PCI Compliance on AWS: How Trend Micro Can Help
Source: vn.trendmicro.com/cloud-content/us/pdfs/business/white-papers/wp_pci-aws.pdf

Page 1 of 8 • solution brief • PCI COMPLIANCE ON AWS: HOW TREND MICRO CAN HELP

solution brief

PCI COMPLIANCE ON AWS: HOW TREND MICRO CAN HELP

The benefits of cloud computing are clear and compelling: no upfront investment, low ongoing costs, flexible capacity and fast application deployment. However, merchants and service providers that process credit card payments must comply with the Payment Card Industry Data Security Standard (PCI DSS), regardless of whether the transaction occurs in a store or in the cloud. Ultimately, these organizations are responsible for the security of their customer’s cardholder data.

AWS AND PCI DSS COMPLIANCE

To ensure an end-to-end secure computing environment, Amazon Web Services (AWS) employs a shared security responsibility model with its customers. While AWS provides secure facilities and processes, it is up to its customers to protect their operating systems, applications and data running on AWS. It is important to understand the division of shared responsibilities between AWS and the client, and the security solutions organizations need to meet PCI DSS requirements.

If payment card data is stored, processed or transmitted in a cloud environment, PCI DSS will apply to that environment, and will typically involve validation of both the AWS infrastructure and the client’s usage of that environment. Ultimately however, the responsibility to ensure cardholder data is secure rests with the client.

Although AWS satisfies all of the requirements under PCI DSS for shared hosting providers and has been successfully validated against standards applicable to a Level 1 service provider under PCI DSS Version 2.0, it’s important to note that AWS customers are responsible for their own PCI DSS compliance. And while some DSS requirements may be satisfied by the customer’s use of AWS (for instance Requirement 9: Restrict physical access to cardholder data), most requirements are either shared responsibilities between the AWS customer and AWS, or entirely the customer’s responsibility. Table 1 summarizes the party responsible for ensuring compliance with each of the PCI DSS requirements.

Perhaps the largest point of confusion with regards to the PCI DSS and cloud computing is the question of upon whose shoulders does compliance fall?

Andrew Hay, Wired Magazine


DIVISION OF PCI DSS RESPONSIBILITIES

Table 1. Responsibility for each PCI DSS requirement

RESPONSIBILITY   PCI DSS REQUIREMENT
Both              1. Install and maintain firewall configuration to protect cardholder data
Both              2. Do not use vendor-supplied defaults for system passwords and other security parameters
Both              3. Protect stored cardholder data
Client            4. Encrypt transmission of cardholder data across open, public networks
Client            5. Use and regularly update antivirus software or programs
Both              6. Develop and maintain secure systems and applications
Both              7. Restrict access to cardholder data by business need to know
Both              8. Assign a unique ID to each person with computer access
AWS               9. Restrict physical access to cardholder data
Both             10. Track and monitor all access to network resources and cardholder data
Both             11. Regularly test security systems and processes
Both             12. Maintain a policy that addresses information security for personnel

Both = Client & AWS

Source: “Information supplement: PCI DSS Cloud Computing Guidelines” www.pcisecuritystandards.org/pdfs/PCI_DSS_v2_Cloud_Guidelines.pdf


TREND MICRO CLOUD AND DATA CENTER SECURITY SOLUTION

With its broad cloud and data center solution, Trend Micro complements the security provided by AWS and helps achieve PCI DSS compliance.

Trend Micro Deep Security is a comprehensive server security platform that protects AWS instances from data breaches and business disruptions while enabling compliance. This solution simplifies security operations while accelerating the ROI of virtualization and cloud projects. Tightly integrated modules easily expand the platform to ensure server, application, and data security across physical, virtual, and cloud servers, as well as virtual desktops.

With Deep Security, customers can employ any combination of agent-based protection, including anti-malware, web reputation, firewall, intrusion prevention, integrity monitoring, and log inspection. Agentless protection is also available for on-premises applications running on VMware. The result is an adaptive and efficient server security platform that protects mission-critical enterprise applications and data from breaches and business disruptions without expensive emergency patching.

DEEP SECURITY KEY BENEFITS

• Single solution with broadest set of recommended security capabilities for AWS instances

• Reduces set-up time with flexible deployment options (software or SaaS)

• Supports leading cloud deployment tools (Chef, Puppet, OpsWorks)

• Automatically recognizes and secures new instances and sets security policy without admin intervention

• Eases management with an integrated console including customizable policy rules and templates

Trend Micro SSL provides unlimited SSL certificates, including Extended Validation (EV) certificates, and a management console so you can protect every web page cost-effectively. Trend Micro is a globally trusted Certificate Authority (CA), so you can be sure your websites and your customers are protected.

The Deep Security platform is powerful and optimized for all physical, virtual, and cloud environments.


PCI DSS REQUIREMENTS: AWS RESPONSIBILITY, CUSTOMER RESPONSIBILITY AND HOW TREND MICRO CAN HELP

Requirement 1: Install and maintain a firewall configuration to protect cardholder data.

AWS responsibility (all in-scope services): AWS maintains instance isolation for host operating systems and the AWS Management Environment, including host operating system, hypervisor, firewall configuration and baseline firewall rules.

Customer responsibility:

• Testing and approving network connectivity and configuration for storing cardholder data in AWS services. AWS maintains the firewalls and network management for these services.

• Developing appropriate firewall rules or using additional firewall technologies to develop appropriate DMZ and internal networks.

• Reviewing the connectivity models and exposure of their instances to these data stores, ensuring that appropriate zones are created, and determining that data stores that hold cardholder data are not directly exposed to the Internet.

• Implementing perimeter firewalls and configuring security groups and ACLs through the AWS API and other user interfaces for their in-scope services.

How Trend Micro can help: AWS Security Groups provide a simple yet powerful mechanism for meeting the principal segmentation objectives of Section 1 between various server instances and to the Internet. Trend Micro Deep Security has advanced firewall capabilities that can complement and extend the built-in AWS Security Group capabilities when finer granularity or control of the segmented traffic is desired or required, such as with full bidirectional stateful inspection or application layer rules.

Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters.

AWS responsibility (all in-scope services): AWS develops and maintains configuration and hardening standards for the AWS Management Environment that provides the virtualization technologies and applications for providing the cloud services. AWS maintains configuration and hardening standards for the underlying operating systems and platforms for these services.

Customer responsibility:

• Documenting, developing and implementing configuration standards for the instances of EC2 and VPC that are within the CDE.

• Documenting the functional and security configuration standards of AWS services used within the CDE to ensure that the secure state designed for the service can be maintained.

• Maintaining configurations and updating them as new vulnerabilities and configuration changes are identified.

• Remaining up-to-date on AWS service information and changes to configurable items with new releases and updating their configuration settings accordingly.

• Applying the appropriate configuration to all EC2 and VPC server instances as well as the configuration of other AWS services that are used for storing, transmitting or processing cardholder data.

• Ensuring that only one primary function is implemented per server instance.

• Ensuring secure communication for administrative access to the server instances such as Windows Remote Desktop (RDP) using “High Encryption” or “FIPS compatible” encryption settings or SSH v2 or above and appropriate SSH keys.

• Ensuring that access to APIs is only allowed over Direct Connect or SSL connections to protect the confidentiality and integrity of the transmission of configuration information.

• Configuring the services to limit access to data stores and servers as outlined throughout the document.

How Trend Micro can help: Trend Micro Deep Security has configurable security profiles that can be defined and customized for each type of server role, to ensure that each server instance meets the one-function-per-server requirement and that only the necessary services are accessible. Security profiles can include a variety of proactive rules to lock down each server’s role, ranging from firewall rules to block access to service ports, to configuration and integrity monitoring of application and service configuration files and registry, to auditing of service and administrative log events for unauthorized changes. Security policies enable consistent configurations to be applied to common groups of servers, simplifying the audit process and ensuring that changes made to the group policy are automatically inherited and applied to all instances/servers assigned that policy. Deep Security also supports local overrides so that additional policy assignments and configurations can be made to further secure particular servers and account for different configuration requirements.

Deep Security’s Recommendation Scan feature profiles each server instance being protected and ensures that the necessary security policy rules (Intrusion Prevention, Integrity Monitoring, and Log Inspection) are applied throughout the lifecycle of the server instance/application. The Recommendation Scan feature can be considered the equivalent of ‘auto-tuning’ the security policies of the server instance to ensure optimum protection.


Requirement 3: Protect stored cardholder data.

AWS responsibility (all in-scope services): AWS does not manage cardholder data or encryption technologies and keys for the customers’ specific cardholder environment.

Customer responsibility: Maintaining appropriate data retention policies and procedures, encryption technologies and key management processes for maintaining PCI Data Security Standard requirements.

Requirement 4: Encrypt transmission of cardholder data across open, public networks.

AWS responsibility (all in-scope services): AWS encrypts access and manages encryption within the AWS Management Environment.

Customer responsibility:

• Configuring web servers or the ELB load balancers with appropriate certificates to protect cardholder data transmission over public networks.

• Cryptography and security protocols for connections to any storage system that is transmitting cardholder data.

• Ensuring the data is encrypted in transit as well as in storage.

• The policies and use of any end-user messaging technologies for transmitting PAN.

How Trend Micro can help: Trend Micro SSL includes unlimited SSL certificates to protect cardholder data during transfer by creating a uniquely encrypted channel for communication. There is also a management console and certificate health checks to reduce configuration issues and expiry risk.

The transmission of data can additionally be protected with Deep Security’s firewall, which can be configured to block HTTP traffic (port 80), ensuring that all traffic occurs over the HTTPS port (443).
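The two customer-side checks above (Requirement 1: cardholder data stores must not be directly exposed to the Internet; Requirement 4: plaintext HTTP should be blocked so traffic is forced over HTTPS) can be audited directly from security group rules. The following Python is an added example, not code from the brief, Trend Micro or AWS; it reads rules in the shape boto3's `ec2.describe_security_groups()` returns, and the sample groups and the list of data-store ports are constructed assumptions.

```python
"""Audit AWS security group rules for two PCI DSS segmentation checks.

Added example (not code from the Trend Micro brief or from AWS). It walks
inbound rules in the shape boto3's ec2.describe_security_groups() returns,
using constructed sample data so it runs offline, and reports:
  - Requirement 1: a cardholder data store port reachable from the Internet
  - Requirement 4: plaintext HTTP (port 80) allowed from the Internet
"""
from __future__ import annotations

from dataclasses import dataclass

# Assumption: ports your CDE data stores listen on; extend to match your environment.
CDE_DATA_STORE_PORTS = {3306: "MySQL/RDS", 5432: "PostgreSQL/RDS", 1433: "SQL Server", 27017: "MongoDB"}
ANYWHERE = {"0.0.0.0/0", "::/0"}


@dataclass(frozen=True)
class Finding:
    group_id: str
    requirement: str
    detail: str


def _port_range(perm: dict) -> tuple[int, int]:
    """Port span covered by one rule; protocol '-1' or missing ports means all ports."""
    if perm.get("IpProtocol") == "-1" or perm.get("FromPort") is None or perm.get("ToPort") is None:
        return (0, 65535)
    return (perm["FromPort"], perm["ToPort"])


def _open_to_internet(perm: dict) -> bool:
    """True when any IPv4/IPv6 range on the rule is the whole Internet."""
    cidrs = {r["CidrIp"] for r in perm.get("IpRanges", [])}
    cidrs |= {r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])}
    return bool(cidrs & ANYWHERE)


def audit_security_groups(groups: list[dict]) -> list[Finding]:
    """Return one Finding per inbound rule that fails either check."""
    findings: list[Finding] = []
    for sg in groups:
        gid = sg["GroupId"]
        for perm in sg.get("IpPermissions", []):
            if not _open_to_internet(perm):
                continue  # rules scoped to other security groups or private CIDRs pass
            lo, hi = _port_range(perm)
            for port, name in CDE_DATA_STORE_PORTS.items():
                if lo <= port <= hi:
                    findings.append(Finding(gid, "Req 1", f"{name} port {port} reachable from the Internet"))
            if lo <= 80 <= hi:
                findings.append(Finding(gid, "Req 4", "plaintext HTTP (80) allowed; force HTTPS (443) instead"))
    return findings


# Constructed sample in the shape of ec2.describe_security_groups()["SecurityGroups"].
SAMPLE_GROUPS = [
    {"GroupId": "sg-web", "GroupName": "web-tier", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    ]},
    {"GroupId": "sg-db", "GroupName": "cde-db", "IpPermissions": [
        # Correct segmentation: database reachable only from the web tier's group.
        {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306, "UserIdGroupPairs": [{"GroupId": "sg-web"}]},
        # Mistake: an "all traffic from anywhere" rule silently exposes the database.
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    ]},
]

if __name__ == "__main__":
    for f in audit_security_groups(SAMPLE_GROUPS):
        print(f"{f.group_id}: [{f.requirement}] {f.detail}")
```

Against a live account, pass `ec2.describe_security_groups()["SecurityGroups"]` in place of the sample; the "-1" rule in the sample is the case that most often slips past manual review because the database-specific rule next to it looks correct.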

Requirement 5: Use and regularly update antivirus software or programs.

AWS responsibility (all in-scope services): AWS manages antivirus software for the AWS Management Environment and, where appropriate, for the identified services.

Customer responsibility: Managing antivirus to PCI requirements, as applicable to Requirement 5, for any EC2 and VPC instances.

How Trend Micro can help: Trend Micro Deep Security includes an anti-malware module to protect server instances. This protection is powered by Trend Micro’s Smart Protection Network, which analyzes over 6TB of data daily to identify and correlate new threats. This insight is immediately shared through the proven cloud infrastructure.

Requirement 6: Develop and maintain secure systems and applications.

AWS responsibility (all in-scope services): AWS maintains security patching, development and change control of the applications that support the services included in the assessment, including web interfaces, APIs, access controls, provisioning and deployment mechanisms. AWS develops and manages changes to the applications that support the services included in the assessment, including web interfaces, APIs, access controls, provisioning and deployment mechanisms.

Customer responsibility:

• Managing the security patches of their EC2 and VPC server instances.

• Reviewing all AWS security bulletins (http://aws.amazon.com/security/security-bulletins) and ensuring that any recommendations that are applicable to the customer’s environment are reviewed and implemented as necessary.

• Maintaining software development standards, change control, and vulnerability management programs to align with PCI requirements for applications developed and deployed into EC2 or VPC.

• Any custom configurations that may be created using development criteria that are allowed by the APIs for EBS, S3, RDS, DynamoDB, SimpleDB, ELB, IAM, EMR, Direct Connect and Glacier. This development should utilize the same processes as other applications that are developed by the customer and be compliant with the PCI requirements for development standards.

• Changes to configurations for EBS, S3, RDS, DynamoDB, SimpleDB, ELB, IAM, EMR, Direct Connect and Glacier services. AWS customers should have processes developed for managing and controlling changes to these configurations.

• Change control procedures related to the EC2 and VPC server instances and EC2 and VPC configuration through APIs and other user interfaces.

How Trend Micro can help: Trend Micro Deep Security provides virtual patching to protect unpatched vulnerabilities, and can serve as an effective compensating control and risk management strategy for the patching requirements of Section 6.1 until the appropriate patches can be applied.


Requirement 7: Restrict access to cardholder data by business need-to-know.

AWS responsibility (all in-scope services): AWS maintains the access controls related to underlying infrastructure systems and the AWS Management Environment.

Customer responsibility: Managing access to all AWS services that are included in their CDE. AWS provides various mechanisms for controlling access to the services, including IAM for integration with corporate directories and granular access controls to the AWS Management Console.

How Trend Micro can help: Deep Security maintains a full audit trail of all system and administrative operations/events, which can be forwarded to a centralized SIEM or Syslog server for further correlation and archival.

Requirement 8: Assign a unique ID to each person with computer access.

AWS responsibility (all in-scope services): AWS provides each user in the AWS Management Environment a unique ID. AWS provides additional security options that enable AWS customers to further protect their AWS Account and control access: AWS Identity and Access Management (AWS IAM), Multi-Factor Authentication (MFA) and Key Rotation.

Customer responsibility:

• Controlling the creation of user accounts. This includes access controls to all AWS Services included in scope as well as to the server instances and applications that customers may be hosting in EC2 and VPC.

• Control over the authentication mechanisms to the management consoles and APIs for managing their EC2 and VPC accounts. AWS provides an opt-in Multi-Factor Authentication (MFA) solution to support AWS customers in meeting the requirement for two-factor authentication.

• The processes and creation of accounts and access controls using the various authentication mechanisms offered by AWS and IAM. This includes access controls to all AWS Services included in scope as well as to the server instances and applications that customers may be hosting in EC2 and VPC.

How Trend Micro can help: Deep Security supports role-based access control, ensuring that administrative privileges can be restricted on a per-administrator basis.

This is further supplemented by Deep Security’s multi-tenant capability, where different departments or business units can be created as separate tenants, ensuring complete isolation from a security management perspective.

Requirement 9: Restrict physical access to cardholder data.

AWS responsibility (all in-scope services): AWS maintains the physical security and media handling controls for the services included in the assessment.

Customer responsibility: Backup and destruction of media outside of the AWS environment.

Requirement 10: Track and monitor all access to network resources and cardholder data.

AWS responsibility (all in-scope services): AWS maintains the physical security and media handling controls for the services included in the assessment.

Customer responsibility:

• Logging and monitoring their systems and EC2 and VPC server instances in alignment with PCI requirements.

• Obtaining and monitoring access to cardholder data. AWS provides customer-accessible transaction logs.

• Appropriately managing time service (NTP) configuration for customer EC2 and VPC server instances and applications.

How Trend Micro can help: Trend Micro Deep Security has modules for monitoring operating system events, application events and the integrity of key files. These can be used to monitor the target system for security-related incidents, and forward them on to a SIEM or Syslog server for correlation in real time.


Requirement 11: Regularly test security systems and processes.

AWS responsibility (all in-scope services): AWS conducts wireless rogue access point detection, vulnerability and penetration testing, intrusion detection and file integrity monitoring for the AWS Management Environment and the identified services.

Customer responsibility: All scanning, penetration testing, file integrity monitoring and intrusion detection for their EC2 and VPC server instances and applications.

How Trend Micro can help: Trend Micro Deep Security provides file integrity monitoring of critical OS, application and configuration files and registry to meet Sections 11.4 and 11.5. Both AWS-supplied AMIs and custom AMIs can be conveniently used as reference baselines for integrity scans.

In addition, Deep Security’s Recommendation Scan feature profiles each server instance being protected and ensures that the necessary security policy rules (Intrusion Prevention, Integrity Monitoring, and Log Inspection) are applied throughout the lifecycle of the server instance/application. The Recommendation Scan feature can be considered the equivalent of ‘auto-tuning’ the security policies of the server instance to ensure optimum protection.
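The baseline-and-compare mechanism behind file integrity monitoring of this kind, as an added Python example (not Deep Security code): hash the critical files of a known-good reference such as a fresh instance launched from the AMI you treat as the baseline, keep that baseline, and later report which files were modified, added or removed. The scratch directory, file names and contents in `demo()` are constructed for the illustration.

```python
"""Baseline-and-compare file integrity check (added example, not Deep Security code).

Shows the mechanism behind the PCI DSS 11.5 integrity monitoring the brief
describes: hash the critical files of a known-good reference (e.g. a fresh
instance from the AMI you treat as the baseline), keep that baseline, and later
report which files were modified, added or removed.
"""
from __future__ import annotations

import hashlib
import json
import os
import tempfile
from pathlib import Path


def hash_file(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large binaries don't exhaust memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root: Path) -> dict[str, str]:
    """Map every regular file under root (path relative to root) to its SHA-256."""
    baseline: dict[str, str] = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            if p.is_symlink():
                continue  # a link's target is hashed on its own; don't follow links blindly
            baseline[p.relative_to(root).as_posix()] = hash_file(p)
    return baseline


def save_baseline(baseline: dict[str, str], out: Path) -> None:
    """Persist the baseline; in practice store it off-instance so tampering cannot hide itself."""
    out.write_text(json.dumps(baseline, indent=2, sort_keys=True))


def compare(baseline: dict[str, str], current: dict[str, str]) -> dict[str, list[str]]:
    """Classify drift from the baseline; all three lists empty means integrity holds."""
    return {
        "modified": sorted(f for f in baseline if f in current and baseline[f] != current[f]),
        "added": sorted(f for f in current if f not in baseline),
        "removed": sorted(f for f in baseline if f not in current),
    }


def integrity_report(root: Path, baseline_file: Path) -> dict[str, list[str]]:
    """One-shot check of the files under root against a stored baseline."""
    return compare(json.loads(baseline_file.read_text()), build_baseline(root))


def demo() -> dict[str, list[str]]:
    """Constructed scenario: baseline a scratch 'etc' tree, then tamper with it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "etc"
        (root / "ssh").mkdir(parents=True)
        (root / "ssh" / "sshd_config").write_text("PermitRootLogin no\n")
        (root / "hosts").write_text("127.0.0.1 localhost\n")
        baseline_file = Path(tmp) / "baseline.json"
        save_baseline(build_baseline(root), baseline_file)
        # Simulated drift: a hardening setting flips, a file appears, a file vanishes.
        (root / "ssh" / "sshd_config").write_text("PermitRootLogin yes\n")
        (root / "cron.d").mkdir()
        (root / "cron.d" / "nightly").write_text("0 3 * * * root /opt/backup.sh\n")
        (root / "hosts").unlink()
        return integrity_report(root, baseline_file)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Scheduling `integrity_report` against a baseline captured from the AMI gives the periodic comparison Requirement 11.5 asks for; the report is the event a SIEM should receive, since an empty report is the expected steady state.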

Requirement 12: Maintain a policy that addresses information security for all personnel.

AWS responsibility (all in-scope services): AWS maintains security policies and procedures, security awareness training, security incident response plan, and human resource processes that align with PCI requirements.

Customer responsibility: Maintaining appropriate policies and processes applicable to their cardholder data environment, aligned with PCI Requirement 12, to maintain their compliance with the PCI Data Security Standards.

How Trend Micro can help: Trend Micro Deep Security provides alerts that are integral to a security incident response plan. And because it can prevent attacks as well, Deep Security reduces the number of incidents requiring a response. Deep Security’s integration with leading SIEM vendors enables a consolidated view of security incidents.


©2015 by Trend Micro Incorporated. All rights reserved. Trend Micro, the Trend Micro t-ball logo, Smart Protection Network, and Deep Security are trademarks or registered trademarks of Trend Micro Incorporated. All other company and/or product names may be trademarks or registered trademarks of their owners. Information contained in this document is subject to change without notice. [SB01_AWS_PCI_Compliance_150806US]

Securing Your Journey to the Cloud

ABOUT TREND MICRO

As a global leader in cloud security, Trend Micro develops security solutions that make the world safe for businesses and consumers to exchange digital information. With more than 25 years of experience, Trend Micro delivers top-ranked security that fits customers’ needs, stops new threats faster, and protects data in physical, virtualized, and cloud environments.

For more information, watch a webinar on PCI cloud compliance at www.trendmicro.com/cloudpci

Visit the Trend Micro Alliance Partner page at www.trendmicro.com/us/business/strategic-alliances for more information on the AWS-Trend Micro alliance.