Navigating PCI Security Mountains in the Cloud

Navigating PCI Security Mountains in the Cloud

November 06, 2013 2:00 pm

(Save to cal)

Online

Join a PCI DSS panel discussion with technical and administrative experts in the field as they discuss the role that cloud service providers play in protecting cardholder data and the security issues involved. 

Title: Navigating PCI Security Mountains in the Cloud
Who: Brandon Dunlap, Brightfly, Inc.; Bob Russo, PCI SSC; Jason Yaeger, Director of Operations, Online Tech; Randal Asay, Catbird
When: November 6, 2013 @2PM ET
Descriptions: Organizations outsourcing card data to the cloud face significant security risks. As soon as an organization adds other players to the offsite card-management mix, ensuring compliance with the PCI Data Security Standard becomes increasingly challenging. Cloud users and cloud service providers need to understand what their roles and responsibilities are when it comes to protecting this data. Storing, processing and transmitting cardholder data in the cloud brings the cloud environment into scope for PCI DSS.

Organizations need to know where their data is at all times. A lot of cloud clients have limited or no control over cardholder data storage. Where's the data being stored? Is it stored in multiple locations? These are all things that you have to take into consideration when you're thinking about outsourcing to a cloud provider. Learn how to address PCI compliance challenges in the cloud and gain new insights on:

  • Emerging PCI security risks in the cloud
  • Processes for assessing risk when card data could potentially be stored in multiple locations
  • Recommendations for achieving PCI compliance across virtual environments
  • How to use a data-centric approach to reduce the cost and scope of PCI Compliance

Kelly Vicks: Welcome everyone, and thanks for joining us on today’s panel discussion webinar Navigating PCI Security Mountains in the Cloud brought to you by the IT GRC Forum as a followup to our presentation in May. IT GRC Forum produces educational events for the governance, risk management, and compliance community and provides free market intelligence to all our members. If you’re not already a member, you can register at itgrcforum.com.

I’m Kelly Vicks, the host of today’s program, and it’s my pleasure to introduce today’s speakers. We welcome back Brandon Dunlap as moderator. Brandon is the Managing Director of research at Brightfly. On the panel, we have Jason Yaeger, Risk Management and Security Officer at Online Tech, Randal Asay, the Chief Technology Officer at Catbird, and Bob Russo, general manager of the PCI Security Standards Council. Bob will be joined by Troy Reach, the CTO of the Council.

Before we start, I’ll quickly run through the housekeeping and the agenda for today. First, all lines will be in listen-only mode for the 60-minute conference. If you have any issue with the audio, please first check your device settings before contacting technical support. For maximum quality, you can click to view in full screen on the bottom right-hand side of your console. Next, we want to hear from you and hope to get your feedback during the session. If you have any suggestions for future topics please let us know. We do value feedback and tak it into consideration when planning for future events. Please submit this through the ratings tab on your console. We’re taking questions throughout today’s presentation and you can submit these at any time through the question button. If we don’t manage to answer all questions today we’ll respond by email.

For anyone listening to the archived event, you can submit questions on the IT GRC Forum and we’ll continue the discussion in the community. If you’d like a copy of today’s slides you can download these through the attachments tab, and the PDF version includes some bonus slides not in the live presentation. You can also view our related white papers through attachments, so please take a look.

After the live presentation, this webcast will be available on demand, so please share with any colleagues who you think may be interested in the topic. Finally, at the end of today’s session, we’re holding a prize draw and one lucky attendee with be drawn at random to win a $2,950 pass to our partner event, the Cyber Security and Digital Forensics Exchange, being held in Texas on December 8th through the 10th. The pass for the entire three-day event and includes meals and two-night hotel accommodations, so stay tuned to find out if you’re the winner.

In today’s discussion, our panel will address ways to navigate PCI security challenges in the cloud and will give some insights on emerging PCI security risks, processes for assessing those risks, and some recommendations for receiving PCI compliance across virtual environments, including how to maintain PCI scope management. Now without further ado I’ll turn the program over to Brandon who will begin the discussion. Thanks, Brandon.


Brandon Dunlap: Thank you very much, Kelly, it’s always a pleasure to be back, especially with the great panel lineup that we have today. I want to start off by having everybody tell us a little bit about where you’re coming from organizationally as well as your personal perspectives. Randal, we’re going to start off, go from the other side of the table back this time. I’ll start with you here. Tell us a little bit about Catbird and where you fit into today’s discussion.


Randal Asay: Sure. Thanks, Brandon. Catbird really is a software based solution. We automate security and compliance in the virtualized infrastructure. We focus to reduce the scope of audit, preparation, and we really try to reduce the security administrations for our customers. Where we fit in is the transition to the cloud via PCI environments can be daunting. What we’re really focused on is trying to reduce that effort and make it a manageable and feasible process.


