Back to blog results

February 19, 2015By Elliot Stoll

Get ready for PCI, just like we did!

Security is probably top of mind for your enterprise. Companies like Home Depot, Target, Anthem and countless others had painful lessons in 2014, and their security breaches have grown to affect every business in the United States.

As if it wasn’t difficult enough keeping tabs on every system in your company, the PCI 3.0 specification went into effect at the beginning of the year. As specifications go, PCI 3.0 is like a virus in its compliance requirements. Being PCI 3.0 compliant means that your vendors must also be PCI 3.0 compliant, and that their vendors, in turn, are PCI 3.0 compliant. It’s like the GPL of security specifications.

Fortunately, Sumo Logic has you covered. Joan Pepin, our Chief Information Security Officer, had our ducks in a row well before hunting season opened, and as a result, we are one of the few SaaS vendors you can count on to be fully PCI 3.0 compliant. Heck, we’re one of the few software providers, period, that can make this claim. That’s because Joan is, literally, the best in the business: she was a hacker when they still made movies called “Hackers,” and she’s become a master of the craft since then.

But we’ll let Joan explain this in her own words.

What is the deal with PCI 3.0? It sounds much more complex than PCI 2.0.

On January 1, 2015, PCI 3.0 became mandatory for anyone certifying for PCI compliance. One of the key differences between PCI 2.0 and PCI 3.0 is around vendor management. Under the 2.0 specification, if you were not sharing cardholder data with your vendor (which includes credit card users’ name, credit card numbers, credit card expiration dates, CVV codes, or even just the last 4 digits of a credit card number) you didn’t have to worry.

The big change in PCI 3.0 is that now if any vendor impacts your security controls, regardless of of whether or not there’s credit card data involved, then that vendor must also be PCI 3.0 compliant.

In the security professionals forums and the user groups, a lot of people are unhappy about this change. The Qualified Security Assessor (QSA) could interpret this new requirement as broadly as possible. They are asking questions like: “my locksmith affects my security controls, does my locksmith need to be PCI 3.0 compliant?”

Why did Sumo Logic decide to become PCI 3.0 compliant by January 1, 2015?

Our customers use our service to strengthen their compliance and security posture. With our compliance and security applications, they monitor firewalls, logs, network appliances, services, and other components across their stacks. Needless to say, we jumped on the opportunity to have our compliance by day one. Our customers have learned to expect the best from us when it comes to security compliance.

Did Sumo Logic’s vendors pass their PCI 3.0 compliances as well?

The only vendor that we use that impacts us is Amazon. They passed. http://aws.amazon.com/compliance/pci-dss-level-1-faqs/

What level of PCI 3.0 certification does Sumo Logic have?

There’s PCI 3.0. That’s one thing. But PCI is a family of certifications. What we have is the Service Provider Level 1 certification, which has the strictest requirements, and is the highest level of PCI compliance available.

If you shop at a store where they swipe your credit card, they have to be PCI compliant as well, but they’re not a service provider, just a merchant. The credit card number just passes through their hands briefly. That’s a much, much lower level of certification. We are in the same class of companies that do the backend credit card processing, like Visa. We have the same certification that Visa themselves has.

We found this stat listed by Braintree: “Gartner estimates that during 2007, the nation’s largest merchants, classified as Level 1(processing in excess of 6 million transactions of a single card type per year), will spend $125,000 assessing the scope of required PCI-related work and another $568,000 to meet the requirements.”

How much did it cost Sumo Logic to gain this compliance?

The audit itself was around $20,000. We used around 4 to 6 person-weeks of engineering time, which amounts to about $20,000. Our project lead spent about 6 solid weeks which is about $20,000. Total spent was about $60,000, rounding up. So we spent about 50% of what most organizations spend on just assessing the scope of the whole damn thing.

Are any other logging services PCI 3.0 compliant? What about other SaaS vendors and enterprise software vendors?

