A CISO reveals why the cloud is your secret weapon for faster, better, and cheaper PCI audits

How do you feel about PCI? Or the security of the cloud?

What happens when you need to attain PCI certification for your cloud-based service?

That’s precisely the challenge that Joan Pepin (LinkedIn, Twitter), CISO of SumoLogic, faced. Her results might surprise you.

Her approach to obtain PCI level 1 Service Provider certification took a fraction of the time, roughly 10% of the typical cost, and provided a quality clients accept.

As Joan explained, she did this, “Not in spite of the cloud, because of the cloud.”

The adoption of PCI 3.0 in January modified the approach to vendor management. Basically, if a vendor affects the controls, then the vendor must be PCI compliant. Joan saw this as an opportunity to give her company — a cloud-based company, serving business-to-business clients — a competitive advantage.

“It is an industry standard and one of the two that’s respected around the world. PCI is globally known, and that’s why it’s important from a business perspective.”

Here are the three ways Joan drove a faster, cheaper, and better audit. And how you can do it, too.

Considering the cloud, and a warning

When considering cloud, distinguish between business and consumer-focused offerings. A lot of the concern expressed over cloud security is focused on consumer companies. They strive for — and are often held — to a lower standard.

Joan put it simple, “If customers don’t trust us with their data, we don’t have a business.”

Business-level solutions need to satisfy regulatory and trust requirements with their clients. In that way, the cloud poses a bit of an initial challenge.

“We had to show that we had the intent to meet or exceed all 12 PCI rules. PCI is an old standard – it uses the word “DMZ” throughout. I run a firewall on every single host…I don’t have a firewall zone with a three-tier architecture. I needed to explain how what we are doing meets or exceeds those same requirements.”

A warning: watch out for companies who use the certification of their platform provider as an attestation of their compliance – especially if they declare “our data center is PCI certified.”

As Joan explains, “Bernie Madoff worked from a big NYC skyscraper. The building provided great security. He ran a total scam.” In the cloud, a hacker can run a scam on a “certified” AWS instance. The key is to look deeper and understand what the company is doing with your data.

Joan points out that the certification of the underlying platform, however, is valuable.

“We call it an unbroken-chain of paperwork. One of the things that made my audit easy. Physical and network security was AWS. They admit they’re responsible for that. Now the other 10 sections are my responsibility.”

1 – Define and reduce the scope as much as possible

The reason companies spend so much time and money on compliance audits is largely due to poor scope. As a result, they spend a lot of time and effort to inventory physical assets. They have to worry about networking and physical controls.

A clear key to speed and price is to reduce the scope as much as possible. This isn’t a gimmick. A quality auditor confirms the scope.

Joan suggested two key ways to reduce your scope:

1. Use managed services
2. Separate the corporate environment from the production environment

The use of (audited and certified) managed services allows the vendor to focus on providing the service and necessary security. Their certification becomes part of your audit. It reduces the complexity of your environment and the scope of your audit.

Keeping the corporate and production environments seperate requires planning and a lot of energy to get right. While it’s always best to start with this in mind, consider this for new projects. That makes going back a bit easier.

Joan works in a cloud-based startup. In her case, it took about a month’s worth of time of engineering and roughly 3 months of time to get the production environment isolated. A key is creating and enforcing proper controls around production. That prevents the two segments from crossing and connecting. It also reduces problems in the future – an advantage beyond scoping the assessment.

The result?

By doing the upfront work in selecting proper managed services and segmenting the production network, Joan was able to guide a successful audit in less than 2 months. The total cost was about 10-15% of comparable audits in the industry.

2 – Select an auditor you can work with

It’s critical to select a QSA that understands security and the cloud. Finding the right partner is a balance. To that end, Joan emphasizes relationship and quality over price.

Joan suggested considering the auditor a partner. As she explained, ultimately, they want you to get certified. She suggested listening to their advice and working with them to reach mutual understanding.

By having an auditor trusted by others work with you as a partner on the process, you’ll be able to demonstrate your compliance in a way that others recognize.

3 – Get support: up and out

You want a solid audit that is done faster than usual, cheaper than usual, and with a higher quality?

Then you need support from the entire organization. It starts at the top. The CEO and other executives need to be part of the program. They need to understand the benefit and potential to create value for the company.

As Joan explains, getting the timing right means touching multiple departments, asking for favors on providing information on short notice and shifting schedules.

If you don’t already have this level of support, you’ll need to focus on building it. If you try to do this without the proper support — up and out — you’ll waste time, money, and burn bridges.

This needs to be a key investment.

Better compliance as a result of the cloud

PCI compliance, done right, is a benefit for B2B service providers. Cloud services and solutions now play an important role in improving the compliance process – with faster, better, and cheaper results.

What’s holding you back?