How do you feel about PCI? Or the security of the cloud? What happens when you need to attain PCI certification for your cloud-based service?

That’s precisely the challenge that Joan Pepin, CISO of SumoLogic, faced. Her results might surprise you. Her approach to obtaining PCI DSS Level 1 Service Provider certification took a fraction of the usual time, cost roughly 10% of a typical audit, and produced a result that clients accept.

As Joan explained, she did this, “Not in spite of the cloud, because of the cloud.”

The adoption of PCI DSS 3.0 in January changed the approach to vendor management. In short, if a vendor’s service can affect the security of cardholder data or the controls protecting it, that vendor must itself be PCI DSS compliant, and the customer has to track that compliance. Joan saw this as an opportunity to give her company -- a cloud-based company serving business-to-business clients -- a competitive advantage.

“It is an industry standard and one of the two that’s respected around the world. PCI is globally known, and that’s why it’s important from a business perspective.”

Here are the three ways Joan drove a faster, cheaper, and better audit, and how you can do it, too.

Considering the cloud, and a warning

When considering the cloud, distinguish between business-focused and consumer-focused offerings. Much of the concern expressed over cloud security is aimed at consumer companies. They aim for, and are often held to, a lower standard.

Joan put it simply: “If customers don’t trust us with their data, we don’t have a business.”

Business-level solutions need to satisfy their clients’ regulatory and trust requirements. In that respect, the cloud poses an initial challenge: the standard was written with a physical data center in mind.

“We had to show that we had the intent to meet or exceed all 12 PCI rules. PCI is an old standard – it uses the word ‘DMZ’ throughout. I run a firewall on every single host… I don’t have a firewall zone with a three-tier architecture. I needed to explain how what we are doing meets or exceeds those same requirements.”

PCI DSS assesses the intent of each requirement and allows documented compensating controls where an environment cannot meet the letter of one. A host-based firewall on every instance, with rules that permit only the traffic each tier needs, is doing the job the standard assigns to a network DMZ. Expect to write that argument down for the assessor rather than point at a network diagram.

A warning: watch out for companies that use their platform provider’s certification as an attestation of their own compliance, especially if they declare “our data center is PCI certified.”

As Joan explains, “Bernie Madoff worked from a big NYC skyscraper. The building provided great security. He ran a total scam.” In the cloud, an attacker can run a scam from an instance in a “certified” AWS data center just as easily. The provider’s certificate says nothing about what the tenant does with your data; look deeper and ask which controls the company itself operates.

Joan points out that the certification of the underlying platform is still valuable, as long as the division of responsibility is written down.

“We call it an unbroken chain of paperwork. One of the things that made my audit easy. Physical and network security was AWS. They admit they’re responsible for that. Now the other 10 sections are my responsibility.”

1 - Define and reduce the scope as much as possible

Companies spend so much time and money on compliance audits largely because of poor scoping. With an over-broad scope they spend weeks inventorying physical assets and have to defend networking and physical controls that a tighter scope would have excluded.

The clearest route to speed and price is to reduce the scope as much as possible. This isn’t a gimmick: a quality auditor independently confirms the scope, so it has to hold up to inspection.

Joan suggested two key ways to reduce your scope:

- Use managed services
- Separate the corporate environment from the production environment

Using audited and certified managed services lets the vendor focus on providing the service and the security it requires. Their Attestation of Compliance, together with a clear statement of which requirements they cover, becomes part of your audit evidence. It reduces the complexity of your environment and the scope of your audit.

Keeping the corporate and production environments separate requires planning and a lot of energy to get right. It is best designed in from the start; if that is not possible, build new projects this way first, which makes retrofitting the existing environment easier.

Joan works in a cloud-based startup. In her case, it took about a month of engineering effort and roughly three months of elapsed time to get the production environment isolated. The key is defining and enforcing controls at the production boundary so that the two segments cannot connect. That pays off beyond scoping the assessment: a compromise of the corporate network no longer translates into a compromise of production.

The result? By doing the upfront work of selecting proper managed services and segmenting the production network, Joan was able to guide a successful audit in less than two months. The total cost was about 10-15% of comparable audits in the industry.

2 - Select an auditor you can work with

It’s critical to select a Qualified Security Assessor (QSA) who understands both security and the cloud. Finding the right partner is a balance. To that end, Joan emphasizes relationship and quality over price.

Joan suggested treating the auditor as a partner. As she explained, ultimately they want you to get certified. She suggested listening to their advice and working with them to reach a mutual understanding.

With an auditor trusted by others working alongside you, you’ll be able to demonstrate your compliance in a way that others recognize.

3 - Get support: up and out

You want a solid audit that is done faster than usual, cheaper than usual, and with higher quality? Then you need support from the entire organization. It starts at the top. The CEO and other executives need to be part of the program. They need to understand the benefit and the potential to create value for the company.

As Joan explains, getting the timing right means touching multiple departments, asking for favors to provide information on short notice, and shifting schedules.

If you don’t already have this level of support, you’ll need to focus on building it. If you try to do this without the proper support -- up and out -- you’ll waste time, money, and burn bridges. This needs to be a key investment.

Better compliance as a result of the cloud

PCI compliance, done right, is a benefit for B2B service providers. Cloud services and solutions now play an important role in improving the compliance process, with faster, better, and cheaper results.

What’s holding you back?
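As a concrete starting point for point 1 above, here is an added example (not code from the article, and not SumoLogic’s) of the kind of check that keeps the corporate and production segments from crossing and stops untagged assets from hiding in the inventory. The asset inventory, environment tags and firewall rules in it are constructed for the example, and the assumption that only HTTPS (port 443) is meant to be Internet-reachable is the example’s own; adjust it to your design.

```python
"""Added example: segmentation check for PCI scope reduction.

Not code from the article or from SumoLogic. Given an asset inventory that tags
each address range with an environment and a list of firewall / security-group
allow rules, report every rule that lets corporate and production reach each
other (which drags the corporate side into scope) and every rule that touches a
range with no environment tag (an unclassified asset cannot be kept out of
scope). Inventory, rules and the public-port assumption are constructed here.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    name: str
    src: str   # CIDR the rule allows traffic from
    dst: str   # CIDR the rule allows traffic to
    port: int  # destination port; 0 means any port


# Constructed inventory: address range -> environment tag (None = untagged).
INVENTORY = {
    "10.0.0.0/16": "prod",
    "10.1.0.0/16": "corp",
    "10.2.0.0/24": None,   # a range nobody classified: a scoping gap
}

# Assumption for the example: the only service meant to be Internet-facing is HTTPS.
PUBLIC_PORTS = {443}

# Constructed rule set exercising the cases the check is meant to catch.
RULES = [
    Rule("prod-web-to-db", "10.0.1.0/24", "10.0.2.0/24", 5432),      # stays inside prod
    Rule("corp-vpn-to-prod-ssh", "10.1.5.0/24", "10.0.0.0/16", 22),  # corp reaches prod
    Rule("any-to-prod-https", "0.0.0.0/0", "10.0.3.0/24", 443),      # expected public tier
    Rule("corp-to-untagged", "10.1.0.0/16", "10.2.0.0/24", 0),       # touches unclassified range
]


def env_of(cidr, inventory=INVENTORY):
    """Environment tag of the inventory range that contains cidr.

    Returns 'untagged' for a known range with no tag and 'external' when no
    inventory range contains the address, which is how 0.0.0.0/0 ends up.
    """
    net = ipaddress.ip_network(cidr, strict=False)
    for inv_cidr, env in inventory.items():
        inv_net = ipaddress.ip_network(inv_cidr)
        if net.version == inv_net.version and net.subnet_of(inv_net):
            return env if env is not None else "untagged"
    return "external"


def find_scope_leaks(rules, inventory=INVENTORY):
    """Return (rule name, reason) for each rule that undermines the prod/corp split."""
    findings = []
    for rule in rules:
        src_env = env_of(rule.src, inventory)
        dst_env = env_of(rule.dst, inventory)
        port = rule.port or "any"
        if "untagged" in (src_env, dst_env):
            findings.append((rule.name, "touches a range with no environment tag; classify it before scoping"))
        elif src_env == dst_env:
            continue  # traffic stays within one environment
        elif {src_env, dst_env} == {"corp", "prod"}:
            # Either direction links the segments; connected-to systems land in scope.
            findings.append((rule.name, f"{src_env} can reach {dst_env} on port {port}; both sides land in scope"))
        elif dst_env == "prod" and src_env == "external" and rule.port not in PUBLIC_PORTS:
            findings.append((rule.name, f"Internet can reach prod on port {port}"))
    return findings


if __name__ == "__main__":
    for name, reason in find_scope_leaks(RULES):
        print(f"{name}: {reason}")
```

Run it against an export of your security-group or host-firewall rules whenever the rule set changes; every finding is either a scope expansion to remove or a documented exception the QSA will ask about.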