Welcome!

Microservices Expo Authors: Pat Romanski, Elizabeth White, Stackify Blog, Liz McMillan, Yeshim Deniz

Related Topics: @CloudExpo, Java IoT, Microservices Expo, Containers Expo Blog, Machine Learning , Cloud Security

@CloudExpo: Article

PCI Compliance for Retailers from the Cloud Perspective

Looking at individual PCI requirements and how they are addressed from the cloud

One of the key drivers to IT security investment is compliance. Several industries are bound by various mandates that require certain transparencies and security features. They are designed to mitigate aspects of risk including maintaining the sacrosanctity of customer information, financial data and other proprietary information.

One such affected vertical is retail. No matter if you’re Wal-Mart or Nana’s Knitted Kittens, if you store customer information; if you process payments using customer’s credit cards, you are required by law to comply with a variety of security standards. Although there are several auditing agencies and mandating bodies, today we will concentrate on the one compliance agency that is typically applicable to every retailer-PCI.

PCI (Payment Card Industry) enforces Data Security Standards that looks to ensure that ALL companies that process, store or transmit credit card information maintain a secure environment. Now of course, not all merchants are created equal. Nana obviously doesn’t process the volume or the dollar amount of a national or even a high traffic regional retailer. However, this doesn’t let Nana off the hook. Her online shopping cart still needs to be Payment Application DSS validated (PCI compliant). She still is required to pass security audits of her network…just not as often.

But for the sake of this example, let’s assume you are a retailer who processes more than 20,000 transactions a year and the administrative burden of PCI is a real concern. In fact, it is a business necessity to maintain merchant accounts with VISA, American Express and MasterCard. And it is hugely important to keep the confidence of your customers. Fines for non-compliance aside, a breach of your network could cost millions of dollars. And that doesn’t begin to calculate the cost of customer defection through loss of trust.

Most, if not all, retailers have some sort of PCI monitoring in place. However, they are often cumbersome, expensive and resource heavy. Additionally, too many retail organizations don’t employ a compliance officer, much less a dedicated security person. This doesn’t mean these functions aren’t part of someone’s job description. Typically, they are yet another line item in a plethora of competing priorities and mission critical initiatives. In that security can be considered a cost center, the move to simply do the bare minimum to meet compliance is often an attractive alternative. Until now. Until the cloud. More specifically, a holistic enterprise security initiative deployed and managed from the cloud.

So how does cloud-based security/security-as-a-service meet the requirements of PCI while driving down costs, freeing up personnel resources and providing an easy-yet-comprehensive suite of capabilities and functions?

The easiest way to illustrate the potential is to look at the individual PCI requirements and how they are addressed from the cloud:

1. Protect Data: A cloud-based SIEM offering can accomplish the most important feature of this requirement: the ability to instantly recognize any change, intrusion or activity to your firewall IN REAL TIME. That’s the key. There isn’t the lag of looking at all the logs a week later when the damage has been done, or not being able to tell a suspicious action from a white noise false positive. Whereas many SIEM products can do just this, ones from the cloud provide the additional benefit of 7/24/365 monitoring across the entire enterprise. And, you get a scope of visibility of Fortune 500 class protection for literally pennies on the dollar.

2. No vendor-supplied defaults for system passwords and other security parameters: This process is typically enforced by an identity management protocol. The system includes a password management and synchronization feature. The overarching benefit here is SIEM and identity management are two separate functions from two separate applications. However, applying a holistic solution from the cloud gives you the additional flexibility to recognize new accounts, check device configurations and know when and where configurations have deviated from your standards including the entry of too many incorrect passwords

3. Protect cardholder data: Not only are you required to protect and store data, but ensure encryption of any transmission of that data across public networks. The application of situational awareness is  an effective means of capturing, encrypting and storing (and destroying) certain pieces of information and then providing the auditing regulatory agency with proof that your best practices are in line with internal and external policies. This is the heart of your security and should be treated as such. For instance an immediate alert can be escalated if anyone pings the server in which your data is stored and you can instantly move to block them out or allow access depending on their internally designed permissions.

4. Maintain a Vulnerability Management Program: This includes securing SaaS applications and regularly updating anti-virus software. Again the answer is in the clouds. Single sign on and web authentication can tie together all the permissible applications and provide user provisioning. What makes this especially valuable in the cloud is the speed in which connectors can be created and distributed to only those who require the application. For instance, shipping doesn’t need to see the HR applications and marketing doesn’t require access to inventory programs.

5. Implement strong access control methods: As PCI specifically says access to personal and sensitive data is on a “Business need to know,” cloud-based identity managementprovides control and creates specific provisioning on who can see what and have access to which data. It gives you the visibility and the audit reports to show who accessed what, when and from what device.  Again, the cloud version of this solution ties it together with all the other security solutions giving it true enterprise context.

