Layered protection in the cloud

Layered Technolgies Inc.'s exhibit at the Electronic Transactions Association's 2012 Annual Meeting & Expo was notable for two reasons, according to Jeff Reich, the company's Chief Risk Officer. First, Layered Tech, known for its compliant managed hosting services, was about to launch a compliant cloud offering.

Second, as a hosting service it was uniquely positioned among the event's exhibitor categories. "There are clouds, and there are clouds that can be made compliant, but there is no compliant cloud offering," Reich said at the time.

Then, in September 2012, the company officially launched the Layered Tech Cloud Data Center, a next-generation cloud platform that combines Layer Tech's complete management, security and compliance capabilities with self-service functionality. "Layered Tech's next-gen cloud allows enterprises to run their critical workloads in a cloud environment to accommodate complex security needs and meet PCI-DSS and HIPAA compliance requirements," Kevin Van Mondrans, Layered Tech Vice President of Product stated during the launch.

Reich added that Layered Tech guarantees "that if you host your compliance services with us, you will pass every compliance audit you face," noting that six months after introducing the guarantee, all of the company's compliance hosting clients had passed 100 percent of their compliance audits.

Building a better cloud community

As a founding member of the Cloud Security Alliance with over 30 years experience in risk management and data security, Reich understands the complex compliance methodologies and control techniques that are necessary to create secure shared virtual environments.

"What we're doing is creating what would be called a community cloud by the NIST [National Institute of Standards and Technology] definition," Reich said. "If we have five different customers that want to buy a compliant cloud, if two of them are ISOs, we will put both of them in the ISO component in the community cloud." Competitors may share collective space in the cloud, but built-in security measures prevent cloud neighbors from being aware of one another.

The true advantage of such groupings is that similar businesses tend to share common compliance needs, especially in the area of risk management, Reich said, adding that addressing these core needs greatly diminishes the data security risk spectrum within individual communities. "All of your neighbors have the same concerns and security levels that you have," Reich noted.

Layered Tech works with ISOs at various points, from basic hosting to transmitting data. "If you're going to have any computing hosting needs along the payment chain, what we do is we can branch out on that and get a lot of what you do out of scope ... to make your scope as narrow as possible," Reich said. The company works directly with a number of multichannel merchants, and indirectly with smaller merchants through service providers and aggregators.

Taking on responsibility for compliance issues and managing them on behalf of clients is Layered Tech's specialty. "The compliance and security team only focuses on the compliance and security of and for our customers, period," Reich said. "Secondarily, we work with, in the PCI space in particular, all the QSAs." He believes this combination can shorten the assessment process and reduce overall compliance costs.

To ensure peak performance and system continuity, Layered Tech said it operates multiple data centers at strategic locations throughout the globe; it also boasts a fully redundant infrastructure with automated failover and offsite data replication.

Rising to the challenge

Much like the card brand mandates stipulating U.S. migration to the Europay/MasterCard/Visa payment standard, the heath-care industry and government agencies are responding to mandates to implement standards that will address data security within networks and across the cloud.

When Layered Tech first opened in 2004, it initially offered hosting hardware and software solutions. A few years later the company introduced a cloud hosting and virtualization solution portfolio. It then expanded its hosting and consulting capabilities with the purchase of FastServers.net in 2008.

In 2010, Layered Tech purchased GreenSoft Solutions Inc., a Payment Card Industry (PCI) Data Security Standard (DSS) compliant hosting and managed services provider. In 2012, the company acquired New World Apps, a firm specializing in Federal Information Security Management Act (FISMA) compliant solutions that target government agencies.

Reich sees a tremendous opportunity for service providers who cater to government entities. Nate Brancato, Layered Tech Senior Vice President of Sales and Marketing agreed, noting that commercial solutions for government are needed at every level.

"You have a small, local entity collecting payments for something," Brancato said. "They most likely are going to have to adhere to PCI, but they're going to be sensitive to security just because they're a government entity. We see the market going that direction long term."

Layered Tech also helps medical professionals meet Health Insurance Portability and Accountability Act (HIPAA) compliance requirements. "With the electronic records mandate that exists, they are all going to have to be converting to electronic records," Reich said. "A lot of hospitals don't wish to tackle the learning curve involved.

"That's fine with me. We're not going to do the applications. We're not going to manage those records for them. That's something they have to do. But we are going to be working with the companies that are doing that and say, 'Here's a safe, secure, compliant way to host that.'"

Defining the layers

Layered Tech stated its compliance package delivers four layers of protection. The first layer provides 24/7 monitoring of systems servers and applications, websites, ftp sites, mail services and other network resources. Layer 1 covers up to 10 system monitoring points and one site monitoring check per device; extra units may be added.

For businesses that require supplemental information technology staff support, Layer 2 provides active support of client base management and system configurations. The second layer reportedly can be applied to any system or network device, and offers scalability for enterprise-level management of database software.

Layer 3 provides full management and was designed for business-critical solutions and systems that need to operate at peak performance around the clock.

Geared for more complex business environments, Level 3 delivers a highly customizable, proactive service level and features enhanced system management tools from a variety of resources. Layered Tech maintains a vendor agnostic approach, so tools are constantly upgraded for maximum performance, the company noted.

Layer 4, compliance management, includes the Compliance Guaranteed pledge and targets businesses that employ advanced security measures to satisfy more stringent data security standards, including HIPAA and PCI DSS, among others.

For ISO and multichannel retail clients, Layered Tech monitors and manages all applications and systems including intrusion protection, web application firewalls, system logs, incident responses, defense against denial of distributed service attacks, server compromises, and system patches, among its top priorities.

An ISO/MLS selling framework

According to Brancato, Layered Tech offers both a referral program and a reseller program for ISOs and merchant level salespeople (MLSs). Brancato believes the referral program is especially applicable for ISOs with their own gateways.

ISOs can put Layered Tech's software on the gateway "and have Layered Tech managing the infrastructure and handling all the compliance at that layer - they can still focus on their core competency, which is providing services to the merchant," he said.

Layered Tech's reseller program permits ISOs and MLSs to be more involved in the merchant's managed hosting relationship. "They may want to stay engaged in the relationship," Brancato stated. "It really depends on how close they want to get to the managed services hosting business."

Notice to readers: These are archived articles. Contact names or information may be out of date. We regret any inconvenience.