One of the most common regulations out there is PCI, which helps ensure the security of financial and personal information for payment card transactions. Any organization that accepts credit card payments, or stores, processes and transmits cardholder data, must be PCI compliant. That means most organizations, from not-for-profits to small businesses to large corporations, must comply. Non-compliance can result in costly fines or worse: data breaches, a loss of customer trust, and lasting brand damage.
For organizations adopting cloud, maintaining PCI compliance brings new challenges. PCI governs how IT infrastructure, such as servers, networks, and databases, must be configured to ensure data is protected at all times. But in the cloud, infrastructure is programmable and API-driven. The dynamic nature of cloud infrastructure is great for innovating fast, but how can you continuously enforce PCI compliance for cloud environments that are constantly changing? How can you identify misconfigurations and policy violations the moment they occur and fix them automatically? How can you demonstrate PCI compliance at all times to auditors and regulators?
One organization doing just that is GlobalGiving, the largest global crowdfunding community that connects nonprofits, donors, and companies and has raised more than $320 million for thousands of projects around the world. The security of the personal and financial data they handle is critical to maintaining the trust of their partners, and maintaining PCI compliance at all times is a hard requirement.
GlobalGiving manages large, complex systems that handle financial data and transactions, and they must maintain PCI controls for things like network segmentation, data encryption, and least-privilege access control. In order to move to the cloud, GlobalGiving needed to demonstrate to their partners that their cloud infrastructure configurations wouldn't drift out of compliance once running.
As Justin Rupp, Senior Systems Architect at GlobalGiving puts it, “monitoring and alerts on cloud deployments aren’t good enough for us. We can’t afford to have misconfigurations or unauthorized changes happen in the first place.”
GlobalGiving turned to Fugue for assistance with its compliance requirements as the company migrated its systems to Amazon Web Services (AWS). Using Fugue's "policy as code" approach, they were able to automate and enforce controls for their infrastructure configurations. This means that infrastructure that contains policy violations can't be deployed. And once deployed, any unauthorized changes to their cloud environments are quickly and automatically remediated back to the provisioned baseline, ensuring that their infrastructure is always in compliance with PCI regulations.
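As an added illustration (not Fugue's or GlobalGiving's code), the two mechanisms described above, a pre-deployment policy gate for the three control areas named earlier and drift detection with remediation back to the provisioned baseline, run over a constructed AWS-style resource model; the resource ids, attributes and policy rules are assumptions.

```python
import copy
# Constructed baseline (not real GlobalGiving infrastructure): the state that
# passed the policy checks and was provisioned.
BASELINE = {
    "sg-cardholder-db": {"type": "security_group",
                         "ingress": [{"cidr": "10.0.1.0/24", "port": 5432}]},
    "db-cardholder": {"type": "rds", "encrypted": True},
    "role-app": {"type": "iam_role", "actions": ["s3:GetObject", "kms:Decrypt"]},
}

def check_segmentation(rid, res):
    # Network segmentation: no internet-wide ingress into the cardholder environment.
    return [f"{rid}: ingress open to {r['cidr']}" for r in res.get("ingress", [])
            if r["cidr"] in ("0.0.0.0/0", "::/0")]

def check_encryption(rid, res):
    # Data encryption: cardholder data stores must be encrypted at rest.
    return [] if res.get("encrypted") else [f"{rid}: not encrypted at rest"]

def check_least_privilege(rid, res):
    # Least-privilege access: no wildcard IAM actions.
    return [f"{rid}: wildcard action {a}" for a in res.get("actions", [])
            if a == "*" or a.endswith(":*")]

CHECKS = {"security_group": check_segmentation, "rds": check_encryption,
          "iam_role": check_least_privilege}

def evaluate(config):
    """Pre-deployment gate: return violations; an empty list means it may deploy."""
    return [v for rid, res in config.items()
            for v in CHECKS.get(res["type"], lambda *_: [])(rid, res)]

def detect_drift(baseline, observed):
    """Resource id -> baseline state for resources that changed or went missing,
    and -> None for unauthorized resources that appeared."""
    drift = {rid: st for rid, st in baseline.items() if observed.get(rid) != st}
    drift.update({rid: None for rid in observed if rid not in baseline})
    return drift

def remediate(baseline, observed):
    """Revert the observed environment to the provisioned baseline."""
    fixed = copy.deepcopy(observed)
    for rid, st in detect_drift(baseline, observed).items():
        if st is None:
            fixed.pop(rid)
        else:
            fixed[rid] = copy.deepcopy(st)
    return fixed
```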
View the GlobalGiving case study.