6. Collect logs and applications impacted by PCI: Log management is one of the most time intensive aspects of security. Not only do the logs need to be collected, but they also need to be studied for traffic patterns, suspicious anomalies, improper or failed access and create an audit trail for card processing systems. An automated system can only do so much and most organizations don’t spend a great deal of man hours scouring millions of lines of machine code. That’s where log management from the cloud is a huge time and asset saver. Not only does it have the automation to review and categorize this code, but security-as-a-service provides the additional human expertise to piece together the situational awareness from multiple silos to give a true report of the security of the enterprise. It’s like having an expert analyst on staff without the associated costs. And of course, those logs can be archived in accordance with PCI requirements for 1 year.

PCI is just one agency with its strict set of requirements. Now imagine the cost and personnel savings  when having to comply with multiple agencies. A VP of Ops from a nationally recognized retail company told me he deals with six agencies on a regular basis. Without a holistic and centralized security approach, he would waste endless hours through redundant reporting. With the application of security centralization, 75 hours per month becomes 10. And more importantly, the degree of accuracy of the reporting is significantly better.

In the above six line items, I described four or five different solutions. That in itself can be a heavy investment...unless you look at layering in the cloud. If you are inclined, there is a growing best practice platform of unified security whereby a company can achieve all these goals by leveraging all the solutions into one single source managed from the cloud (cost-effective, enterprise-powered and compliance -ready). But, that is enough ammunition for several other blogs...so keep posted.

So if compliance is one of your banes of business, maybe it’s time you took a deeper look at the cloud.

Kevin Nikkhoo
Always PCI compliant! (HIPAA compliant too. And CIP, and SOX, GLBA and many, many others!)
www.CloudAccess.com

More Stories By Kevin Nikkhoo

With more than 32 years of experience in information technology, and an extensive and successful entrepreneurial background, Kevin Nikkhoo is the CEO of the dynamic security-as-a-service startup Cloud Access. CloudAccess is at the forefront of the latest evolution of IT asset protection--the cloud.

Kevin holds a Bachelor of Science in Computer Engineering from McGill University, Master of Computer Engineering at California State University, Los Angeles, and an MBA from the University of Southern California with emphasis in entrepreneurial studies.

