By Paul Mazzucco, Xand Chief Security Officer
Posted February 21, 2014
With the latest round of credit card and personal data breaches in the news, the release of the new PCI DSS 3.0 Security Standard is timely indeed. The need for data service providers at every level of the transaction process to develop security best practices is now greater than ever.
With Version 3.0, the PCI Security Standards Council (PCI SSC) focuses on flexibility, education, awareness, and security as a shared responsibility. There are several important changes taking place in the jump from Version 2.0 to the new 3.0 framework, and IT Decision Makers will want to make sure their infrastructure and service providers are up to date to ensure maximum levels of security for their critical data.
Key drivers for PCI DSS Version 3.0 include an overall lack of education and awareness from the Council in terms of coverage responsibility, especially in terms of emerging technologies such as Cloud and Virtualization. Weak passwords and authentication challenges, third-party security, slow self-detection in response to malware and other threats, and inconsistency in assessments were also factors in the update.
When surveying the PCI DSS landscape, it’s critical for those charged with protecting cardholder data to be aware of the multiple access points to their information and where responsibility falls when working with complex infrastructure systems. The PCI Council sets various standards and benchmarks for manufacturers, developers, and providers. For example, at Xand our data center facilities fall into the Service Provider category. This places our company under the PCI Data Security Standards (PCI DSS) umbrella. When searching for a managed services provider, be sure that the level of PCI classification is clearly provided upfront, as this is vitally important in determining lines of demarcation in data protection responsibilities.
Lack of knowledge around payment card security and, more telling, poor implementation and maintenance of the PCI standards are huge contributing factors in why security breaches happen. In my role as Chief Security Officer, I spend each day working to make sure Xand’s systems are up to date with the latest compliances. Although the PCI DSS standards serve as a great guide against which we test ourselves, building an overall security policy and a proper employee training program is key to make sure that the human element of our security standards remains tight. Standards of security are unfortunately always playing catch-up against the newest attack vectors and companies cannot simply allow a stamp of compliance to govern their security mandates.
Security is a dynamic field, and those who rest on their laurels often find themselves quickly exposed. When dealing with outsourced solutions providers or managed services vendors, don’t just accept a logo on their website as a rubber stamp for security. Be sure to ask what version of the compliance they adhere to, when the last update was conducted, and how often the organization undertakes audits. These criteria separate the wheat from the chaff in IT security.
With regard to PCI, the PCI Security Standards Council has made several important improvements in the PCI DSS certification in version 3.0. The updated version of PCI DSS tackles the following:
- Provide stronger focus on some of the greater risk areas in the threat environment
- Provide increased clarity on PCI DSS & PA-DSS requirements
- Build greater understanding on the intent of the requirements and how to apply them
- Improve flexibility for all entities implementing, assessing, and building to the Standards
- Drive more consistency among assessors
- Help manage evolving risks / threats
- Align with changes in industry best practices
- Clarify scoping and reporting
- Eliminate redundant sub-requirements and consolidate documentation
Ask your provider which version of PCI DSS they are certified for. Version 2.0 will be supported until December 2014 and many companies will hold off on updating until the last possible moment. With greater transparency and a more nuanced approach to Cloud, Virtualized, and Multi-Tiered environments, taking the extra steps to ensure your provider is up to date with PCI DSS Version 3.0 may save some tremendous security headaches down the road. Updating frameworks can be a cumbersome process, but I felt it was of utmost importance to secure the latest PCI DSS update for Xand to give our clients the maximum level of protection available. Xand is privately owned and funding is in place to fully support security initiatives. However, other providers may be hampered by financial constraints, operational shortfalls, or simply a lack of expertise to keep up on the vast changes coming from PCI.
In addition to maintaining a wide scope of compliances and managing several security systems, I’m often called to take part in client meetings at Xand, where I answer questions and scope out security concerns. The point here isn’t to outline my day (busy!) or sell you on Xand (although we love new customers!) but rather to highlight the importance of having dedicated in-house security personnel. Not every Cloud or Managed Services Provider is in a position to have such dedicated security resources. Use this as another benchmark when seeking a partner for PCI DSS compliant systems.
Overall, the jump from PCI DSS Version 2.0 to 3.0 is an important one, not just for MSPs but for the industry as a whole. Even those who don’t deal directly with cardholder data would do well to seek out infrastructure solutions partners who adhere to PCI DSS mandates, as the practices set forth by the framework can do much to hedge against the risk of an unmitigated security disaster.