Brandon: Fantastic. Pleasure having you on, really look forward to hearing some of your insights that you’ve gleaned over your customer base over the last number of years because I think that’s going to be a very good pivot point for our conversations. Up next, Jason. Tell us a little bit about your group and what you’re hoping to bring to the table in today’s conversation.


Jason Yaeger: Thank you. I’m Jason Yaeger. I’m the Director of Product Management as well as Online Tech’s Security Officer. Online Tech provides infrastructure, cloud computing infrastructure, for clients in a compliant-backed environment. We have environments that are backed by our PCI and HIPAA compliance as well as SAS II and Safe Harbor audits. We have environments for clients that don’t need to achieve compliance as well. Our main goal for our clients is to provide a framework for them to achieve compliance in the cloud and enable them to focus on what they really need to focus on which is their application or supporting their clients in some way, shape, or form.


Brandon: Great. Again, a wide smattering of experience across a diverse client set in a bunch of various areas. Really looking forward to your insights as well. Last but not least, Bob, tell us about the organization probably everybody on today’s webinar already knows at least a little bit.


Bob Russo: Thanks, Brandon. Let’s hope they do. This is Bob Russo. I’m the General Manager of the PCI Security Standards Council. Today, along with myself I have my Chief Technology Officer, Troy Leach. Thanks for inviting us to be part of the panel of the discussion.

By way of background, the PCI Security Standards Council is an open global forum for protecting payment card data. Very simply, this means that we want to protect not just consumers but industry players such as merchants, processors, financial institutions, and other organizations that, and here comes the key phrase, store, process, and transmit cardholder data.

We do this by developing and managing technical standards that cover everything from point of entry of account data to how that data’s processed through secure payment applications. Each standard reinforces the others to provide a comprehensive security for the payment card infrastructure and applications and devices that are used by merchants and service providers as well as software developers and manufacturers. With the help of really an active global community we continue to evolve these standards to provide pretty much the best framework per payment card security.

This week, we’re actually releasing version 3.0 of the PCI DSS and the PA-DSS, the application standard. Specific to our discussion today on cloud, today’s payment environment is even more complex creating multiple points of access to cardholder data. Changes that are introduced in the new version of the DSS as well as the PA-DSS really emphasize the shared nature of security across the payment chain and focus on helping organizations understand their entities, PCI DSS responsibilities when working with different business partners to ensure basically that cardholder data is secure including cloud providers as well. Overall, the changes are designed to give organizations a strong but flexible security architecture with principles that can be applied to their unique technology, payment, and business environments.

Brandon: Fantastic, fantastic. Appreciate the announcements and congratulations on getting the updated standards out. I’m sure that’s going to be a hot download for people, especially those listening in to either live or on the archives. I’m going to pause with a slide, as Kelly mentioned, there are a number of items that are on essentially the back end of this that you can grab from the attachments tab. I’m going to go ahead and just leave our pretty faces up here so folks can put a face to the voices that they’re hearing.

I want to kick things off, Bob, Troy, I’m going to send this one back into your wheelhouse, which one of you would like to answer feel free to. How is the council tackling this cloud problem right now? I say problem, we’ll call it a sea change, if you will, in infrastructure management. What is it that you feel that people on the call today really need to hone in on with regards to their compliance efforts?


Troy Leach: Sir, this is Troy Leach from the Council. I think one of the things that we have recognized over the past years is that a majority of merchants have either moved some resources to the cloud or are considering moving those resources to cloud. For us at the Council, some of the things that we’ve done people may not be not be aware of is earlier this year we published a special interest group paper that’s a verbose amount of information on how you become PCI compliant in the cloud. Highly recommend the audience download that free document from our website if they have an opportunity because it actually walks through each and every one of the PCI requirements and the what the differences, intricacies are of going from a software as a service to a platform as a service to an infrastructure as a service and what the responsibilities should be between the cloud service provider as well as their clients which are typically merchants that are pushing card data information into the cloud.

I think another area for us in the standard, just to probably emphasize, because as you mentioned we’re releasing version 3 of the DSS standard tomorrow, there’s not new language related to the cloud specifically. We try to keep the DSS standard technology agnostic to the best of our ability, but we believe that what we’ve seen on this cloud document and other effort the standard is going to be able to encompass and address these concerns, but people need to be aware of what the risks are and what business relationships they need to have with the cloud service provider.


Brandon: That takes me to the next point here. I love the overview of across the different types of cloud, infrastructure up through software and the concerns. Glad to hear you’re addressing so many of those and trying to unify some of those concerns and responses in the new standard. With that, I would like to reach out to our audience here and ask them what their thoughts are on struggling with proving PCI compliance in the cloud.

I’m going to kick off a real quick survey here. Folks, you should see that pop up in your window. Go ahead and make your selections now. We’ll keep that open for a few moments as we talk a little bit about those different strata. Jason, I want to hit this one over to you. Tell us a little bit about the positioning or the differences in the compliance endeavor across those different elements. If I’m going in for a software platform or infrastructure services.


