Rackspace Unveils Bundle of PCI Compliance Joy
Rackspace tries to put an end to the guessing game behind PCI solutions.
Managed IT hosting provider Rackspace has released a bundled solution that will help clients achieve PCI compliance. Clients can buy the entire bundle or get the individual solutions piecemeal.
The bundle, known as the PCI Toolbox, consists of standard components such as anti-virus protection, customer network scanning services, firewall services, intrusion detection systems, and log and patch management services.
It also includes Rackspace's support team of experienced security professionals, who will modify the Toolbox offerings in line with changing PCI requirements.
"In many cases, customers are left to fend for themselves; we're putting the pieces together into our compliance framework," Rackspace security product manager Bret Piatt told InternetNews.com.
The security experts are drawn from two groups. One deals purely with security and ensures the Toolbox "is really good security overall," and the other handles Rackspace's internal audits, Piatt said.
Rackspace provides all the compliance tools needed for the infrastructure, such as a secure data center, firewalls, log and patch management and antivirus. However, the customer still has to follow proper application development and security procedures.
"A lot of our customers want to focus on what they feel is the right security for their business, but at the same time they want to be compliant, so they want a partner that will map out what's needed for compliance in an easy-to-handle manner," Piatt said.
"Rackspace already had a bunch of different point services that impacted PCI compliance, but customers needed to ask for them, and it was a fishing expedition," Daniel Golding, vice president and research director at Tier1 Research, told InternetNews.com.
While "a lot of other managed hosting providers" also offer pieces of the PCI puzzle and are internally compliant, Rackspace is the first one that has packaged them into a bundle, Golding said.
However, tools to address the requirements of PCI-DSS 6.6, which became mandatory June 30, are not included in the Rackspace PCI Toolbox.
The PCI-DSS 6.6 standard requires that enterprises either put a Web application firewall in front of their customer-facing applications, or examine and harden their application code.
Rackspace is not offering Web application firewalls, because "a lot of Web application firewalls are immature and hard to deploy, and we're not sure they're workable in a hosted production environment right now," Piatt said.
And it does not want to get into examining clients' application code because it wants to retain its focus on providing infrastructure solutions.
Rackspace is not alone in its move to offer PCI compliance capabilities -- DataPipe, which considers its only competition in the IT managed hosting space to be IBM, offers security well beyond the 12 requirements of PCI-DSS.
"We've rewritten our internal organizational policies so they meet or exceed PCI policies," DataPipe chief security officer Joel Friedman told InternetNews.com.