CloudPassage - Rand Wacker, VP Products
Link Bermuda - Winston Morton, VP Technology
Want to move to a usage-based pricing model but afraid of how to accurately measure and bill your customers? Come and learn about the processes and technology used to manage this advanced pricing model from two leading cloud service providers.
Usage Based Metering in the Cloud (Subscribed13)
1. PCI for Cloud Applications
Securing the Subscription Economy
Rand Wacker, VP of Products
@randwacker | #subscribed13
2. CloudPassage Overview
CloudPassage provides security and compliance for your cloud, software-defined, and traditional data center infrastructure.
3. Our PCI Story
1. We use Zuora for metered usage billing
2. Since we accept CCs in multiple ways, we had to do a full PCI cert for ourselves
3. We also provide PCI security controls to our customers
4. Here's what we learned…
IT'S NEVER JUST THAT SIMPLE
4. Your Architecture Drives PCI Scope
1. PCI "in-scope" systems are anything that accepts, stores, processes, or transmits CC info
2. Zuora can handle much (maybe all?) of this, depending on the architecture/features you're using
3. If (like us) you take CCs in your app (or by other means), then you're responsible for PCI for those in-scope systems
EVERYONE HERE IS LIKELY PCI LIABLE
5. It's Not All Doom and Gloom
1. Yes, you can be PCI compliant using cloud!
2. You will likely need some different tools and processes
3. Not all stacks/providers are created equal!
4. There is no "silver bullet" – but the responsibility is still yours
PLENTY OF F.U.D. RE PCI AND CLOUD
6. YES IT IS POSSIBLE: PCI IN THE CLOUD
• CloudPassage is a Certified Level 1 Service Provider
– First entirely cloud-based vendor certified across multiple CSPs
– Hosted in Rackspace Cloud & AWS, with full DevOps automation
• Multiple customers have successfully cleared QSA audits
8. Cloud Responsibility Model
YOU'RE ON THE HOOK, WHEREVER HOSTED
[Figure: the same stack shown side by side for a Private Cloud and for a Public IaaS Provider, with each layer shaded as Customer Responsibility or Provider Responsibility. Layers, bottom to top: Physical Facilities, Hypervisor, Compute & Storage, Shared Network, Virtual Machine, Operating System, App Framework, App Code, Data.]
9. Recent Guidance Changes
1. Use VM-to-VM firewalling (host-based) in cloud/virtual environments
2. Ensure integrity of VM OS, Apps, and Data to isolate from hypervisor-based access
3. CSP (Cloud Service Provider) PCI compliance helps, but is not mandatory
4. If you're in a private data center, all of your stack is in-scope
PCI CLOUD SIG CLARIFIES RULES
11. PCI in any Cloud/Infrastructure
• Security (if done correctly) begets compliance
– Not the other way around
• What worked in your datacenter might not work in cloud environments
• You need technical controls that work like the cloud does
– Dynamic, elastic, scalable
13. Cloud PCI Foundations
[Figure: four foundations: Cloud Stack/Provider, Assessor, Application design, Harden the systems]
14. Assessor
• Find one … that knows cloud technology
– A good default choice is the QSA who did the assessment for your CSP
• If you don't want/need to use an external auditor, then … determine if you have the knowledge internally
– You need to make sure you have the depth of knowledge on the PCI DSS, as you will likely get it wrong if not
15. Application Design
[Figure: application tiers with a MASTER DB and a SLAVE DB]
• The ability to achieve PCI compliance is primarily based on the forethought given to application design
• Most providers, and all cloud-based OS's, can be PCI compliant*
• Ask:
– What data am I storing? Why?
– What is the communication flow of the application? Is it restricted?
– Is my crypto based on publicly vetted standards?
This is where Zuora can help limit your systems "in-scope"
16. Harden the Systems
• Protect the system
– Firewalls (remember ingress and egress)
– Change defaults
– Install patches
– Watch the system for odd behavior or changes
• You need to automate this. Trying to do this by hand in a cloud environment is error-prone.
18. How Zuora Can Help
LIMITING PCI SCOPE
• Zuora is a PCI Level 1 certified vendor
• Your application architecture determines how much PCI you'll be exposed to
• Investigate Zuora HPM (iFrames, etc), APIs, and other mechanisms to accept/handle CC info
• Scrub everywhere else in your business process for ways CCs are managed (i.e. faxes, POs, sales emails)
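"Scrub everywhere else" is a discovery exercise: before you can scope PCI you have to find where card numbers actually sit in mailboxes, purchase orders and scanned faxes. The following is an added example of that first pass, not Zuora's or CloudPassage's code: it pulls out digit runs of PAN length, keeps only those that pass the Luhn check (which removes most order and reference numbers), and reports each source with the number masked to the first six and last four digits so the finding itself does not become new cardholder data. The records are constructed inline using the well-known 4111… and 5500… test numbers; the sample OCR line also carries a 13-digit reference number that fails Luhn, to show the filter working.

```python
"""PAN discovery for PCI scoping (added example, not vendor code)."""
import re

# 13 to 19 digits, optionally separated by single spaces or dashes,
# not preceded or followed by another digit.
CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){13,19}(?!\d)")


def luhn_ok(digits):
    """Luhn mod-10 check over a string of ASCII digits."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(digits):
    """Keep BIN (first 6) and last 4, which is what PCI DSS allows to be displayed."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_pans(text):
    """Return masked PANs found in a piece of text."""
    hits = []
    for m in CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            hits.append(mask(digits))
    return hits


def scan_records(records):
    """records: mapping source name -> text. Returns only sources holding PAN-like data."""
    result = {}
    for src, txt in records.items():
        hits = find_pans(txt)
        if hits:
            result[src] = hits
    return result


# Constructed sample "business process" artifacts.
SAMPLE_RECORDS = {
    "sales-email-0412.txt": "Customer asked us to charge card 4111 1111 1111 1111 for the PO.",
    "po-2291.txt": "Purchase order 2291, net 30, no card details.",
    "fax-scan-ocr.txt": "Ref 1234567890123 please bill 5500-0000-0000-0004 exp 12/25",
}

if __name__ == "__main__":
    for src, hits in scan_records(SAMPLE_RECORDS).items():
        print(src, hits)
```

Every source the scanner flags is, by the slide 4 definition, an in-scope system until the process is changed so card data no longer lands there. The regex is deliberately simple: a PAN embedded in a longer digit run, or split across line breaks by OCR, will be missed, so treat the output as a starting list for the assessor rather than proof of absence.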
19. Best Practices
• Read and understand what your provider does, and what you are responsible for, with regards to PCI
• When moving servers outside your data center, ensure that they are hardened and compliant before they are exposed to the public
• Start with public cloud; PCI everywhere else is relatively easy!
• Focus on securing the tenets of PCI that you can control – partners (CSPs, vendors) are key to success
23. Agenda
1. LinkBermuda Company Introduction
2. Business Model and Metered Cloud Services
3. Cloud Services Billing and Challenges
4. Drivers to use a cloud based Recurring
5. How Zuora Helped?
6. Lessons Learned
7. Wrap Up & QA
26. LinkBermuda Network Facilities
§ On-net connectivity in multiple undersea and terrestrial cable systems
§ Direct ownership of undersea cable landing stations
§ Extensive Bermuda domestic fiber network
§ Multiple interconnects with network providers for global reach
§ 7x24 redundant network operations centers
27. LinkBermuda Data Center Facilities
§ Bermuda's largest data center complex
§ Hosting many of the largest compute nodes in Bermuda
§ Designated as Critical Infrastructure by the Bermudian Government (Keypoint-1) for priority security and fuel delivery.
§ 7x24 Network Operations Center
§ SSAE 16 SOC 2 Certification (in process)
§ Strategic national and international network connectivity
Key Specifications:
§ Site is deployed on one of the highest elevations in Bermuda to military specifications
§ Designed to withstand hurricane force winds
§ Fully Redundant 4160V Utility Feeds
§ N+1 Redundant Diesel Generators (3x1000kW)
§ N+1 UPS (2x1000kW)
§ N+1 Cooling (2x300 Ton Air Cooled Chillers)
29. INFRASTRUCTURE AS A SERVICE
§ Bundled Virtual Servers, Storage, Security, and Network Connectivity
§ Flexible On-Demand Self Service
§ Geographically Aware
- Customers can select as well as guarantee primary and secondary VDC locations (Bermuda and/or Canada today)
IaaS High Level Features
§ Predictable Performance
- IaaS bundled with International MPLS QoS features
- Broadband local loop
- SLA guarantees
§ Highly Secure
- Embedded VLAN Security
- Embedded offsite D/R
§ Ease of Management
- Customer Self Service Module
30. Metered Cloud Services
• Communication as a Service: Value Added Apps; $$/Mth Fixed + Usage
• Backup as a Service: Value Added Apps; $$/Mb/Mth
• Infrastructure as a Service: Virtual Servers, Value Added Apps; $$/Server/Hr
Cloud Services Billing: High Level Design
[Figure: each Cloud Management Platform (IaaS, BaaS, CaaS) keeps its own Product Catalogue and sends an Exported Cumulative Usage Report to the Billing Platform, which holds a matching IaaS, BaaS and CaaS Product Catalogue.]
31. Cloud Services Billing: Functional Approach
§ Initially launched with an IaaS model, with interfaces as straightforward as possible.
§ Most of our cloud systems have their own sophisticated self-service provisioning interface.
§ We chose to leverage the provisioning systems embedded in each cloud system to minimize development.
Upside: One-way usage-based interfaces are more cost effective and quicker to launch
Downside: Multiple product catalogues need to be synchronized
[Figure: Cloud Management Platform (Product Catalogue) sends a Usage Report to the Billing Platform (Product Catalogue); customers interact through the Customer Portal.]
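The one-way interface in the high level design (slide 30) and the catalogue-synchronization downside named on this slide come together at the point where an exported cumulative usage report is turned into billable quantities. The following is an added example of that step and is not LinkBermuda's integration or any Zuora API: it takes the latest cumulative meter reading per account and SKU, subtracts the previous period's closing reading to get this period's usage (treating a reading that went backwards as a re-provisioned counter that restarted at zero, an assumption labelled in the code), rates it against the billing platform's catalogue, and reports any SKU the cloud platform exported that the billing catalogue does not know, which is exactly the drift the slide warns about. The CSV report, catalogues and rates are all constructed inline.

```python
"""Cumulative usage report -> rated charges, with catalogue-sync check (added example)."""
import csv
import io
from decimal import Decimal

# Constructed: the billing platform's catalogue, rate per unit ($/Server/Hr style).
# "backup-gb" is deliberately absent to show an unsynchronized SKU being caught.
BILLING_CATALOGUE = {
    "vm-small": Decimal("0.05"),
    "vm-large": Decimal("0.20"),
}

# Constructed: closing readings carried over from the previous billing period.
PREVIOUS_CLOSE = {("acct-1", "vm-small"): Decimal("700")}

# Constructed: what a cloud management platform might export (cumulative counters).
REPORT_CSV = """account,sku,timestamp,cumulative
acct-1,vm-small,2013-09-01T00:00Z,700
acct-1,vm-small,2013-09-30T23:00Z,1420
acct-1,backup-gb,2013-09-30T23:00Z,250
acct-2,vm-large,2013-09-15T00:00Z,40
acct-2,vm-large,2013-09-30T23:00Z,80
"""


def parse_report(text):
    """Return the latest cumulative reading per (account, sku)."""
    latest = {}
    for row in csv.DictReader(io.StringIO(text)):
        key = (row["account"], row["sku"])
        stamp = row["timestamp"]          # ISO-8601, so string order is time order
        if key not in latest or stamp > latest[key][0]:
            latest[key] = (stamp, Decimal(row["cumulative"]))
    return {k: v[1] for k, v in latest.items()}


def period_usage(latest, previous_close):
    """This period's usage = latest reading - last period's closing reading."""
    usage = {}
    for key, reading in latest.items():
        prev = previous_close.get(key, Decimal(0))
        # Assumption: a reading below the previous close means the counter was
        # reset (server re-provisioned), so the whole reading is new usage.
        usage[key] = reading - prev if reading >= prev else reading
    return usage


def rate_usage(usage, billing_catalogue):
    """Multiply usage by catalogue rate; collect SKUs the billing side cannot price."""
    charges = {}
    unsynced = set()
    for (account, sku), qty in usage.items():
        if sku not in billing_catalogue:
            unsynced.add(sku)         # exported by the cloud platform, unknown to billing
            continue
        charges[(account, sku)] = qty * billing_catalogue[sku]
    return charges, sorted(unsynced)


def run():
    """Full pass over the constructed report."""
    latest = parse_report(REPORT_CSV)
    usage = period_usage(latest, PREVIOUS_CLOSE)
    return rate_usage(usage, BILLING_CATALOGUE)


if __name__ == "__main__":
    charges, unsynced = run()
    for (account, sku), amount in sorted(charges.items()):
        print(f"{account} {sku}: {amount}")
    if unsynced:
        print("SKUs missing from billing catalogue:", unsynced)
```

The unsynced list is the control point: a run that reports any SKU should stop the invoice batch rather than silently dropping the usage, since under-billing a metered service is as much a revenue-assurance failure as over-billing is a customer one.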
32. Business Drivers to use a Recurring Billing Solution
§ LinkBermuda was looking to out-source billing; we did not want to build our own system because of the complexity involved in recurring billing.
§ We evaluated several different recurring billing systems – Zuora was the quickest to deploy and most cost effective.
§ We needed a system which would enable us to price and package our services efficiently and be able to rapidly iterate on pricing when needed.
33. Why Zuora?
§ The Rating and Billing Engine in Zuora understands our subscription business model and is ideally suited to do the job.
§ Zuora provided an out-of-the-box solution (Zforce) for integrating with our CRM system (Salesforce). We took advantage of both ZQuotes and Z360.
§ Looking forward to utilizing Zuora Billing and Financial Reports and Forward Looking Metrics like MRR, ARR etc.
§ As LinkBermuda grows we are confident that Zuora can scale and accommodate our business growth.
34. How LinkBermuda Uses Zuora
Background: Moving from traditional Telco services to cloud services for international financial, insurance and eCommerce markets
Business Model: B2B + B2C = B2Any
- Direct: Self-service and sales assisted
- Channels: Cloud Marketplace, Resellers
The Challenge: We needed to develop a self-service cloud capability with usage-based billing. The legacy billing system limited customization and product catalogue capabilities.
35. Lessons Learned
BEST PRACTICES
Plan. Plan. Plan
Business strategy changes during market launch
Best Practice:
- Clear definition of business goals.
- Phase 1 launch should be limited to base services; add functionality as use cases become more evident
Limit Initial Scope
Avoid big bang cutovers
Best Practice:
- Flexible architecture
- Repeatable Interfaces (if possible)
Learn. Launch. Repeat
Deploy, measure, iterate
Best Practice:
- Be data driven