Jason: Yes. I think one of the … hopefully, I’m answering this correctly, but one of the challenges, you start out with a list of requirements and tests from a PCI perspective. One of the challenges that we’ve seen from our clients is trying to understand what a hosting provider or an infrastructure provider can do for them when it comes to … what portion of those requirements and tests can we help our clients with and what portion do they have to keep for themselves.

We do a few things to try to help them with that, but this is what I would look at it for anybody’s perspective is you take the list of the requirements and the tests and look at what your hosting provider can alleviate for you, can take off your plate, and then also find out exactly what they do for each of those requirements or tests to make sure that they’re living up to their end of the bargain keeping their compliance. That’s really where it starts out. People don’t really understand exactly what can be offloaded and what has to stay with their company.


Brandon: I think that’s a very fantastic point. I want to drill into that here in just a few minutes, Jason. Right now, we have about what looks like 75 or so people have weighed in. Let’s go ahead and see what their thoughts are. That’s a pretty telling remark. About 27% said that they’re struggling to prove they’re PCI compliant in the cloud, 35% saying no, 39% saying they’re really not sure if they’re struggling with this or not. It could be because they’re part way through the process, or to your point which I thought was fantastic maybe they don’t know what’s available to them in a systems from their service provider. I want to dig into that because I think that’s a fantastic opportunity and really builds the relationship between provider and client with regards to meeting their compliance requirement.

I want to turn this over, Randal, a little bit in your direction now. Let’s talk about the application of controls from the enterprise that we’re all pretty much used to is security on a practitioner’s and migrating some of those same control sets and that same mindset into the cloud service providers. Where, perhaps, some of those handoffs that Jason mentioned occurred? Can you give us a little color commentary, if you will, around that?


Randal: Sure, sure. Brandon, thanks. I can tell you from Catbird’s perspective the way that we handle that is we looked at applying control frameworks to trust zones. Whether or not you’re in your private virtual environment or whether or not you’re migrating to the cloud, the key and the strategy that we think enables that opportunity is applying those logically. As those assets move and as they migrate around, let the people take advantage of the lack of compute or compute on demand, that data set still inherits the policies that enable you to still be compliant. That model allows for the ability to migrate data from your internal environment and the handoff to your cloud provider.


Brandon: Bob, you and Troy, because your point of view, I think is going to be critical here. What do you think folks listening in today need to think about with that shared responsibility with that hosting or that cloud provider? How does that color or change the audit dynamic and how does that change the responsibility of the parties, or does it for that matter, when they partner on the shared responsibility of the controls?


Bob: I think the overall theme here is a recognition of what controls have already been stated are going to be applied by the merchant and what are going to be assumed by the cloud service provider. One of the challenges that we’ve had in this overall process is a lack of visibility and transparency to merchants of what is actually being done within the cloud service environment.

For example, we have several problems of data breaches happening with nested relationships. We have a merchant that was a point of compromise and it was a sad unfortunate situation because the merchant themselves had told their cloud service provider we don’t want to have cardholder data in the cloud, we want you to remove it from any of your servers that are hosting our information. The cloud service provider did that, but unfortunately, the cloud service provider had a third party relationship with a backup contingency organization that was storing that information. It led to a data compromise of that facility and as a result the merchant saw that their customer’s cardholder data was still exposed. I think it’s those types of relationships and roles and responsibilities that need to be truly invalidated by the merchant as they explore what is going to be migrated in this cloud.

One of the ways that we’ve seen merchants be able to take advantage and leverage cloud services is by encrypting the cardholder information before it ever enters the cloud. Their PCI responsibilities are minimized, the cardholder data footprint is significantly less, and the risk of exposure is decreased if they’re doing that type of effort within their storefronts, within their facilities, and then using the cloud services for all the other benefits.


Brandon: That’s a very good point. While you may shift the burden of responsibility around, at the end of the day it always comes back to the merchant to a large degree. From a PR perspective and also from owning this, I think, from end-to-end, I think that encryption angle that you brought up is a great way to mitigate those nesting of those relationships.

Jason, with the work that you’re doing at Online Tech with the hosting, what kind of advice are you giving to your customer base now as they bring services into you and whether or not you’re in those types of nesting relationships that we just discussed, how is that playing out through things like contract negotiations, setup, configuration, and the ongoing audit cycles with your customers?


Jason: I think to the point just made, encrypting the credit card data is something that we highly recommend to any of our clients for their peace of mind. By going further into that, if that’s not a possibility, not everybody has those capabilities, Online Tech has a number of services and also we have a number of security offerings that we have to do our best to detect any data breach that could possibly happen. We also have implemented a lot of ways to separate our compliant clients from other compliant clients or from other clients that don’t need compliance or the security around compliance.

