1. PCI Compliance and Cloud Reference Architecture
A Best Practices Discussion with Authors

Moderator: Hemma Prafullchandra, HyTrust
Panelists: George Gerchow, VMware; Christian Janoff, Cisco; Allan MacPhee, Trend Micro; Kennet Westby, Coalfire; Ken Owens, Savvis

Brought to you by: HyTrust, Inc., 1975 W. El Camino Real, Suite 203, Mountain View, CA 94040. Phone: 650-681-8100 / email: [email protected]. © HyTrust, Inc. All rights reserved.



2. Speakers
- Hemma Prafullchandra, CTO/SVP Products, HyTrust
- George Gerchow, Director, VMware Center for Policy and Compliance, VMware
- Allan MacPhee, Senior Product Manager, Trend Micro
- Ken Owens, Vice President of Security & Virtualization Technologies, Savvis
- Kennet Westby, CEO, Coalfire
- Christian Janoff, Industry Enterprise Architect, Cisco

3. Hemma Prafullchandra (About HyTrust)
- Founded in Fall 2007 and headquartered in Mountain View, CA. Venture backed by Cisco, Epic, Granite, and Trident, with strategic partners including VMware, CA, Cisco, Symantec, Intel, and VCE.
- HyTrust provides centralized control for virtual infrastructure, administrative access, policy management, and compliance.
- The HyTrust product addresses multiple requirements set forth in PCI, as outlined in the reference architecture document (to be emailed after the webinar).
- HyTrust serves as co-leader in the development and organization of the PCI Cloud Reference Architecture team and content.

4. George Gerchow (About VMware)
- VMware, the virtualization and cloud infrastructure leader, delivers the most customer-proven, reliable, secure and complete platform to build the enterprise cloud.
- VMware has more than 250,000 customers, including 99% of the Fortune 1000 and 97% of the Fortune Global 500.
- VMware customers have experienced unmatched results with VMware solutions:
  - Financial: 50-60% CapEx savings
  - Human: average of 33 percent cumulative time savings for day-to-day administrative activities
  - Energy: up to 80%, leveraging consolidation and distributed power management

5. Christian Janoff
- Vertical Solutions Architect at Cisco
- Has led Cisco's participation on the PCI Security Standards Council since 2007 as a member of their Board of Advisors
- Cisco virtual technology: virtual servers, switching, routing, firewalling and intrusion detection systems for public and private clouds
- For more information on Cisco and PCI: http://www.cisco.com/go/pci2

6. Who is Savvis
Hosting Track:
- Colocation: enterprise-grade space & power
- Managed Hosting: dedicated physical infrastructure
- Utility Compute: multi-tenant, stateless bladeframe
Cloud Track:
- Savvis Symphony Dedicated: dedicated, virtual infrastructure
- Savvis Symphony Open: multi-tenant virtual infrastructure
- Savvis Symphony VPDC: enterprise features, multi-tier QoS, reduced OpEx
(Axis: service standardization, virtualization & automation)

7. Allan MacPhee
© 2011, HyTrust, Inc. www.hytrust.com

8. Kennet Westby
© 2011, HyTrust, Inc. www.hytrust.com

9. Audience Poll - Let's Get to Know Each Other
- How many are virtualizing or have virtualized cardholder data?
- How many of you are looking at cloud services?
- How many feel your QSA is comfortable with your virtualized environment?

10. Panel Discussion
- What are the characteristics of a cloud that make PCI compliance difficult?
- Can a shared cloud environment even be PCI compliant?
- What does it mean when your cloud provider tells you that they are PCI certified?
- What areas should your cloud provider be responsible for?
- What are the key questions you should ask your cloud provider to understand the scope of PCI certification achieved?
- How does a merchant figure out what the shared responsibility split is in detail?

11. Panel Discussion
- If my environment is already PCI compliant and I want to just extend a single tier to a public cloud, what should I be concerned about?
- What is the best way to involve my QSA in these discussions?
- What resources can I use to help me plan for and use cloud computing for my CDE? Policy, People, Process, Technology

12. Key Takeaways and Guidance
PCI Compliance in Virtualized Environments (on-premise)
- Virtualization increases the risk and complexity of PCI compliance; engage your QSA early to streamline the audit process.
- Look beyond traditional security vendors for solutions that address virtualization-specific requirements (hypervisor/VM controls).
- View virtualization as an opportunity to improve your current processes, i.e. reporting, monitoring, inter-VM controls, etc., and achieve objectives that you always wanted in physical environments but could not afford or were restricted from by legacy infrastructure.
- Embrace virtualization with a "virtualization by default" approach and build compliance into the default mode of operation.

13. Key Takeaways and Guidance
PCI Compliance in the Cloud
- Compliance is possible, but it takes the right cloud provider.
- Compliance is a shared responsibility; there is no magic bullet.
- Understand the details & scope of your cloud provider's PCI certification.
- Work with your QSA to create a strategy for addressing the remaining required PCI controls.
- Cloud compliance requires elastic and automated VM security and persistence of machine data for audit and forensics.
Create a strategy for Cloud compliance
- Start with virtualized on-premise and dedicated hosting environments.
- Evolve and apply these controls to cloud environments.

14. Additional Resources
- www.pcisecuritystandards.org
- www.coalfiresystems.com
- www.hytrust.com/pci
- www.savvis.net
- http://us.trendmicro.com/us/solutions/enterprise/security-solutions/compliance/
- http://www.vmware.com/solutions/datacenter/cloud-security-compliance/unified-framework.html
- www.cisco.com
- Just Published: PCI-compliant Cloud Reference Architecture

15. Thank You