2. Speakers
George Gerchow, Director, VMware Center for Policy and Compliance, VMware
Hemma Prafullchandra, CTO/SVP Products, HyTrust
Ken Owens, Vice President of Security & Virtualization Technologies, Savvis
Allan MacPhee, Senior Product Manager, Trend Micro
Kennet Westby, CEO, Coalfire
Christian Janoff, Industry Enterprise Architect, Cisco
3. Hemma Prafullchandra
Founded in Fall 2007 and Headquartered in Mountain View, CA.
Venture backed by Cisco, Epic, Granite, and Trident with strategic
partners including VMware, CA, Cisco, Symantec, Intel, and VCE
HyTrust provides centralized control for virtual infrastructure,
administrative access, policy management, and compliance.
HyTrust product addresses multiple requirements set forth in PCI.
Outlined in Reference architecture doc (will be emailed after webinar)
HyTrust serves as co-leader in development and organization of PCI
Cloud Reference Architecture team and content
4. George Gerchow
About VMware
VMware, the virtualization and cloud infrastructure leader, delivers the
most customer-proven, reliable, secure and complete platform to build
the enterprise cloud.
VMware has more than 250,000 customers, including 99% of the
Fortune 1000 and 97% of the Fortune Global 500.
VMware customers have experienced unmatched results with VMware
solutions.
• Financial: 50-60% CapEx savings
• Human: Average of 33 percent cumulative time
savings for day-to-day administrative activities.
• Energy: Up to 80%, leveraging consolidation
and distributed power management.
5. Christian Janoff
Christian Janoff
Vertical Solutions Architect at Cisco
Has led Cisco's participation on the PCI Security Standards Council since
2007 as a member of their Board of Advisors
Cisco virtual technology
Virtual servers, switching, routing, firewalling and intrusion detection
systems for public and private clouds
For more information on Cisco and PCI:
http://www.cisco.com/go/pci2.
6. Who is Savvis
Hosting Track / Cloud Track (diagram; axis labels: Reduced Opex; Standardization, Virtualization & Automation)
Savvis Symphony VPDC: Enterprise features, multi-tier QoS
Savvis Symphony Open: Multi-Tenant virtual infrastructure
Savvis Symphony Dedicated: Dedicated, virtual infrastructure
Utility Compute: Multi-tenant Stateless Bladeframe
Managed Hosting: Dedicated physical infrastructure
Colocation: Enterprise-Grade Space & Power Service
9. Audience Poll - Let’s Get to Know Each Other
How many are virtualizing or have virtualized cardholder data?
How many of you are looking at cloud services?
How many feel your QSA is comfortable with your virtualized
environment?
10. Panel Discussion
What are the characteristics of a cloud that make PCI compliance
difficult?
Can a shared cloud environment even be PCI compliant?
What does it mean when your cloud provider tells you that they are PCI
certified?
What areas should your cloud provider be responsible for?
What are the key questions you should ask your cloud provider to
understand the scope of PCI certification achieved?
How does a merchant figure out what the shared responsibility split is in
detail?
11. Panel Discussion
If my environment is already PCI compliant and I want to just extend a
single tier to a public cloud, what should I be concerned about?
What is the best way to involve my QSA in these discussions?
What resources can I use to help me plan for and use cloud computing
for my CDE?
Policy, People, Process, Technology
12. Key Takeaways and Guidance
PCI Compliance in Virtualized environments (on-premise)
Virtualization increases the risk and complexity of PCI compliance;
engage your QSA early to streamline the audit process
Look beyond traditional security vendors for solutions that address
virtualization-specific requirements (hypervisor/VM controls)
View virtualization as an opportunity to improve your current
processes (e.g. reporting, monitoring, inter-VM controls) and
achieve objectives that you always wanted in physical environments
but could not afford or were restricted by legacy infrastructure
Embrace virtualization with a virtualization-by-default approach and
build compliance into the default mode of operation
13. Key Takeaways and Guidance
PCI Compliance in the Cloud
Compliance is possible, but it takes the right cloud provider
Compliance is a shared responsibility; there is no magic bullet
Understand the details & scope of your cloud provider’s PCI certification
Work with your QSA to create a strategy for addressing the remaining
required PCI controls
Cloud compliance requires elastic and automated VM security
and persistence of machine data for audit and forensics
Create a strategy for Cloud compliance
Start with virtualized on-premise and dedicated hosting environments
Evolve and apply these controls to cloud environments