From a contract perspective, all of our services are geared towards people of the security mindset, people that need to be compliant, companies that need to be either HIPAA or PCI compliant. Our contract negotiations, our contracts, are already geared towards that and we really don’t have to do much from that perspective. We carry the type of insurance that we need to from a HIPAA perspective. All of the things that we’re doing from all those different compliance standpoints, we’re really not having to change the way we do contract negotiations. It’s a one-stop shop for compliance related infrastructure services for us. It’s very easy.


Brandon: That’s great. I like how your streamlining the on-ramp, shall we say. I want to dig into something very near to that transition phase. We mentioned contracts and the onboarding and the assurances, Jason, that your organization gives. Randal, I’m kind of curious as we start to hone in on scoping of environments and segmentation of own networks within the enterprise over the years with regards to PCI compliance, what kind of advice are you giving folks moving to a hosted solution or a cloud solution in maintaining or understanding where their scope is going to change? What’s going to retain within the enterprise? What’s going to go an organization like Jason’s and how that is going to evolve over the coming terms of their contract?


Randal: Right, right. Brandon, the first thing I would say, my previous experience before Catbird I worked for a large retail company. In the early days, we used to find out that our scope was expanded because one of our organizations had a credit card, either they’ll purchase compute on demand. That really lends itself to, number one, having a strong and 100% accurate asset management. When you talk about being able to do things quickly and that approach that the cloud provides, making sure that you have the correct balance and control point.

In addition, if you have a succinct and clear perimeter around your PCI environment, as you go into the cloud you have to realize that it’s a virtual perimeter. With some very strong software security you can ensure that the policy that you’re enforcing, scope that you manage within your own data centers you can take those same methodologies and apply those to your cloud environment. I think that’s probably the best route that you can take to ensure that you maintain your scope.


Brandon: Fantastic insights. Folks, I want to remind everybody we have a great panel assembled today. Please, don’t be shy in submitting your questions. We want to get those answered, as many of them on the air as we possibly can live today. As Kelly mentioned, those that we cannot get to today we will try to address via email.

Bob, I want to toss this one your way right now and that is around scoping and the audit cycle and such. What kind of guidance is the PCI Standards Council bringing to this scoping discussion? What advice are you giving or guidance are you giving as people are making this migration to cloud services about those responsibilities?


Bob: The biggest thing from our perspective is the complexity that this whole thing adds to the mix here. When you’re beginning to scope these things out, you need to make sure that you’re finding this cardholder data wherever it might be in your systems, and now that you’re going to a cloud environment some of the things you may not be aware of are really good security practices. Your cloud provider now is backing up your data because it’s good security to back up your data. That data could be backed up into three or four or five different places. You have no idea. You think it’s in one spot. Scoping the stuff out becomes that much more difficult when you’re in a cloud environment and not because people are trying to hide things, but because people are trying to do the right thing.

You need to be well aware of where your data is all the time. I harken back to what Troy said about encrypting the data. If the data’s encrypted before it gets there then you need to be less concerned about trying to figure out where it is and what the scope is and where it’s being touched and massaged either in your network or on a service provider’s network. That’s probably the best advice that we can give you, but other than that scoping is always a big issue. You always think that you know where your data is, and time and time again we get customers coming to us, we have people on our board, large companies, small companies, coming to us and saying, “We just discovered that we have cardholder data in the HR Department. How did we get cardholder data in the HR Department? We had no idea it was there.”

Scoping continues to be a big issue. Before you bring an assessment company in to help do your assessment, make sure that you’ve gone through and found out where this data is, where it’s being touched, where it’s being process, and so on. You’ll continue to see scoping be tweaked not only in the standard but in task forces and in special interest groups. We just finished our community meetings, two of them, one in Vegas and one in Europe last week. When we have the special interest groups that people are proposing, by and large, it is always a proposal for a special interest group on scoping. Continues to be a big issue. Make sure you’re thorough when you’re looking for this data before you scope what you need to do.


Brandon: Most definitely. Very good advice. Just out of curiosity, are there any more upcoming events like that that people may be able to look forward to in the near future?


Bob: Yeah, we actually have one more community meeting left. Just to let everybody know, we do three community meetings, one in North America, one in Europe, and one in Asia-Pac. The next one will be in about two weeks in Malaysia in Kuala Lumpur. If you happen to be in Kuala Lumpur and you’re up in Petronas Towers having a look around come on down and join us.


Brandon: Fantastic. I want to come over. Randal, I want to get your opinion, and then after that, Jason, I want your point of view on this. We had a question come in from the audience. We’re starting to talk about very early on in the conversation encrypting the data, the nesting of responsibilities, identifying where it is and such. Randal, starting off with you, how do you feel that tokenization changes things in the cloud versus the non-cloud environment or does it?


