Meeting the new Payment Card Industry 3.0 standard has some companies on edge. As attackers find inventive new ways of breaching corporate networks, the PCI standard had to get tougher, including covering partners such as cloud providers who weren’t included under the previous standard.
That has led some organizations to fret about the cost and effort to meet PCI 3.0. But a SaaS-based log management and analysis service that has done it says that with a little thought — and, hopefully, existing tight security controls — third-party providers should have little to worry about.
That was the experience of Sumo Logic, a California-based company whose cloud service lets customers upload logs for application and security analysis. One customers uploads 10 TB of data a day.
Customers include Microsoft Corp., Visa and Netflix. It has Canadian customers through a partnership with the Herjavec Group.
Until the PCI standard changed, it wasn’t necessary for Sumo Logic, Joan Pepin the company’s CISO and vice-president of security said in an interview. Only rarely will network logs have payment card or personal health data. So the provider’s certifications for meeting the American Institute of Certified Accountants statement of controls SOC Type 2 (a standard for general purpose data centres and financial processes), the U.S., HIPPA AT101 rule for health care providers and US/EU Safe Harbor were sufficient.
But PCI 3.0’s Rule 10 requirements now cover log management, so any vendor that affects an organization’s logs and needs PCI audit approval has to be compliant. Logs have to be shown to be centrally managed, access controlled and unalterable.
Pepin admits that the changes her company had to make to meet the needs of PCI 3.0 were “pretty minor” because of the way its process had already been architected — which is one of the lessons: If you’re a service provider already has good security controls updating to PCI 3.0 might not be a struggle.
(Or, as Pepin put it, “an ounce of prevention is worth a pound of cure.”)
In Sumo Logic’s case there were two main things to fix:
— “What took the most time was we had to change the way we handled our encryption keys. We always had robust key management solution whereby our customers data as it comes into our service is split into two halves: Each gets a separate key generated for it. A new pair of keys is generated for each customer every 24 hours. Those keys are then stored on a secure and encrypted key ring per customer.”
If there was a breach the attacker would have to crack two keys and would only get access to a customer’s data for a 24 hour period.
To meet PCI 3.0 requirement that no one employee could have access to the key she added another layer of control by encrypting each pair of keys again. Three operations employees have access to one, and three managers have access to the other. To unlock the primary keys an operator and a manger from each team at a console is needed. to unlock the key encryption keys.
— All Sumo Logic servers had to synchronize their time using the network time protocol (NTP) with a single point of failure. In the past, the servers individually checked a a cloud time provider for this. To meet PCI 3.0, the system had to be redesigned all servers linked to one unit which did the time check.
“In general we had to spend six man-weeks in engineering time to meet some of these various requirements for PCI, Pepin said. :We spent a total between engineering time, project management time and the cost of the audit itself only US$60,000.”
Here’s some lessons for service providers she learned from the experience:
–Keep the scope of your PCI audit as small as possible. For example, make sure there’s a thick wall between from your internal corporate IT environment and production. An email server should not be in scope of a PCI audit.
Similarly, laptops of IT operations staff shouldn’t be in scope for the PCI audit. They should have to log into the production environment through a bastion server, not a laptop, unless its through a VPN.
“A lot of companies don’t take the time to thing about those types of things up front,” says Pepin and that causes their audit to include all sorts of systems that don’t have anything to do with the delivery of their service to their customers.”
–Use whatever services you can that are also PCI-compliant to fill in parts of your audit. All of the Sumo Logic’s 5,000 production servers are hosted on Amazon, which is PCI DSS service-provider level certified. “I don’t have to worry about physical controls, I don’t have to worry about network controls,” she said, just hand over the Amazon audit to Sumo Logic’s auditors.
“Anywhere you can outsource part of your system to a service provider that specializes in that and has its (PCI) compliance in that area and can prove it, that reduces your scope and makes it easer for you to focus on your environment.”
Even co-locating is an advantage, she said.
–Take the time to do a proper gap analysis. “It seems common sense, but so many people just go barging into this. Read the specs, maybe hire a contractor if you don’t have resources on staff to find areas where you need to sped time. You want to be able to give a correct answer to your auditor the first time they ask a question, not say ‘let me look into that,’
“You want to make sure you have audited yourself before the auditor gets there.”