|By Kevin Nikkhoo||
|November 14, 2012 08:30 AM EST||
One of the key drivers to IT security investment is compliance. Several industries are bound by various mandates that require certain transparencies and security features. They are designed to mitigate aspects of risk including maintaining the sacrosanctity of customer information, financial data and other proprietary information.
One such affected vertical is retail. No matter if you’re Wal-Mart or Nana’s Knitted Kittens, if you store customer information; if you process payments using customer’s credit cards, you are required by law to comply with a variety of security standards. Although there are several auditing agencies and mandating bodies, today we will concentrate on the one compliance agency that is typically applicable to every retailer-PCI.
PCI (Payment Card Industry) enforces Data Security Standards that looks to ensure that ALL companies that process, store or transmit credit card information maintain a secure environment. Now of course, not all merchants are created equal. Nana obviously doesn’t process the volume or the dollar amount of a national or even a high traffic regional retailer. However, this doesn’t let Nana off the hook. Her online shopping cart still needs to be Payment Application DSS validated (PCI compliant). She still is required to pass security audits of her network…just not as often.
But for the sake of this example, let’s assume you are a retailer who processes more than 20,000 transactions a year and the administrative burden of PCI is a real concern. In fact, it is a business necessity to maintain merchant accounts with VISA, American Express and MasterCard. And it is hugely important to keep the confidence of your customers. Fines for non-compliance aside, a breach of your network could cost millions of dollars. And that doesn’t begin to calculate the cost of customer defection through loss of trust.
Most, if not all, retailers have some sort of PCI monitoring in place. However, they are often cumbersome, expensive and resource heavy. Additionally, too many retail organizations don’t employ a compliance officer, much less a dedicated security person. This doesn’t mean these functions aren’t part of someone’s job description. Typically, they are yet another line item in a plethora of competing priorities and mission critical initiatives. In that security can be considered a cost center, the move to simply do the bare minimum to meet compliance is often an attractive alternative. Until now. Until the cloud. More specifically, a holistic enterprise security initiative deployed and managed from the cloud.
So how does cloud-based security/security-as-a-service meet the requirements of PCI while driving down costs, freeing up personnel resources and providing an easy-yet-comprehensive suite of capabilities and functions?
The easiest way to illustrate the potential is to look at the individual PCI requirements and how they are addressed from the cloud:
1. Protect Data: A cloud-based SIEM offering can accomplish the most important feature of this requirement: the ability to instantly recognize any change, intrusion or activity to your firewall IN REAL TIME. That’s the key. There isn’t the lag of looking at all the logs a week later when the damage has been done, or not being able to tell a suspicious action from a white noise false positive. Whereas many SIEM products can do just this, ones from the cloud provide the additional benefit of 7/24/365 monitoring across the entire enterprise. And, you get a scope of visibility of Fortune 500 class protection for literally pennies on the dollar.
2. No vendor-supplied defaults for system passwords and other security parameters: This process is typically enforced by an identity management protocol. The system includes a password management and synchronization feature. The overarching benefit here is SIEM and identity management are two separate functions from two separate applications. However, applying a holistic solution from the cloud gives you the additional flexibility to recognize new accounts, check device configurations and know when and where configurations have deviated from your standards including the entry of too many incorrect passwords
3. Protect cardholder data: Not only are you required to protect and store data, but ensure encryption of any transmission of that data across public networks. The application of situational awareness is an effective means of capturing, encrypting and storing (and destroying) certain pieces of information and then providing the auditing regulatory agency with proof that your best practices are in line with internal and external policies. This is the heart of your security and should be treated as such. For instance an immediate alert can be escalated if anyone pings the server in which your data is stored and you can instantly move to block them out or allow access depending on their internally designed permissions.
4. Maintain a Vulnerability Management Program: This includes securing SaaS applications and regularly updating anti-virus software. Again the answer is in the clouds. Single sign on and web authentication can tie together all the permissible applications and provide user provisioning. What makes this especially valuable in the cloud is the speed in which connectors can be created and distributed to only those who require the application. For instance, shipping doesn’t need to see the HR applications and marketing doesn’t require access to inventory programs.