Randal: It does. Anytime you talk about levels of encryption and adding those features on to your data set it increases your ability to manage risk. This all depends on the maturity of the organization and how you handle that type of technology.


Brandon: Jason, what are your thoughts on the implementation of tokenization technologies as they relate to this migration? Is it really the easiest route?


Jason: I’m not sure it’s the easiest route. Anytime that you’re going to be encrypting or using tokens or something of that nature to try to protect that sensitive data whether it’s cardholder data or personally identifiable data, I would look at those two solutions and make sure that you’re choosing the right one. If you really can’t do either one of those you really need to, I think people have touched on this a number of times, you really need to make sure that the level of security you have in your environment, your application, your hosting provider, wherever this data is, you need to make sure that you’re doing everything you can from a security perspective to protect that data if it is unencrypted or not tokenized. Look at either one of them and figure out what’s the best solution for your company and choose that implementation for whatever protected data you’re trying to protect.


Brandon: You mentioned some of the controls that your organization may have. Jason, I’m going to come back to you on this because we had a very interesting question come in from the audience. Obviously, an organization such as yours that’s housing stuff for their client base is going to have a variety of audit requirements yourself and assurances that you’re going to give to your customer base. We had a question come in about platforms, for example, that automate some of these compliance elements and the specific one mentioned was cloud e-assurance, ways for the customer base to have the assurances themselves, about your environment, your controls, your processes, and even to Troy’s commentary and Bob’s commentary earlier about some of those nesting issues. How are you folks as a business articulating that information to your customer base? Do you allow the publication of those reports very open and transparently? Services like cloud e-assurance, something that you’re engaged in and essentially how are you making your customer base feel comfortable.


Jason: The first thing I think you mentioned it is that we do make all of our reports available to our clients under a nondisclosure agreement. If you are a client of Online Tech or a potential client, we will make our reports whether it’s HIPAA, PCI, or any of SAS reports, we will make those available to you. We’re all about transparency. In our mind, if we’re not willing to show you our report to show you what we’re doing and show you how our independent auditors are grading us against the requirements, then we’re probably trying to hide something. We show our reports.

We’re always looking at ways in which the industry is measuring people. For example, like cloud e-assurance, we are not part of that, but we are always looking at different ways in which we can provide more transparency around our services and our security around our services. The best thing that we feel we can do at this time is to make sure our report is available and we do that for our potential and our existing clients under a nondisclosure agreement.


Brandon: That’s fantastic. I really appreciate and I’m sure your customers do also that level of transparency. Bob, I want to ask you, and Troy feel free to chime in on this one as well from the technical perspective, as we get into those levels of transparency and the sharing of some of those audit reports, how is it that your organization is working with others like the Cloud Security Alliance to publish audit guidelines, and then reconciling that with the vendor community to say here are some things you might want to let your customers know, or here’s the direction that we’re going to be taking so that you have the tool sets that you need to offer those assurances?


Bob: I think, for us at the Council, we are looking at validating the payment card transaction and the lifecycle payment card data as it exists wherever that might be in both more traditional payment acceptance channels and use of new technologies whether that be mobile, cloud, or what have you. We have had many conversations with stakeholders in the industry and Cloud Security Alliance and others.

I think for us rather than trying to focus on recreating and having technology specific audit functions, what we look to is how are ways that we can minimize the footprint and still take advantage of new technologies? One thing that we haven’t done in the conversation yet is promote some of the security benefits that we see from the PCI Council perspective if we look at zero-day exploits and the roll out of virtual networks, what was a very challenging requirement within our PCI standards to update and patch systems within 30 days now becomes possibly a matter of 30 minutes across an entire enterprise if they’re effectively using cloud services.

I think from our perspective it’s been less on time, how do you audit specifically against the cloud but be sensitive to those types of issues such as logging and other items that the other gentleman have mentioned and how do you address them effectively and in the same way that would expect the integrity of other types of payment transactions.


Brandon: Let’s talk a little about logging. One of the things that comes up pretty frequently when I talk both on web events and in live events is the logging burden that the requirements place on organizations. Obviously, that’s critical to the [Inaudible 00:32:47] what’s going on in and around the cardholder environment. Can you give some folks some [Inaudible 00:32:52] advice or perhaps some direction that might help them overcome that because that seems to be a sticking point for a number of folks?


Jason: Around the logging itself, I think we provided some flexibility as to how merchants can go about identifying that. I will say probably that the fundamental message that we promoted when it comes to logging is obviously there needs to be integrity of the transactions. With certain types of instances like software service and you’re usually leveraging the same applications across multiple merchants there are some challenges. We saw not a breach, but we saw a merchant raise concerns when they saw their customer’s cardholder data was being shared in the same memory space as another merchant, and there was in that case a logging trail to identify who had had access to that information.


