. Key Takeaways and Guidance
      PCI Compliance in Virtualized Environments (on-premise)
      • Virtualization increases the risk and complexity of PCI compliance; engage your QSA early to streamline the audit process.
      • Look beyond traditional security vendors for solutions that address virtualization-specific requirements (hypervisor/VM controls).
      • View virtualization as an opportunity to improve your current processes (e.g. reporting, monitoring, inter-VM controls) and achieve objectives that you always wanted in physical environments but could not afford or were restricted from by legacy infrastructure.
      • Embrace virtualization with a virtualization-by-default approach and build compliance into the default mode of operation.
  13. Key Takeaways and Guidance
      PCI Compliance in the Cloud
      • Compliance is possible, but it takes the right cloud provider.
      • Compliance is a shared responsibility; there is no magic bullet.
        ◦ Understand the details and scope of your cloud provider’s PCI certification.
        ◦ Work with your QSA to create a strategy for addressing the remaining required PCI controls.
      • Cloud compliance requires elastic and automated VM security and persistence of machine data for audit and forensics.
      • Create a strategy for cloud compliance:
        ◦ Start with virtualized on-premise and dedicated hosting environments.
        ◦ Evolve and apply these controls to cloud environments.
  14. Additional Resources
      compliance/
      compliance/unified-framework.html
      Just Published: PCI-compliant Cloud Reference Architecture
  15. Thank You