For many businesses, compliance, management and data protection in the cloud have been a major challenge due to the shared responsibility model and automation of public cloud infrastructure. Ensuring consistent security controls across hybrid environments requires new methodologies for security and auditing teams.
At the AWS Loft event in San Francisco last night, over 100 people joined industry thought leaders from Herjavec Group, Sumo Logic and Twitter for drinks, networking and thought-provoking content. What I found particularly engaging and informative was the presentation from Jim Skinner, Technical Program Manager for the Twitter platform.
Jim helped develop the infrastructure that resulted in the Oscar polling card, the World Cup polling card and other interactive experiences found within the Twitter app. He also led the security efforts that allowed Twitter to become PCI compliant.
Twitter, a $17B powerhouse that enables users to send and read short 140-character messages called “tweets”, has seen tremendous growth and now boasts over 304 million monthly active users.
To support this massive social networking service, Twitter has built a large, highly secure private datacenter that runs hundreds of thousands of servers.
With an upcoming PCI audit, Twitter turned to Sumo Logic for help. PCI DSS requirement 10 calls out the need for logging mechanisms to help track, alert and analyze when something goes wrong. More specifically:
- Requirement 10.5.3 calls for the prompt backup of audit trail files to a centralized log server or media that is difficult to alter
- Requirement 10.5.4 calls for the writing of logs for external-facing technologies onto a secure, centralized log server or media device
“We would not have passed our PCI audit in the allotted timeframe if it were not for Sumo Logic,” said Skinner. “Trying to put logging controls into our private cloud could have put the entire infrastructure within scope. Sumo Logic helped us completely segment all of our auditing data from our private cloud environment.”
While Twitter could certainly have done this on their own – given their resources – procuring, deploying and configuring the necessary hardware, software, routers and security policies within their datacenters would have taken a lot of time and money. Time to value was key! Another challenge would have been the sign-offs needed from IT & Security to make changes to their production environment, which one can imagine they take very seriously. This would have required a lengthy review and approval process. It was time and effort that was deemed unnecessary, and it might have injected risk into their upcoming PCI audit.
With Sumo Logic’s numerous security attestations, including PCI DSS 3.0 Service Provider Level 1 and SOC 2 Type II, sending log data to Sumo Logic’s cloud platform was a no-brainer, and it allowed Twitter to easily address PCI requirement 10. Boxes were built with the Sumo Logic collector agent to forward data to the Sumo Logic platform.
As maturity and experience with the Sumo Logic platform increased, Twitter started programming the system to automatically look for what they cared about and to generate alerts in real time should thresholds be exceeded or anomalies be detected against baseline patterns. Sumo Logic’s use of machine learning helped them identify key metrics they would not have found otherwise.
In summary, Twitter was able to take an approach to PCI compliance that reduced scope, time and complexity. “It allowed us to not pollute or have our main datacenter in scope,” said Skinner. “Who really wants to deal with centralized logging and managing the execution environment anyways? This is not sexy. If you want to be an agile digital business, this is not what you want your teams to be working on.”