What we have seen is some merchants when they’ve been identified as a common point of purchased that’s how the brands or the banks triangulate to find out where fraud has originated from, they’ve gone back to their cloud service providers and not had the evidence to help defend that they had done all their due diligence to protect the customers cardholder data. Sometimes just not having the logs but the cloud service provider said there’s no agreement in place for us to even help coordinate and support a forensic investigation.

I think when it comes to logging, the requirements are, I think, manageable in the cloud, but there has to be probably less use of public services and shared services among multiple organizations. Merchants have to make a very sound business decision as to what benefits they’re getting from using the cloud compared to what type of risk may be introduced by sharing resources with other entities that they would not have transparency into what they were doing.


Brandon: You bring up that spectre of shared resources. There’s a lot of variability with regards to the isolation of systems in cloud providers. Jason, what kind of advice can you give us with regards to logging and monitoring of elements within the cloud space as it relates to that multi-tendency or shared environment?


Jason: I think there were a couple of points that I heard there. I think anybody who’s looking at a hosting provider to help them with some sort of compliance should ask them what type of support they have in the even that they do need to prove that they’ve been doing what they need to do and they had a breach. You never want to be left out in the cold, so to speak. When you’re having an issue, you look to your hosting provider who no doubt has a lot of data and will need to spend a lot of time with you in the event you do have an issue. You never want to be left out in the cold, so ask them what type of support you have in the event that you do need them to provide documentation and to get on phone calls with whoever it may be.

The second thing is that there’s a list of requirements that you being the PCI compliant provider needs to take of. If you have any confusion or questions on which one can’t be offloaded to your hosting provider, which ones can be, which ones are shared responsibilities because there’s a list of requirements that can’t be fully owned by a hosting provider, but they can help offload some of the support. You need to start with those requirements; understand what the hosting provider is taking care of for you; what their joint cooperation where they’re taking care of some of the requirement, you’re taking care of others; and what are the requirements that you, the company, has to take care of solely.

Understanding what all those are, and then asking the hosting provide if it’s something the hosting provider solely owning for you, ask them how they’re going to help you prove this in the event that there’s an issue. As long as you do your due diligence, understand all of those things, then it shouldn’t be a surprise to you what happens in the event that you do have a disaster of some sort.


Brandon: Great advice. Randal, what are your thoughts on getting that level of isolation moving to a cloud and getting those assurances worked out?


Randal: I think Jason touched on a few critical points. One is doing your due diligence. You don’t want to be figuring this stuff out after you’ve had a breach or you’ve had some sort of incident occur. Ultimately, we’ve been working with a number of cloud providers and I would tell you that there is a strong awareness, not only to be able to provide customers’ access to data when they need it, but put a little more forethought into it and be proactive and starting to develop, let’s say, different product solutions that in advance provide this. When the incidence, continuous monitoring or asset management, any one of those logging capabilities that are needed is provided up front to the customer so that they have that isolation of responsibility, not just for the customers so they get the information that’s relevant to what they’re looking for, but also so that the cloud providers aren’t having to mind millions of lines of data just to provide relevant information. The due diligence piece is the most important.

Again, when you look at how you apply your policies and your controls to your data, to your credit card environment, ensuring that those are in line with your expectations going into your relationship that you have with your cloud provider, and also making sure that you have access to those appropriate systems of logging, which is extremely important.


Brandon: Excellent, excellent. I love having both Randal and Jason on this call to that perspective about inside and outside. I think that’s fantastic. I want to shift gears a little bit here, Bob. I want to toss a question out that came in from the audience. I’m going to paraphrase a little bit to give a little background as well.

We saw with the release of other best practice frameworks around infrastructure protection and data protection ... NIST 853. We’ve seen this with ISO. Usually, if you flip to the appendices on these frameworks and such there’s going to be some sort of a mapping between then usually at a pretty high level. I see that the bar for due care, that being what a reasonable person in similar circumstances would do, it’s hard to assess with these really broad spectrum frameworks. Because the PCI Security Standards Council is dealing with such a specific data set that is so pervasive because credit cards are taken everywhere, I’ve often half joked and half not said that DSS is going to become the de facto standard of due care for protecting any kind of personally identifiable information.

To that end, how are you guys reconciling your controls and your control sets and aligning those with organizations what may have other regulatory burdens? Are you giving guidance to how these things relate, how they map, and how they support or augment one another in your future releases, obviously, the one that’s going to be coming out here shortly?

Bob: The short answer is no, we’re not. As you say, we are pretty succinct is what it is that we are trying to protect and that’s cardholder data. That being said, you also made a good point that people tend to use PCI as springboard for all intents and purposes to get more security into their organizations. To answer your question in terms of how do we relate with other standards of someone using or having to comply with another standard, very often the assessment community has those charts, those graphs, those relationships mapped out. Very often they’ll do it as part of their selling tool where they’ll come in and say, “You already need to be compliant with SAS, and if you’re compliant with SAS or GLBA you’re already 70% of the way toward PCI compliant.”

