Join CloudPassage CEO, Carson Sweet and Sumo Logic Founding VP of Product & Strategy, Bruno Kurtic, for a webinar on “45 minutes to PCI Compliance in the Cloud”. What You Will Learn: -Understand the typical challenges faced by enterprises for achieving PCI on cloud infrastructure -Learn how purpose-built SaaS-based cloud security solutions can save you tens of thousands in audit costs by speeding your time to compliance -Get a quick demo of the CloudPassage Halo and Sumo Logic solutions that provide the telemetry and query/reporting engines respectively for cloud PCI

1. 45 Minutes to Achieving
PCI Compliance in the Cloud
Bruno Kurtic
Carson Sweet
Founding VP, Product & Strategy
Sumo Logic
Chief Executive Officer
CloudPassage

2. What Today’s Webinar Is About
• If you’re here, you care about PCI in the cloud.
• You know (or need to know) the new parameters
for success with PCI in the cloud.
• You want to understand how the new parameters
impact how you can approach PCI compliance.
• You’re going to learn how cloud and big data can
be combined to power a startlingly fast, easy
solution to PCI compliance in any cloud.

3. Quick Review of PCI
• A dozen high-level control
categories with ~200 specific
control requirements
• Audit conducted annually by a Qualified Security Assessor
(QSA) anointed by the PCI Counsel
• Often includes a lookback period for some controls
• PCI DSS v3 pending, v2 still the norm “in the wild”
• Yes, you can be PCI compliant when using public, private
or hybrid cloud infrastructure

4. PCI Can Be Complex & Expensive
•
•
Merchants pay an average of
$225,000 per audit each year
•
– Initial scope - $250,000
– Becoming compliant - $550,000
– Annual audit cost - $250,000
10% are paying $500,000 or more
annually
•
•
2% fail these audits
•
54% respondents say PCI DSS is
too costly
Level 2 Merchant (1-6M tx/year)
– Initial scope - $125,000
– Becoming compliant - $260,000
– Annual audit cost - $100,000
•
•
Level 1 Merchant (6M tx/year)
52% respondents are not proactively
managing data privacy and security
in their environments
Source: http://www.networkworld.com/news/2010/030110-pci-compliance-audit-cost.html
http://www.campuscommerce.com/page.cfm?p=398
http://www.darkreading.com/management/10-ways-to-fail-a-pci-audit/240004877?pgno=1
Level 3, 4 Merchants (<1M tx/year)
– Initial scope - $50,000
– Becoming compliant - $81,000
– Annual audit cost - $35,000

5. PCI Requires Ongoing Effort
Initial Control Deployment
Huge amounts of
data must be
collected, verified,
and accessible
Compliance
Established
Controls
Verified or
Updated
Changes
Detected &
Evaluated

6. Cloud Changes the Security Situation
•
Infrastructure more distributed and
dynamic than ever
•
Rate of change higher than ever
•
Legacy security solutions neither
dynamic nor distributed
•
Perimeters, hardware appliances, network-deployed controls, endpoint security
solutions highly marginalized in dynamic cloud environments
•
New set of data needs to be integrated – IaaS / provider activities, and your
admins’ activities on cloud systems

7. Who’s Responsible for PCI in Clouds?
AWS Shared Responsibility Model
“…the customer should assume responsibility
and management of, but not limited to, the
guest operating system and associated
application software...”
“it is possible for customers to enhance security
and/or meet more stringent compliance
requirements with the addition of host
Amazon Web Services: Overview of Security
Processes
App Framework
Operating System
Guest VM
Hypervisor
Compute & Storage
Shared Network
Physical Facilities
Provider
Responsibility
based firewalls, host based intrusion
detection/prevention, encryption and
key management…”
App Code
Your
Responsibility
Data

9. New
complexity, high
rate of change

11. Existing security
tools don’t
work, even higher
RoC

12. Agile software
development further
increases RoC

13. Example of Automation & Big Data Needs
CloudPassage’s PCI scope included over
12,500,000 individual data points
• Assurance of initial and ongoing compliant state
– 6,285,300 infrastructure data points
– 1,628,000 code data points
• Assurance of control adjustments as environment changed
– 6,400 infrastructure data points
– 4,598,000 code data points
• Monitoring of access management & behaviors
– Over 28,000 access control / behavioral data points

14. Option 1
Stick head in sand. Cross fingers.
Option 2
Hire a small army. Cross fingers.
Option 3
Automate with cloud-native security
solutions.

