TECH SPEC SHEET

SUNGARD AVAILABILITY SERVICES CLOUD SOLUTIONS

Cloud Security at the Highest Level: PCI-DSS Compliant Sungard AS Managed Cloud and Managed Private Cloud.

Sungard AS Managed Cloud and Managed Private Cloud are PCI-DSS compliant infrastructure platforms that have been rigorously built, tested and audited – backed by a 99.95% SLA at the virtual machine level. For your business to achieve overall PCI compliance, both your environment and your Cloud Provider environment must be individually certified. By relying on Sungard AS Managed Cloud or Managed Private Cloud, your compliance is already halfway complete, and Sungard AS can provide the knowledge necessary to make the complete solution PCI compliant.¹

Sungard AS is a Qualified Security Assessor (QSA) and has the expertise to work with customers to establish and maintain the security posture required for PCI compliance in a cloud environment.

1 Note: Certain PCI DSS requirements have been identified as not being applicable to Sungard AS (as the service provider) and are the responsibility of the customer.

Starting compliance with your infrastructure

You might be exploring PCI-DSS compliant options to support your infrastructure for a variety of reasons: audit requirements, customer/partner expectations, regulatory restrictions, an inability to optimize your current environment, or simply the need to strengthen your overall security posture. Sungard AS Managed Cloud and Managed Private Cloud are compliant platforms that embed security and availability into the solution.

With PCI-DSS compliant Managed Cloud or Managed Private Cloud, customers can reduce overall costs by leveraging the expertise needed to maintain compliance. Sungard AS represents one of the few managed infrastructure providers that can deliver this level of security and breadth of services.

Completing your compliance

A compliant infrastructure is just one step towards having a PCI-DSS compliant posture. There are 12 PCI-DSS requirements² that fall into six high-level categories:

• Build and Maintain a Secure Network
• Protect Cardholder Data
• Maintain a Vulnerability Management Program
• Implement Strong Access Control Measures
• Monitor and Test Networks Regularly
• Maintain an Information Security Policy

2 https://www.pcisecuritystandards.org

Sungard AS has experience providing all of the key requirements inherent in a PCI-DSS solution. By having access to both Sungard AS’ infrastructure and consulting services, you can more easily complete and maintain PCI-DSS compliance across your entire organization.

You need the most stringent security posture available to protect your customers’ most sensitive data: their credit card information. Sungard AS Managed Cloud and Managed Private Cloud are important elements in your overall Payment Card Industry Data Security Standard (PCI-DSS) plan. In addition to providing a PCI-DSS compliant cloud platform, Sungard AS also offers customers ongoing assessments and consulting to ensure not only PCI compliance, but a complete security solution across your entire environment.


About Sungard Availability Services

Sungard Availability Services provides managed IT services, information availability consulting services, business continuity management software, and disaster recovery services.

To learn more, visit www.sungardas.com or call 1-888-270-3657

Trademark information

Sungard Availability Services is a trademark of SunGard Data Systems Inc. or its affiliate used under license. All other trade names are trademarks or registered trademarks of their respective holders.


© 2014 Sungard Availability Services, all rights reserved. TEC-117 614


Sustaining compliance into the future

As a long-time Qualified Security Assessor, Sungard AS has the personnel, methodologies, tool sets, and experience to highlight security holes, provide recommendations, and implement fixes. Sungard AS will work with you to:

• Perform a gap analysis to identify and prioritize PCI-DSS issues;
• Mitigate gaps through process reengineering, solution implementations, and training;
• Rationalize the use of credit cards via tokenization, segmentation, storage, etc.;
• Develop policies and procedures for security appliance configuration management; and
• Conduct auxiliary reviews, including: pen testing, scanning requirements, web application reviews (white and/or black box testing), vendor reviews, etc.

To learn more about our PCI-DSS Compliant Managed Cloud or Managed Private Cloud, visit http://www.sungardas.com/Solutions/Cloud/IaaS/Pages/InfrastructureasaService (IaaS).aspx

Sungard AS PCI-DSS Compliance Ecosystem

• PCI-DSS Compliant Managed Cloud
• PCI-DSS Compliant Managed Private Cloud
• PCI Readiness Assessment
• PCI Report on Compliance (ROC)
• Approved Scanning Vendor (ASV)
• PCI Remediation Services
• PCI Design Assistance
• Audit Preparation
• Qualified Security Assessor (QSA)

Additional reading

• Enterprise Cloud Services
• Why Compliance Matters in the Cloud

DATA SHEET

ENTERPRISE CLOUD SERVICES

Secure, flexible cloud services designed for your application lifecycle

Will your computing resources be there when you need them? Will your applications and data remain protected? Can you provision the needed infrastructure quickly enough to handle the needs of your business — across both production and test and development use cases?

