45 Minutes to Achieving PCI Compliance in the Cloud

Carson Sweet, Chief Executive Officer, CloudPassage

Bruno Kurtic, Founding VP, Product & Strategy, Sumo Logic

What Today’s Webinar Is About

• If you’re here, you care about PCI in the cloud.

• You know (or need to know) the new parameters for success with PCI in the cloud.

• You want to understand how the new parameters impact how you can approach PCI compliance.

• You’re going to learn how cloud and big data can be combined to power a startlingly fast, easy solution to PCI compliance in any cloud.

Quick Review of PCI

• A dozen high-level control categories with ~200 specific control requirements

• Audit conducted annually by a Qualified Security Assessor (QSA) anointed by the PCI Council

• Often includes a lookback period for some controls

• PCI DSS v3 pending, v2 still the norm “in the wild”

• Yes, you can be PCI compliant when using public, private or hybrid cloud infrastructure

PCI Can Be Complex & Expensive

• Merchants pay an average of $225,000 per audit each year

• 10% are paying $500,000 or more annually

• 2% fail these audits

• 54% of respondents say PCI DSS is too costly

• 52% of respondents are not proactively managing data privacy and security in their environments

Sources:
http://www.networkworld.com/news/2010/030110-pci-compliance-audit-cost.html
http://www.campuscommerce.com/page.cfm?p=398
http://www.darkreading.com/management/10-ways-to-fail-a-pci-audit/240004877?pgno=1

• Level 1 Merchant (6M tx/year)
– Initial scope - $250,000
– Becoming compliant - $550,000
– Annual audit cost - $250,000

• Level 2 Merchant (1-6M tx/year)
– Initial scope - $125,000
– Becoming compliant - $260,000
– Annual audit cost - $100,000

• Level 3, 4 Merchants (<1M tx/year)
– Initial scope - $50,000
– Becoming compliant - $81,000
– Annual audit cost - $35,000

PCI Requires Ongoing Effort

Initial Control Deployment

Compliance Established

Changes Detected & Evaluated

Controls Verified or Updated

Huge amounts of data must be collected, verified, and accessible

Cloud Changes the Security Situation

• Infrastructure more distributed and dynamic than ever

• Rate of change higher than ever

• Legacy security solutions neither dynamic nor distributed

• Perimeters, hardware appliances, network-deployed controls, endpoint security solutions highly marginalized in dynamic cloud environments

• New set of data needs to be integrated – IaaS / provider activities, and your admins’ activities on cloud systems

Who’s Responsible for PCI in Clouds?

Provider Responsibility:

Physical Facilities

Hypervisor

Compute & Storage

Shared Network

Your Responsibility:

Guest VM

Data

App Code

App Framework

Operating System

“…the customer should assume responsibility and management of, but not limited to, the guest operating system and associated application software...”

“it is possible for customers to enhance security and/or meet more stringent compliance requirements with the addition of host based firewalls, host based intrusion detection/prevention, encryption and key management…”

Amazon Web Services: Overview of Security Processes

AWS Shared Responsibility Model
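The two slides above describe a loop (establish a baseline, detect and evaluate changes, verify or update controls) that runs on the customer's side of the shared responsibility model: the guest OS and application layer, where AWS points to host-based controls. The following is an added illustration, not code from the webinar, CloudPassage or Sumo Logic, of the smallest version of that loop: it snapshots a few host data points (config-file hashes, listening ports, local accounts), diffs them against a stored baseline, and folds changes that went through review back into a new baseline while leaving everything else open. The monitored paths, the port and account inputs, and the mapping of data points to PCI DSS requirement areas are assumptions made for the example.

```python
"""Added example (not from the webinar or either vendor): a minimal host-side
change detector for the detect -> evaluate -> verify/update loop."""
import hashlib
import os
import tempfile

# Which PCI DSS requirement area each data point supports. The mapping is this
# example's own assumption; check the standard for your actual scope.
REQUIREMENT_FOR = {
    "file": "11.5 file-integrity monitoring",
    "port": "1.x firewall / exposed services",
    "account": "8.x user identification",
}


def hash_file(path):
    """SHA-256 of a file's contents, read in chunks so large files stay cheap."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def snapshot(files, listening_ports, accounts):
    """Capture the monitored data points. Ports and accounts are supplied by the
    caller (a real agent would read them from the host) so this runs offline;
    a monitored file that is missing is recorded as None."""
    return {
        "files": {p: (hash_file(p) if os.path.exists(p) else None) for p in files},
        "ports": sorted({int(p) for p in listening_ports}),
        "accounts": sorted(set(accounts)),
    }


def diff_snapshots(baseline, current):
    """Every difference is a finding that must be evaluated before the host
    can be considered back in its verified state."""
    findings = []

    def add(kind, item, change):
        findings.append({"kind": kind, "item": item, "change": change,
                         "requirement": REQUIREMENT_FOR[kind]})

    for path in sorted(set(baseline["files"]) | set(current["files"])):
        before, after = baseline["files"].get(path), current["files"].get(path)
        if before != after:
            add("file", path, "removed" if after is None else
                "added" if before is None else "modified")
    for port in sorted(set(current["ports"]) - set(baseline["ports"])):
        add("port", port, "opened")
    for port in sorted(set(baseline["ports"]) - set(current["ports"])):
        add("port", port, "closed")
    for acct in sorted(set(current["accounts"]) - set(baseline["accounts"])):
        add("account", acct, "added")
    for acct in sorted(set(baseline["accounts"]) - set(current["accounts"])):
        add("account", acct, "removed")
    return findings


def reconcile(baseline, current, approved):
    """Close the loop. `approved` holds (kind, item) pairs whose change was
    reviewed through change control; those are folded into a new baseline
    (controls verified or updated). Everything else stays open.
    Returns (new_baseline, open_findings)."""
    approved = set(approved)
    files, ports, accounts = dict(baseline["files"]), set(baseline["ports"]), set(baseline["accounts"])
    open_findings = []
    for f in diff_snapshots(baseline, current):
        if (f["kind"], f["item"]) not in approved:
            open_findings.append(f)
        elif f["kind"] == "file":
            if f["change"] == "removed":
                files.pop(f["item"], None)
            else:
                files[f["item"]] = current["files"][f["item"]]
        elif f["kind"] == "port":
            (ports.add if f["change"] == "opened" else ports.discard)(f["item"])
        else:
            (accounts.add if f["change"] == "added" else accounts.discard)(f["item"])
    return {"files": files, "ports": sorted(ports), "accounts": sorted(accounts)}, open_findings


if __name__ == "__main__":
    # Constructed demo: baseline one config file, then weaken it, open a port
    # and add an account; only the new port went through change control.
    with tempfile.TemporaryDirectory() as tmp:
        conf = os.path.join(tmp, "app.conf")
        with open(conf, "w") as fh:
            fh.write("tls_min_version = 1.2\n")
        base = snapshot([conf], [22, 443], ["root", "app"])
        with open(conf, "w") as fh:
            fh.write("tls_min_version = 1.0\n")
        cur = snapshot([conf], [22, 443, 8080], ["root", "app", "tmpuser"])
        new_base, still_open = reconcile(base, cur, [("port", 8080)])
        for f in still_open:
            print(f"OPEN {f['kind']} {f['item']}: {f['change']} (PCI {f['requirement']})")
        print("verified baseline ports:", new_base["ports"])
```

The point of `reconcile` is that a change only becomes part of the verified state after someone evaluates it; the detector itself never decides that a modified file or a new account is acceptable. At the scale the next slides describe (millions of data points), the same shape holds, but snapshots are taken by an agent and the approval list comes from change-control records rather than a hand-written list.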

New complexity, high rate of change (RoC)

Existing security tools don’t work, even higher RoC

Agile software development further increases RoC

Example of Automation & Big Data Needs

• Assurance of initial and ongoing compliant state
– 6,285,300 infrastructure data points
– 1,628,000 code data points

• Assurance of control adjustments as environment changed
– 6,400 infrastructure data points
– 4,598,000 code data points

• Monitoring of access management & behaviors
– Over 28,000 access control / behavioral data points

CloudPassage’s PCI scope included over 12,500,000 individual data points

Option 1

Stick head in sand. Cross fingers.

Option 2

Hire a small army. Cross fingers.

Option 3

Automate with cloud-native security solutions.

SOLUTIONS OVERVIEW

What You’ll Want In A Solution

• Portable, built-in, automated control consolidation
– Automated, consolidated controls (defense-in-depth)
– Transparent across heterogeneous clouds
– Supports your part of shared security responsibility

• Efficiently deployed controls & telemetry
– Security built directly into the stack
– Changes instantly detected
– Adjustments instantly deployed
– Integrations for SIEM, GRC, LDAP, AD, etc.

• Technically, financially, operationally scalable
– Rapidly deployed, low system impact
– Transparent capacity scalability
– Metered usage & billing
– Built-in controls & telemetry, zero provisioning

• Flexible Collection
– Aware and capable within ephemeral infrastructure
– Automated collector deployment that works with common tools (Chef, Puppet, etc.)
– Ability to collect from cloud data sources: S3, CDN, IaaS/SaaS/PaaS audit

• Rapid and Flexible Deployment
– Out of the box reports, searches, alerts and dashboards
– No servers, no software, no storage, no appliances
– Ability to seamlessly collect across cloud and physical environments

• Big Data with Elastic Scale
– Ability to analyze terabytes of data per day in near-real time
– Support for bursting in data and seasonal spikes without adding infrastructure
– Ability to handle unstructured formats of custom logs

Control & Telemetry Monitoring & Validation

The Halo security automation platform secures workloads anywhere, at any scale, as-a-service

• One platform, many functions
– Centrally automates dozens of controls critical to security and compliance

• Efficiency through automation
– Eliminates extensive manual effort of deploying and managing many legacy solutions

• Broad compliance support
– E.g. 75% of PCI DSS, 83% of HIPAA requirements* within a single solution

• Easily deployed security-as-a-service
– No hardware to deploy or network changes
– Typically fully operational within hours

* Remaining requirements relate to documentation, application development, or end-user computing practices.

CUSTOMER CLOUD / DATACENTER HOSTING ENVIRONMENTS

www node 1, 2, (n): HALO

mysql node 1, 2, (n): HALO

mongo-db node 1, 2, (n): HALO

• Micro-agents with minimal system overhead

• Highly scalable centralized security analytics

• Agnostic to platform or provider – runs on any hardware, cloud, virtualized environment

Halo ties security directly to workloads and devices to achieve portability and scalability

Consumers: CIO, Security, IT Operations, Application Development

Enterprise Class SaaS:
– Managed Collection
– Scalable Index and Data Store
– Analytics Engine
– Anomaly/Event Console
– Operational Intelligence Console
– Sumo Logic Applications
– APIs

Via APIs:
– BI: Tableau, Cognos, SAS, SAP, Jasper, etc.
– Analytics: Hadoop, AWS EMR, MapR, Cloudera, etc.

• Collect logs from any source

• Integrate on-premise and Cloud environments with minimal overhead

• Scale to multi-terabytes of data per day

• Supports bursting and seasonality with no impact on deployment

• Rapidly discover data patterns

• Reduce time to identifying compliance gaps by 50% or more

• Uncover data anomalies in real-time

• Proactively address symptoms before issues hit your organization

Sumo Logic: Machine Data Intelligence

Sumo Logic: Deployment Model

Primary Datacenter – Collector

Acquisition Datacenter – Collector

Private Cloud – Hosted Collector, Collector

Hosted Collector

Mapping Halo + Sumo Logic to PCI

Rapid and Easy Deployment

• Instant account provisioning
– No software, hardware, storage

• Out-of-the-box PCI specific content
– Requirement specific controls, reports, dashboards

• Collection & agents support cloud deployment model
– Scripted mode, chef/puppet/etc, ephemeral model

• Architecture supports bursting and seasonality
– No changes required to increase or decrease capacity

How To Learn More

• CloudPassage PCI Compliance Kit
– www.cloudpassage.com/pci-kit

• Sumo Logic Compliance Technical Brief
– www.sumologic.com/product/use-cases/enforce-compliance/

• Stay tuned for future cloud security webinars!