Almost all of the survey results I've seen concerning what's holding back medium and large organizations' cloud adoption plans point out that security is a major concern. The constant litany of security breaches and losses of consumer personal information isn't helping put that fear aside. The payment card industry (PCI) has responded to this fear by setting standards. These standards have become the foundation of many organizations' security policy even though those organizations are not in the payment card industry.
Some cloud computing service providers are making the claim that their service complies with PCI's most recent standard, PCI 2.0. FireHost, for example, just announced that they are offering PCI 2.0 compliant cloud services that can survive an audit. If I think back, I can recall several other service providers saying something similar. Chris Drake, CEO of FireHost, spent some time explaining what his company is doing that sets them apart from others claiming PCI 2.0 compliance.
Conversation with Chris Drake
FireHost's Chris Drake spent some time explaining how his company evolved, what they're offering and how that is different from the services others are offering.
A little FireHost history
FireHost started out using Citrix's XenServer as a virtualization platform. The company soon learned that XenServer, at that time, was vulnerable to several attacks and couldn't be a long-term platform for its offerings. After looking at Microsoft's Hyper-V, Red Hat's KVM, VMware's ESX Server and the open source Xen environment, the company decided that VMware's products, enfolded with the proper processes and procedures, could be the foundation of a PCI compliant environment.
What FireHost is offering
Here's what FireHost says about its offerings:
FireHost provides a secure managed cloud hosting experience to protect valuable websites and business assets. We provide HIPAA compliant hosting and PCI compliant hosting solutions that are ready for your secure data. Your HIPAA and PCI data will be secured in our managed hosting environment to the highest of enterprise standards.
The FireHost Advantage
All the features your business demands without the costs you’d expect:
- Secure Network Design
- Application-Level Protection
- DoS/DDoS Mitigation
- PCI & HIPAA Compliant Ready
- Grow to 42 GB Memory
- Add up to 8 Processors
- TBs of Storage Available
- Load Balancing Available
- Advanced Security Included
- Encrypted Backups Included
- Full Monitoring Included
- Fast Response Included
What is FireHost doing differently
FireHost would make the point that it is doing the following things that are quite different from what others are offering under the banner of PCI 2.0 compliance:
- Cardholder data is placed on systems behind the demilitarized zone (DMZ) and so is not directly accessible from outside
- A web application firewall is provided and is not a separate option
- Two-factor authentication is a standard part of the product
- System, application and other logs are reviewed daily
- A one-year audit trail history is kept
It is clear to me that security has to be baked into the architecture of a workload. It has to be considered a way of life rather than a set of add-on products. FireHost appears to talk that talk and also to walk the walk. Most other service providers that are claiming PCI 2.0 compliance don't automatically take the extra steps FireHost takes. While those things might be available, they are often extra cost options that organizations might skip if they're in a hurry.
While version 2.0 of the PCI DSS standard didn't please everyone (see "PCI 2.0: Is that all there is?" by Jon Geater, Director of Technical Strategy at Thales), it is at least a start.
If your organization believes that PCI 2.0 compliance is an important part of its cloud implementation, a chat with FireHost is in order.