WHY we left. Amazon Web Services for. Regulatory Compliance Improved Efficiency NO SURPRISES. Why We Left Amazon Web Services 1

Transcription

1 WHY we left Amazon Web Services for Regulatory Compliance Improved Efficiency NO SURPRISES Why We Left Amazon Web Services 1

2 Launched in 2005, this mobile payment solutions startup quickly became a worldwide leader in mobile point of sale solutions, tools, and services to retailers and merchant-facing organizations. The founders realized that despite huge advances in device and network capabilities, only a tiny fraction of mobile merchants and direct sellers have access to payments and other commerce capabilities via their own mobile phones. By providing a single development platform to create and update commerce applications that run securely on all major mobile devices, the founders established a global reference for mobile payments. They are also able to provide all the essential services to make it easy to provision and support direct sales forces of any size. Since the technology is provided As-a-Service to their worldwide customers, the CIO chose Amazon Web Services (AWS) as their cloud provider for their agility and speed. The company began using AWS to take advantage of the low startup costs using Amazon EC2 to provision and manage instances and several other AWS services. Their Challenge Their technology was built with the highest security levels in mind. As an organization that processes, stores, and transmits credit card information, they are regulated by the Payment Card Industry Data Security Standard (PCI DSS.) Based on the standards of PCI DSS, organizations are required to maintain a secure environment throughout the entire transaction process. As the service provider, this company wanted to ensure that PCI regulatory compliance guidelines were followed to protect themselves, their merchant customers, and their end users. Why We Left Amazon Web Services 2

3 Non-Compliant While going through a yearly PCI Compliance audit, the company learned that their existing AWS solutions was non-compliant based on a specific requirement of an enterprise customer intending to use the mobile payments platform. Not only that, to be able to meet PCI regulatory compliance requirements, they needed an offsite disaster recovery site in a data center that could be physically audited. Thinking this could be resolved by simply reaching out to AWS as their cloud provider to help resolve this issue, AWS issued this statement: All merchants manage their own PCI certification. For the portion of the PCI cardholder environment deployed in AWS, your QSA can rely on our PCI compliance, but you will still be required to satisfy all other PCI compliance and testing requirements, including how you manage the cardholder environment that you host with AWS. AWS Website PCI DSS FAQS, April 2016 The representatives at AWS would not allow a physical audit of their data center to help this company receive their PCI compliance. The CIO had long dealt with the typical annoyances of Amazon Web Services. For example, the initial low cost for startups quickly changed when the company started experiencing exponential growth. Paying for extras and discovering hidden charges in their monthly bill was tolerable since he felt as ease knowing a global organization like Amazon supported his company. He dealt with the outages that are typical when it comes to large cloud providers. While he did receive extremely negative feedback from his customers when their platform was down for several hours, he still continued as an AWS customer. But, this was the final straw. Their organization was built on security and he, along with the company founders, required their providers to support their security and compliance initiatives. Why We Left Amazon Web Services 3

4 Cirrity Vision Cirrity s secure cloud services are designed from the ground-up to be highly secure, compliant, and offer unmatched performance & reliability. The CIO was lead to Cirrity through his value added reseller (VAR.) By working with this extended team of experts, he received an unbiased proposal that introduced him to Cirrity s secure cloud services. The CIO discovered that Cirrity s Cisco-Powered SECURE PERFORMANCE COMPLIANT RELIABILITY cloud infrastructure delivers the same enterprise-level infrastructure as a service and disaster recovery as a service that he had received from Amazon. While they needed immediate action for their PCI compliance, the CIO knew this was a decision not to be taken lightly. The most important step was to thoroughly analyze and validate Cirrity s compliance policy. Not only are they HIPAA and PCI compliant, but have also received SOC II Type 2 Attestation for Cirrity services and data center. For a specific case like theirs, Cirrity was willing to be flexible and allow for a physical audit of their secure infrastructure for PCI regulatory compliance. Cirrity was the first cloud service provider in the United States to receive the Cloud Security Alliance (CSA) Security, Trust and Assurance Registry (STAR.) The CSA STAR Program is a comprehensive set of offerings for cloud provider trust and assurance. Cirrity has also received ISO/IEC 27001, which formally specifies an Information Security Management System (ISMS), a suite of activities concerning the management of information security risks. ISO/IEC certification examines Cirrity s information security management practices to ensure that they are effective and not merely compliant. Why We Left Amazon Web Services 4

5 Cirrity Implementation Cirrity s partner utilized a multi-phase approach to transfer the mobile payment provider s infrastructure from AWS. The first phase was to store replicated versions of their environment in a secure offsite location. This would ensure disaster recovery and make their environment compliant with PCI and auditor requirements. Since the company had an elevated security risk from their non-compliance with PCI previously, the organization was required to go through an exhaustive audit of their physical data center. With Cirrity, they achieved this requirement and their PCI compliance. The second and remaining phases including migrating their data, customers, etc. off the Amazon Web Services and onto Cirrity s secure cloud. Why We Left Amazon Web Services 5

6 Results and Conclusion The company s main objective, achieve PCI regulatory compliance, was met through a physical data center audit of Cirrity s environment and Cirrity s PCI documentation. Since the main objective has been achieved, the company has also realized even greater benefits of working with Cirrity s secure cloud, including: No hidden costs or surprises. The contract clearly lays out all the costs included in the overall price and their monthly bill matches the contract. Flexibility. Cirrity runs as a lean operation, giving team members flexibility to shift priorities as their customer s needs change. Improved Efficiency. With no more dependence on AWS, this mobile payments provider has been able to shift their priorities to their customers. Whether accepting electronic payments in the store aisle, at a pop-up store or onboard an airplane, this mobile payments solution provider can ensure the integrity of their platform through the security and compliance of Cirrity s cloud. Why We Left Amazon Web Services 6

7 Virtual Desktops from the Cloud Secure Infrastructure as a Service Backup and Disaster Recovery