PCI and the Cloud
Paul Court - Technical Operations Director - Claranet UK
Payment and Fraud Conference - 11th February 2010

Who are we?
• A Managed Services Provider
• A technically astute partner offering Networks, Hosting and Managed Applications Services
• An experienced company with 36,000 business customers
• 550 employees spread across 7 countries
PCI and the Cloud: Hosting, Challenges for a new era

The Hype
• “Cloud Will save you Money”
• “Virtualise your estate and Save!”
• “Cloud is the future of Services Computing”
• “Unrestricted Cloud Computing – All you Can Eat”
• “The future is Virtualisation!!!”
PCI and the Cloud: Overview of the Differing Systems

Virtualising a Server: Optimise, Consolidate
• A traditional server can only support a single Operating System and Application
• A server running a Hypervisor can support multiple Operating Systems, each supporting a different application

The Virtualised Server Model: Fault Tolerance (diagram)
PCI and the Cloud: What are the Risks?

Data Security Risk Assessment (diagram, ordered from LOW RISK to HIGH RISK)
• Standard Model
• Virtualisation Model
• Cloud Model
PCI and the Cloud: What do the QSAs Say?

QSAs Interviewed on Cloud
“it’s so left field we would have to charge a consultancy to even give an opinion on it”

QSAs Interviewed on Virtualisation
“There is some debate on the Virtualisation in the PCI arena, however, in our opinion, it is an acceptable solution if done correctly. These Virtual servers will be treated as any other servers and will follow the required guidelines as they are in the PCI DSS standard.”
PCI and the Cloud: Is it possible to run Virtual services?

Going Forward
• There is talk about including some requirements for Virtual servers in later releases of the PCI DSS standard.
• The PCI sub-committee is yet to return any guidance on Virtual services.
• “The one thing that is not acceptable from a PCI stand point in a virtualised environment are virtualised firewalls”
• “At this point, Cloud is not deemed acceptable in any shape or form”

Our Solution (architecture diagram): Physical Firewall, Virtual Servers, Physical Firewall, Database, Private Cloud
PCI and the Cloud: What do I need to know / ask?

Have a Published Technology Strategy
• You need an opinion, as your peers will want to know your strategy; not addressing cloud and virtualisation head-on is dangerous.
• Publish a strategy and enforce it internally.
• Make sure all stakeholders know the risks as well as the rewards.

Look out for Shadow IT
• Shadow IT is a term often used to describe IT systems and IT solutions built and used inside organisations without organisational approval or without organisational understanding of the risks.
• See previous point.

Ask your vendors
• If your vendors can’t give you their opinion or strategy in relation to virtualisation, PCI and Fraud Prevention, should they be your vendors?
PCI and the Cloud: Conclusions

Conclusions
• Cloud computing is very good for sites that don’t require regulatory approval (although the DPA should be considered).
• Virtualisation can be used, but under strict guidelines and with PCI in mind from the design phase.
• Not one of the QSAs interviewed would certify a system based on a Cloud computing platform.
• Virtualisation is PCI compliant as long as it’s not a generic “V service” but is part of a managed solution.