Halo. for PCI Compliance. Who Needs PCI in the Cloud? What It Takes to be PCI Compliant

Transcription

1 SOLUTION BRIEF Halo for PCI Compliance Who Needs PCI in the Cloud? Compliance with the Payment Card Industry Data Security Standard (PCI-DSS) is important to companies running e-commerce, subscription-based sites, and other applications that handle credit card data. Since it s a de-facto standard, many companies undertake PCI-DSS compliance as proof they adhere to recognized security practices often their customers demand it. When companies want to host applications in scalable, dynamic cloud environments, PCI requirements don t go away. In fact, concerns about data safety in the cloud make them more intense. What It Takes to be PCI Compliant The PCI-DSS is a set of technical and operational standards set forth by a council representing the largest payment card providers in the world. If your product or application stores, processes, or transmits payment cardholder data, compliance is mandatory. Failure to comply may result in higher processing fees, penalties leveraged by the credit card providers, and public declaration of non-compliance. None of these outcomes are good for business or brand reputation. To comply with the PCI-DSS, several mandatory requirements must be satisfied. These twelve requirements are split across six high-level control objectives, as seen in Table 1. Establishing and maintaining PCI-DSS compliance in traditional data center environments is already a complex accomplishment. Doing so in a cloud hosting environment makes things more complicated. Operating a PCI-DSS compliant application or product in public or hybrid cloud environments requires reconciling the differences between traditional data-center and new cloud-oriented models. Copyright 2013 CloudPassage Inc. 1

2 Table 1 PCI DSS Control Objective Summary Control Objectives Build and Maintain a Secure Network Protect Cardholder Data Maintain a Vulnerability Management Program Implement Strong Access Control Measures Regularly Monitor and Test Networks Maintain an Information Security Policy PCI DSS Requirements 1. Install and maintain a firewall configuration to protect cardholder data 2. Do not use vendor-supplied defaults for system passwords and other security parameters 3. Protect stored cardholder data 4. Encrypt transmission of cardholder data across open, public networks 5. Use and regularly update anti-virus software on all systems commonly affected by malware 6. Develop and maintain secure systems and applications 7. Restrict access to cardholder data by business need-to-know 8. Assign a unique ID to each person with computer access 9. Restrict physical access to cardholder data 10. Track and monitor all access to network resources and cardholder data 11. Regularly test security systems and processes 12. Maintain a policy that addresses information security Why PCI-DSS Is Tougher in the Cloud Most organizations find themselves between a rock and a hard place when it comes to deploying security tools in cloud environments. Some see cloud servers as just another architecture to run applications on, so the thought of extending already deployed enterprise tools to cloud feels like an easy solution. Unfortunately, few traditional security tools or approaches translate well to cloud environments, if at all. The technical nature of cloud-hosting environments makes them difficult to secure. For example, a technique called cloud-bursting can be used to increase application capacity extremely rapidly by cloning servers. While extremely useful, this also replicates the security problems that PCI auditors look for. Traditional firewall technologies present another challenge in cloud environments. There is rarely a guarantee that your server will launch with the same IP address, meaning that traditional firewall approaches and many security tools won t operate correctly. There is also the issue of control. If your application is hosted with a public cloud provider (even just partially) it means there s a loss of control over the hardware, network topology, network addressing, and other factors that traditional security approaches rely upon. This lack of control adds to the challenges that a cloud engineering team will have in achieving PCI-DSS compliance. Copyright 2013 CloudPassage Inc. 2

3 How CloudPassage Halo Can Help CloudPassage built the Halo security platform specifically to help organizations deal with the challenges of securing servers, applications and data in cloud environments. Halo was designed based on the needs of realworld cloud customers and addresses the failures of traditional security products and do-it-yourself approaches. Halo was built from the ground up for cloud environments, helping cloud teams get security and compliance handled quickly and allowing focus to return to core objectives. Halo works using a software component, the Halo Daemon, that is installed on each cloud server. The Halo Daemon works in tandem with a cloud-hosted compute farm, the Halo Grid, which CloudPassage operates on behalf of its customers. The Halo Daemon and Halo Grid work together to monitor dozens of important server security factors (network addressing, installed software, running processes, open network ports, system integrity, etc.). Halo s security modules address a broad spectrum of functions required for secure, PCI-compliant cloud operation. Dynamic Firewall Automation Centrally manage host-based firewalls including automatic updates for when servers are added, changed or retired. GhostPorts Multi-factor Authentication Use strong authentication to dynamically provision and de-provision network access for authorized users. File Integrity Monitoring Use cryptographic signatures to detect unexpected changes to system binaries, configurations, source code, and other critical files. Account Management Evaluate who has accounts on which cloud servers, what privileges they operate under, and how accounts are being used. Configuration Security Monitoring Automatically monitor operating system and application configurations, processes, network services, privileges, and more. Security Logging and Alerting Securely store and generate real-time alerts for server creation, changes, exposures, and more. Software Vulnerability Assessment Scan the packages installed on your server for security vulnerabilities (NIST CVEs). RESTful API Access Use the RESTful data access and management APIs to integrate Halo with other systems. Copyright 2013 CloudPassage Inc. 3

4 The Halo Grid s powerful and sophisticated security analytics engine evaluates data collected by the Halo Daemon using highly secure, robust, cloud-aware protocols. The Halo Grid does the heavy lifting on behalf of the Halo Daemons, ensuring that your cloud server performance is not degraded by the compute demands of security analytics, and coordinates the issuing of commands to your servers based on your policies. Halo also gives you options as your project requirements change. Should your application need to move or expand to another cloud provider or hosting model (such as a traditional datacenter), Halo s architecture-agnostic portability facilitates easy movement without provider lock-in. When combined with Halo s built-in elasticity and scalability, organizations need no longer worry about security scalability as the project succeeds and grows. CloudPassage Halo is a rapidly deployed software-as-a-service (SaaS) that can deliver strong protection to cloud servers and applications within minutes of registration. Halo is procured on an hourly utility basis, so you pay only for what you use. Unit costs drop as your cloud environment grows, and minimum usage commitments increase discount levels, making Halo economically attractive. Copyright 2013 CloudPassage Inc. 4

5 See If Halo Is Right For Your Cloud Project CloudPassage Halo provides a fast, easily deployed and strong security approach for cloud-hosted application deployments. This means that your cloud project can be delivered faster and more safely than relying on solutions not designed for cloud operation. Halo s ease of use and speed-to-value means that technical resources can focus on core technical and business issues instead of struggling with cloud security and compliance issues. And of course, Halo means that when PCI and customer demands put you in the hot-seat about security, you ll have the right answers. If you d like a more detailed overview of how CloudPassage Halo can help your organization secure your cloud servers and exceed PCI DSS minimums, please download our complete PCI in the Cloud Kit from The kit contains informative blog entries, videos and module-specific information in addition to a technical white paper aimed at helping cloud engineering teams understand how they can help your business with PCI compliance. For more information, please visit: CloudPassage Cloud Security Alliance PCI Security Standards Council About CloudPassage CloudPassage is the leading cloud server security provider and creator of Halo, the industry s first security and compliance platform purpose-built for elastic cloud environments. Halo operates across public, private and hybrid clouds. Industry-leading companies like Foursquare, Avatar New York and Martini Media trust Halo to seamlessly manage their server security configuration, host-based firewalls, intrusion detection and server account auditing from one system. Headquartered in San Francisco, CA, CloudPassage is backed by Benchmark Capital, Tenaya Capital and other leading investors. Learn more about CloudPassage at Copyright 2013 CloudPassage Inc. 5