Building a PCI Compliance Solution on AWS

Lahav Savir, CEO & Architect, Emind Cloud Experts

Building PCI Compliance Solution on AWS - Pop-up Loft Tel Aviv


A Global Expert in Cloud Enablement for Products, SaaS ISV, and Online Solutions

Top Level Partnership

Under NDA - Commercially Sensitive

A “Cloud-native” MSP

Market Guide for Managed Service Providers on Amazon Web Services (Lydia Leong, Oct. 2015)

“Amazon Web Services does not offer managed services, but many customers want to use AWS as a cloud IaaS and PaaS platform, while outsourcing IT operations or application management. AWS's ecosystem of MSP partners can fulfill this need.”

https://www.gartner.com/doc/3157620/market-guide-managed-service-providers

“Common Types of MSPs (on AWS) with Example References

● Cloud-native MSPs. These MSPs were either founded specifically to provide services on cloud IaaS, or pivoted to entirely focus their business on these services. Many of these MSPs are AWS-specific. Examples include 2nd Watch, Cloudnexa, Cloudreach, Emind and Minjar”

Assessing the Risk: Yes, the Cloud Can Be More Secure Than Your On-Premises Environment

IDC, July 2015

Why is the Cloud more Secure?

● More segmentation (separation)
● More encryption
● Stronger authentication
● More logging and monitoring

Security in the Cloud

Security of the Cloud

PCI DSS is a standard that specifies best practices and various security controls.

● Build and maintain a secure network
● Protect cardholder data
● Maintain a vulnerability management program
● Implement strong security measures
● Regularly test and monitor networks
● Maintain an information security policy

AWS Services that are PCI Compliant

● Auto Scaling
● AWS CloudFormation
● Amazon CloudFront
● AWS CloudHSM
● AWS CloudTrail
● AWS Direct Connect
● Amazon DynamoDB
● AWS Elastic Beanstalk
● Amazon Elastic Block Store (EBS)
● Amazon Elastic Compute Cloud (EC2)
● Elastic Load Balancing (ELB)
● Amazon Elastic MapReduce (EMR)
● Amazon Glacier
● AWS Key Management Service (KMS)
● AWS Identity and Access Management (IAM)
● Amazon Redshift
● Amazon Relational Database Service (RDS)
● Amazon Route 53
● Amazon SimpleDB
● Amazon Simple Storage Service (S3)
● Amazon Simple Queue Service (SQS)
● Amazon Simple Workflow Service (SWF)
● Amazon Virtual Private Cloud (VPC)

PCI Architecture Principles

● Restricted Network Access
● Vulnerability Protection
● Encryption
● Authentication and Identification
● High Availability
● Scalability
● Change Control
● Disaster Recovery
● Monitoring
● Auditing

Restricted Network Access

The Basics
● VPC
● NACL
● Security Groups

Inbound Traffic
● WAF

Outbound Traffic
● Web Filtering
● Threat Protection
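Security groups are the control most often misconfigured in practice, so a compliance build should check them continuously rather than once. The script below is an added example (not code from the talk or from Emind): it walks a constructed subset of what boto3's `ec2.describe_security_groups()` returns and flags every ingress rule open to the whole internet, rating it HIGH when the rule exposes an administrative or database port. `SENSITIVE_PORTS` and the sample group ids are assumptions.

```python
"""Audit EC2 security groups for ingress rules open to the whole internet.

Added example; not code from the talk or from Emind. SAMPLE_GROUPS is a
constructed subset of the "SecurityGroups" list that boto3's
ec2.describe_security_groups() returns, so the check runs offline.
"""
import ipaddress

# Ports that should never be reachable from 0.0.0.0/0 in a cardholder data
# environment (assumed list: remote admin, databases, caches).
SENSITIVE_PORTS = {22, 3389, 1433, 3306, 5432, 6379, 27017}

# Constructed sample in the describe_security_groups() shape.
SAMPLE_GROUPS = [
    {
        "GroupId": "sg-0aaa111",
        "GroupName": "web-elb",
        "IpPermissions": [
            # HTTPS from anywhere: expected on a public load balancer.
            {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}],
             "Ipv6Ranges": [{"CidrIpv6": "::/0"}], "UserIdGroupPairs": []},
        ],
    },
    {
        "GroupId": "sg-0bbb222",
        "GroupName": "db",
        "IpPermissions": [
            # MySQL from anywhere: the finding we want to catch.
            {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [],
             "UserIdGroupPairs": []},
            # SSH only from the bastion subnet: fine.
            {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
             "IpRanges": [{"CidrIp": "10.0.1.0/24"}], "Ipv6Ranges": [],
             "UserIdGroupPairs": []},
            # All traffic from the web tier's security group: fine.
            {"IpProtocol": "-1", "IpRanges": [], "Ipv6Ranges": [],
             "UserIdGroupPairs": [{"GroupId": "sg-0aaa111"}]},
        ],
    },
]


def is_world_open(cidr):
    """True for 0.0.0.0/0 or ::/0 (a zero-length prefix)."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def rule_ports(perm):
    """Port range a permission covers; protocol -1 means every port."""
    if perm.get("IpProtocol") == "-1":
        return 0, 65535
    return perm.get("FromPort", 0), perm.get("ToPort", 65535)


def rule_cidrs(perm):
    """Yield every IPv4 and IPv6 CIDR a permission allows."""
    for r in perm.get("IpRanges", []):
        yield r["CidrIp"]
    for r in perm.get("Ipv6Ranges", []):
        yield r["CidrIpv6"]


def audit_security_groups(groups):
    """One finding per world-open rule; HIGH when it exposes a sensitive port."""
    findings = []
    for group in groups:
        for perm in group.get("IpPermissions", []):
            low, high = rule_ports(perm)
            exposed = sorted(p for p in SENSITIVE_PORTS if low <= p <= high)
            for cidr in rule_cidrs(perm):
                if not is_world_open(cidr):
                    continue  # scoped to a CIDR or to another security group
                findings.append({
                    "group": group["GroupId"],
                    "name": group["GroupName"],
                    "ports": f"{low}-{high}",
                    "cidr": cidr,
                    "sensitive_ports": exposed,
                    "severity": "HIGH" if exposed else "INFO",
                })
    return findings


if __name__ == "__main__":
    for f in audit_security_groups(SAMPLE_GROUPS):
        print(f"{f['severity']:4} {f['group']} ({f['name']}) ports {f['ports']} "
              f"from {f['cidr']} sensitive={f['sensitive_ports']}")
```

Rules that reference another security group (`UserIdGroupPairs`) are skipped on purpose: they are the pattern the deck recommends, since the database tier then trusts the web tier's group rather than an address range. The INFO findings on 443 are kept in the output so the reviewer can confirm that only the load balancer is exposed.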

Vulnerability Protection

● File Integrity Monitoring
● Anti Virus
● Traffic Content
● Traffic Reputation

Encryption

Why Encryption?
Traffic can be captured
Volumes can be accessed
Data may be stolen

Data In Transit
● End-to-End Encryption
  ○ WAF, ELB, App Server
  ○ DB

Data at Rest
● EBS Encryption
● RDS Encryption
● Sensitive Data (using KMS)
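"End-to-end" is the part that is easy to get wrong: an HTTPS listener on the ELB with an HTTP back end terminates TLS at the load balancer and sends cardholder traffic to the app servers in the clear. The check below is an added example (not code from the talk or from Emind) covering both slides: it inspects constructed subsets of what boto3's `elb.describe_load_balancers()`, `ec2.describe_volumes()` and `rds.describe_db_instances()` return, flags cleartext listener legs, unencrypted volumes and databases, and separates resources encrypted under the AWS-managed key from those under a customer-managed KMS key. The account id, key ARNs and the `CUSTOMER_MANAGED_KEYS` set are placeholders; in a real run that set would be built from `kms.list_keys()` and `kms.describe_key()`.

```python
"""Check encryption in transit (classic ELB listeners) and at rest (EBS, RDS).

Added example; not code from the talk or from Emind. Inputs are constructed
subsets of the boto3 describe_* response shapes; ACCOUNT and the key ARNs are
placeholders, and CUSTOMER_MANAGED_KEYS is assumed to hold the ARNs whose
kms.describe_key() KeyMetadata.KeyManager is "CUSTOMER" rather than "AWS".
"""

ACCOUNT = "111122223333"  # placeholder account id
CMK = f"arn:aws:kms:eu-west-1:{ACCOUNT}:key/11111111-2222-3333-4444-555555555555"
AWS_MANAGED = f"arn:aws:kms:eu-west-1:{ACCOUNT}:key/aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"
CUSTOMER_MANAGED_KEYS = {CMK}

# Classic ELB listener protocols that carry TLS.
SECURE_PROTOCOLS = {"HTTPS", "SSL"}

SAMPLE_LOAD_BALANCERS = [
    {"LoadBalancerName": "web-elb", "ListenerDescriptions": [
        # HTTPS at the edge but plain HTTP to the instances: TLS ends at the ELB.
        {"Listener": {"Protocol": "HTTPS", "LoadBalancerPort": 443,
                      "InstanceProtocol": "HTTP", "InstancePort": 80}},
    ]},
    {"LoadBalancerName": "api-elb", "ListenerDescriptions": [
        # TLS on both legs: end-to-end.
        {"Listener": {"Protocol": "HTTPS", "LoadBalancerPort": 443,
                      "InstanceProtocol": "HTTPS", "InstancePort": 443}},
        # A plain HTTP listener left enabled.
        {"Listener": {"Protocol": "HTTP", "LoadBalancerPort": 80,
                      "InstanceProtocol": "HTTP", "InstancePort": 80}},
    ]},
]

SAMPLE_VOLUMES = [
    {"VolumeId": "vol-0a1", "Encrypted": True, "KmsKeyId": CMK},
    {"VolumeId": "vol-0a2", "Encrypted": False},
    {"VolumeId": "vol-0a3", "Encrypted": True, "KmsKeyId": AWS_MANAGED},
]

SAMPLE_DB_INSTANCES = [
    {"DBInstanceIdentifier": "cards-db", "StorageEncrypted": True, "KmsKeyId": CMK},
    {"DBInstanceIdentifier": "reporting-db", "StorageEncrypted": False},
]


def audit_listeners(load_balancers):
    """One finding per listener that carries traffic in the clear on either leg."""
    findings = []
    for lb in load_balancers:
        for desc in lb.get("ListenerDescriptions", []):
            listener = desc["Listener"]
            where = f"{lb['LoadBalancerName']}:{listener['LoadBalancerPort']}"
            if listener["Protocol"] not in SECURE_PROTOCOLS:
                findings.append((where, "CLEARTEXT_FRONTEND"))
            elif listener["InstanceProtocol"] not in SECURE_PROTOCOLS:
                findings.append((where, "TLS_TERMINATED_AT_ELB"))
    return findings


def _at_rest_issue(encrypted, key_id, cmk_arns):
    """Issue for one resource: unencrypted, or encrypted under an AWS-managed key."""
    if not encrypted:
        return "UNENCRYPTED"
    if key_id not in cmk_arns:
        return "AWS_MANAGED_KEY"
    return None


def audit_volumes(volumes, cmk_arns=CUSTOMER_MANAGED_KEYS):
    """(VolumeId, issue) for every EBS volume that fails the at-rest policy."""
    findings = []
    for vol in volumes:
        issue = _at_rest_issue(vol.get("Encrypted", False), vol.get("KmsKeyId"), cmk_arns)
        if issue:
            findings.append((vol["VolumeId"], issue))
    return findings


def audit_db_instances(db_instances, cmk_arns=CUSTOMER_MANAGED_KEYS):
    """(DBInstanceIdentifier, issue) for every RDS instance that fails the policy."""
    findings = []
    for db in db_instances:
        issue = _at_rest_issue(db.get("StorageEncrypted", False), db.get("KmsKeyId"), cmk_arns)
        if issue:
            findings.append((db["DBInstanceIdentifier"], issue))
    return findings


if __name__ == "__main__":
    for finding in (audit_listeners(SAMPLE_LOAD_BALANCERS) + audit_volumes(SAMPLE_VOLUMES)
                    + audit_db_instances(SAMPLE_DB_INSTANCES)):
        print(*finding)
```

The AWS-managed key case is reported separately rather than ignored because a customer-managed key is what gives you an editable key policy, your own rotation schedule and per-key CloudTrail evidence of who used it; whether that is required for a given data class is a policy decision, so the finding carries its own label instead of being folded into UNENCRYPTED.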

Authentication and Identification

Single Identity Provider
● Single Password Policy
● Single Lock Policy
● Single OTP
● Single Login Audit
● Same username used across all resources

Where do we Authenticate?
● AWS Console
● Network Access / VPN
● Bastion / Jump Server
● EC2 Instances
● Build Server
● Log Server
● Monitoring System
● ...

● Don't mix Corporate and Cloud Resources
● Minimize Replication
● Maximize Federation

Active Directory Integration using Onelogin Active Directory Connector (ADC)

Login to:
● AWS Console Access via SAML Federation
● VPN Using Radius

No need for IAM Users

Login to:
● Bastion Server
  ○ LDAP
  ○ Radius
● EC2 Instance
  ○ LDAP
  ○ Kerberos
  ○ SSH Keys

Login to:
● Build Server
  ○ LDAP
  ○ SAML
  ○ OpenID
● Log Server
  ○ LDAP

Login to:
● Monitoring System
  ○ SAML
● Other external systems
  ○ Pingdom
  ○ New Relic
  ○ Sumo Logic
  ○ ...
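If console access goes through SAML federation and the single identity provider enforces the password, lockout and OTP policies, then every IAM user that still has a console password or a long-lived access key is a gap in that model and should show up in an audit. The script below is an added example (not code from the talk or from Emind): it parses a constructed, column-trimmed version of the CSV that `iam.get_credential_report()` returns and applies a federation-first rule set. User names, ARNs, dates and the 90-day `MAX_KEY_AGE` are assumptions.

```python
"""Audit an IAM credential report against a federation-first policy.

Added example; not code from the talk or from Emind. SAMPLE_REPORT is a
constructed, column-trimmed version of the CSV that iam.get_credential_report()
returns (its Content field is the CSV as bytes); a real report has more columns
(password_last_changed, access_key_2_*, cert_*) that these rules do not read.
"""
import csv
import io
from datetime import datetime, timedelta, timezone

MAX_KEY_AGE = timedelta(days=90)  # assumed rotation policy

SAMPLE_REPORT = """\
user,arn,password_enabled,password_last_used,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date
<root_account>,arn:aws:iam::111122223333:root,not_supported,2015-11-20T08:15:00+00:00,true,true,2014-01-10T09:00:00+00:00,2015-11-19T07:00:00+00:00
alice,arn:aws:iam::111122223333:user/alice,true,2015-11-28T10:00:00+00:00,false,false,N/A,N/A
deploy-bot,arn:aws:iam::111122223333:user/deploy-bot,false,no_information,false,true,2015-10-15T00:00:00+00:00,2015-11-30T12:00:00+00:00
legacy-svc,arn:aws:iam::111122223333:user/legacy-svc,false,no_information,false,true,2015-03-01T00:00:00+00:00,N/A
"""

# Constructed "now" so the age checks are reproducible.
REFERENCE_TIME = datetime(2015, 12, 1, tzinfo=timezone.utc)


def parse_report(csv_text):
    """Rows of the report as dicts keyed by column name."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def _timestamp(value):
    """Report timestamps are ISO 8601; N/A, no_information, not_supported -> None."""
    try:
        return datetime.fromisoformat(value)
    except ValueError:
        return None


def audit_credential_report(rows, now=REFERENCE_TIME):
    """Map each offending principal to the rules it breaks.

    With a single identity provider in front of AWS, a human should reach the
    console only through SAML federation, so an IAM user with a console
    password is one deviation and one without MFA is a second.
    """
    findings = {}
    for row in rows:
        issues = []
        is_root = row["user"] == "<root_account>"
        key_active = row["access_key_1_active"] == "true"
        if is_root and key_active:
            issues.append("ROOT_ACCESS_KEY")      # root should have no API keys at all
        if not is_root and row["password_enabled"] == "true":
            issues.append("CONSOLE_PASSWORD")     # console access belongs to federation
            if row["mfa_active"] != "true":
                issues.append("NO_MFA")
        if key_active:
            rotated = _timestamp(row["access_key_1_last_rotated"])
            if rotated is None or now - rotated > MAX_KEY_AGE:
                issues.append("STALE_KEY")
            if _timestamp(row["access_key_1_last_used_date"]) is None:
                issues.append("UNUSED_KEY")       # active but never used: remove it
        if issues:
            findings[row["user"]] = issues
    return findings


if __name__ == "__main__":
    for user, issues in audit_credential_report(parse_report(SAMPLE_REPORT)).items():
        print(f"{user}: {', '.join(issues)}")
```

Service accounts such as `deploy-bot` pass because a rotated, recently used key on a user with no console password is the one IAM-user shape the federated model still needs; on EC2 an instance role removes even that.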

High Availability

AWS SLA

“Region Unavailable” and “Region Unavailability” mean that more than one Availability Zone in which you are running an instance, within the same Region, is “Unavailable” to you.

● Multiple EC2 Instances across multiple Availability Zones (Multi-AZ)
● Multi-AZ RDS

Scalability

EC2 Auto Scaling behind ELB

Change Control

● Source Control
● Jenkins Build
● Versions stored in S3
● Beanstalk manages the deployment
● All events are logged

Disaster Recovery

Why DR?

Business Continuity Plan
● Operations
  ○ Human Resources
  ○ Offices
● RTO
  ○ Recovery Time Objective
● RPO
  ○ Recovery Point Objective

● Multi Region
● Maintain 2nd Site
● Data Replication

Monitoring

What should be monitored
● AWS Resources
● EC2 Instances
● Application health and Metrics
● User experience
● Trends

Auditing

Events Sources
● CloudTrail
● ELB / S3 / CloudFront Access Logs
● VPC Flow logs
● AWS Inspector
● Host AV & IPS
● Network WAF, IPS, VPN
● Evident.io / Dome9
● Observeble

● Create Clear Visibility
● Set Governance Rules
● Define Actions
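Collecting CloudTrail is the visibility step; "governance rules" and "actions" mean something has to read the records and decide. The script below is an added example (not code from the talk or from Emind) of the smallest useful rule set: it runs over a constructed CloudTrail log file (the `{"Records": [...]}` JSON CloudTrail writes to S3, trimmed to the fields the rules read) and flags root activity, console logins without MFA, changes to the trail itself, and security group rules opened to 0.0.0.0/0. Names, ARNs, IPs and the `TRAIL_TAMPERING` event set are assumptions.

```python
"""Run governance rules over CloudTrail records.

Added example; not code from the talk or from Emind. SAMPLE_LOG is a
constructed CloudTrail log file trimmed to the fields these rules read;
principals, ARNs and addresses are placeholders.
"""
import json

SAMPLE_LOG = json.dumps({"Records": [
    {"eventTime": "2015-11-30T08:01:00Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "userName": "bob",
                      "arn": "arn:aws:iam::111122223333:user/bob"},
     "additionalEventData": {"MFAUsed": "No"},
     "responseElements": {"ConsoleLogin": "Success"}},
    {"eventTime": "2015-11-30T08:05:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "AuthorizeSecurityGroupIngress", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::111122223333:assumed-role/OpsRole/bob"},
     "requestParameters": {"groupId": "sg-0bbb222", "ipPermissions": {"items": [
         {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
          "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]}}]}}},
    {"eventTime": "2015-11-30T08:07:00Z", "eventSource": "cloudtrail.amazonaws.com",
     "eventName": "StopLogging", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "Root", "arn": "arn:aws:iam::111122223333:root"},
     "requestParameters": {"name": "pci-trail"}},
    {"eventTime": "2015-11-30T08:09:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstances", "sourceIPAddress": "10.0.1.5",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::111122223333:assumed-role/MonitorRole/i-0abc"}},
    {"eventTime": "2015-11-30T08:12:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "AuthorizeSecurityGroupIngress", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::111122223333:assumed-role/OpsRole/bob"},
     "requestParameters": {"groupId": "sg-0bbb222", "ipPermissions": {"items": [
         {"ipProtocol": "tcp", "fromPort": 3306, "toPort": 3306,
          "ipRanges": {"items": [{"cidrIp": "10.0.0.0/16"}]}}]}}},
]})

# Events that switch off or reshape the audit trail itself (assumed set).
TRAIL_TAMPERING = {"StopLogging", "DeleteTrail", "UpdateTrail"}


def actor(record):
    """Human-readable principal: IAM user name, else the (role session) ARN."""
    ident = record.get("userIdentity", {})
    return ident.get("userName") or ident.get("arn", "unknown")


def rule_root_activity(record):
    """Any API call made as the root user."""
    if record.get("userIdentity", {}).get("type") == "Root":
        return "ROOT_ACTIVITY"
    return None


def rule_console_login_no_mfa(record):
    """Console sign-in where CloudTrail reports no MFA."""
    if (record.get("eventName") == "ConsoleLogin"
            and record.get("additionalEventData", {}).get("MFAUsed") == "No"):
        return "CONSOLE_LOGIN_NO_MFA"
    return None


def rule_trail_tampering(record):
    if record.get("eventName") in TRAIL_TAMPERING:
        return "CLOUDTRAIL_TAMPERING"
    return None


def rule_world_open_ingress(record):
    """AuthorizeSecurityGroupIngress that adds a rule from 0.0.0.0/0."""
    if record.get("eventName") != "AuthorizeSecurityGroupIngress":
        return None
    perms = record.get("requestParameters", {}).get("ipPermissions", {}).get("items", [])
    for perm in perms:
        for rng in perm.get("ipRanges", {}).get("items", []):
            if rng.get("cidrIp") == "0.0.0.0/0":
                return "WORLD_OPEN_INGRESS"
    return None


RULES = [rule_root_activity, rule_console_login_no_mfa,
         rule_trail_tampering, rule_world_open_ingress]


def detect(log_text):
    """Apply every rule to every record; one finding per (record, rule) hit."""
    findings = []
    for rec in json.loads(log_text)["Records"]:
        for rule in RULES:
            hit = rule(rec)
            if hit:
                findings.append({"rule": hit, "time": rec["eventTime"],
                                 "event": rec["eventName"], "actor": actor(rec),
                                 "source_ip": rec.get("sourceIPAddress")})
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_LOG):
        print(f"{f['time']} {f['rule']:22} {f['event']} by {f['actor']} from {f['source_ip']}")
```

Each finding carries the actor and source address so the "action" step (a ticket, a page, or an automatic revert of the security group change) has what it needs without going back to the raw record; the `StopLogging` event fires two rules on purpose, since root use and trail tampering are separately reportable.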

Join our Fastlane to a Successful Cloud Deployment

Thank you, [email protected]