
Usage Based Metering in the Cloud (Subscribed13)

Aug 20, 2015


Zuora, Inc.
Transcript
Page 1: Usage Based Metering in the Cloud (Subscribed13)

PCI for Cloud Applications Securing the Subscription Economy

Rand Wacker VP of Products

@randwacker | #subscribed13

Page 2

CloudPassage Overview

CloudPassage provides security and compliance for your cloud, software-defined, and traditional data center infrastructure

Page 3

Our PCI Story

1. We use Zuora for metered usage billing
2. Since we accept CCs in multiple ways, had to do a full PCI cert for ourselves
3. We also provide PCI security controls to our customers
4. Here's what we learned...

IT'S NEVER JUST THAT SIMPLE

Page 4

Your Architecture Drives PCI Scope

1. PCI "in-scope" systems are anything that accept, store, process, or transmit CC info
2. Zuora can handle much (maybe all?) of this, depending on architecture/features you're using
3. If (like us) you take CCs in your app (or by other means), then you're responsible for PCI for those in-scope systems

EVERYONE HERE LIKELY PCI LIABLE

Page 5

It's Not All Doom and Gloom

1. Yes, you can be PCI compliant using cloud!
2. You will likely need some different tools and processes
3. Not all stacks/providers are created equal!
4. There is no "silver bullet" – but the responsibility is still yours

PLENTY OF F.U.D. RE PCI AND CLOUD

Page 6

PCI IN THE CLOUD: YES IT IS POSSIBLE

• CloudPassage is Certified Level 1 Service Provider
  – First entirely cloud-based vendor certified across multiple CSPs
  – Hosted in Rackspace Cloud & AWS, with full DevOps automation
• Multiple customers have successfully cleared QSA audits

Page 7

PCI Responsibility

Page 8

Cloud Responsibility Model

YOU'RE ON THE HOOK, WHEREVER HOSTED

[Diagram: the same infrastructure stack drawn twice, once for a Private Cloud and once for a Public IaaS Provider, with each layer marked as either Customer Responsibility or Provider Responsibility. Layers, bottom to top: Physical Facilities, Hypervisor, Compute & Storage, Shared Network, Virtual Machine, Operating System, App Framework, App Code, Data.]

Page 9

Recent Guidance Changes

1. Use VM-to-VM firewalling (host-based) in cloud/virtual environments
2. Ensure integrity of VM OS, Apps, and Data to isolate from hypervisor-based access
3. CSP (Cloud Service Provider) PCI compliance helps, but is not mandatory
4. If you're in a private data center, all your stack is in-scope

PCI CLOUD SIG CLARIFIES RULES
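Item 2 above, and the later "watch the system for odd behavior or changes" bullet, both come down to knowing what the files on a VM looked like when it was known-good. The following is an added example written for this transcript, not code from the CloudPassage deck or product: it hashes every regular file under a watched directory with SHA-256, stores the baseline as JSON, and on the next run reports what was added, removed, or changed (a permission change alone counts as a change). The scratch directory, file names and the tampering in `demo()` are constructed for illustration.

```python
import hashlib
import json
import tempfile
from pathlib import Path

CHUNK = 1 << 16


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large binaries are not read into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root: Path) -> dict:
    """Record digest and permission bits of every regular file under root.

    Keys are paths relative to root (POSIX form) so a baseline taken from one
    image can be compared against any host built from that image. Symlinks are
    skipped: following them would let an attacker point the checker at a benign
    file while the real target changes.
    """
    result = {}
    for p in sorted(root.rglob("*")):
        if p.is_symlink() or not p.is_file():
            continue
        result[p.relative_to(root).as_posix()] = {
            "sha256": sha256_file(p),
            "mode": oct(p.stat().st_mode & 0o7777),
        }
    return result


def compare(baseline: dict, current: dict) -> dict:
    """Diff two snapshots into added / removed / modified relative paths."""
    base_keys, cur_keys = set(baseline), set(current)
    return {
        "added": sorted(cur_keys - base_keys),
        "removed": sorted(base_keys - cur_keys),
        "modified": sorted(k for k in base_keys & cur_keys if baseline[k] != current[k]),
    }


def save_baseline(snap: dict, dest: Path) -> None:
    # The baseline must live where the monitored host cannot rewrite it
    # (read-only mount, separate system); otherwise tampering is undetectable.
    dest.write_text(json.dumps(snap, indent=2, sort_keys=True))


def load_baseline(src: Path) -> dict:
    return json.loads(src.read_text())


def demo() -> dict:
    """Constructed scenario: baseline a scratch tree, then tamper with it."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        etc = root / "etc"
        etc.mkdir()
        (etc / "sshd_config").write_text("PermitRootLogin no\n")
        (etc / "motd").write_text("welcome\n")
        baseline_file = root / "baseline.json"  # would be off-host in practice
        save_baseline(snapshot(etc), baseline_file)

        # Simulated tampering: weaken sshd, delete a file, add a preload hook.
        (etc / "sshd_config").write_text("PermitRootLogin yes\n")
        (etc / "motd").unlink()
        (etc / "ld.so.preload").write_text("/tmp/evil.so\n")

        return compare(load_baseline(baseline_file), snapshot(etc))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run it from a scheduler (cron, a config-management agent, or whatever automation builds the VM) against directories that should not change between deployments, such as /etc, /usr/bin and the application's own code tree, and treat any non-empty diff that was not produced by a known deployment as an incident.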

Page 10

PCI Shared Responsibility

Page 11

PCI in any Cloud/Infrastructure

• Security (if done correctly) begets compliance
  – Not the other way around
• What worked in your datacenter might not work in cloud environments
• Need technical controls that work like the cloud does
  – Dynamic, elastic, scalable

Page 12

Compliance Design

Page 13

Cloud PCI Foundations

• Cloud Stack/Provider
• Assessor
• Application design
• Harden the systems

Page 14

Assessor

• Find one ... that knows cloud technology
  – A good default choice is the QSA who did the assessment for your CSP
• If you don't want/need to use an external auditor, then ... determine if you have the knowledge internally
  – You need to make sure you have the depth of knowledge on the PCI DSS, as you will likely get it wrong if not

Page 15

Application Design

[Diagram: application tiers with a master DB and a slave DB]

• Ability to achieve PCI compliance is primarily based on forethought given to application design
• Most providers, and all cloud-based OS's, can be PCI compliant*
• Ask:
  – What data am I storing? Why?
  – What is the communication flow of the application? Is it restricted?
  – Is my crypto based on publicly vetted standards?

This is where Zuora can help limit your systems "in-scope"

Page 16

Harden the Systems

• Protect the system
  – Firewalls (remember ingress and egress)
  – Change defaults
  – Install patches
  – Watch the system for odd behavior or changes
• You need to automate this. Trying to do this by hand in a cloud environment is error-prone.
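"Remember ingress and egress" is the part most host firewalls get wrong: input is locked down, output is left wide open, and a compromised web node can then reach any database, metadata service or external host it likes. The following is an added example written for this transcript (not CloudPassage code): it renders an nftables ruleset from a declarative allowlist so the same automation that builds the VM can apply it with `nft -f`, with default-drop policies on input, output and forward, and it extracts the chain policies back out of a ruleset so a pipeline can fail if any chain is not default-deny. The table name, addresses and ports in `example_ruleset()` are assumptions for illustration.

```python
import re
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Rule:
    """One allow rule. proto is 'tcp' or 'udp'; peer is a host/CIDR or None for any."""
    proto: str
    port: int
    peer: Optional[str]
    why: str

    def render(self, direction: str) -> str:
        if self.proto not in ("tcp", "udp") or not 0 < self.port < 65536:
            raise ValueError(f"bad rule: {self}")
        addr = ""
        if self.peer:
            # ingress matches the source, egress matches the destination
            addr = f"ip {'saddr' if direction == 'input' else 'daddr'} {self.peer} "
        return f'    {addr}{self.proto} dport {self.port} accept comment "{self.why}"'


def build_ruleset(ingress: List[Rule], egress: List[Rule], table: str = "pci_host") -> str:
    """Render a default-deny nftables ruleset for both directions."""
    if not egress:
        raise ValueError("egress allowlist is empty; list what the host must reach")
    lines = [
        f"table inet {table} {{}}",      # create if absent so the flush cannot fail
        f"flush table inet {table}",     # idempotent: safe to re-apply from automation
        f"table inet {table} {{",
        "  chain input {",
        "    type filter hook input priority 0; policy drop;",
        '    iifname "lo" accept',
        "    ct state established,related accept",
        "    ct state invalid drop",
        *[r.render("input") for r in ingress],
        "  }",
        "  chain output {",
        "    type filter hook output priority 0; policy drop;",
        '    oifname "lo" accept',
        "    ct state established,related accept",
        *[r.render("output") for r in egress],
        "  }",
        "  chain forward {",
        "    type filter hook forward priority 0; policy drop;",
        "  }",
        "}",
    ]
    return "\n".join(lines) + "\n"


_CHAIN_POLICY = re.compile(
    r"chain (\w+) \{\s*type filter hook \w+ priority [\w-]+; policy (\w+);"
)


def chain_policies(ruleset: str) -> dict:
    """Map chain name -> policy, usable on our output or on `nft list ruleset`."""
    return dict(_CHAIN_POLICY.findall(ruleset))


def example_ruleset() -> str:
    """Assumed layout: a web node in the cardholder environment."""
    ingress = [
        Rule("tcp", 443, None, "HTTPS from the load balancer / internet"),
        Rule("tcp", 22, "10.0.1.0/24", "SSH only from the admin bastion subnet"),
    ]
    egress = [
        Rule("tcp", 5432, "10.0.2.5", "PostgreSQL on the DB tier"),
        Rule("udp", 53, "10.0.0.2", "internal resolver"),
        Rule("tcp", 443, "10.0.0.10", "patch mirror / package repo"),
    ]
    return build_ruleset(ingress, egress)


if __name__ == "__main__":
    print(example_ruleset())
```

The check worth wiring into CI is `chain_policies(...)` against the live `nft list ruleset` output from each in-scope host: all three chains must come back as `drop`, and the rule lines must match the generated file, otherwise someone has hand-edited the box.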

Page 17

Summary

Page 18

How Zuora Can Help: LIMITING PCI SCOPE

• Zuora is a PCI Level 1 certified vendor
• Your application architecture determines how much PCI you'll be exposed to
• Investigate Zuora HPM (iFrames, etc), APIs, and other mechanisms to accept/handle CC info
• Scrub everywhere else in your business process for ways CCs are managed (i.e. faxes, POs, sales emails)
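Finding where card numbers already live is the practical first step in scrubbing those channels, and it is what decides which mailboxes, file shares and ticket systems end up in scope. The following added example (written for this transcript, not Zuora or CloudPassage code) scans text records such as a mailbox export, OCR'd fax cover sheets or ticket notes for candidate PANs, confirms them with the Luhn check so order numbers and phone numbers are not reported, and returns hits masked to the last four digits so the scan output itself does not become cardholder data. The sample records are constructed; the card numbers in them are the industry's published test numbers.

```python
import re

# Candidate: 13-19 digits, optionally separated by single spaces or dashes,
# not glued to other digits on either side.
_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Mod-10 check that every card brand uses; rejects most non-card digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask(pan: str) -> str:
    """Keep only the last four digits in scan output."""
    return "*" * (len(pan) - 4) + pan[-4:]


def find_pans(text: str) -> list:
    """Return masked PANs found in one record, in order of appearance."""
    hits = []
    for m in _CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            hits.append(mask(digits))
    return hits


def scan(records) -> list:
    """Scan an iterable of text records; each finding says which record hit."""
    findings = []
    for n, rec in enumerate(records, start=1):
        for masked in find_pans(rec):
            findings.append({"record": n, "masked_pan": masked})
    return findings


# Constructed samples of the "everywhere else" the slide lists.
SAMPLE_RECORDS = [
    "sales inbox: customer wants to pay by card 4111 1111 1111 1111 exp 12/15",
    "fax cover PO-2013-0042 amount 1,200.00 card on file 378282246310005",
    "order_id=1234567890123456 status=shipped",  # 16 digits, fails Luhn
    "callback +1 441 555 0123 re: invoice; card 5500-0000-0000-0004 declined",
]


if __name__ == "__main__":
    for f in scan(SAMPLE_RECORDS):
        print(f"record {f['record']}: {f['masked_pan']}")
```

Point `scan()` at exported mail, shared-drive documents and CRM notes; every system that produces a hit either gets its data purged and the intake channel closed, or it joins the in-scope list and inherits the full set of controls.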

Page 19

Best Practices

• Read and understand what your provider does, and what you are responsible for, with regards to PCI
• When moving servers outside your data center, ensure that they are hardened and compliant before they are exposed to the public
• Start with public cloud, PCI everywhere else is relatively easy!
• Focus on securing the tenets of PCI that you can control – partners (CSPs, vendors) are key to success

Page 20

Cloud Security Resources

cloudpassage.com/pci-kit

cloudpassage.com

Page 21

Q&A

Thank You!

[email protected]

cloudpassage.com/pci-kit

Page 22

Winston Morton, Vice President, Technology

Enabling Usage Based Metering Cloud Services

Page 23

Agenda

1. LinkBermuda Company Introduction
2. Business Model and Metered Cloud Services
3. Cloud Services Billing and Challenges
4. Drivers to use a cloud based Recurring
5. How Zuora Helped?
6. Lessons Learned
7. Wrap Up & QA

Page 24

LinkBermuda - Introduction

Page 25

LinkBermuda Service Portfolio

Page 26

LinkBermuda Network Facilities

§ On-net connectivity in multiple undersea and terrestrial cable systems
§ Direct ownership of undersea cable landing stations
§ Extensive Bermuda domestic fiber network
§ Multiple interconnects with network providers for global reach
§ 7x24 redundant network operations centers

Page 27

LinkBermuda Data Center Facilities

§ Bermuda's largest data center complex
§ Hosting many of the largest compute nodes in Bermuda
§ Designated as Critical Infrastructure by the Bermudian Government (Keypoint-1) for priority security and fuel delivery
§ 7x24 Network Operations Center
§ SSAE 16 SOC 2 Certification (in process)
§ Strategic national and international network connectivity

Key Specifications:
§ Site is deployed on one of the highest elevations in Bermuda to military specifications
§ Designed to withstand hurricane force winds
§ Fully Redundant 4160V Utility Feeds
§ N+1 Redundant Diesel Generators (3x1000kW)
§ N+1 UPS (2x1000kW)
§ N+1 Cooling (2x300 Ton Air Cooled Chillers)

Page 28

Understanding Metered Cloud Services and Design

Page 29

Metered Cloud Services

INFRASTRUCTURE AS A SERVICE

§ Bundled Virtual Servers, Storage, Security, and Network Connectivity
§ Flexible On-Demand Self Service
§ Geographically Aware
  - Customers can select as well as guarantee primary and secondary VDC locations (Bermuda and/or Canada today)

IaaS High Level Features

§ Predictable Performance
  - IaaS bundled with International MPLS QoS features
  - Broadband local loop
  - SLA guarantees
§ Highly Secure
  - Embedded VLAN Security
  - Embedded offsite D/R
§ Ease of Management
  - Customer Self Service Module

Page 30

Cloud Services Billing: High Level Design

• Communication as a Service: Value Added Apps; $$/Mth Fixed + Usage
• Backup as a Service: Value Added Apps; $$/Mb/Mth
• Infrastructure as a Service: Virtual Servers; Value Added Apps; $$/Server/Hr

[Diagram: three Cloud Management Platforms (IaaS, BaaS, CaaS), each with its own Product Catalogue and an Exported Cumulative Usage Report, feeding a Billing Platform that holds the matching IaaS, BaaS and CaaS Product Catalogues.]

Page 31

Cloud Services Billing: Functional Approach

§ Initially launched with an IaaS model with interfaces as straightforward as possible.
§ Most of our cloud systems have their own sophisticated self service provisioning interface.
§ We chose to leverage the provisioning systems embedded in each cloud system to minimize development.

Upside: One-way usage based interfaces are more cost effective and quicker to launch

Downside: Multiple product catalogues need to be synchronized

[Diagram: Cloud Management Platform (with its Product Catalogue), a Usage Report, Billing Platform (with its Product Catalogue), and Customer Portal.]

Page 32

Business Drivers to use Recurring Billing Solution

§ LinkBermuda was looking to out-source billing; we did not want to build our own system because of the complexity involved in recurring billing.
§ We evaluated several different recurring billing systems – Zuora was the quickest to deploy and most cost effective.
§ We needed a system which would enable us to price and package our services efficiently and be able to rapidly iterate on pricing when needed.

Page 33

Why Zuora?

§ The Rating and Billing Engine in Zuora understands our subscription business model and is ideally suited to do the job.
§ Zuora provided an out of the box solution (Zforce) for integrating with our CRM system (Salesforce). We took advantage of both ZQuotes and Z360.
§ Looking forward to utilizing Zuora Billing and Financial Reports and Forward Looking Metrics like MRR, ARR etc.
§ As LinkBermuda grows we are confident that Zuora can scale and accommodate our business growth.

Page 34

How LinkBermuda Uses Zuora

Background: Moving from traditional Telco services to cloud services for international financial, insurance and eCommerce markets

Business Model: B2B + B2C = B2Any. Direct: Self-service and sales assisted. Channels: Cloud Marketplace, Resellers

The Challenge: We needed to develop a self service cloud capability with usage based billing. Legacy billing system limited customization and product catalogue capabilities.

Page 35

Lessons Learned

BEST PRACTICES

Plan. Plan. Plan.
Business strategy changes during market launch
Best Practice:
  - Clear definition of business goals
  - Phase 1 launch should be limited to base services, add functionality as use cases become more evident

Limit Initial Scope
Avoid big bang cutovers
Best Practice:
  - Flexible architecture
  - Repeatable Interfaces (if possible)

Learn. Launch. Repeat.
Deploy, measure, iterate
Best Practice:
  - Be data driven

Page 36

Q&A

Thank You!