In this webinar, Phil Cox, Director of Security and Compliance at RightScale, and a certified Qualified Security Assessor (QSA) from an earlier role, will explain how his organization went about the task of meeting PCI compliance in their cloud deployment. Phil will share his best practice recommendations for PCI, identify potential pitfalls to watch out for and discuss what benefits RightScale has experienced with CloudPassage Halo. Rand Wacker, VP of Products at CloudPassage will join him. Who Should Attend: CSOs, CISOs Security Directors and Practitioners Compliance Managers What You Will Learn: Why static security architectures break Software-as-a-Service business models RightScale’s process for meeting PCI Compliance on cloud servers Best practices to leverage and pitfalls to watch out for Why CloudPassage Halo was the right choice for RightScale What benefits RightScale saw in their Halo deployment

1. Peer Stories:
How RightScale Achieved
PCI Compliance on Cloud Infrastructure
Phil Cox
Rand Wacker
Director, Security &
Compliance
RightScale
VP, Products
CloudPassage
1

2. About The Presenters
Phil Cox
Rand Wacker
• RightScale, Director of
Security and Compliance
• CloudPassage, VP of Products
• Multiple PCI SIGs
• Cisco Security, IronPort, UC
Berkeley Security/Network Ops
• 20+ years InfoSec
Twitter: @randwacker
Twitter: @sec_prof
2

3. Introducing RightScale
RightScale pioneered IaaS cloud management
• Enables organizations to manage all of their cloud infrastructure
• Established in 2006, partners with all major cloud providers
• Has launched nearly 6 million servers with the RightScale
management platform
3

4. RightScale’s PCI Challenge
• Payment processing servers are in scope for PCI DSS
• Built and runs on Amazon Web Services (AWS) for the Infrastructure-asa-Service (IaaS) benefits
• Required PCI DSS compliance on AWS servers
With background as a Qualified
Security Assessor, confident PCI
DSS compliance could be achieved
in an IaaS environment
4

5. PCI Shared Responsibility (IaaS)
Data
– OS, application, and data
– And the compliance of these
components
App Code
App Framework
Operating System
Virtual Machine
– Infrastructure, networking,
storage, and virtualization
mechanism
– And the compliance of these
components
Hypervisor
Compute & Storage
Shared Network
Physical Facilities
5
Provider
Responsibility
• Service provider responsibility
Customer
Responsibility
• Customer responsibility

6. One Approach From the CSA
1.
Plan PCI DSS controls for as though your IaaS infrastructure
is your on-premise network
2.
Realize which elements you do not control since it is really not
an on-premise network (e.g. physical facilities)
3.
Talk with a service provider on whether they can and will
cover the elements they control for compliance
4.
Realize which controls don’t apply verbatim to the cloud
environment and figure out how to compensate
6

7. Options for Achieving PCI DSS
Compliance
• RightScale used its own proven cloud management
platform to deploy the PCI cloud servers in the AWS
• Still needed ongoing visibility and intrusion detection
capabilities in an IaaS environment. Either:
– Build it themselves using traditional security tools
– Buy a cloud security and compliance product
RightScale chose
CloudPassage Halo
to speed up efforts
7

8. Why RightScale Picked Halo
• Purpose-built for cloud
environments, requiring no development
resources
• Visibility into servers running within an
IaaS infrastructure
• Real-time monitoring and enforcement
• Support for any cloud platform
8

9. Benefits Experienced with Halo
• Saved Time and Resources
– Saved 6 months of development
time with a part-time staff person
– Takes 1/5 the management time
(2 hours a week with Halo versus
¼ FTE for other tools)
9

10. Benefits Experienced with Halo
• Established RightScale as a Trusted Advisor with
Customers
– Used as part of RightScale’s reference architecture for PCI DSS
compliance
– Runs on any virtual or cloud platform, protecting various customer
environments
10

11. Benefits Experienced with Halo
• Helped Enable Sales
– Went to market faster
– Enabled sales to pitch Halo along with RightScale for
compliance
11

12. Best Practices for PCI DSS Compliance
in IaaS
• Select from PCI Approved Service Provider with the
IaaS features you need
• Avoid storing the Primary Account Numbers (PANs)
• Use purpose-built cloud security products
(we recommend CloudPassage Halo)
12

13. Poll: PCI Status
• What is the status of your PCI initiative (IaaShosted or otherwise)?
–
–
–
–
We have passed our audits and are fully operational
We have an audit planned within the next year
We are investigating what it will take to be PCI compliant
No plans to go through PCI audits
13

14. Using CloudPassage Halo for
PCI Compliance
14

15. Halo is a security-as-a-service
that enables cloud adoption.
• Software-as-a-Service delivery
• Private cloud / SDDC / IaaS
• Elastic application hosting
• Big data analytics
15

16. Halo consolidates multiple critical
security & compliance controls.
Cloud Firewall
Automation
File Integrity
Monitoring
Multi-Factor
Authentication
Server Account
Managements
Security Event
Alerting
System & Application
Config Security
Vulnerability &
Patch Scanning
REST API
Integrations
16

17. Halo architecture is
highly
scalable, automated, and is
rapidly deployed.
www-1
mysql-1
bigdata-1
Halo
Halo
Halo
Halo Admin
Web Portal
Halo REST
API
gateway
17
Halo Security
Analytics
Engine

18. Halo works in any environment.
18

19. Example Security & Compliance
Automation with Halo
1
Halo activates firewall on boot, applies latest
policies, and orchestrates ongoing policy updates.
2
Halo secures privileged access via dynamic firewall
rules triggered by multi-factor user authentication.
3
Halo scans O.S. configurations for vulnerabilities
and continuously monitors O.S. state and activity.
4
Application configurations are scanned for
vulnerabilities and are continuously monitored.
5
Cryptographic integrity monitoring ensures app
code and binaries are not compromised.
6
Halo monitors system binary and config files for
correct ACLs, file integrity, and vulnerabilities.
7
Application data stores are monitored for access;
outbound firewall rules prevent data extrusion.
1
4
Application
Engine
5
Application Code
6
7
App Storage
Volume
System Storage
Volume
System Administration Services
2
Halo Daemon
Operating System
Workload VM Instance
3

20. Halo PCI Coverage
20

21. Halo Grid: PCI & SOC2
• Certified Level 1 Service Provider
– First entirely cloud-based vendor certified across multiple CSPs
– Hosted in Rackspace Cloud & AWS, with full DevOps automation
• Multiple customers recently cleared PCI QSA audits
• Recently announced: SOC2 certification
21

22. Poll: PCI & IaaS
• What percentage of your “in-scope” PCI systems
run in a private or public IaaS infrastructure?
– 100% of in-scope PCI systems on IaaS
– PCI in-scope systems run across mix of IaaS and traditional
infrastructures
– No in-scope systems on IaaS (all on traditional physical
hardware)
– N/A, we run no PCI in-scope systems
22

23. Wrapping Up
23

24. Summary
• PCI compliance on IaaS is possible
• Responsibility shared with cloud provider
• Security and management must be designed to
work in dynamic, highly automated clouds
• CloudPassage Halo designed and built to automate
compliance in today’s complex environments
24

25. Q&A and Resources
PCI Compliance in the
Public IaaS Cloud:
How I Did It
cloudpassage.com/pci-kit
blog.rightscale.com
25

26. Thank You!
Phil Cox
Rand Wacker
• Email: phil@rightscale.com
• Email: rand@cloudpassage.com
• Twitter: @sec_prof
• Twitter: @randwacker
www.rightscale.com
www.cloudpassage.com
26