
45 Minutes to Achieving Cloud PCI Compliance – Webinar Resources

Yesterday, CloudPassage and Sumo Logic held a webinar on “45 Minutes to Achieving PCI Compliance in the Cloud”. Bruno Kurtic, the Founding VP of Product & Strategy, and Carson Sweet, co-founder and CEO of CloudPassage touched on a number of topics which included:

  • Understanding the typical challenges enterprises face in achieving PCI compliance on cloud infrastructure
  • How purpose-built SaaS-based cloud security solutions can save you tens of thousands of dollars in audit costs by speeding your time to compliance
  • Learning how CloudPassage Halo and Sumo Logic provide the telemetry and the query/reporting engine, respectively, for cloud PCI

As promised, we have created a blog post to share the answers to the questions asked by attendees, which were covered in the webinar, and those we ran out of time for. Should you have any questions or comments, please do not hesitate to contact us.

Q: The hack on Target shows a lack in security but they are PCI compliant. Does this diminish the value of PCI Compliance?

Carson Sweet: The short answer is: no it doesn’t. Compliance does not = security. Compliance is intended to drive certain minimum behaviors and in doing so it can help drive companies to deal with a very large number of compromises, but being compliant with PCI, HIPAA or any other standard does not make you secure. So there is more you need to do to fully protect yourself, particularly with very advanced attacks, like the Target attack, as we learn more about it. That is not something that an industry minimum is going to be able to protect against. The important thing is not to blend security with compliance. In many environments, the converse is true where you can be very secure, but not compliant. Security and compliance are different things and therefore need to be treated differently.

Bruno Kurtic: This is also why checkbox compliance is a trap. It allows you to do business, but it does not take away the risk of being on the front page of the Wall Street Journal. These solutions like CloudPassage Halo and Sumo Logic go far beyond the checkbox compliance and try to give you proactive compliance management with a slew of other tools that will allow you to bolster your security and ensure that you stay away from security breaches for your customers.

Q: Our ASV Company status reports “In Remediation” in red. I know that ASV Companies in remediation may continue to perform PCI Scanning Services. What should I do to monitor their status when they are not under an obligation to tell my company what the requirement violation(s) are?

This is really a relationship management issue. High transparency is quite important, and if the ASV is not willing to be transparent, consider it a red flag. From there, it’s up to you to decide if a “semi-compliant” ASV is satisfactory to you, and/or your own customers.

Q: (With CloudPassage Halo) Is there an agent on each VM or one that runs in the hypervisor?

CS: Each VM. That creates portability and scale. The agent is 6 MB in memory — extremely lightweight vs. an endpoint security solution.

Q: Could you walk us through how your tools would be used during or in an audit? Would the auditor interact directly with you, for example?

BK: I will start with our solution since you use it heavily to automate the compliance audits. Sumo Logic is essentially a data management tool which will collect your entire data stream of the activity, changes, feeds from Halo, and others, so in one place you’ll have all of the data relevant and required to prove to your auditor that you have reviews of your logs, controls in place, that they are operating, and that you can actually provide reports to your auditors on the things I just mentioned. So Sumo Logic, in addition to giving you the ability to monitor your real-time changes, also stores this data and with the click of a button can generate reports. You would interact with Sumo Logic for your audits in both the scheduled and the interactive form as you are responding to your auditor’s requests.

CS: Yes our solution will interact with auditors. The use case for Halo is collecting the data needed to demonstrate PCI compliance. We already have a number of QSAs who have written integration scripts against our APIs to pull data out to learn the data model within Halo, data about configurations and current state of users to be able to grab a snapshot very quickly, where previously they would have to sit with someone and have them show the configuration of files, and running processes. Now, they can grab that data straight from Halo. This has been a very big win in terms of saving money, not just in getting ready for the audit, but saving money during the actual audit process itself, because a big part of the audit itself is data collection. So when you couple that with Sumo and have audited reports that show the configuration, and all the changes that happened, that is a very powerful combination. We also work with our customers on how to remediate things, because we’ve gone through this ourselves, and we help our customers stay compliant as they deploy things into the cloud.

Q: From your experience, what are the most common issues that organizations overlook from a PCI compliance perspective as they transition to a Cloud environment?

BK: Typically when we see organizations move from a traditional infrastructure environment to a cloud-based environment, the mistake they usually make is that they don’t keep up with the rate of change. The flexible cloud environments actually enable your development teams and operations teams to operate in a very different mode, and the challenge they run into is that they don’t actually account for all the changes and how those changes will impact their daily, weekly, and quarterly compliance reviews and compliance posture. They forget about the proactive compliance management and continue to rely on the classic approach of pulling up the data sets when the auditor comes in assuming only a few changes have happened. When moving to the cloud you have to proactively monitor your changes in real time and what they impact and close the loop on those changes before they threaten your compliance posture.

CS: I would agree with that: the rate of change is what catches people off guard, especially companies who are used to more static environments. Another thing that people don’t understand is where your PCI data actually is. In cloud environments it’s very easy to make copies of servers, data and all, and it’s very easy to let data get out of control. If you don’t have visibility and control into how those systems are being replicated, and where and how they’re coming up, you might find that you are PCI compliant but one of the copies of your data with credit card information is compromised, and neither you nor your auditor knew where the data was located. Given that you can do things in a self-service way, tracking that is very important.

Q: How do organizations typically handle remediation once they find PCI holes/gaps via your systems?

CS: It depends on the deficiency. Typically what we find is that organizations will look for a product or a solution to try to address that. At your first pass at getting audited, you will most likely have a larger number of things you’ll need to address. The best strategy there is to consolidate these things and run it as a project, and don’t simply try to react to these things. In many cases what works well is to have a PCI auditor do a pre-audit for you, which is not as expensive as the full audit, and find out where the deficiencies are and then look for solutions that can handle as many of those as possible. One of the reasons why Halo is so popular is because we are able to deal with so many pieces of compliance in one shot as opposed to doing it piecemeal.

BK: From our side, what we see in monitoring and validating compliance really runs the gamut. Some people react manually after they detect a non-compliance event. We also see that people use Sumo Logic to integrate with their workflow systems or ticketing systems to actually trigger an appropriate response routed to a particular team who can detect where the problem originally came from. You can use CloudPassage Halo and Sumo Logic together to remediate some of these issues automatically and in real time.

Q: Do you have any data on the performance impact of the Halo solution on protected servers?

CS: We designed Halo to use a centralized analytics engine that offloads 95% of the actual compute power, which means that the agent on the VM or the servers we’re protecting only consumes 1% of the CPU. It is very small in memory (6 MB) and very lightweight.

On behalf of Sumo Logic and CloudPassage, thank you for attending the webinar. We hope you found it useful as you navigate through your PCI and other compliance journeys.
