Usage Based Metering in the Cloud (Subscribed13)

PCI for Cloud Applications: Securing the Subscription Economy

Rand Wacker, VP of Products

@randwacker | #subscribed13

CloudPassage Overview

CloudPassage provides security and compliance for your cloud, software-defined, and traditional data center infrastructure.

Our PCI Story

1. We use Zuora for metered usage billing
2. Since we accept CCs in multiple ways, we had to do a full PCI cert for ourselves
3. We also provide PCI security controls to our customers
4. Here's what we learned...

It's never just that simple

Your Architecture Drives PCI Scope

1. PCI "in-scope" systems are anything that accept, store, process, or transmit CC info
2. Zuora can handle much (maybe all?) of this, depending on the architecture/features you're using
3. If (like us) you take CCs in your app (or by other means), then you're responsible for PCI for those in-scope systems

Everyone here is likely PCI liable

It's Not All Doom and Gloom

1. Yes, you can be PCI compliant using cloud!
2. You will likely need some different tools and processes
3. Not all stacks/providers are created equal!
4. There is no "silver bullet" – but the responsibility is still yours

Plenty of F.U.D. re PCI and cloud

PCI in the Cloud: Yes, It Is Possible

• CloudPassage is a certified Level 1 Service Provider
  – First entirely cloud-based vendor certified across multiple CSPs
  – Hosted in Rackspace Cloud & AWS, with full DevOps automation
• Multiple customers have successfully cleared QSA audits

PCI Responsibility

Cloud Responsibility Model: You're on the hook, wherever hosted

[Figure: the same stack is drawn twice, for a Private Cloud and for a Public IaaS Provider, and split between Customer Responsibility and Provider Responsibility. Layers shown: Physical Facilities, Hypervisor, Compute & Storage, Shared Network, Virtual Machine, Operating System, App Framework, App Code, Data.]

Recent Guidance Changes

1. Use VM-to-VM firewalling (host-based) in cloud/virtual environments
2. Ensure integrity of VM OS, Apps, and Data to isolate from hypervisor-based access
3. CSP (Cloud Service Provider) PCI compliance helps, but is not mandatory
4. If you're in a private data center, all your stack is in-scope

PCI Cloud SIG clarifies rules

PCI Shared Responsibility

PCI in any Cloud/Infrastructure

• Security (if done correctly) begets compliance
  – Not the other way around
• What worked in your datacenter might not work in cloud environments
• Need technical controls that work like the cloud does
  – Dynamic, elastic, scalable

Compliance Design

Cloud PCI Foundations

[Figure: four foundations, listed as Cloud Stack/Provider, Assessor, Application design, Harden the systems.]

Assessor

• Find one ... that knows cloud technology
  – A good default choice is the QSA who did the assessment for your CSP
• If you don't want/need to use an external auditor, then ... determine if you have the knowledge internally
  – You need to make sure you have the depth of knowledge on the PCI DSS, as you will likely get it wrong if not

Application Design

[Figure: application tiers with a master DB and a slave DB.]

• Ability to achieve PCI compliance is primarily based on forethought given to application design
• Most providers, and all cloud-based OS's, can be PCI compliant*
• Ask:
  – What data am I storing? Why?
  – What is the communication flow of the application? Is it restricted?
  – Is my crypto based on publicly vetted standards?

This is where Zuora can help limit your systems "in-scope"

Harden the Systems

• Protect the system
  – Firewalls (remember ingress and egress)
  – Change defaults
  – Install patches
  – Watch the system for odd behavior or changes
• You need to automate this. Trying to do this by hand in a cloud environment is error-prone.
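"Watch the system for odd behavior or changes" only scales if the watching is automated. The following is an added example, not code from the slides or from CloudPassage: it records a content hash and permission bits for every file under a directory, then reports what was added, removed, modified, or had its mode changed since the baseline. The demo tree, file names and the drift it introduces (a weakened sshd_config, a shadow file made world-readable, an unexpected cron entry) are all constructed for illustration.

```python
import hashlib
import stat
import tempfile
from pathlib import Path


def hash_file(path: Path) -> str:
    """SHA-256 of a file's contents, read in chunks so large files are fine."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> dict:
    """Snapshot every regular file under root: content hash plus permission bits."""
    baseline = {}
    for path in sorted(root.rglob("*")):
        if path.is_file() and not path.is_symlink():
            baseline[path.relative_to(root).as_posix()] = {
                "sha256": hash_file(path),
                "mode": stat.S_IMODE(path.stat().st_mode),
            }
    return baseline


def compare(baseline: dict, current: dict) -> dict:
    """Classify drift between two snapshots taken by build_baseline()."""
    report = {"added": [], "removed": [], "modified": [], "mode_changed": []}
    for name in sorted(set(baseline) | set(current)):
        if name not in baseline:
            report["added"].append(name)
        elif name not in current:
            report["removed"].append(name)
        else:
            if baseline[name]["sha256"] != current[name]["sha256"]:
                report["modified"].append(name)
            if baseline[name]["mode"] != current[name]["mode"]:
                report["mode_changed"].append(name)
    return report


def demo() -> dict:
    """Constructed scenario: baseline a fake /etc tree, then introduce the kinds
    of drift a hardening check should flag, and return the comparison."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "ssh").mkdir()
        sshd = root / "ssh" / "sshd_config"
        sshd.write_text("PermitRootLogin no\nPasswordAuthentication no\n")
        shadow = root / "shadow"
        shadow.write_text("root:*:0:0:99999:7:::\n")
        shadow.chmod(0o600)
        before = build_baseline(root)

        # Drift: a default changed back, a permission loosened, a file appeared.
        sshd.write_text("PermitRootLogin yes\nPasswordAuthentication no\n")
        shadow.chmod(0o644)
        (root / "cron.d").mkdir()
        (root / "cron.d" / "unexpected-job").write_text("# constructed: nobody provisioned this\n")
        after = build_baseline(root)
        return compare(before, after)


if __name__ == "__main__":
    for kind, names in demo().items():
        print(f"{kind}: {names}")
```

In practice the baseline is taken right after the image is hardened, stored off the host, and compared on a schedule; the `mode_changed` category is kept separate from `modified` because loosened permissions are a distinct finding from edited content.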

Summary

How Zuora Can Help: Limiting PCI Scope

• Zuora is a PCI Level 1 certified vendor
• Your application architecture determines how much PCI you'll be exposed to
• Investigate Zuora HPM (iFrames, etc.), APIs, and other mechanisms to accept/handle CC info
• Scrub everywhere else in your business process for ways CCs are managed (i.e. faxes, POs, sales emails)
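Both the Application Design question ("What data am I storing? Why?") and the advice above to scrub the rest of the business process come down to finding card numbers where they should not be. The following is an added example, not code from the slides or from Zuora or CloudPassage: it flags 13–19 digit runs that pass the Luhn check as probable PANs, reports which lines hold them, and masks them down to the last four digits. The log lines and sales note are constructed; the two card numbers are the public Visa and Mastercard test numbers, and the order id is a 16-digit number that fails Luhn.

```python
import re

# Candidate: 13-19 digits, optionally separated by single spaces or dashes,
# and not part of a longer digit run (so long numeric IDs are not carved up).
_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn check-digit test: real card numbers pass it, most other IDs do not."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def _as_pan(match_text: str):
    """Return the bare digits if the candidate looks like a PAN, else None."""
    digits = re.sub(r"[ -]", "", match_text)
    if 13 <= len(digits) <= 19 and luhn_valid(digits):
        return digits
    return None


def find_pans(text: str) -> list:
    """All probable PANs in a piece of text, as bare digit strings."""
    return [pan for pan in (_as_pan(m.group()) for m in _CANDIDATE.finditer(text)) if pan]


def redact_pans(text: str) -> str:
    """Replace each PAN with its last four digits so the line stays useful for
    debugging but no longer holds cardholder data."""
    def mask(m):
        pan = _as_pan(m.group())
        return "*" * (len(pan) - 4) + pan[-4:] if pan else m.group()
    return _CANDIDATE.sub(mask, text)


def scan_lines(lines) -> dict:
    """Map 1-based line number -> PANs found, for lines that contain any."""
    hits = {}
    for n, line in enumerate(lines, 1):
        pans = find_pans(line)
        if pans:
            hits[n] = pans
    return hits


# Constructed sample: application log lines and a sales note, the kinds of
# places card data leaks into and silently widens PCI scope.
SAMPLE_LINES = [
    "2013-06-05 10:12:01 order=1234567890123456 status=paid",
    "2013-06-05 10:12:02 DEBUG charge body card=4111111111111111 exp=12/15",
    "Sales email: customer faxed 5500-0000-0000-0004 with the PO",
    "Support ticket from +1 441 555 0100",
]

if __name__ == "__main__":
    for n, pans in scan_lines(SAMPLE_LINES).items():
        print(f"line {n}: {len(pans)} PAN(s) -> {redact_pans(SAMPLE_LINES[n - 1])}")
```

Run over log archives, mail stores and ticket exports, a hit list like this is the evidence for the "what am I storing, and why?" conversation: every location that turns up is either removed from the process or accepted as in-scope.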

Best Practices

• Read and understand what your provider does, and what you are responsible for, with regards to PCI
• When moving servers outside your data center, ensure that they are hardened and compliant before they are exposed to the public
• Start with public cloud; PCI everywhere else is relatively easy!
• Focus on securing the tenets of PCI that you can control
  – Partners (CSPs, vendors) are key to success

Cloud Security Resources

cloudpassage.com/pci-kit
cloudpassage.com

Q&A

Thank You!

[email protected]

Winston Morton, Vice President, Technology

Enabling Usage Based Metering Cloud Services

Agenda

1. LinkBermuda Company Introduction
2. Business Model and Metered Cloud Services
3. Cloud Services Billing and Challenges
4. Drivers to use a cloud based Recurring Billing Solution
5. How Zuora Helped?
6. Lessons Learned
7. Wrap Up & QA

LinkBermuda - Introduction

LinkBermuda Service Portfolio

LinkBermuda Network Facilities
§ On-net connectivity in multiple undersea and terrestrial cable systems
§ Direct ownership of undersea cable landing stations
§ Extensive Bermuda domestic fiber network
§ Multiple interconnects with network providers for global reach
§ 7x24 redundant network operations centers

LinkBermuda Data Center Facilities
§ Bermuda's largest data center complex
§ Hosting many of the largest compute nodes in Bermuda
§ Designated as a Critical Infrastructure by the Bermudian Government (Keypoint-1) for priority security and fuel delivery
§ 7x24 Network Operations Center
§ SSAE 16 SOC 2 Certification (in process)
§ Strategic national and international network connectivity

Key Specifications:
§ Site is deployed on one of the highest elevations in Bermuda to military specifications
§ Designed to withstand hurricane force winds
§ Fully Redundant 4160V Utility Feeds
§ N+1 Redundant Diesel Generators (3x1000kW)
§ N+1 UPS (2x1000kW)
§ N+1 Cooling (2x300 Ton Air Cooled Chillers)

Understanding Metered Cloud Services and Design

Infrastructure as a Service

§ Bundled Virtual Servers, Storage, Security, and Network Connectivity
§ Flexible On-Demand Self Service
§ Geographically Aware
  - Customers can select as well as guarantee primary and secondary VDC locations (Bermuda and/or Canada today)

IaaS High Level Features

§ Predictable Performance
  - IaaS bundled with International MPLS QOS features
  - Broadband local loop
  - SLA guarantees
§ Highly Secure
  - Embedded VLAN Security
  - Embedded offsite D/R
§ Ease of Management
  - Customer Self Service Module

Metered Cloud Services

• Communication as a Service
  • Value Added Apps
  • $$/Mth Fixed + Usage
• Backup as a Service
  • Value Added Apps
  • $$/Mb/Mth
• Infrastructure as a Service
  • Virtual Servers
  • Value Added Apps
  • $$/Server/Hr

Cloud Services Billing: High Level Design

[Figure: three Cloud Management Platforms (IaaS, BaaS, CaaS), each with its own Product Catalogue, each sending an Exported Cumulative Usage Report to the Billing Platform, which holds its own Product Catalogue.]

Cloud Services Billing: Functional Approach

§ Initially launched with an IaaS model, with interfaces as straightforward as possible.
§ Most of our cloud systems have their own sophisticated self service provisioning interface.
§ We chose to leverage the provisioning systems embedded in each cloud system to minimize development.

Upside: One-way usage based interfaces are more cost effective and quicker to launch

Downside: Multiple product catalogues need to be synchronized

[Figure: Cloud Management Platform with its Product Catalogue, a Usage Report, the Billing Platform with its Product Catalogue, and the Customer Portal.]
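The one-way design above means the billing side receives a cumulative usage export and has to turn running totals into per-period quantities, while the "downside" of separate catalogues shows up as SKUs the billing platform has never heard of. The following is an added example, not code from the slides, LinkBermuda or Zuora: it parses a constructed cumulative export, derives each period's quantity from the difference of consecutive totals, and refuses to silently bill two failure modes a practitioner hits with this design, a counter that went backwards (reset on the cloud platform) and a SKU missing from the billing catalogue. The SKU names, the catalogue, the account and all usage figures are constructed.

```python
import csv
import io
from collections import defaultdict

# Constructed billing-side product catalogue (hypothetical SKUs): SKU -> unit of measure.
BILLING_CATALOGUE = {
    "IAAS-VSERVER-HR": "server-hours",   # billed $$/Server/Hr
    "BAAS-STORAGE-MB": "megabytes",      # billed $$/Mb/Mth
    "CAAS-SEATS": "seats",               # billed $$/Mth fixed + usage
}

# Constructed cumulative export, shaped like what a cloud management platform
# might emit: one row per account/SKU per billing period, value is the running total.
EXPORT_CSV = """account,sku,period_end,cumulative
acme,IAAS-VSERVER-HR,2013-04-30,720
acme,IAAS-VSERVER-HR,2013-05-31,1464
acme,IAAS-VSERVER-HR,2013-06-30,1100
acme,BAAS-STORAGE-MB,2013-05-31,51200
acme,BAAS-STORAGE-MB,2013-06-30,53248
acme,CAAS-SEATS-OLD,2013-06-30,12
"""


def parse_export(text):
    """Read the CSV export into dicts with a numeric cumulative value."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for row in rows:
        row["cumulative"] = float(row["cumulative"])
    return rows


def to_period_usage(rows, catalogue):
    """Turn running totals into per-period quantities the billing platform can rate.

    Returns (usage_records, problems). Unknown SKUs and counter resets are not
    silently billed; they are reported so the catalogues can be re-synchronized
    or the export investigated.
    """
    series = defaultdict(list)
    for row in rows:
        series[(row["account"], row["sku"])].append(row)

    usage, problems = [], []
    for (account, sku), records in series.items():
        if sku not in catalogue:
            problems.append(f"{account}/{sku}: SKU not in billing catalogue")
            continue
        records.sort(key=lambda r: r["period_end"])
        previous = 0.0  # assumes the export starts at the first period the SKU was used
        for record in records:
            current = record["cumulative"]
            if current < previous:
                # The running total went backwards: the platform's counter was reset.
                # The export can only tell us what accumulated since the reset.
                quantity = current
                problems.append(f"{account}/{sku}: counter reset at {record['period_end']}")
            else:
                quantity = current - previous
            usage.append({
                "account": account, "sku": sku, "period_end": record["period_end"],
                "quantity": quantity, "uom": catalogue[sku],
            })
            previous = current
    return usage, problems


def run_demo():
    """Process the constructed export against the constructed catalogue."""
    return to_period_usage(parse_export(EXPORT_CSV), BILLING_CATALOGUE)


if __name__ == "__main__":
    usage, problems = run_demo()
    for u in usage:
        print(f"{u['account']:6} {u['sku']:16} {u['period_end']} {u['quantity']:>8.0f} {u['uom']}")
    for p in problems:
        print("PROBLEM:", p)
```

Keeping the catalogue check in the import step, rather than letting the billing platform reject the record later, is what makes the synchronization problem visible on the day the cloud platform renames a product instead of at month-end close.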

Business Drivers to use Recurring Billing Solution

§ LinkBermuda was looking to out-source billing; we did not want to build our own system because of the complexity involved in recurring billing.
§ We evaluated several different recurring billing systems – Zuora was the quickest to deploy and most cost effective.
§ We needed a system which would enable us to Price and Package our services efficiently and be able to rapidly iterate on Pricing when needed.

Why Zuora?

§ The Rating and Billing Engine in Zuora understands our subscription business model and is ideally suited to do the job.
§ Zuora provided an out of box solution (Zforce) for integrating with our CRM system (Salesforce). We took advantage of both ZQuotes and Z360.
§ Looking forward to utilizing Zuora Billing and Financial Reports and Forward Looking Metrics like MRR, ARR etc.
§ As LinkBermuda grows we are confident that Zuora can scale and accommodate our business growth.

How LinkBermuda Uses Zuora

Background: Moving from traditional Telco services to cloud services for international financial, insurance and eCommerce markets

Business Model: B2B + B2C = B2Any. Direct: Self-service and sales assisted. Channels: Cloud Marketplace, Resellers

The Challenge: We needed to develop a self service cloud capability with usage based billing. Legacy billing system limited customization and product catalogue capabilities.

Lessons Learned

Best Practices

Plan. Plan. Plan
Business strategy changes during market launch
Best Practice:
- Clear definition of business goals
- Phase 1 launch should be limited to base services; add functionality as use cases become more evident

Limit Initial Scope
Avoid big bang cutovers
Best Practice:
- Flexible architecture
- Repeatable Interfaces (if possible)

Learn. Launch. Repeat
Deploy, measure, iterate
Best Practice:
- Be data driven

Q&A

Thank You!