Click here to close now.




















Welcome!

Cloud Security Authors: Liz McMillan, Tim Hinds, Pat Romanski, Elizabeth White, Ian Khan

Related Topics: @CloudExpo, Java IoT, Microservices Expo, Containers Expo Blog, IoT User Interface, Cloud Security

@CloudExpo: Article

PCI Compliance for Retailers from the Cloud Perspective

Looking at individual PCI requirements and how they are addressed from the cloud

One of the key drivers to IT security investment is compliance. Several industries are bound by various mandates that require certain transparencies and security features. They are designed to mitigate aspects of risk including maintaining the sacrosanctity of customer information, financial data and other proprietary information.

One such affected vertical is retail. No matter if you’re Wal-Mart or Nana’s Knitted Kittens, if you store customer information; if you process payments using customer’s credit cards, you are required by law to comply with a variety of security standards. Although there are several auditing agencies and mandating bodies, today we will concentrate on the one compliance agency that is typically applicable to every retailer-PCI.

PCI (Payment Card Industry) enforces Data Security Standards that looks to ensure that ALL companies that process, store or transmit credit card information maintain a secure environment. Now of course, not all merchants are created equal. Nana obviously doesn’t process the volume or the dollar amount of a national or even a high traffic regional retailer. However, this doesn’t let Nana off the hook. Her online shopping cart still needs to be Payment Application DSS validated (PCI compliant). She still is required to pass security audits of her network…just not as often.

But for the sake of this example, let’s assume you are a retailer who processes more than 20,000 transactions a year and the administrative burden of PCI is a real concern. In fact, it is a business necessity to maintain merchant accounts with VISA, American Express and MasterCard. And it is hugely important to keep the confidence of your customers. Fines for non-compliance aside, a breach of your network could cost millions of dollars. And that doesn’t begin to calculate the cost of customer defection through loss of trust.

Most, if not all, retailers have some sort of PCI monitoring in place. However, they are often cumbersome, expensive and resource heavy. Additionally, too many retail organizations don’t employ a compliance officer, much less a dedicated security person. This doesn’t mean these functions aren’t part of someone’s job description. Typically, they are yet another line item in a plethora of competing priorities and mission critical initiatives. In that security can be considered a cost center, the move to simply do the bare minimum to meet compliance is often an attractive alternative. Until now. Until the cloud. More specifically, a holistic enterprise security initiative deployed and managed from the cloud.

So how does cloud-based security/security-as-a-service meet the requirements of PCI while driving down costs, freeing up personnel resources and providing an easy-yet-comprehensive suite of capabilities and functions?

The easiest way to illustrate the potential is to look at the individual PCI requirements and how they are addressed from the cloud:

1. Protect Data: A cloud-based SIEM offering can accomplish the most important feature of this requirement: the ability to instantly recognize any change, intrusion or activity to your firewall IN REAL TIME. That’s the key. There isn’t the lag of looking at all the logs a week later when the damage has been done, or not being able to tell a suspicious action from a white noise false positive. Whereas many SIEM products can do just this, ones from the cloud provide the additional benefit of 7/24/365 monitoring across the entire enterprise. And, you get a scope of visibility of Fortune 500 class protection for literally pennies on the dollar.

2. No vendor-supplied defaults for system passwords and other security parameters: This process is typically enforced by an identity management protocol. The system includes a password management and synchronization feature. The overarching benefit here is SIEM and identity management are two separate functions from two separate applications. However, applying a holistic solution from the cloud gives you the additional flexibility to recognize new accounts, check device configurations and know when and where configurations have deviated from your standards including the entry of too many incorrect passwords

3. Protect cardholder data: Not only are you required to protect and store data, but ensure encryption of any transmission of that data across public networks. The application of situational awareness is  an effective means of capturing, encrypting and storing (and destroying) certain pieces of information and then providing the auditing regulatory agency with proof that your best practices are in line with internal and external policies. This is the heart of your security and should be treated as such. For instance an immediate alert can be escalated if anyone pings the server in which your data is stored and you can instantly move to block them out or allow access depending on their internally designed permissions.

4. Maintain a Vulnerability Management Program: This includes securing SaaS applications and regularly updating anti-virus software. Again the answer is in the clouds. Single sign on and web authentication can tie together all the permissible applications and provide user provisioning. What makes this especially valuable in the cloud is the speed in which connectors can be created and distributed to only those who require the application. For instance, shipping doesn’t need to see the HR applications and marketing doesn’t require access to inventory programs.

5. Implement strong access control methods: As PCI specifically says access to personal and sensitive data is on a “Business need to know,” cloud-based identity managementprovides control and creates specific provisioning on who can see what and have access to which data. It gives you the visibility and the audit reports to show who accessed what, when and from what device.  Again, the cloud version of this solution ties it together with all the other security solutions giving it true enterprise context.