The following updates from Day 2 of VMware Partner Exchange 2013 arrive courtesy of Xand Senior Vice President of Technology Denoid Tucker. Take it away, Denoid!
Live Updates from VMware Partner Exchange – Day 2
By Denoid Tucker
Day 2 of the general conference session brought out the two top VMware executives to talk about the focus for VMware in 2013, starting with newly appointed VMware CEO Pat Gelsinger. Pat kept it pretty high-level and boiled the agenda down to three major initiatives: The Software Defined Data Center, Hybrid Cloud, and End-User Computing.
The “Software Defined Data Center” is a term hot on VMware’s lips this year. Pat describes it as essentially abstracting the fundamental components of the data center (compute, storage, and network) and then “pooling” those resources to be used across differing workloads, with the end goal of ultimately automating the delivery and management of those resources.
“Hybrid Cloud” as VMware defines it is their ever-expanding support for the management and integration of other Cloud platforms running alongside VMware products. With VMware’s acquisition of DynamicOps back in July of last year, they now have the ability to provision Cloud services between different hypervisors and Public Cloud providers. The rebranded solution is now called vCloud Automation Center. Based on the features and functionality of the product, vCloud looks to be solidly in line with VMware’s vision for fully managing the entire Cloud ecosystem.
“End User Computing” is VMware’s expanded version of Virtual Desktop Infrastructure (VDI) to include all kinds of devices, including smartphones and tablets, to create an end-to-end platform for workforce mobility. With their newly renamed group of products called Horizon Suite, VMware continues to expand its focus beyond virtualizing desktop environments, with the aim of offering users access anywhere, anytime, and on any device. I believe this will revolutionize the way we all work and interact with the applications we use on a daily basis. Horizon promises to extend the same accessibility that our personal, social, and entertainment mobile apps provide today to enterprise environments. The platform itself is not the end of the discussion, however. The success of End User Computing will ultimately rely on the end-user’s experience. If not designed, deployed, and managed properly, the new suite could create frustration with end-users.
Next up was VMware President and COO Carl Eschenbach. Carl launched right into the numbers and really got the assembled partners fired up about the market opportunity in 2013. Carl reiterated throughout his talk that 85% of all VMware sales come from partners like Xand, and that this share has held steady at that level for several years with no indicators of changing in the future. Eschenbach shared some other interesting statistics as well:
- VMware’s bookings were up 40% from Q3 to Q4 2012.
- They are experiencing 22% Y/Y revenue growth.
- The Managed Services market will grow to $41.5 billion in 2013.
Carl tied these numbers to the fact that VMware sells almost no services to end customers, counting on service providers to provide this role to end-users. VMware continues to be primarily interested in license revenue. Carl also emphasized that the push to the complete Software Defined Data Center resided squarely in the hands of the partner base—VMware is counting on partners to make this future a reality, and their opinion is that the future is bright.
That’s it for today. I will get into some technical details around virtualized storage, sizing and performance pitfalls for high-performance Clouds, and End User Computing later this week.
Denoid Tucker is Xand’s Senior Vice President of Technology.
Members of the Xand Sales, Marketing, Technical, and Operational staff are on site in Las Vegas this week taking part in the VMware Partner Exchange 2013 conference. The VMware Partner Exchange is the year’s largest VMware convention for partners and service providers. The forum is dedicated to educating and enabling providers to sell and deploy VMware products and solutions successfully, as well as to provide them with the latest and greatest updates from VMware.
Our team members provided the following updates live from the convention floor today:
The Software Defined Data Center (SDDC) is the future
Legacy OS dynasties are broken, so it's out with the old and in with the new. The management of these systems has brought the IT industry to its knees.
Traditional Data Centers are still bottlenecks, with the physical network being the #1 roadblock.
- VMware reports that customers who utilize VMware IaaS solutions will save 27% on their IT budgets this year.
- On average, they will also INCREASE revenue through IT operational efficiencies by 22%.
Mobile Solutions on the Horizon
Mobile solutions are complex and nearly impossible for IT managers to handle. VMware’s new Horizon Suite promises to simplify this by securely delivering and managing all of these intricate applications across ALL devices.
Access corporate apps anywhere, anytime, but corporate IT control allows for administrators to set user-based policies for standardization.