We are, as you said, pretty prescriptive in what we say. The other frameworks you mentioned in a lot of cases sit at 50,000 foot level and tell you you need to be secure. Okay, wonderful but how do I do that? That’s where PCI departs from those things. We not only tell you you need to be secure, we tell you how to go about doing it.


Brandon: Randal, would you have anything say on that in the consultative conversations that you’ve been having with your customer base about cross linking between some of their various constituents and the control libraries that are being in their various audit activities?


Randal: Absolutely, absolutely. As you said, if you’re SAS compliant you’re 70% there. Same thing can be said across the board with a number of the compliance frameworks. The way that we’ve approached it and the way that we’ve handled it with some of our customers. If you take the universities, for example, in order for a university to get a Federal grant they have to be compliant. The other big problem that a lot of the universities run into is that they need to be PCI compliant. What we’ve done is we map our control configuration policies trust zones. If you have an asset that needs to be PCI compliant it sits in that trust zone and those policies are applied, and the monitoring, and the auditing, and all that stuff automatically. In addition, what you find is as they have these needs for business, that same asset can sit in the business compliance framework and those frameworks are applied, they’re monitored, and then they’re audited on, and it gives the end customer the ability to understand where their strengths are and where their weaknesses are. That goes across the board.


Brandon: Great, great. Folks, we have about 15 minutes total left in today’s discussion. I know Kelly has some closing remarks and each of you have some additional insights that you would like to share as well. I want to go across the group here and I want to hit all four of you because I think, Bob, you and Troy are probably going to different insights here. I want to say if you have one thing that people takeaway from today’s conversation in the short time that we’ve actually had together, what would it be?

Jason, I want to start with you. If you were going to give that one salient piece of advice, maybe something was covered and you want to reinforce it or maybe something that we haven’t had time to get to that you want to folks to takeaway today what would it be?


Jason: I think we have talked about it today. I just want to reinforce it that take the requirements test lists, understand what your hosting provider is doing for you, understand what you are solely responsible for, and make sure that you’re going to have the data to support if there’s ever an issue in the future. Do your due diligence, know the requirements, and know what data you have at your fingertips to support those requirements in the event of an issue.


Brandon: Fantastic. That’s a great summation. Randal, what, from your point of view, do you think people to be most concerned about or looking forward to as they move down this path?


Randal: Sure. The thing I would say is I would touch again on the concept of due diligence. There was a point in time where organizations and virtualization was coming about and people went back and they looked and they said, “Okay, what applications do we know that we can migrate to a virtual environment?” That was within just their data centers. Now what you have is you have a number of institutions that are looking and saying, “How do we take advantage of this is great opportunity to save money and move to the cloud?”

What I would say is in your due diligence process make sure that you’re taking a significant look at your physical perimeters and a lot of your legacy security practices that you have in place and ensure that you’re able to make the transition as you move into these cloud providers that have more sophisticated software based security solutions and ensure that the operations and the frameworks that you have in place match up. That’ll go a long ways to make sure that your transition is a successful one.


Brandon: Probably also has a significant impact on the cost analysis too if you’re essentially duplicating a cost on those control sets, maybe getting some alignment with regards to your contractual measures with your various providers be it in scope or out of scope assets that you’re moving. Very good advice.

Bob, from your perspective, before we get to Troy because I know Troy may be a little more on the technical side, from a business angle and the PCI Standards Council, what are your thoughts on what people should be taking away from today’s conversation first and foremost?


Bob: I think you may enter into a cloud agreement thinking that you have less to do. In all instances, you have to do the same controls that you would do if this were physically in your location. Now that it’s on a cloud service provider you still have to do the same things. You have to make sure that all of these things are secure. I think the watch word here is caution in terms of everybody saying do you due diligence. Due diligence becomes very different when you’re trying to solve a problem and you have somebody waving a flag in your face saying, “Hey, this is cheaper and we guarantee that it’s secure.” Okay, I’ll do it.

I think that the watch word here is caution. Certainly, cloud computing has tremendous advantages for merchants, but make sure, in fact, that you are doing your due diligence. I think Jason said before make sure you’re asking these people what if this happens, what do I do, what can you show me, what do you have in place, and so. I think you really have to get those what-ifs answered before you can really feel secure that everything is okay and that you’ve covered all your bases when it comes to cloud computer.


Brandon: It doesn’t necessarily make it easier at the beginning, but perhaps there’s some long-term benefits that can be explored in greater detail. Good point. Troy, what would you like to add to this equation here?


Troy: Just continuing on with what Bob said, I think for those that are looking at exploring relationships and cloud service provider having preplanned questions and document with that cloud service provider who is going to be responsible for what requirements as it relates to PCI so that there’s a formal process, and there’s a formal recognition by both parties as to who should be responsible for what.