15. SOLUTIONS OVERVIEW

16. What You’ll Want In A Solution
Control & Telemetry
•
Portable, built-in, automated control consolidation
–
–
–
Monitoring & Validation
•
Flexible Collection
–
–
Automated, consolidated controls (defense-in-depth)
Transparent across heterogeneous clouds
Supports your part of shared security responsibility
–
•
Efficiently deployed controls & telemetry
–
–
–
–
•
Aware and capable within ephemeral infrastructure
Automated collector deployment that works with
common tools (Chef, Puppet, etc.)
Ability to collect from cloud data sources
S3, CDN, IaaS/SaaS/PaaS Audit
Security built directly into the stack
Changes instantly detected
Adjustments instantly deployed
Integrations for SIEM, GRC, LDAP, AD, etc.
•
Rapid and Flexible Deployment
–
–
–
Technically, financially, operationally scalable
–
–
–
–
Rapidly deployed, low system impact
Transparent capacity scalability
Metered usage & billing
Built-in controls & telemetry, zero provisioning
•
Out of the box reports, searches, alerts and
dashboards
No servers, no software, no storage, no appliances
Ability to seamlessly collect across cloud and
physical environments
Big Data with Elastic Scale
–
–
–
Ability to analyze terabytes of data per day in nearreal time
Support for bursting in data and seasonal spikes
without adding infrastructure
Ability to handle unstructured formats of custom logs

17. The Halo security automation platform secures
workloads anywhere, at any scale, as-a-service
• One platform, many functions
– Centrally automates dozens of controls critical to
security and compliance
• Efficiency through automation
– Eliminates extensive manual effort of deploying and
managing many legacy solutions
• Broad compliance support
– E.g. 75% of PCI DSS, 83% of HIPAA requirements*
within a single solution
• Easily deployed security-as-a-service
– No hardware to deploy or network changes
– Typically fully operational within hours
* Remaining requirements related to documentation, application
development, or end-user computing practices.

18. Halo ties security directly to workloads and devices to
achieve portability and scalability
CUSTOMER CLOUD / DATACENTER
HOSTING ENVIRONMENTS
www
node1,2,(n)
mysql
node1,2,(n)
mongo-db
node1,2,(n)
HALO
HALO
HALO
•
Micro-agents with minimal system overhead
•
Highly scalable centralized security analytics
•
Agnostic to platform or provider – runs on any
hardware, cloud, virtualized environment

19. Sumo Logic: Machine Data Intelligence
CIO
Security
IT Operations
Application Development
•
Collect logs from any source
• Integrate on-premise and Cloud
environments with minimal
overhead
•
Scale to multi-terabytes of data per day
• Supports bursting and seasonality
with no impact on deployment
•
Rapidly discover data patterns
• Reduce time to identifying
compliance gaps by 50% or more
•
Uncover data anomalies in real-time
• Proactively address symptoms
before issues hit your organization
Sumo Logic Applications
BI
Operational Intelligence Console
Tableau
Cognos
SAS
SAP
Jasper
etc.
Analytics Engine
APIs
Enterprise Class SaaS
Anomaly/Event Console
Analytic
s
Scalable Index and Data Store
Managed Collection
Hadoop
AWS EMR
MapR
Cloudera
etc.

20. Sumo Logic: Deployment Model
Primary
Datacenter
Acquisition
Datacenter
Private Cloud
Collector
Collector
Hosted Collector
Collector
Hosted
Collector

22. Mapping Halo + Sumo Logic to PCI

23. Rapid and Easy Deployment
• Instant account provisioning
– No software, hardware, storage
• Out-of-the-box PCI specific content
– Requirement specific controls, reports, dashboards
• Collection & agents support cloud deployment
model
– Scripted mode, chef/puppet/etc, ephemeral model
• Architecture supports bursting and seasonality
– No changes required to increase or decrease capacity

24. How To Learn More
• CloudPassage PCI Compliance Kit
– www.cloudpassage.com/pci-kit
• Sumo Logic Compliance Technical Brief
– www.sumologic.com/product/use-cases/enforce-compliance/
• Stay tuned for future cloud security webinars!