Linkable has also looked to TBG to provide required compliance services such as vulnerability scanning and penetration testing, Correra says. "One of the key recommendations was about investing in some technology that enables us to efficiently incorporate static byte code scans of our platform," he says. "While our initial scans didn't reveal that we had a long list of issues to resolve, we did discover some areas that we thought were important to improve upon."
One of the challenges of the initiative is the company's nearly exclusive use of cloud computing resources, with the entire computing infrastructure on Amazon's public cloud.
"We found that there was plenty of information, best practices, technologies and implementation examples that pre-date [the] cloud environment but far less that accounted for cloud deployments such as ours, and nearly nothing that actually took advantage of some of the natural benefits of clouds," Correra says.
"When the PCI standards were developed, they didn't take into account the challenges of shared environments that cloud computing presents today," says Gorsline. "That being the case, we've had to do more extensive penetration testing to not only ensure that Linkable Networks' data is protected, but that we could not gain access to any other data that might be shared in the cloud environment."
The verification process becomes a bit more cumbersome in this type of environment, Gorsline says, "since we're relying on a third party, in this case Amazon, to report and ensure compliance with the regulations. And then we need to verify that compliance with a limited toolset provided by Amazon."
Over the next year Linkable Networks will let everything it has deployed and learned "soak in" while it practices the new security procedures and makes small improvements as needed, Correra says. "Beyond these short-term goals, we'll keep an eye on some of the emerging security tools and technologies that are specifically geared to cloud environments and look for opportunities to improve the efficiency of our security program," he says.