With Sungard AS Enterprise Cloud Services, the answer is yes.

The Sungard AS Enterprise Cloud Services portfolio consists of multi-tenant, private and public cloud options which provide your business with the flexibility to support a full application lifecycle. Sungard AS Managed Cloud and Managed Private Cloud Services provide your applications with fully managed cloud solutions with all the necessary compute, storage, network, and backup, while Sungard AS Public Cloud provides your application development community with the flexible and efficient test and development environments they require.

Security is an integral part of the Sungard AS Enterprise Cloud Services portfolio. The Sungard AS Managed Cloud and Managed Private Cloud are PCI DSS compliant infrastructures. In addition, both the Sungard AS Managed Cloud and Managed Private Cloud offer redundant firewalls, support for multiple private virtual local area networks (VLANs) and an encrypted virtual private network, all of which can be enhanced with optional security services such as Host Intrusion Protection, Log and Threat Management and more.

Sungard AS Enterprise Cloud Services are delivered in Sungard AS’ premier data centers, which are backed by the ITILv3 framework, including an annual SSAE 16 Type II audit, and certified to the ISO 20000-1 standard.

Enterprise Cloud security

The efficiency and flexibility of cloud computing. The security and experience of Sungard Availability Services.

Sungard AS provides the right solutions, so you can realize the promise of cloud computing.

And truly achieve strategic results.

Key capabilities

• Specialized expertise for complex, “hybrid” IT environments — integration of cloud with legacy environments
• Multi-site high availability, fail-over options, and service-level agreement of 99.95 percent availability for every virtual machine (Managed Cloud and Managed Private Cloud)
• Fully-staffed support for round-the-clock monitoring and management
• Optional managed services include SAP® services, Oracle services, Citrix XenApp®, Microsoft SQL Database®, Microsoft® Exchange Server and Blackberry® Enterprise Server services
• “Workplaces” enable both users and departments to have uniquely defined compute environments which have their own budget allocation and allowed users (AS Public Cloud)
• Cloud Transformation and Optimization Consulting Services

[Figure: Enterprise Cloud security, with panels labelled Platform Security, Data Center Security, Cloud Security and IT Best Practices, and the callout "Host and network intrusion detection and log and threat management"]

• ITILv3-based services
• Security assessments and recommendations
• Penetration tests
• Strict change control
• Data center standards and certifications (SSAE 16 Type II and ISO 20000-1)

• Options for dedicated ESX clusters and dedicated datastores
• Redundant firewalls
• Encrypted virtual private network

• Role-based access control
• Infrastructure security; shared vs. dedicated
• Activity logging, monitoring and detection

• Biometric and key-card access control
• No customer access to shared infrastructure
• 24/7 security service; CCTV monitoring


WHITE PAPER

Thought Leadership

WHY COMPLIANCE MATTERS IN THE CLOUD

Compliance in the cloud: myth or reality

Using the cloud means moving from a dedicated environment where a company has complete control to an environment where that control often belongs to someone else. Although that may sound negative, if the move is to a provider that is well-versed in regulatory standards, and offers a compliant environment, this can actually be positive.

The need for compliance

Regulated industries or businesses that have strict security policies each have their own compliance checklists to follow. The regulatory mandates with the most severe penalties for non-compliance are the Health Insurance Portability and Accountability Act (HIPAA) healthcare regulations, the Federal Information Security Management Act (FISMA) standards for government contractors, the Payment Card Industry Data Security Standard (PCI-DSS) for organizations that handle cardholder information, and the Sarbanes-Oxley (SOX) accounting regulations for wholly-owned or partially-public companies.

These regulations have a common objective: the implementation and enforcement of policies. Compliance with these regulations involves maintaining specific certification standards and ensuring best practices.

• HIPAA requires that healthcare businesses hold onto patient documents for six years.
• FISMA requires each government agency carefully document and continuously review its information security strategy.
• Businesses that process credit transactions are required to track all access to cardholder data via PCI-DSS regulations.
• SOX mandates that an organization is responsible for any accounting or financial wrong, even those of a third party.

Each regulation is about mitigating risk and creating a strong foundation of people, processes, and technology.

Most compliance standards governing the management of IT infrastructure were not designed with cloud in mind. Compliance standards are predominantly concerned with maintaining the protection and integrity of data … not locking down virtual environments. Therefore, as organizations look into adopting cloud services for better scalability and lower IT costs, they are confronted with a myriad of unanswered questions regarding compliance in the cloud.

The penalties for not being PCI compliant range from $5,000 to $500,000 and are levied by banks and credit card institutions.