PCI Compliance in AWS

Post on 16-Jan-2017

Transcript

ANITIAN: intelligent information security

PCI COMPLIANCE IN AWS

Meet the Speakers

Adam Gaydosh
• Anitian’s Director of Professional Services
• Qualified Security Assessor
• 15+ years experience in IT and Security

Jordan Wiseman
• Certified Risk Assessor
• Cloud Security Specialist
• 15+ years experience in IT and Security

Vision: Security is essential for growth, innovation and prosperity.

Mission: Build great security leaders.

ANITIAN
• Rapid Risk Assessment
• Compliance
• Penetration Testing
• Managed Threat Intelligence

Intent
• Discuss PCI compliance in AWS
• Outline AWS services that help meet PCI requirements

Outline
1. AWS Services for PCI Compliance
2. PCI Reference Architectures
3. Third Party Solutions
4. AWS PCI Best Practices
5. Q&A

Overview

PCI IN AWS: OVERVIEW

AWS Compliance Status
• AWS is validated annually as a compliant PCI DSS Level 1 Service Provider
• Attestation of Compliance (AOC) & Responsibility Matrix available to customers pursuing their own compliance
• Customer’s compliance is not inherited from AWS

Cloud Compliance is a Shared Responsibility

AWS COMPLIANT PCI SERVICES

Requirement 1: Install and maintain a firewall configuration to protect cardholder data

• AWS Services
  • Virtual Private Clouds (VPCs)
  • Security Groups
  • Network ACLs

• Other Strategies and Considerations
  • Third-party Amazon Machine Images (AMIs)
    – Firewall
    – NGFW/UTM
    – IDS/IPS
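Security groups and network ACLs are the firewall configuration an assessor will ask to see for Requirement 1, and the usual finding is an ingress rule open to the whole internet. The following added example (not from the slides or from Anitian) audits the JSON shape that `aws ec2 describe-security-groups` returns for such rules; the two groups, the `PCIScope` VPC id and the list of sensitive ports are constructed for this example and stand in for your own firewall standard.

```python
"""Audit VPC security group ingress rules for world-reachable access (PCI DSS Req. 1).

Added example: consumes the JSON shape of `aws ec2 describe-security-groups`.
The two security groups below are constructed sample data.
"""
import json

# Ports that must never be reachable from 0.0.0.0/0 in a cardholder data environment.
# Hypothetical baseline for this example; replace with your own firewall standard.
SENSITIVE_PORTS = {22: "ssh", 3389: "rdp", 3306: "mysql", 5432: "postgres", 1433: "mssql"}
WORLD = ("0.0.0.0/0", "::/0")

SAMPLE_DESCRIBE_OUTPUT = json.dumps({
    "SecurityGroups": [
        {
            "GroupId": "sg-0example1", "GroupName": "web-dmz", "VpcId": "vpc-0pci",
            "IpPermissions": [
                # HTTPS from anywhere is expected for a DMZ web server
                {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
                 "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [], "UserIdGroupPairs": []},
                # SSH from anywhere is the classic finding
                {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
                 "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [], "UserIdGroupPairs": []},
            ],
        },
        {
            "GroupId": "sg-0example2", "GroupName": "app-internal", "VpcId": "vpc-0pci",
            "IpPermissions": [
                # protocol -1 means all traffic; here it is open to every IPv6 address
                {"IpProtocol": "-1", "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}],
                 "UserIdGroupPairs": []},
                # MySQL only from the DMZ group: a group reference, not a CIDR, so not world-open
                {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
                 "IpRanges": [], "Ipv6Ranges": [], "UserIdGroupPairs": [{"GroupId": "sg-0example1"}]},
            ],
        },
    ]
})


def _port_range(perm):
    """Return (from, to) for one permission; protocol -1 covers every port."""
    if perm.get("IpProtocol") == "-1":
        return 0, 65535
    return perm.get("FromPort", 0), perm.get("ToPort", 65535)


def world_open_findings(describe_output_json):
    """Return (group id, description) for every rule exposing all traffic or a sensitive port to the world."""
    findings = []
    for sg in json.loads(describe_output_json)["SecurityGroups"]:
        for perm in sg.get("IpPermissions", []):
            cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
            cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
            if not any(c in WORLD for c in cidrs):
                continue  # limited to specific CIDRs or to other security groups
            if perm.get("IpProtocol") == "-1":
                findings.append((sg["GroupId"], "all traffic open to the world"))
                continue
            lo, hi = _port_range(perm)
            for port, name in SENSITIVE_PORTS.items():
                if lo <= port <= hi:
                    findings.append((sg["GroupId"], f"{name} ({port}) open to the world"))
    return findings


if __name__ == "__main__":
    for group_id, issue in world_open_findings(SAMPLE_DESCRIBE_OUTPUT):
        print(f"{group_id}: {issue}")
```

The same function runs unchanged over the real output of `aws ec2 describe-security-groups --output json`; group references (`UserIdGroupPairs`) are deliberately not treated as world-open, which is why the MySQL rule produces no finding.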

Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters

• AWS Services
  • Elastic Compute Cloud AMIs

• Other Strategies and Considerations
  • Amazon-supplied AMIs have no defaults
  • Third-party AMIs might have defaults
  • Pre-hardened AMIs available from Anitian in AWS Marketplace

Requirement 3: Protect stored cardholder data

• AWS Services
  • Elastic Block Store (EBS)
  • Simple Storage Service (S3)
  • Key Management Service (KMS)
  • Relational Database Service (RDS)

• Other Strategies and Considerations
  • EBS not OS independent
  • Self-managed DBs and Transparent Data Encryption
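For Requirement 3 an assessor wants evidence that every in-scope volume and database is encrypted at rest, and the practical difficulty is knowing which resources are in scope. The added example below (not from the slides or from Anitian) inventories the JSON shapes returned by `aws ec2 describe-volumes` and `aws rds describe-db-instances`; the `PCIScope` tag convention, the resource ids and the KMS key ARN are constructed for this example, and RDS scope is passed in explicitly because the describe output used here carries no tags.

```python
"""Inventory encryption at rest for in-scope EBS volumes and RDS instances (PCI DSS Req. 3).

Added example: reads the JSON shapes of `aws ec2 describe-volumes` and
`aws rds describe-db-instances`. Resources, tag convention and key ARN are constructed.
"""
import json

SCOPE_TAG_KEY, SCOPE_TAG_VALUE = "PCIScope", "in-scope"  # hypothetical tagging convention

SAMPLE_VOLUMES = json.dumps({"Volumes": [
    {"VolumeId": "vol-0aaa", "Encrypted": True,
     "KmsKeyId": "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID",
     "Tags": [{"Key": "PCIScope", "Value": "in-scope"}]},
    {"VolumeId": "vol-0bbb", "Encrypted": False, "Tags": [{"Key": "PCIScope", "Value": "in-scope"}]},
    {"VolumeId": "vol-0ccc", "Encrypted": False, "Tags": [{"Key": "PCIScope", "Value": "out-of-scope"}]},
    {"VolumeId": "vol-0ddd", "Encrypted": False},  # untagged: cannot be placed in or out of scope
]})

SAMPLE_DB_INSTANCES = json.dumps({"DBInstances": [
    {"DBInstanceIdentifier": "cde-orders", "StorageEncrypted": True,
     "KmsKeyId": "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID"},
    {"DBInstanceIdentifier": "cde-reports", "StorageEncrypted": False},
]})


def tag_value(resource, key):
    """Value of tag `key` on an EC2-style resource, or None when the tag is absent."""
    for tag in resource.get("Tags", []):
        if tag["Key"] == key:
            return tag["Value"]
    return None


def encryption_findings(volumes_json, db_instances_json, in_scope_db_ids):
    """Return (resource id, issue) for unencrypted in-scope storage and for volumes with no scope tag."""
    findings = []
    for vol in json.loads(volumes_json)["Volumes"]:
        scope = tag_value(vol, SCOPE_TAG_KEY)
        if scope is None:
            # An unclassified volume is a scoping gap, not proof of compliance either way.
            findings.append((vol["VolumeId"], "no scope tag; classify before the audit"))
        elif scope == SCOPE_TAG_VALUE and not vol.get("Encrypted", False):
            findings.append((vol["VolumeId"], "in-scope EBS volume not encrypted"))
    for db in json.loads(db_instances_json)["DBInstances"]:
        if db["DBInstanceIdentifier"] in in_scope_db_ids and not db.get("StorageEncrypted", False):
            findings.append((db["DBInstanceIdentifier"], "in-scope RDS instance without storage encryption"))
    return findings


if __name__ == "__main__":
    for rid, issue in encryption_findings(SAMPLE_VOLUMES, SAMPLE_DB_INSTANCES, {"cde-orders", "cde-reports"}):
        print(f"{rid}: {issue}")
```

Both the EBS `Encrypted` flag and the RDS `StorageEncrypted` flag are fixed when the resource is created, so a finding here means a new encrypted volume or instance has to be built and the data migrated, which is worth knowing well before the assessment window.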

Requirement 4: Encrypt transmission of cardholder data across open, public networks

• AWS Services
  • Elastic Load Balancers
  • Network ACLs
  • Security Groups
  • Customer Gateways
  • Virtual Private Gateways
  • VPN Connections
  • AWS Direct Connect

• Other Strategies and Considerations
  • Set up and manage TLS and VPNs
  • Standard encryption strength and algorithms change
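Because the acceptable protocol and cipher baseline moves over time, it pays to keep it in one place and re-check every load balancer against it. The added example below (not from the slides or from Anitian) evaluates the JSON shape returned by `aws elb describe-load-balancer-policies` for a classic ELB; the three policies are constructed, and the "TLS 1.2 or newer, no RC4 or 3DES" baseline is an assumption for this example rather than a statement of the PCI DSS text.

```python
"""Check classic ELB SSL negotiation policies for legacy protocols and weak ciphers (PCI DSS Req. 4).

Added example: consumes the JSON shape of `aws elb describe-load-balancer-policies`.
The policies below are constructed; the baseline lists are this example's assumption.
"""
import json

# Baseline assumed for this example. The slide's point is that these lists change,
# so keep them in one place and version them with your configuration standard.
LEGACY_PROTOCOLS = ("Protocol-SSLv2", "Protocol-SSLv3", "Protocol-TLSv1", "Protocol-TLSv1.1")
WEAK_CIPHERS = ("RC4-MD5", "RC4-SHA", "DES-CBC3-SHA", "DES-CBC-SHA", "EXP-RC4-MD5")

SAMPLE_POLICIES = json.dumps({"PolicyDescriptions": [
    {"PolicyName": "legacy-ssl-policy", "PolicyTypeName": "SSLNegotiationPolicyType",
     "PolicyAttributeDescriptions": [
         {"AttributeName": "Protocol-SSLv3", "AttributeValue": "true"},
         {"AttributeName": "Protocol-TLSv1", "AttributeValue": "true"},
         {"AttributeName": "Protocol-TLSv1.2", "AttributeValue": "true"},
         {"AttributeName": "RC4-SHA", "AttributeValue": "true"},
         {"AttributeName": "ECDHE-RSA-AES128-GCM-SHA256", "AttributeValue": "true"},
     ]},
    {"PolicyName": "tls12-only", "PolicyTypeName": "SSLNegotiationPolicyType",
     "PolicyAttributeDescriptions": [
         {"AttributeName": "Protocol-TLSv1", "AttributeValue": "false"},
         {"AttributeName": "Protocol-TLSv1.2", "AttributeValue": "true"},
         {"AttributeName": "ECDHE-RSA-AES128-GCM-SHA256", "AttributeValue": "true"},
     ]},
    # A stickiness policy carries no protocol settings and must be skipped, not flagged.
    {"PolicyName": "sticky-app-cookie", "PolicyTypeName": "AppCookieStickinessPolicyType",
     "PolicyAttributeDescriptions": [{"AttributeName": "CookieName", "AttributeValue": "SESSION"}]},
]})


def enabled_attributes(policy):
    """Names of the attributes set to "true" in one policy description."""
    return {a["AttributeName"] for a in policy["PolicyAttributeDescriptions"]
            if str(a["AttributeValue"]).lower() == "true"}


def tls_policy_findings(policies_json):
    """Return (policy name, attribute) for every enabled legacy protocol or weak cipher."""
    findings = []
    for policy in json.loads(policies_json)["PolicyDescriptions"]:
        if policy["PolicyTypeName"] != "SSLNegotiationPolicyType":
            continue
        enabled = enabled_attributes(policy)
        for attr in LEGACY_PROTOCOLS + WEAK_CIPHERS:
            if attr in enabled:
                findings.append((policy["PolicyName"], attr))
    return findings


if __name__ == "__main__":
    for name, attr in tls_policy_findings(SAMPLE_POLICIES):
        print(f"{name}: {attr} is enabled")
```

A policy that merely lists `Protocol-TLSv1` with the value `false` is not a finding, which is why only the first policy is reported; the check is on what is enabled, not on what is mentioned.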

Requirement 5: Protect all systems against malware and regularly update anti-virus software or programs

• AWS Services
  • AWS does not provide anti-malware for customer AWS instances

• Other Strategies and Considerations
  • Third-party management AMIs
  • Manage from within AWS
  • Use existing on-premises solutions

Requirement 6: Develop and maintain secure systems and applications

• AWS Services
  • None

• Other Strategies and Considerations
  • Amazon Linux AMI Security Bulletins (ALAS)
    – https://alas.aws.amazon.com/
  • CodeCommit and CodeDeploy
  • Third-party management AMIs

Requirement 7: Restrict access to cardholder data by business need to know

• AWS Services
  • Identity and Access Management (IAM)
  • Directory Service

• Other Strategies and Considerations
  • IAM controls access to AWS itself
    – AWS Console
    – AWS APIs

Requirement 8: Identify and authenticate access to system components
• Same as above

Requirement 9: Restrict Physical Access to Cardholder Data

• N/A

Requirement 10: Track and monitor all access to network resources and cardholder data

• AWS Services
  • CloudTrail
  • S3

• Other Strategies and Considerations
  • S3 supports lifecycle management
  • Leverage CloudTrail APIs to obtain SIEM data
  • CloudTrail will log AWS Console and API activity
  • AWS does not include time synchronization
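CloudTrail delivers a JSON file with a `Records` array to S3, and that file is the raw material for both the Requirement 10 audit trail and the Requirement 8 evidence about who authenticated and how. The added example below (not from the slides or from Anitian) parses such a file and pulls out the console logins a reviewer would want to see first, while counting API activity per principal in the way a SIEM would; the five records, the account id and the IP addresses are constructed for this example.

```python
"""Triage a CloudTrail log file for Requirement 10 (and Requirement 8) evidence.

Added example: parses the `Records` array that CloudTrail writes to S3 and flags
console logins that warrant review. The five records below are constructed.
"""
import json
from collections import Counter

SAMPLE_LOG = json.dumps({"Records": [
    {"eventTime": "2017-01-10T09:01:00Z", "eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin",
     "userIdentity": {"type": "IAMUser", "userName": "alice"}, "sourceIPAddress": "203.0.113.10",
     "responseElements": {"ConsoleLogin": "Success"}, "additionalEventData": {"MFAUsed": "Yes"}},
    {"eventTime": "2017-01-10T09:05:00Z", "eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin",
     "userIdentity": {"type": "IAMUser", "userName": "bob"}, "sourceIPAddress": "203.0.113.11",
     "responseElements": {"ConsoleLogin": "Success"}, "additionalEventData": {"MFAUsed": "No"}},
    {"eventTime": "2017-01-10T09:07:00Z", "eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin",
     "userIdentity": {"type": "Root", "arn": "arn:aws:iam::111122223333:root"}, "sourceIPAddress": "203.0.113.12",
     "responseElements": {"ConsoleLogin": "Success"}, "additionalEventData": {"MFAUsed": "Yes"}},
    {"eventTime": "2017-01-10T09:09:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "AuthorizeSecurityGroupIngress",
     "userIdentity": {"type": "IAMUser", "userName": "alice"}, "sourceIPAddress": "203.0.113.10"},
    {"eventTime": "2017-01-10T09:11:00Z", "eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin",
     "userIdentity": {"type": "IAMUser", "userName": "bob"}, "sourceIPAddress": "198.51.100.7",
     "responseElements": {"ConsoleLogin": "Failure"}, "errorMessage": "Failed authentication"},
]})


def actor(record):
    """Readable principal: the IAM user name, or the identity type (e.g. Root) when there is none."""
    ident = record.get("userIdentity", {})
    return ident.get("userName") or ident.get("type", "unknown")


def review_cloudtrail(log_json):
    """Return (findings, api_calls).

    findings: (eventTime, actor, reason) for console logins that need review.
    api_calls: Counter keyed by (actor, eventSource, eventName) for every non-login record.
    """
    findings, api_calls = [], Counter()
    for rec in json.loads(log_json)["Records"]:
        who = actor(rec)
        if rec["eventName"] == "ConsoleLogin":
            outcome = rec.get("responseElements", {}).get("ConsoleLogin")
            mfa = rec.get("additionalEventData", {}).get("MFAUsed")
            if outcome != "Success":
                findings.append((rec["eventTime"], who, "failed console login"))
            elif rec.get("userIdentity", {}).get("type") == "Root":
                # Root use is review-worthy even with MFA: day-to-day work should use IAM users.
                findings.append((rec["eventTime"], who, "root account console login"))
            elif mfa != "Yes":
                findings.append((rec["eventTime"], who, "console login without MFA"))
        else:
            api_calls[(who, rec["eventSource"], rec["eventName"])] += 1
    return findings, api_calls


if __name__ == "__main__":
    found, calls = review_cloudtrail(SAMPLE_LOG)
    for when, who, reason in found:
        print(f"{when} {who}: {reason}")
    for (who, source, name), n in calls.items():
        print(f"{who} called {source} {name} x{n}")
```

The `eventTime` values come from AWS, not from the instance clock, which is the one place the slide's point about time synchronization does not bite; for OS and application logs shipped from EC2 instances you still need your own NTP configuration before the timestamps can be correlated with CloudTrail.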

Requirement 11: Regularly test security systems and processes

• AWS Services
  • Amazon’s Attestation of Compliance (AOC)
    – Fully covers physical security of AWS
    – Fully covers rogue Wireless Access Point detection
    – Applies to any PCI components hosted in AWS
    – Does not cover in-scope, but on-premises, components

Requirement 12: Maintain a policy that addresses information security for all personnel

• AWS Services
  • None

Requirement A.1: Shared hosting providers must protect the cardholder data environment

• AWS Services
  • See Requirements 1, 7, and 8

PCI REFERENCE ARCHITECTURES

Architecture 1: Dedicated

Architecture 1: Dedicated
• An entire AWS environment dedicated to a web-based e-commerce application.

• Features
  • DMZ subnet for webserver and management “Jumpbox” instances.
  • Internal subnet for application and AWS RDS instances.

• PCI Scope
  • Everything

NOTE: While the Jumpbox does not handle cardholder data itself, it does impact the security of the instances and is therefore in-scope.

Architecture 2: Segmented

Architecture 2: Segmented
• Adding non-PCI systems to the AWS environment hosting our existing web-based e-commerce application.

• Features
  • Separate Virtual Private Clouds for PCI and non-PCI environments
  • Network segmentation between VPCs

• PCI Scope
  • Instances in the PCI VPC only

Architecture 3: Connected

Architecture 3: Connected
• Extending an on-premises network to the AWS PCI environment to leverage existing services.

• Features
  • Connectivity between on-premises systems and the AWS PCI environment.
  • Network segmentation between PCI and non-PCI environments.

• PCI Scope
  • AWS CDE VPC
  • AWS In-scope VPC and In-scope On-Premises Network

THIRD PARTY SOLUTIONS

Pre-built AMIs
• Familiar technologies
• Trusted vendors

https://aws.amazon.com/marketplace/

PCI Compliance Related
• AWS Service Gaps
  • IDS/IDP
  • SIEM
  • Patching
  • Vulnerability Management
  • FIM

• Enhance AWS Services
  • Firewalls
  • VPN
  • AWS Automation

AWS PCI BEST PRACTICES

Non-technical Actions
• Request a copy of the AWS PCI Compliance Package
  • Requires NDA
  • AWS AOC
  • Responsibility Matrix

• Documentation
  • Config
  • Trusted Advisor
  • AMI Identifiers
  • AWS Console
  • Resource Groups and Tagging

Technical Considerations
• Monitoring
  • CloudWatch

• First things first
  • Naming conventions
  • KMS encryption keys

• Elastic Load Balancers (ELB)
  • Availability
  • Abstract or conceal real endpoints
  • ELB all the things!

Audit Preparation
• Readiness assessment
• Documentation
• Network diagrams and data flows
• Scope and inventory
• Penetration tests and vulnerability scans
• QSA who knows AWS

QUESTIONS?

EMAIL: adam.gaydosh@anitian.com, jordan.wiseman@anitian.com

WEB: www.anitian.com
BLOG: blog.anitian.com
SLIDES: http://bit.ly/anitian
CALL: 888-ANITIAN

THANK YOU
