Q&A with Dave Greenstein of StillSecure

By Dave Greenstein
Wednesday, June 1st 2011

VSM: Who is StillSecure and what products/services do you offer?

DG: We are a managed network security solutions and certified compliance company that designs and delivers a comprehensive portfolio of managed network security and certified compliance solutions for enterprise service providers (data center, telco, cloud, large enterprises). We sell network security software solutions standalone that the customer can manage, or solutions that we can manage for them. Because our focus has been on software, our solutions have been virtualizable since the beginning and are ready for public/private cloud deployment.

Our managed services and compliance solutions are internally developed and specifically created for deployment through co-location, hosted, private and public cloud environments. A cornerstone in our managed security strategy is PCI Complete – a comprehensive, auditor-certified PCI compliance service. Effectively, we are managing as many of the PCI DSS controls (over 90 percent) as possible on behalf of our customers.

On the product side, our flagship offering is Safe Access, one of the leading network access control solutions on the market. We have deployed within 3 out of the 4 military branches, throughout the National Guard, and across a wide range of enterprises.

VSM: What are the biggest hurdles facing companies who need to achieve PCI compliance in a virtual or cloud environment?

DG: As the bar for compliance, and its costs, go up, organizations are searching for ways to reduce the cost and hassle of achieving compliance. One vehicle they are looking to utilize is the cloud. Unfortunately, today there are a number of gaps within public cloud environments that will likely cause a PCI audit to fail. These shortcomings include:

  1. Insufficient Segmentation Capabilities
  2. Lack of Access to Management Controls and Audit Trails
  3. No Actionable Logging Information
  4. Unsecured Physical Environments
  5. No Introspection of Internal Virtual Host Packets
  6. Lack of Implicit Trust in the Hypervisor

Many of these challenges can be solved, but that still won’t guarantee a positive outcome. Specific guidance will be required from the PCI Council to give auditors clear direction on what situations are acceptable and which are not.

VSM: How do StillSecure’s services address these gaps?

DG: Today, in cloud environments managed by our partners, our services can secure all of these gaps. Our managed IDPS service provides inspection of traffic within the virtual host, our virtual firewall service provides sufficient segmentation between trusted and untrusted environments, and our log management service provides auditing up and down the cloud stack. Our partners’ physical environments are certified as compliant to complete the picture. For public clouds, like Amazon EC2, we can fill many of the gaps, but not all of them. Until the PCI Council provides guidance and the public cloud providers follow that guidance, online merchants will have to wait a bit longer.