@MicroservicesExpo Stories
You know you need the cloud, but you’re hesitant to simply dump everything at Amazon since you know that not all workloads are suitable for cloud. You know that you want the kind of ease of use and scalability that you get with public cloud, but your applications are architected in a way that makes the public cloud a non-starter. You’re looking at private cloud solutions based on hyperconverged infrastructure, but you’re concerned with the limits inherent in those technologies.
Regardless of what business you’re in, it’s increasingly a software-driven business. Consumers’ rising expectations for connected digital and physical experiences are driving what some are calling the "Customer Experience Challenge.” In his session at @DevOpsSummit at 20th Cloud Expo, Marco Morales, Director of Global Solutions at CollabNet, will discuss how organizations are increasingly adopting a discipline of Value Stream Mapping to ensure that the software they are producing is poised to o...
DevOps at Cloud Expo – being held October 31 - November 2, 2017, at the Santa Clara Convention Center in Santa Clara, CA – announces that its Call for Papers is open. Born out of proven success in agile development, cloud computing, and process automation, DevOps is a macro trend you cannot afford to miss. From showcase success stories from early adopters and web-scale businesses, DevOps is expanding to organizations of all sizes, including the world's largest enterprises – and delivering real r...
Cloud promises the agility required by today’s digital businesses. As organizations adopt cloud based infrastructures and services, their IT resources become increasingly dynamic and hybrid in nature. Managing these require modern IT operations and tools. In his session at 20th Cloud Expo, Raj Sundaram, Senior Principal Product Manager at CA Technologies, will discuss how to modernize your IT operations in order to proactively manage your hybrid cloud and IT environments. He will be sharing bes...
DevOps is often described as a combination of technology and culture. Without both, DevOps isn't complete. However, applying the culture to outdated technology is a recipe for disaster; as response times grow and connections between teams are delayed by technology, the culture will die. A Nutanix Enterprise Cloud has many benefits that provide the needed base for a true DevOps paradigm. In his Day 3 Keynote at 20th Cloud Expo, Chris Brown, a Solutions Marketing Manager at Nutanix, will explore t...
Most DevOps journeys involve several phases of maturity. Research shows that the inflection point where organizations begin to see maximum value is when they implement tight integration deploying their code to their infrastructure. Success at this level is the last barrier to at-will deployment. Storage, for instance, is more capable than where we read and write data. In his session at @DevOpsSummit at 20th Cloud Expo, Josh Atwell, a Developer Advocate for NetApp, will discuss the role and value...
SYS-CON Events announced today that CollabNet, a global leader in enterprise software development, release automation and DevOps solutions, will be a Bronze Sponsor of SYS-CON's 20th International Cloud Expo®, taking place from June 6-8, 2017, at the Javits Center in New York City, NY. CollabNet offers a broad range of solutions with the mission of helping modern organizations deliver quality software at speed. The company’s latest innovation, the DevOps Lifecycle Manager (DLM), supports Value S...
SYS-CON Events announced today that Peak 10, Inc., a national IT infrastructure and cloud services provider, will exhibit at SYS-CON's 20th International Cloud Expo®, which will take place on June 6-8, 2017, at the Javits Center in New York City, NY. Peak 10 provides reliable, tailored data center and network services, cloud and managed services. Its solutions are designed to scale and adapt to customers’ changing business needs, enabling them to lower costs, improve performance and focus intern...
This talk centers around how to automate best practices in a multi-/hybrid-cloud world based on our work with customers like GE, Discovery Communications and Fannie Mae. Today’s enterprises are reaping the benefits of cloud computing, but also discovering many risks and challenges. In the age of DevOps and the decentralization of IT, it’s easy to over-provision resources, forget that instances are running, or unintentionally expose vulnerabilities.
It has never been a better time to be a developer! Thanks to cloud computing, deploying our applications is much easier than it used to be. How we deploy our apps continues to evolve thanks to cloud hosting, Platform-as-a-Service (PaaS), and now Function-as-a-Service. FaaS is the concept of serverless computing via serverless architectures. Software developers can leverage this to deploy an individual "function", action, or piece of business logic. They are expected to start within milliseconds...
There are two main reasons for infrastructure automation. First, system administrators, IT professionals and DevOps engineers need to automate as many routine tasks as possible. That’s why we build tools at Stackify to help developers automate processes like application performance management, error monitoring, and log management; automation means you have more time for mission-critical tasks. Second, automation makes the management of complex, diverse environments possible and allows rapid scal...
One of the biggest challenges with adopting a DevOps mentality is: new applications are easily adapted to cloud-native, microservice-based, or containerized architectures - they can be built for them - but old applications need complex refactoring. On the other hand, these new technologies can require relearning or adapting new, oftentimes more complex, methodologies and tools to be ready for production. In his general session at @DevOpsSummit at 20th Cloud Expo, Chris Brown, Solutions Marketi...
We all know that end users experience the internet primarily with mobile devices. From an app development perspective, we know that successfully responding to the needs of mobile customers depends on rapid DevOps – failing fast, in short, until the right solution evolves in your customers' relationship to your business. Whether you’re decomposing an SOA monolith, or developing a new application cloud natively, it’s not a question of using microservices - not doing so will be a path to eventual ...
SYS-CON Events announced today that Linux Academy, the foremost online Linux and cloud training platform and community, will exhibit at SYS-CON's 20th International Cloud Expo®, which will take place on June 6-8, 2017, at the Javits Center in New York City, NY. Linux Academy was founded on the belief that providing high-quality, in-depth training should be available at an affordable price. Industry leaders in quality training, provided services, and student certification passes, its goal is to c...
SYS-CON Events announced today that Fusion, a leading provider of cloud services, will exhibit at SYS-CON's 20th International Cloud Expo®, which will take place on June 6-8, 2017, at the Javits Center in New York City, NY. Fusion, a leading provider of integrated cloud solutions to small, medium and large businesses, is the industry’s single source for the cloud. Fusion’s advanced, proprietary cloud service platform enables the integration of leading edge solutions in the cloud, including cloud...
SYS-CON Events announced today that HTBase will exhibit at SYS-CON's 20th International Cloud Expo®, which will take place on June 6-8, 2017, at the Javits Center in New York City, NY. HTBase (Gartner 2016 Cool Vendor) delivers a Composable IT infrastructure solution architected for agility and increased efficiency. It turns compute, storage, and fabric into fluid pools of resources that are easily composed and re-composed to meet each application’s needs. With HTBase, companies can quickly prov...
@DevOpsSummit at Cloud taking place June 6-8, 2017, at Javits Center, New York City, is co-located with the 20th International Cloud Expo and will feature technical sessions from a rock star conference faculty and the leading industry players in the world. The widespread success of cloud computing is driving the DevOps revolution in enterprise IT. Now as never before, development teams must communicate and collaborate in a dynamic, 24/7/365 environment. There is no time to wait for long developm...
With 10 simultaneous tracks, keynotes, general sessions and targeted breakout classes, Cloud Expo and @ThingsExpo are two of the most important technology events of the year. Since its launch over eight years ago, Cloud Expo and @ThingsExpo have presented a rock star faculty as well as showcased hundreds of sponsors and exhibitors! In this blog post, I provide 7 tips on how, as part of our world-class faculty, you can deliver one of the most popular sessions at our events. But before reading the...
The purpose of this article is draw attention to key SaaS services that are commonly overlooked during contact signing that are essential to ensuring they meet the expectations and requirements of the organization and provide guidance and recommendations for process and controls necessary for achieving quality SaaS contractual agreements.
SYS-CON Events announced today that OpsGenie will exhibit at SYS-CON's 20th International Cloud Expo®, which will take place on June 6-8, 2017, at the Javits Center in New York City, NY. Founded in 2012, OpsGenie is an alerting and on-call management solution for dev and ops teams. OpsGenie provides the tools needed to design actionable alerts, manage on-call schedules and escalations, and ensure that the right people are notified at the right time, using multiple notification methods.