5. Implement strong access control methods: As PCI specifically says access to personal and sensitive data is on a “Business need to know,” cloud-based identity managementprovides control and creates specific provisioning on who can see what and have access to which data. It gives you the visibility and the audit reports to show who accessed what, when and from what device. Again, the cloud version of this solution ties it together with all the other security solutions giving it true enterprise context.
6. Collect logs and applications impacted by PCI: Log management is one of the most time intensive aspects of security. Not only do the logs need to be collected, but they also need to be studied for traffic patterns, suspicious anomalies, improper or failed access and create an audit trail for card processing systems. An automated system can only do so much and most organizations don’t spend a great deal of man hours scouring millions of lines of machine code. That’s where log management from the cloud is a huge time and asset saver. Not only does it have the automation to review and categorize this code, but security-as-a-service provides the additional human expertise to piece together the situational awareness from multiple silos to give a true report of the security of the enterprise. It’s like having an expert analyst on staff without the associated costs. And of course, those logs can be archived in accordance with PCI requirements for 1 year.
PCI is just one agency with its strict set of requirements. Now imagine the cost and personnel savings when having to comply with multiple agencies. A VP of Ops from a nationally recognized retail company told me he deals with six agencies on a regular basis. Without a holistic and centralized security approach, he would waste endless hours through redundant reporting. With the application of security centralization, 75 hours per month becomes 10. And more importantly, the degree of accuracy of the reporting is significantly better.
In the above six line items, I described four or five different solutions. That in itself can be a heavy investment...unless you look at layering in the cloud. If you are inclined, there is a growing best practice platform of unified security whereby a company can achieve all these goals by leveraging all the solutions into one single source managed from the cloud (cost-effective, enterprise-powered and compliance -ready). But, that is enough ammunition for several other blogs...so keep posted.
So if compliance is one of your banes of business, maybe it’s time you took a deeper look at the cloud.
Always PCI compliant! (HIPAA compliant too. And CIP, and SOX, GLBA and many, many others!)
Today, the demand for new applications is growing at an unprecedented rate throughout lines of business and across industries. Customer expectations for mobile and e-commerce capabilities are transforming software development speed and quality into a competitive differentiator for even the most unlikely businesses. For existing software development shops, the proliferation of platforms, increasing need for total global uptime, and accelerating pace of industry disruption by fast-paced startups h...
Apr. 19, 2015 03:00 PM EDT Reads: 1,234
Dave will share his insights on how Internet of Things for Enterprises are transforming and making more productive and efficient operations and maintenance (O&M) procedures in the cleantech industry and beyond. Speaker Bio: Dave Landa is chief operating officer of Cybozu Corp (kintone US). Based in the San Francisco Bay Area, Dave has been on the forefront of the Cloud revolution driving strategic business development on the executive teams of multiple leading Software as a Services (SaaS) ap...
Apr. 19, 2015 02:45 PM EDT Reads: 484
SYS-CON Events announced today that Vicom Computer Services, Inc., a provider of technology and service solutions, will exhibit at SYS-CON's 16th International Cloud Expo®, which will take place on June 9-11, 2015, at the Javits Center in New York City, NY. They are located at booth #427. Vicom Computer Services, Inc. is a progressive leader in the technology industry for over 30 years. Headquartered in the NY Metropolitan area. Vicom provides products and services based on today’s requirements...
Apr. 19, 2015 02:00 PM EDT Reads: 1,415
Change becomes the central principle of today’s enterprises, and thus business agility becomes the most important characteristic our organizations must exhibit. Agile Architecture lays out a best practice approach for achieving this agility – and thus drives and coordinates the other revolutions, as both digital and DevOps are about being able to deal with change better as well.