VMware estimates enterprises can increase TOTAL worker productivity by 6% once Horizon is rolled out to all end-users.
Jaguar/Land Rover just rolled out Horizon to all of their worldwide employees.
Be sure to check back here at info.xand.com later in the week for more updates from VMware Conference Exchange 2013.
Xand is excited to announce the promotion of Yatish Mishra to President and CEO. Mr. Mishra brings over 26 years of senior IT and executive leadership experience to the Xand team with an extensive background in the data center industry.
“Xand is excited to have landed such an outstanding executive with Yatish’s proven industry track record to lead the company’s continued growth and strategic vision moving forward,” said Brian St. Jean, Partner at ABRY Partners. “His deep understanding of the data center, managed services and cloud computing sectors will strengthen Xand’s ability to maintain their leadership position in the Northeast region.”
Since first coming to Xand in July of 2012, Mishra has overseen tremendous revenue growth, a vast amount of new construction projects, as well as the successful integration of three companies into one leading data center platform.
“I’m thrilled to have been given this opportunity to lead such a talented, well-positioned company as Xand,” said Yatish Mishra. “The ideal geographic location of Xand’s six facilities in the Northeast, combined with our flexible cloud, managed services and business continuity offerings and strong focus upon customer service excellence make us a very attractive play for enterprises with demanding IT infrastructure requirements.”
Please click the link below for the full press release announcement and join us in offering a big congratulations to Yatish!
Click here to download PDF copy of the release.
Our Operations team reports that all Xand data centers are functioning normally, with additional staff onsite at all six locations.
Xand New England’s Marlboro, Mass. site is reporting over 20” of snow on the ground and still more coming down, with wind gusts upwards of 35 MPH. Our Marlboro facility proactively converted to Emergency Generator late last night to avoid stress on the UPS systems, but commercial power remains live at the location.
Please check back here for the latest storm updates, and also follow Xand on Twitter @XandLLC. As always, our Network Operations Centers are available 24x7 to provide updates and information - http://www.xand.com/support/
The National Weather Service is predicting significant snowfall for Massachusetts and Connecticut beginning Friday, February 8, through Saturday, February 9.
Xand has taken precautionary measures to guard against any potential interruption of service during this storm. Our backup generators have been topped off and all fuel vendors are standing by to make further deliveries in the event of an extended commercial power interruption. Special arrangements have also been made to increase staffing levels in order to maintain operations during and after the storm across all Xand facilities.
As always, our New England Network Operations Center (NOC) is available 24x7x365 to provide current status reports. The NOC may be reached by phone at 508-281-7600 x4 or via email at email@example.com. For support in our New York and Pennsylvania facilities, please see www.xand.com/support. You may also reference the Xand website (www.xand.com) and follow us on Twitter @XandLLC for the latest information. Stay safe and thank you for choosing Xand!
Exciting news hitting the wires today by way of a press release: Xand is adding 35,000 square feet of new Disaster Recovery workspace.
When Hurricane Sandy struck the East Coast last fall, our six facilities provided a home to nearly 1,000 customer staff members on site during the storm and throughout its aftermath, with the Valley Forge, Pennsylvania facility hosting nearly half of those alone.
We were even able to accommodate several new clients whose previous providers were unable to meet their Recovery Time Objectives (RTOs). Leveraging our cloud platform, workspace recovery seats and other technologies, we were able to accommodate every client request during the storm, turning no one away, while safely maintaining 100% uptime in all of our data center facilities.
Our CEO, Yatish Mishra, had this to say about Xand's storm response in the press release:
“During Hurricane Sandy, we enabled a multitude of businesses and organizations to rapidly rebound from the devastating effects of the storm,” said Yatish Mishra, Xand’s President & CTO. “With the addition of over 35,000 square feet of brand new workspace, we’re excited to offer even more disaster recovery options for our existing customers, while continuing to welcome new clients who are reassessing their current business continuity needs.”
Please follow the link to our Press Release section to read "Xand Adds Over 35,000 Square Feet of Disaster Recovery Workspace"
A new report from highly cited global analyst firm 451 Research praises Xand's six data center footprint and disaster recovery offerings.
"Xand has chosen its assets wisely," analyst Michael Levy states in the report. "By purchasing facilities on the periphery or outside of city centers on the East Coast, it positions itself as a primary disaster-recovery provider for Boston, New York and Philadelphia. Its geography redundancy is strong and its operations are neat and seamless."