I think, in addition, what we’ve covered briefly in this call is find ways to devalue any sensitive information in the cloud whether that’s encrypting the information before it’s shared, using tokenization or other mechanisms, try to find ways to devalue the information so that you can get the benefit of using cloud technology without the risks and some of the compliance burden.


Brandon: Great, guys. I appreciate all your time, all your insights. There have been a couple of questions, unfortunately, we haven’t had a chance to take more than a couple, actually quite a few and there are a couple still trickling in that we haven’t had a chance to get to. I know each of you has something additional that you would like to share. I just want to thank you all for your time and preparing for today’s event and also for your participation today. Big thanks to IT GRC Forum to having me here. Kelly, I want to turn things back over to you because I know we have a drawing. We have a whole bunch of other elements to take care of, put the ball back in your court. Thank you.


Kelly: Great. Thanks, Brandon. Thanks for a great discussion today everyone. Thanks to our attendees for your questions. If we didn’t get to those questions we will respond by email. I’d like to remind all the listeners that we have the slides and white papers available for viewing through the attachments tab there in your consoles.

Before our prize draw we just have time for some closing remarks and to give you some contact information if you’d like to follow up with any of the panelists directly. Bob, I’ll start with you. I see you have some guidance for maintaining PCI controls in the cloud. Can you tell us a little bit about this?


Bob: Yeah, sure. First let me give my email address which is brusso@pcissc.org. As cloud computing really becomes increasingly attractive to businesses pretty much of all sizes this is an area where companies need to know how to apply PCI. Applying PCI to the cloud environment really can be a challenge as you’ve heard throughout the discussion today. By its distributed nature and dynamic infrastructure, you’re dealing with multiple parties handling data in many different ways. Businesses really need to be aware of the risks and more importantly the challenges that are associated with a particular cloud choice before you move your payment data services into that cloud environment.

To that end, the Council, as you mentioned, the Council has documentation on our website, the PCI DSS Cloud Computing Guidelines, that were developed both by businesses using the cloud as well as companies that are selling cloud computing technology as part of a special interest group that we have. It’s really a good starting point. Visit the website and download this guidance. I think you’ll find it very, very helpful.


Kelly: Bob, thank you very much. Jason, I have your contact details here. Do you have any further information you’d like to share?


Jason: No, contact information, couple white papers on the slides. If anybody has questions, resource.onlinetech.com is our blog site, which has a ton of information and hopefully some things that can help anybody here with any of the questions they have. I’m also available for any questions that people may feel they have for me. Feel free to shoot me an email anytime. I’d be more than happy to talk to anybody.


Kelly: Perfect. Thanks, Jason. Last but not least, Randal, I have your closing slide up here. Do you have anything that you’d like to add?


Randal: I would just encourage folks to take a look at our PCI white paper. It’s a two-facet approach. We look at how you can reach your PCI compliance, your virtual asset management via your internal or your private cloud. A lot of those same methods and controls definitely migrate over to your public cloud. Again, read our information. My contact information here is rasay@catbird.com. Please reach out to me, I’m always available and I’d be more than happy to talk with anybody.

Kelly: Great. Thanks, Randal. Just time for our prize draw before we end for today. We’re giving away a $2,950 pass to the Cyber Security and Digital Forensics Exchange being held in Texas next month on December 8th through the 10th. The pass is for the entire three-day event that includes meals and two nights hotel accommodation, so good luck to everyone. The winner, chosen at random, is Trey Robinson from Expedia. Congratulations, Trey. We’ll contact you shortly to arrange the details.

Before we leave you today, please take a moment to provide us with your feedback on the session through the ratings tab and let us know if you have any topic requests. We value feedback and take it into consideration when planning for our future events. If you’d like additional information related to today’s topic please visit itgrcforum.com, where you can access our resources for free.

Once again, I’d like to thank all of today’s speakers for joining us with a special thanks for our sponsors, Catbird and Online Tech, without whom these events would not be possible. Of course, thank you to our attendees for listening. Please stay tuned to confirm your position on our next event and have a great day everyone.


Jason Yaeger, Risk Management & Security Officer, Online Tech

Jason YaegerJason Yaeger is Online Tech’s Risk Management and Security Officer. In his three years at Online Tech, Jason has guided the company through successful completion of many audits, including SAS 70 Type I, SAS 70 Type II, SSAE 16, SOC 2, HIPAA, and PCI.

In addition to overseeing operations across all of Online Tech’s data centers, Jason is also the Vice President of the Southeast Michigan Chapter of 7x24 Exchange. Prior to Online Tech, Jason was Director of Internet Operations at 20/20 Communications where he spent 8 years developing the company’s wireless and internet initiatives.



Webinars    |    Online


Get started now. Exceptional service awaits.