The announcement of our PCI compliance ROC is the manifestation of a plan we’ve been following for four years. Compliance has been top of mind since the inception of our business. I remember sharing our first product roadmap with our Board of Directors in late 2012 and illustrating the importance of PCI and HIPAA compliance as a future state. Fast forward four years, and here we are… I love it when a plan comes together!
Early on, we knew that compliance and security were big drivers of our flagship product, the cloud-delivered desktop. We hung our hat on high performance with security and controls delivered through our desktops. We also knew that we had to build the entire platform from the ground up to prove the security and controls were auditable. This is really what compliance is: taking all the security and controls and proving they are enforced via technology, policy, processes and procedures. We’ve spent the recent months maturing our technology, policies, processes, procedures, controls and alerting to confidently pursue PCI and HIPAA compliance. This set of technology and practices is now built into everything we do. We believe that having compliance interwoven into how we operate holistically makes it easier for us to comply long-term and differentiates us in the market. In order to get here, we had to address four key areas:
- Ensure we had a solid set of processes and procedures to govern how we operate.
We had volumes of documentation around how we operate, with compliance DNA running through it all. The problem was aligning this documentation to distinct policies and procedures that reference each other with consistency. Our approach to solving this was to treat documentation as an ecosystem from the top down. This top-down approach allowed us to create solid controls and documentation with a clear hierarchy, vs. loosely coupled words on paper that never happen in reality.
- Evolve our platform architecture to deliver a high-end user experience, despite the additional encryption and monitoring on the network, storage and compute.
One of the key differentiators of our desktops is performance, and we could not sacrifice that for compliance. To marry the two, we doubled our storage performance and increased CPU and RAM density. We also reduced our storage failover time from 30 seconds to 8 seconds. The net result is a faster, more resilient platform that maintains or improves upon past performance.
- Overlay new technology on the platform that directly corresponds to and delivers on the PCI controls.
This essentially means ensuring operational excellence while rapidly adopting new technology. We accomplished this with relative ease because of the time spent writing and practicing our policies and procedures. The organized, hierarchical documentation created a blueprint to implement the technology. It’s amazing what you can build and how quickly it can be done when you have a clear roadmap.
- Find the right partner to go through the process with.
Being nimble, accurate and quick is essential to how we operate at Dizzion. Choosing a partner who could keep up with us and not get bogged down in bureaucracy was critical. We chose Coalfire as our partner because of their deep experience working with cloud companies. Additionally, their thorough approach and attention to detail set them apart. Because they have worked with so many other cloud and managed services companies, they knew the potential hurdles and pitfalls we might encounter during the entire audit process. The great thing was that we were prepared and met every requirement they challenged us on.
We are so excited about the new compliance suite of products because it solves huge pain points our customers feel every day. Many of our customers have to be compliant; it’s not a choice. It is a business requirement and most likely a massive distraction from that company’s core business. The nature of our cloud-delivered desktops inherently means greater security, data control and end-user governance. With the addition of the compliance controls we’ve added for PCI and HIPAA, our solutions can drive even more value for our customers by significantly reducing the amount of work needed to meet and maintain these standards.