The report also highlights Xand's concentrated efforts to expand Data Center and Disaster Recovery square footage across all locations and also praises the strategic location and stability of our Westchester County facility, which services the NYC Metro market.
"The area has faced three major incidents in the past 10 years that disrupted datacenter services – 9/11, the 2003 blackout and most recently, Hurricane Sandy – Xand believes the market will take disaster recovery very seriously from this point forward and look not only to its Hawthorne facility, but its Pennsylvania and Massachusetts locations as well. Xand did not suffer a single minute of downtime during any of these events," the report states.
The report goes on to cover the increased demand for Xand's proven Disaster Recovery services following the devastating events of Hurricane Sandy.
To learn more about how Xand can help your organization develop primary, secondary, and even tertiary business continuity and disaster recovery plans, please visit www.xand.com.
Please join Xand this week at a pair of technology trade shows:
I.) The Connecticut Technology Council’s Annual IT Summit – Thursday, November 29 at Mohegan Sun in Uncasville, CT. Xand will participate in the afternoon panel forum, “The Cloud for SMBs: Three Case Studies” from 1:00 p.m. to 2:15 p.m.
II.) IMN Data Center Conference – Thursday, November 29 and Friday, November 30 in Santa Clara, CA. Xand will be participating in the morning panel, “Competing against the Amazon Model” from 11:55 a.m. to 12:40 p.m.
HAWTHORNE, N.Y., September 13, 2012 – Xand, a leading northeast data center, cloud and managed services provider for the enterprise, today announced the appointment of Yatish Mishra as President and Chief Technology Officer. In this role, Mishra will lead both the business and technology strategy for the company, including colocation, cloud, managed services and business continuity products and services. He brings over 26 years of senior IT and executive leadership experience to the Xand team, most recently as the co-founder, President and CEO of RagingWire, a leading California-based data center firm with multiple facilities across the United States.
Brian St. Jean of ABRY Partners commented on the hiring by saying, “Adding a data center veteran like Yatish is a tremendous victory for Xand. Our customers will now have the benefit of his strong business leadership and technology background to guide future Xand cloud and managed services offerings, as well as to shape the corporate vision.”
Xand recently acquired DBSi of Pennsylvania and Access Northeast of Massachusetts to become one of the largest data center firms on the east coast, with six facilities within the region.
“I'm excited to come onboard with Xand at such an important time for the company,” said Mishra. “I look forward to scaling the company and continue the momentum built by the existing management team to become a dominant player in the east coast region while continuing to deliver exceptional support to our valued customers.”
As part of his twelve-year stint at RagingWire, Mishra served as President and CEO and led the company from inception to record growth in revenue and profitability during his tenure. Prior to that, he was the corporate Vice President of Information Technology at Photronics, Inc., a public company servicing the semiconductor industry, where he oversaw all global IT infrastructure and applications. Mishra was a finalist in both 2007 and 2010 for the Ernst and Young Entrepreneur of the Year Program. He was granted both United States and European patents in the field of IT systems automation and data center power designs. Mishra holds a degree in Applied Physics with a specialty in Physical Electronics from the University of California, Davis.
Xand is a highly resilient facilities-based provider of data center managed services. For more than two decades, Xand has designed, built and managed IT infrastructure services which allow enterprises to maximize their critical application performance and availability. With data centers in New York, Pennsylvania, Connecticut and Massachusetts, Xand is able to offer colocation, cloud, enterprise hosting, managed services, business continuity, disaster recovery and wide area networking throughout the region via its best-in-class facilities, engineering expertise, and commitment to customer service excellence.
For more information, please visit http://www.xand.com.
About ABRY Partners
Founded in 1989, ABRY is one of the most experienced media, communications, and business information services sector-focused private equity investment firms in North America. ABRY has completed over $27 billion of transactions, representing investments in more than 450 properties. The firm is currently managing over $3.5 billion of total capital and investing out of a $1.6 billion private equity fund, $750 million senior equity/mezzanine fund and a $1.2 billion senior debt fund. ABRY has extensive data center and communications investing experience through investments such as CyrusOne, Datapipe, e-Shelter, Hosted Solutions, Masergy, Sidera, Sentrum Holdings, Telx, and Q9 Networks.