Apr. 19, 2015 01:45 PM EDT Reads: 1,356
The 5th International DevOps Summit, co-located with 17th International Cloud Expo – being held November 3-5, 2015, at the Santa Clara Convention Center in Santa Clara, CA – announces that its Call for Papers is open. Born out of proven success in agile development, cloud computing, and process automation, DevOps is a macro trend you cannot afford to miss. From showcase success stories from early adopters and web-scale businesses, DevOps is expanding to organizations of all sizes, including the...
Apr. 19, 2015 12:45 PM EDT Reads: 2,038
What exactly is a cognitive application? In her session at 16th Cloud Expo, Ashley Hathaway, Product Manager at IBM Watson, will look at the services being offered by the IBM Watson Developer Cloud and what that means for developers and Big Data. She'll explore how IBM Watson and its partnerships will continue to grow and help define what it means to be a cognitive service, as well as take a look at the offerings on Bluemix. She will also check out how Watson and the Alchemy API team up to off...
Apr. 19, 2015 12:00 PM EDT Reads: 1,483
The 17th International Cloud Expo has announced that its Call for Papers is open. 17th International Cloud Expo, to be held November 3-5, 2015, at the Santa Clara Convention Center in Santa Clara, CA, brings together Cloud Computing, APM, APIs, Microservices, Security, Big Data, Internet of Things, DevOps and WebRTC to one location. With cloud computing driving a higher percentage of enterprise IT budgets every year, it becomes increasingly important to plant your flag in this fast-expanding bu...
Apr. 19, 2015 12:00 PM EDT Reads: 2,083
Thought experiment: let’s say your app gets a message from somewhere, perhaps from another app, but you don’t know from where. The message contains the number 47 but no other information. What should your app do with the message? The answer: nothing. There’s no way for your app to make any sense out of a single datum with no context, no additional information or metadata about the datum itself. Now, let’s scale up this thought experiment to a data lake. There are a few common definitions o...
Apr. 19, 2015 12:00 PM EDT Reads: 4,679
How do you securely enable access to your applications in AWS without exposing any attack surfaces? The answer is usually very complicated because application environments morph over time in response to growing requirements from your employee base, your partners and your customers. In his session at 16th Cloud Expo, Haseeb Budhani, CEO and Co-founder of Soha, will share five common approaches that DevOps teams follow to secure access to applications deployed in AWS, Azure, etc., and the frict...
Apr. 19, 2015 11:30 AM EDT Reads: 1,427
The concept and subsequent adoption of 'Containerization'' is growing at a rapid speed with the support of almost every other major player in the industry. This concept is much more efficient than the Virtualization which has been a major option for Infrastructure optimization in the past decade. The following factors distinguish a Container from a Virtual Machine. Containers contain Only the Application Specific libraries and binaries. They do not include a guest operating system. Rather ...
Apr. 19, 2015 11:00 AM EDT Reads: 1,297
Financial services organizations were among the earliest enterprise adopters of cloud computing. The ability to leverage massive compute, storage and networking resources via RESTful APIs and automated tools like Chef and Puppet made it possible for their high-horsepower IT users to develop a whole new array of applications. Companies like Wells Fargo, Fidelity and BBVA are visible, vocal and engaged supporters of the OpenStack community, running production clouds for applications ranging from d...
Apr. 19, 2015 10:00 AM EDT Reads: 1,112
ProfitBricks has launched its new DevOps Central and REST API, along with support for three multi-cloud libraries and a Python SDK. This, combined with its already existing SOAP API and its new RESTful API, moves ProfitBricks into a position to better serve the DevOps community and provide the ability to automate cloud infrastructure in a multi-cloud world. Following this momentum, ProfitBricks has also introduced several libraries that enable developers to use their favorite language to code ...