6. Collect logs and applications impacted by PCI: Log management is one of the most time intensive aspects of security. Not only do the logs need to be collected, but they also need to be studied for traffic patterns, suspicious anomalies, improper or failed access and create an audit trail for card processing systems. An automated system can only do so much and most organizations don’t spend a great deal of man hours scouring millions of lines of machine code. That’s where log management from the cloud is a huge time and asset saver. Not only does it have the automation to review and categorize this code, but security-as-a-service provides the additional human expertise to piece together the situational awareness from multiple silos to give a true report of the security of the enterprise. It’s like having an expert analyst on staff without the associated costs. And of course, those logs can be archived in accordance with PCI requirements for 1 year.

PCI is just one agency with its strict set of requirements. Now imagine the cost and personnel savings  when having to comply with multiple agencies. A VP of Ops from a nationally recognized retail company told me he deals with six agencies on a regular basis. Without a holistic and centralized security approach, he would waste endless hours through redundant reporting. With the application of security centralization, 75 hours per month becomes 10. And more importantly, the degree of accuracy of the reporting is significantly better.

In the above six line items, I described four or five different solutions. That in itself can be a heavy investment...unless you look at layering in the cloud. If you are inclined, there is a growing best practice platform of unified security whereby a company can achieve all these goals by leveraging all the solutions into one single source managed from the cloud (cost-effective, enterprise-powered and compliance -ready). But, that is enough ammunition for several other blogs...so keep posted.

So if compliance is one of your banes of business, maybe it’s time you took a deeper look at the cloud.

Kevin Nikkhoo
Always PCI compliant! (HIPAA compliant too. And CIP, and SOX, GLBA and many, many others!)
www.CloudAccess.com

More Stories By Kevin Nikkhoo

With more than 32 years of experience in information technology, and an extensive and successful entrepreneurial background, Kevin Nikkhoo is the CEO of the dynamic security-as-a-service startup Cloud Access. CloudAccess is at the forefront of the latest evolution of IT asset protection--the cloud.

Kevin holds a Bachelor of Science in Computer Engineering from McGill University, Master of Computer Engineering at California State University, Los Angeles, and an MBA from the University of Southern California with emphasis in entrepreneurial studies.