We have SOC-2 Type 2, we have our HIPAA attestation, and of course, our PCI 3.0 and Service Provider Level 1 certifications. There are few Software-as-a-service providers that can confirm this level of security and regulation compliance. I know of no other SaaS log analytic providers that can boast the same level of certifications.

Certifications are all fine and dandy, but what actual security practices do you have in place that are revolutionary, or non-traditional?

We patch in our OS automatically. Every 6 hours, we run a script on all servers that downloads the latest security patches from Ubuntu. There is nothing traditional about the way we operate. If boxes go down, we don’t have some dude with a UNIX beard and a clipboard go down and reboot the server. Everything is automated. We have created a couple hundred pages of code to do all of this.

How important was your use of Sumo Logic the product in getting the audit completed?

We ate our own dog food, and it tasted like Thomas Keller cooked it. Sumo Logic was essential for ensuring Sumo Logic was compliant with the PCI 3.0 specifications. We couldn’t have done it without our own service!

2014 was a bad year for security. Will things be getting better for enterprises with security concerns in 2015 now that PCI 3.0 is in place?

The world had some of the worst, full-Internet affecting vulnerabilities in 2014. There was the Bash bug, the OpenSSL vulnerabilities, the more recent glibc problems, the issues in NTP… There are advanced and persistent threats out there. There are an unprecedented number of actors and types of actors out there.

You’re dealing with cyber criminals working for profit. You’re dealing with hacktivists, who can be very serious. You’ve got nationalist actors: see the Sony hacks. You’ve got social hacktivists like anonymous. You’ve got state actors, like the Chinese and the Russians, and possibly the North Koreans.

This happens a lot with Russia. They get into a political dispute, and there are thousands of patriotic Russians who take it upon themselves to hack these countries. It’s not necessarily a Russian government operation. Look at Estonia.

There are all sorts of different types of actors out there with different goals in mind. Take the number of applications running across the number of IP addresses out there on the Internet and watch it grow over the years. This is not a linear increase.

Then you take into account the fact that there are over 200,000 unfilled digital security job openings in the U.S. alone, it becomes a very very big problem to solve.

You can’t just throw a room full of brilliant computer scientists at the problem?

Computer scientists are concerned with the theory of computation. They do not care about how things actually work in the real world, when there’s hardware to consider, voltage usage concerns, temperature concerns… The people who run data centers are the auto mechanics of the IT world. What’s the wattage draw of a server? That never enters the mind of a computer scientist. Whereas, a perfectly successful hack could be “how do I make these computers produce more heat, and thus take the datacenter down?”

What’s the solution to the increasing threat of security intrusions from around the world?

I don’t see things getting any better until they get a lot worse. I was talking to the CSO of the State of Texas a couple of months ago in Austin. One of the things he said was that he realizes he doesn’t have enough people he can hire to fill the positions he needs. So he is looking at impacting high school curriculum so he can get more trained people in security.

The problem with information security is that in order to be good at infosec, you need to understand the entire stack. You need to understand things that can go wrong at the network hardware layer, things that can go wrong through social engineering, and everything else from the BIOS up through the processor, up through the network, through the application, clear through to human psychology.

To boil this all down, what are two things you want our readers to take away from this discussion?

First off, that we are the most thoroughly audited SaaS provider in our space. None of our competitors, direct or indirect, have subjected themselves to the rigor of PCI/DSS Service Provider certification. In fact, most have not subjected themselves to really any third party audits or assessments, of which we now have several including SOC 2 Type II attestation, attestation of HIPAA compliance and compliance with U.S – E.U. Safe Harbor framework.

Secondly, if you are looking for someone to help you meet your own PCI requirements, particularly around PCI Rule 10, we’ve got you covered with a completely compliant, turn-key solution that is secure, scalable, easy to use and ready for you today.

We’re quite lucky we have someone with all of these skills in charge of security here at Sumo Logic. Thanks, Joan, for getting us certified PCI 3.0 compliant!

Complete visibility for DevSecOps

Reduce downtime and move from reactive to proactive monitoring.

Elliot Stoll

More posts by Elliot Stoll.

People who read this also enjoyed