Apr. 19, 2015 10:00 AM EDT Reads: 1,379
Back in 2009 I posted about the “Great Cloud Shakeout” and the coming market consolidation into a few very large clouds. Nearly 5 1/2 years later and it’s about (long past?) time I took another look to see how I did. Back then I predicted that the market would be dominated by “mega CSPs” by the name of Amazon, Google and Microsoft. Note that this was during a period of Cambrian Explosion in the CSP market – it seems like everybody in the hosting business wanted to be a cloud provider....
Apr. 19, 2015 10:00 AM EDT Reads: 1,453
As we recently previewed (read more about our London PoP in Jesse's post), Blue Box is opening a new Data Center in London, but hadn't announced the provider. Today we're excited to partner with TelecityGroup, whom we've selected as our data center partner in London. We chose their Powergate location, which is one of the U.K.'s most advanced, flexible and energy efficient carrier-neutral data centres. Why does that matter to you? Well, when customers choose Blue Box, they're trusting us with ...
Apr. 19, 2015 10:00 AM EDT Reads: 1,124
SYS-CON Events announced today that Column Technologies, a global technology solutions company, will exhibit at SYS-CON's DevOps Summit 2015 New York, which will take place June 9-11, 2015, at the Javits Center in New York City, NY. Established in 1998, Column Technologies is a leader in application performance and infrastructure management for commercial and federal markets. The company is headquartered in the United States, with a diverse and talented team of more than 350 employees around th...
Apr. 19, 2015 10:00 AM EDT Reads: 1,592
Cloud Expo New York is happening from June 9 - 11. This event brings together the worlds of Cloud Computing, DevOps, IoT, WebRTC, Big Data and SDDC. We hope to see you there-members of the Blue Box team will exhibit in booth 218 next to the DevOps area. Plus, our Chief Product Officer, Hernan Alvarez, will present his talk "The Cloud Has a Down-and-Dirty Lining" as part of the Operations track in the DevOps Summit portion of the event on June 9 at 11 am. Learn more about his session her...
Apr. 19, 2015 10:00 AM EDT Reads: 1,271
SYS-CON Events announced today Sematext Group, Inc., a Brooklyn-based Performance Monitoring and Log Management solution provider, will exhibit at SYS-CON's DevOps Summit 2015 New York, which will take place on June 9-11, 2015, at the Javits Center in New York City, NY. Sematext is a globally distributed organization that builds innovative Cloud and On Premises solutions for performance monitoring, alerting and anomaly detection (SPM), log management and analytics (Logsene), search analytics (S...
Apr. 19, 2015 09:30 AM EDT Reads: 3,600
SYS-CON Events announced today Isomorphic Software, the global leader in high-end, web-based business applications, will exhibit at SYS-CON's DevOps Summit 2015 New York, which will take place on June 9-11, 2015, at the Javits Center in New York City, NY. Isomorphic Software is the global leader in high-end, web-based business applications. We develop, market, and support the SmartClient & Smart GWT HTML5/Ajax platform, combining the productivity and performance of traditional desktop software ...
Apr. 19, 2015 09:15 AM EDT Reads: 4,471
SYS-CON Events announced today that Cisco, the worldwide leader in IT that transforms how people connect, communicate and collaborate, has been named “Gold Sponsor” of SYS-CON's 16th International Cloud Expo®, which will take place on June 9-11, 2015, at the Javits Center in New York City, NY. Cisco makes amazing things happen by connecting the unconnected. Cisco has shaped the future of the Internet by becoming the worldwide leader in transforming how people connect, communicate and collaborat...
Apr. 19, 2015 08:30 AM EDT Reads: 5,626
SYS-CON Media announced today that Blue Box as launched a popular blog feed on Cloud Computing Journal. Cloud Computing Journal aims to help open the eyes of Enterprise IT professionals to the economics and strategies that utility/cloud computing provides. Blue Box Cloud gives you unequaled agility, without the burden of designing, deploying and managing your own infrastructure. It’s the right choice when public cloud just won’t do. Blue Box Cloud is a managed Private Cloud as a Service (...
Apr. 19, 2015 08:00 AM EDT Reads: 1,331