@ThingsExpo Stories
SYS-CON Events announced today that IceWarp will exhibit at the 17th International Cloud Expo®, which will take place on November 3–5, 2015, at the Santa Clara Convention Center in Santa Clara, CA. IceWarp, the leader of cloud and on-premise messaging, delivers secured email, chat, documents, conferencing and collaboration to today's mobile workforce, all in one unified interface
WebRTC has had a real tough three or four years, and so have those working with it. Only a few short years ago, the development world were excited about WebRTC and proclaiming how awesome it was. You might have played with the technology a couple of years ago, only to find the extra infrastructure requirements were painful to implement and poorly documented. This probably left a bitter taste in your mouth, especially when things went wrong.
Too often with compelling new technologies market participants become overly enamored with that attractiveness of the technology and neglect underlying business drivers. This tendency, what some call the “newest shiny object syndrome,” is understandable given that virtually all of us are heavily engaged in technology. But it is also mistaken. Without concrete business cases driving its deployment, IoT, like many other technologies before it, will fade into obscurity.
While many app developers are comfortable building apps for the smartphone, there is a whole new world out there. In his session at @ThingsExpo, Narayan Sainaney, Co-founder and CTO of Mojio, will discuss how the business case for connected car apps is growing and, with open platform companies having already done the heavy lifting, there really is no barrier to entry.
As more intelligent IoT applications shift into gear, they’re merging into the ever-increasing traffic flow of the Internet. It won’t be long before we experience bottlenecks, as IoT traffic peaks during rush hours. Organizations that are unprepared will find themselves by the side of the road unable to cross back into the fast lane. As billions of new devices begin to communicate and exchange data – will your infrastructure be scalable enough to handle this new interconnected world?
SYS-CON Events announced today that Micron Technology, Inc., a global leader in advanced semiconductor systems, will exhibit at the 17th International Cloud Expo®, which will take place on November 3–5, 2015, at the Santa Clara Convention Center in Santa Clara, CA. Micron’s broad portfolio of high-performance memory technologies – including DRAM, NAND and NOR Flash – is the basis for solid state drives, modules, multichip packages and other system solutions. Backed by more than 35 years of technology leadership, Micron's memory solutions enable the world's most innovative computing, consumer,...
SYS-CON Events announced today that Pythian, a global IT services company specializing in helping companies leverage disruptive technologies to optimize revenue-generating systems, has been named “Bronze Sponsor” of SYS-CON's 17th Cloud Expo, which will take place on November 3–5, 2015, at the Santa Clara Convention Center in Santa Clara, CA. Founded in 1997, Pythian is a global IT services company that helps companies compete by adopting disruptive technologies such as cloud, Big Data, advanced analytics, and DevOps to advance innovation and increase agility. Specializing in designing, imple...
SYS-CON Events announced today that HPM Networks will exhibit at the 17th International Cloud Expo®, which will take place on November 3–5, 2015, at the Santa Clara Convention Center in Santa Clara, CA. For 20 years, HPM Networks has been integrating technology solutions that solve complex business challenges. HPM Networks has designed solutions for both SMB and enterprise customers throughout the San Francisco Bay Area.
Consumer IoT applications provide data about the user that just doesn’t exist in traditional PC or mobile web applications. This rich data, or “context,” enables the highly personalized consumer experiences that characterize many consumer IoT apps. This same data is also providing brands with unprecedented insight into how their connected products are being used, while, at the same time, powering highly targeted engagement and marketing opportunities. In his session at @ThingsExpo, Nathan Treloar, President and COO of Bebaio, will explore examples of brands transforming their businesses by t...
With the proliferation of connected devices underpinning new Internet of Things systems, Brandon Schulz, Director of Luxoft IoT – Retail, will be looking at the transformation of the retail customer experience in brick and mortar stores in his session at @ThingsExpo. Questions he will address include: Will beacons drop to the wayside like QR codes, or be a proximity-based profit driver? How will the customer experience change in stores of all types when everything can be instrumented and analyzed? As an area of investment, how might a retail company move towards an innovation methodolo...
Through WebRTC, audio and video communications are being embedded more easily than ever into applications, helping carriers, enterprises and independent software vendors deliver greater functionality to their end users. With today’s business world increasingly focused on outcomes, users’ growing calls for ease of use, and businesses craving smarter, tighter integration, what’s the next step in delivering a richer, more immersive experience? That richer, more fully integrated experience comes about through a Communications Platform as a Service which allows for messaging, screen sharing, video...
The Internet of Things (IoT) is about the digitization of physical assets including sensors, devices, machines, gateways, and the network. It creates possibilities for significant value creation and new revenue generating business models via data democratization and ubiquitous analytics across IoT networks. The explosion of data in all forms in IoT requires a more robust and broader lens in order to enable smarter timely actions and better outcomes. Business operations become the key driver of IoT applications and projects. Business operations, IT, and data scientists need advanced analytics t...
A producer of the first smartphones and tablets, presenter Lee M. Williams will talk about how he is now applying his experience in mobile technology to the design and development of the next generation of Environmental and Sustainability Services at ETwater. In his session at @ThingsExpo, Lee Williams, COO of ETwater, will talk about how he is now applying his experience in mobile technology to the design and development of the next generation of Environmental and Sustainability Services at ETwater.
As more and more data is generated from a variety of connected devices, the need to get insights from this data and predict future behavior and trends is increasingly essential for businesses. Real-time stream processing is needed in a variety of different industries such as Manufacturing, Oil and Gas, Automobile, Finance, Online Retail, Smart Grids, and Healthcare. Azure Stream Analytics is a fully managed distributed stream computation service that provides low latency, scalable processing of streaming data in the cloud with an enterprise grade SLA. It features built-in integration with Azur...
Akana has announced the availability of the new Akana Healthcare Solution. The API-driven solution helps healthcare organizations accelerate their transition to being secure, digitally interoperable businesses. It leverages the Health Level Seven International Fast Healthcare Interoperability Resources (HL7 FHIR) standard to enable broader business use of medical data. Akana developed the Healthcare Solution in response to healthcare businesses that want to increase electronic, multi-device access to health records while reducing operating costs and complying with government regulations.
For IoT to grow as quickly as analyst firms’ project, a lot is going to fall on developers to quickly bring applications to market. But the lack of a standard development platform threatens to slow growth and make application development more time consuming and costly, much like we’ve seen in the mobile space. In his session at @ThingsExpo, Mike Weiner, Product Manager of the Omega DevCloud with KORE Telematics Inc., discussed the evolving requirements for developers as IoT matures and conducted a live demonstration of how quickly application development can happen when the need to comply wit...
The Internet of Everything (IoE) brings together people, process, data and things to make networked connections more relevant and valuable than ever before – transforming information into knowledge and knowledge into wisdom. IoE creates new capabilities, richer experiences, and unprecedented opportunities to improve business and government operations, decision making and mission support capabilities.
Explosive growth in connected devices. Enormous amounts of data for collection and analysis. Critical use of data for split-second decision making and actionable information. All three are factors in making the Internet of Things a reality. Yet, any one factor would have an IT organization pondering its infrastructure strategy. How should your organization enhance its IT framework to enable an Internet of Things implementation? In his session at @ThingsExpo, James Kirkland, Red Hat's Chief Architect for the Internet of Things and Intelligent Systems, described how to revolutionize your archit...
MuleSoft has announced the findings of its 2015 Connectivity Benchmark Report on the adoption and business impact of APIs. The findings suggest traditional businesses are quickly evolving into "composable enterprises" built out of hundreds of connected software services, applications and devices. Most are embracing the Internet of Things (IoT) and microservices technologies like Docker. A majority are integrating wearables, like smart watches, and more than half plan to generate revenue with APIs within the next year.
Growth hacking is common for startups to make unheard-of progress in building their business. Career Hacks can help Geek Girls and those who support them (yes, that's you too, Dad!) to excel in this typically male-dominated world. Get ready to learn the facts: Is there a bias against women in the tech / developer communities? Why are women 50% of the workforce, but hold only 24% of the STEM or IT positions? Some beginnings of what to do about it! In her Opening Keynote at 16th Cloud Expo, Sandy Carter, IBM General Manager Cloud Ecosystem and Developers, and a Social Business Evangelist, d...