
PCI and the Cloud

PCI and the Cloud. Paul Court - Technical Operations Director - Claranet UK. Payment and Fraud Conference - 11th February 2010. Who are we?. A Managed Services Provider. A technically astute partner offering Networks, Hosting and Managed Applications Services.



Presentation Transcript


  1. PCI and the Cloud. Paul Court - Technical Operations Director - Claranet UK. Payment and Fraud Conference - 11th February 2010

  2. Who are we? A Managed Services Provider. A technically astute partner offering Networks, Hosting and Managed Applications Services. An experienced company with 36,000 business customers and 550 employees spread across 7 countries.

  3. PCI and the Cloud: Hosting, Challenges for a new era

  4. The Hype “Cloud Will save you Money” “Virtualise your estate and Save!” “Cloud is the future of Services Computing” “Unrestricted Cloud Computing – All you Can Eat” “The future is Virtualisation!!!”

  5. PCI and the Cloud: Overview of the Differing Systems

  6. The Standard Server Model

  7. Virtualising a Server: Optimise, Consolidate. A traditional server can only support a single Operating System and Application. A server running a Hypervisor can support multiple Operating Systems, each supporting a different application.

  8. The Virtualised Server Model: Fault Tolerance

  9. The Cloud Services Model

  10. PCI and the Cloud: What are the Risks?

  11. Data Security Risk Assessment (scale from LOW RISK to HIGH RISK): Standard Model, Virtualisation Model, Cloud Model

  12. Compliance vs PCI Standard

  13. PCI and the Cloud: What do the QSAs Say?

  14. QSAs Interviewed on Cloud: “it’s so left field we would have to charge a consultancy to even give an opinion on it”

  15. QSAs Interviewed on Virtualisation: “There is some debate on Virtualisation in the PCI arena, however, in our opinion, it is an acceptable solution if done correctly. These Virtual servers will be treated as any other servers and will follow the required guidelines as they are in the PCI DSS standard.”

  16. PCI and the Cloud: Is it possible to run Virtual services?

  17. Going Forward
     • There is talk about including some requirements for Virtual servers in later releases of the PCI DSS standard.
     • The PCI sub-committee is yet to return any guidance on Virtual services.
     • “The one thing that is not acceptable from a PCI standpoint in a virtualised environment are virtualised firewalls”
     • “At this point, Cloud is not deemed acceptable in any shape or form”

  18. Our Solution (architecture diagram; components shown: Physical Firewall, Virtual Servers, Physical Firewall, Database, Private Cloud)

  19. PCI and the Cloud: What do I need to know / ask?

  20. Have a Published Technology Strategy
     • You need an opinion, as your peers will want to know your strategy; not addressing cloud and virtualisation head-on is dangerous.
     • Publish a strategy and enforce it internally.
     • Make sure all stakeholders know the risks as well as the rewards.

  21. Look out for Shadow IT
     • Shadow IT is a term often used to describe IT systems and IT solutions built and used inside organisations without organisational approval or without organisational understanding of the risks.
     • See previous point.

  22. Ask your vendors
     • If your vendors can’t give you their opinion or strategy in relation to virtualisation, PCI and Fraud Prevention, should they be your vendors?

  23. PCI and the Cloud: Conclusions

  24. Conclusions
     • Cloud computing is very good for sites that don’t require regulatory approval (although the DPA should be considered).
     • Virtualisation can be used, but under strict guidelines and with PCI in mind from the design phase.
     • Not one of the QSAs interviewed would certify a system based on a Cloud computing platform.
     • Virtualisation is PCI compliant as long as it’s not a generic “V service” but is part of a managed solution.

  25. Cloud Overview

  26. Any questions?
