ANITIAN | intelligent information security
PCI COMPLIANCE IN AWS
Meet the Speakers
Adam Gaydosh
• Director of Security Intelligence
• Qualified Security Assessor (QSA)
• 15+ years experience in IT and Security
Jordan Wiseman
• Senior Security Intelligence Advisor
• Qualified Security Assessor (QSA)
• 15+ years experience in IT and Security
Intent
• Discuss PCI compliance in AWS
• Outline AWS services that help meet PCI requirements
Outline
1. AWS Services for PCI Compliance
2. PCI Reference Architectures
3. Third Party Solutions
4. AWS PCI Best Practices
5. Q&A
PCI IN AWS OVERVIEW
AWS Compliance Status
• AWS is validated annually as a compliant PCI DSS Level 1 Service Provider
• Available to AWS Customers pursuing PCI compliance:
• Attestation of Compliance (AOC)
• Responsibility Matrix
• Customer’s compliance is not inherited from AWS
Cloud Compliance is a Shared Responsibility
AWS COMPLIANT PCI SERVICES
Requirement 1: Install and maintain a firewall configuration to protect cardholder data
• AWS Services
• Virtual Private Clouds (VPCs)
• Security Groups
• Network ACLs
• CloudFormation
• Other Strategies and Considerations
• Third-party Amazon Machine Images (AMIs)
– Firewall, NGFW/UTM, IDS/IPS
• Scalability and automation
– Security Groups
– Host-based firewalls
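Security groups are the firewall layer most teams lean on for Requirement 1, and the first thing a QSA will ask for is evidence that nothing in the CDE is reachable from any address on ports it should not expose. The script below is an added example, not code from the deck or from Anitian: it audits security group rules in the shape returned by `aws ec2 describe-security-groups`, using constructed sample groups (the group ids and the allow-listed ports 80 and 443 are assumptions) and the Python standard library only.

```python
"""Flag security group ingress rules open to the whole internet (PCI DSS Req. 1).

Added example. SAMPLE_GROUPS is constructed data in the shape of the
`aws ec2 describe-security-groups` response; the group ids are made up.
"""
from typing import Dict, List

# Ports the CDE web tier is expected to expose publicly (assumption).
ALLOWED_PUBLIC_PORTS = {80, 443}
# Anywhere-CIDRs exactly as the API returns them.
WORLD_CIDRS = {"0.0.0.0/0", "::/0"}

SAMPLE_GROUPS: List[dict] = [  # constructed, not real account data
    {"GroupId": "sg-0web0000example", "GroupName": "pci-web-dmz",
     "IpPermissions": [
         {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
          "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
         {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
          "IpRanges": [{"CidrIp": "10.0.2.0/24"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-0db00000example", "GroupName": "pci-db-internal",
     "IpPermissions": [
         {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
          "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-0jump000example", "GroupName": "pci-jumpbox",
     "IpPermissions": [
         {"IpProtocol": "-1", "IpRanges": [],
          "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
]


def _world_reachable(perm: dict) -> bool:
    """True if any IPv4 or IPv6 range on the rule is an anywhere-CIDR."""
    cidrs = {r.get("CidrIp") for r in perm.get("IpRanges", [])}
    cidrs |= {r.get("CidrIpv6") for r in perm.get("Ipv6Ranges", [])}
    return bool(cidrs & WORLD_CIDRS)


def _describe(perm: dict) -> str:
    """Human-readable protocol/port summary of one rule."""
    if perm.get("IpProtocol") == "-1":
        return "all protocols/ports"
    lo, hi = perm.get("FromPort"), perm.get("ToPort")
    ports = str(lo) if lo == hi else f"{lo}-{hi}"
    return f"{perm['IpProtocol']}/{ports}"


def find_open_ingress(groups: List[dict],
                      allowed_ports=ALLOWED_PUBLIC_PORTS) -> List[Dict[str, str]]:
    """One finding per world-reachable ingress rule that is not limited to
    the allow-listed ports. A port range passes only if every port in it
    is allow-listed; protocol -1 (all traffic) and ICMP (port -1) always fail."""
    findings = []
    for sg in groups:
        for perm in sg.get("IpPermissions", []):
            if not _world_reachable(perm):
                continue
            if perm.get("IpProtocol") != "-1":
                lo, hi = perm.get("FromPort", -1), perm.get("ToPort", -1)
                if lo >= 0 and all(p in allowed_ports for p in range(lo, hi + 1)):
                    continue
            findings.append({"GroupId": sg["GroupId"],
                             "GroupName": sg.get("GroupName", ""),
                             "Exposure": _describe(perm)})
    return findings


if __name__ == "__main__":
    for f in find_open_ingress(SAMPLE_GROUPS):
        print(f"{f['GroupId']} ({f['GroupName']}): {f['Exposure']} open to the world")
```

To run it against a real account, load the JSON from `aws ec2 describe-security-groups --output json` and pass its `SecurityGroups` list to `find_open_ingress`. Review the findings list rather than silencing it with a broader allow-list: the database group and the jumpbox group in the sample are the patterns that most often turn up in an assessment.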
Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters
• AWS Services
• Elastic Compute Cloud (EC2)
• AWS CloudFormation
• AWS Container Service
• AWS OpsWorks Stacks
• Other Strategies and Considerations
• Amazon-supplied AMIs have no default credentials
• Third-party AMIs might have defaults
• Pre-hardened AMIs available from Anitian in AWS Marketplace
• Configuration management platforms (Chef, Puppet, Ansible)
Requirement 3: Protect stored cardholder data
• AWS Services
• Elastic Block Store (EBS)
• Simple Storage Service (S3)
• Key Management Service (KMS)
• Relational Database Service (RDS)
• AWS CloudHSM
• AWS SimpleDB
• AWS RedShift
• Other Strategies and Considerations
• EBS not OS independent
• Self-managed DBs
Requirement 4: Encrypt transmission of cardholder data across open, public networks
• AWS Services
• Elastic load balancers
• Network ACLs
• Security Groups
• Customer Gateways
• Virtual Private Gateways
• VPN Connections
• AWS Direct Connect
• CloudFront
• Other Strategies and Considerations
• Set up and manage TLS and VPNs
• Standard encryption strength and algorithms change
• AWS Certificate Manager
Requirement 5: Protect all systems against malware and regularly update anti-virus software or programs
• AWS Services
• AWS does not provide anti-malware for customer AWS instances
• Other Strategies and Considerations
• Third-party management AMIs
• Manage from within AWS
• Use existing on-premises solutions
Requirement 6: Develop and maintain secure systems and applications
• AWS Services
• AWS Config
• AWS CloudFormation
• AWS WAF
• Amazon CloudFront
• Other Strategies and Considerations
• Amazon Linux AMI Security Bulletins (ALAS)
– https://alas.aws.amazon.com/
• CodeCommit and CodeDeploy
• Third-party management AMIs
• Separation of production, test, development environments
• AWS Systems Manager
Requirement 7: Restrict access to cardholder data by business need to know
• AWS Services
• Identity and Access Management (IAM)
• Directory Service
• Cognito
• Other Strategies and Considerations
• IAM controls access to AWS itself
– AWS Console
– AWS APIs
Requirement 8: Identify and authenticate access to system components
• AWS Services
• Identity and Access Management (IAM)
• Directory Service
• Cognito
• Other Strategies and Considerations
• IAM limitations by default (but supports GPOs)
– lockouts for invalid login attempts (Req. 8.1.6)
– minimum lockout durations (Req. 8.1.7)
– idle session timeouts (Req. 8.1.8)
• Hosting your own IAM/Directory service in AWS
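The slide lists what IAM cannot enforce on its own (8.1.6 through 8.1.8). The complementary check, which IAM can evidence directly, is whether the account password policy meets the Requirement 8.2 password rules. The script below is an added example, not code from the deck or from Anitian: it reads a policy in the shape of the `aws iam get-account-password-policy` response (the two sample policies are constructed), reports which of 8.2.3, 8.2.4 and 8.2.5 (PCI DSS v3.2.1 numbering) fail, and lists the 8.1.x items that must be covered by a compensating control because the IAM password policy has no setting for them.

```python
"""Check an IAM account password policy against PCI DSS v3.2.1 Req. 8.2.x.

Added example. The policy dicts are constructed in the shape of the
`PasswordPolicy` object returned by `aws iam get-account-password-policy`.
"""
from typing import Dict, List

PCI_MIN_LENGTH = 7       # 8.2.3: at least seven characters, numeric and alphabetic
PCI_MAX_AGE_DAYS = 90    # 8.2.4: change passwords at least every 90 days
PCI_REUSE_HISTORY = 4    # 8.2.5: no reuse of any of the last four passwords
# Lockout threshold, lockout duration and idle timeout (8.1.6-8.1.8) are not
# settings of the IAM password policy; they need a compensating control.
NOT_IN_IAM_POLICY = ("8.1.6", "8.1.7", "8.1.8")

# Constructed: roughly what an account that never set a policy looks like.
DEFAULT_LIKE_POLICY = {
    "MinimumPasswordLength": 8, "RequireSymbols": False, "RequireNumbers": False,
    "RequireUppercaseCharacters": False, "RequireLowercaseCharacters": False,
    "AllowUsersToChangePassword": True, "ExpirePasswords": False,
}
# Constructed: a policy that satisfies 8.2.3-8.2.5.
HARDENED_POLICY = {
    "MinimumPasswordLength": 12, "RequireSymbols": True, "RequireNumbers": True,
    "RequireUppercaseCharacters": True, "RequireLowercaseCharacters": True,
    "AllowUsersToChangePassword": True, "ExpirePasswords": True,
    "MaxPasswordAge": 90, "PasswordReusePrevention": 24, "HardExpiry": False,
}


def check_password_policy(policy: Dict) -> Dict[str, List[str]]:
    """Return the failing 8.2.x requirement ids plus the 8.1.x ids that
    cannot be evidenced from the IAM password policy at all."""
    failures: List[str] = []
    has_alpha = bool(policy.get("RequireUppercaseCharacters")
                     or policy.get("RequireLowercaseCharacters"))
    if (policy.get("MinimumPasswordLength", 0) < PCI_MIN_LENGTH
            or not (policy.get("RequireNumbers") and has_alpha)):
        failures.append("8.2.3")
    max_age = policy.get("MaxPasswordAge")
    if not policy.get("ExpirePasswords") or max_age is None or max_age > PCI_MAX_AGE_DAYS:
        failures.append("8.2.4")
    if policy.get("PasswordReusePrevention", 0) < PCI_REUSE_HISTORY:
        failures.append("8.2.5")
    return {"failures": failures,
            "needs_compensating_controls": list(NOT_IN_IAM_POLICY)}


def suggest_cli_flags(failures: List[str]) -> List[str]:
    """Flags for `aws iam update-account-password-policy` that close each gap.
    The real call replaces the whole policy, so pass every flag you want kept."""
    flags: List[str] = []
    if "8.2.3" in failures:
        flags += [f"--minimum-password-length {PCI_MIN_LENGTH}",
                  "--require-numbers", "--require-lowercase-characters"]
    if "8.2.4" in failures:
        flags.append(f"--max-password-age {PCI_MAX_AGE_DAYS}")
    if "8.2.5" in failures:
        flags.append(f"--password-reuse-prevention {PCI_REUSE_HISTORY}")
    return flags


if __name__ == "__main__":
    for name, policy in (("default-like", DEFAULT_LIKE_POLICY), ("hardened", HARDENED_POLICY)):
        result = check_password_policy(policy)
        print(name, "fails:", result["failures"] or "none")
        if result["failures"]:
            print("  fix:", " ".join(suggest_cli_flags(result["failures"])))
        print("  compensating controls needed for:", ", ".join(result["needs_compensating_controls"]))
```

The thresholds are the PCI DSS v3.2.1 minimums; most programs set stricter values. Because `update-account-password-policy` resets any option you do not pass, build the full flag list from your target policy rather than applying only the suggested flags. Federating console access through Directory Service or an existing directory, as the slide suggests, is how the 8.1.6 through 8.1.8 gap is normally closed.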
Requirement 9: Restrict Physical Access to Cardholder Data
• Amazon’s Attestation of Compliance (AOC)
• Fully covers physical security of AWS
• Applies to any PCI components hosted in AWS
• Other Strategies and Considerations
• Does not cover in-scope, but on-premises components
• Does not cover data or media pulled from AWS
Requirement 10: Track and monitor all access to network resources and cardholder data
• AWS Services
• CloudTrail
• CloudWatch Logs
• S3
• Other Strategies and Considerations
• S3 supports lifecycle management
• Leverage CloudTrail APIs to obtain SIEM data
• CloudTrail will log AWS Console and API activity
• AWS does not include time synchronization
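CloudTrail gives you the raw console and API activity the slide describes; turning it into Requirement 10 evidence means picking out the events an assessor expects you to be alerting on. The script below is an added example, not code from the deck or from Anitian: it reads records in the shape of a CloudTrail log file (`{"Records": [...]}`, here a constructed sample with a made-up account id, user and addresses) and emits SIEM-ready alerts for root usage, console logins without MFA, failed console logins and security group or network ACL changes, each tagged with the PCI requirement it supports.

```python
"""Triage CloudTrail records into SIEM-style alerts (PCI DSS Req. 10).

Added example. SAMPLE_RECORDS is a constructed log in the shape of a
CloudTrail delivery file; the account id, ARNs, user and IPs are made up.
"""
import json
from typing import Dict, List

# EC2 API calls that change firewall rules (security groups / network ACLs).
FIREWALL_CHANGE_EVENTS = {
    "AuthorizeSecurityGroupIngress", "AuthorizeSecurityGroupEgress",
    "RevokeSecurityGroupIngress", "RevokeSecurityGroupEgress",
    "CreateNetworkAclEntry", "ReplaceNetworkAclEntry", "DeleteNetworkAclEntry",
}

SAMPLE_RECORDS: List[dict] = json.loads("""
{"Records": [
  {"eventTime": "2017-09-12T14:02:11Z", "eventSource": "signin.amazonaws.com",
   "eventName": "ConsoleLogin", "awsRegion": "us-east-1", "sourceIPAddress": "198.51.100.7",
   "userIdentity": {"type": "Root", "arn": "arn:aws:iam::123456789012:root"},
   "responseElements": {"ConsoleLogin": "Success"}, "additionalEventData": {"MFAUsed": "Yes"}},
  {"eventTime": "2017-09-12T14:10:45Z", "eventSource": "signin.amazonaws.com",
   "eventName": "ConsoleLogin", "awsRegion": "us-east-1", "sourceIPAddress": "203.0.113.20",
   "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/ops-admin", "userName": "ops-admin"},
   "responseElements": {"ConsoleLogin": "Success"}, "additionalEventData": {"MFAUsed": "No"}},
  {"eventTime": "2017-09-12T14:11:02Z", "eventSource": "signin.amazonaws.com",
   "eventName": "ConsoleLogin", "awsRegion": "us-east-1", "sourceIPAddress": "203.0.113.21",
   "userIdentity": {"type": "IAMUser", "userName": "ops-admin"},
   "responseElements": {"ConsoleLogin": "Failure"}, "errorMessage": "Failed authentication"},
  {"eventTime": "2017-09-12T14:20:30Z", "eventSource": "ec2.amazonaws.com",
   "eventName": "AuthorizeSecurityGroupIngress", "awsRegion": "us-east-1", "sourceIPAddress": "203.0.113.20",
   "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/ops-admin", "userName": "ops-admin"},
   "requestParameters": {"groupId": "sg-0db00000example"}, "responseElements": null},
  {"eventTime": "2017-09-12T14:21:00Z", "eventSource": "ec2.amazonaws.com",
   "eventName": "DescribeInstances", "awsRegion": "us-east-1", "sourceIPAddress": "203.0.113.20",
   "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/ops-admin", "userName": "ops-admin"},
   "responseElements": null}
]}
""")["Records"]


def _alert(alerts: List[dict], base: dict, rule: str, pci_req: str) -> None:
    alerts.append({**base, "rule": rule, "pci": pci_req})


def triage_records(records: List[dict]) -> List[Dict[str, str]]:
    """Return one alert per matched detection rule, in record order."""
    alerts: List[dict] = []
    for rec in records:
        ident = rec.get("userIdentity") or {}
        base = {
            "eventTime": rec.get("eventTime"),
            "eventName": rec.get("eventName"),
            "principal": ident.get("arn") or ident.get("userName") or ident.get("type", "unknown"),
            "sourceIPAddress": rec.get("sourceIPAddress"),
        }
        # 10.2.2: every action taken with root privileges must be logged and reviewed.
        if ident.get("type") == "Root":
            _alert(alerts, base, "root-activity", "10.2.2")
        if rec.get("eventName") == "ConsoleLogin":
            outcome = (rec.get("responseElements") or {}).get("ConsoleLogin")
            mfa = (rec.get("additionalEventData") or {}).get("MFAUsed")
            if outcome == "Failure":          # 10.2.4: invalid logical access attempts
                _alert(alerts, base, "console-login-failure", "10.2.4")
            elif outcome == "Success" and mfa != "Yes":   # 8.3: MFA for admin access
                _alert(alerts, base, "console-login-without-mfa", "8.3")
        # 1.1.1: firewall rule changes go through change control; flag each one.
        if rec.get("eventName") in FIREWALL_CHANGE_EVENTS:
            _alert(alerts, base, "security-group-change", "1.1.1")
    return alerts


def to_siem_lines(alerts: List[dict]) -> List[str]:
    """One JSON object per line, the form most SIEM collectors ingest directly."""
    return [json.dumps(a, sort_keys=True) for a in alerts]


if __name__ == "__main__":
    for line in to_siem_lines(triage_records(SAMPLE_RECORDS)):
        print(line)
```

CloudTrail timestamps are UTC, which is what makes correlation across regions and with on-premises logs workable; since the slide notes that AWS itself does not give you time synchronization for your instances, make sure the hosts feeding the same SIEM are NTP-disciplined or their events will not line up with these. The requirement tags are a reviewer aid, not a mapping the assessor will accept on its own.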
Requirement 11: Regularly test security systems and processes
• AWS Services
• Amazon’s Attestation of Compliance (AOC)
– Fully covers physical security of AWS
– Fully covers rogue Wireless Access Point detection
– Applies to any PCI components hosted in AWS
– Does not cover in-scope, but on-premises components
• Other Strategies and Considerations
– External security testing requires approval, BEFORE it begins
Requirement 12: Maintain a policy that addresses information security for all personnel
• AWS Services
• None
Requirement A.1: Additional PCI DSS Requirements for Shared Hosting Providers
• AWS Services
• VPCs, Security Groups
• IAM and AD Connector
Requirement A.2: Additional PCI DSS Requirements for Entities using SSL/early TLS
• AWS Services
• None
Requirement A.3: Designated Entities Supplemental Validation (DESV)
• AWS Services
• None
• Other Strategies and Considerations
• AWS Config, CloudTrail, and CloudWatch
– Change detection
– Event monitoring and response
• S3
– API access can help with CHD discovery
• IAM, Directory Service, and AD Connector
– Logical access control
– Access policies within AWS
PCI REFERENCE ARCHITECTURES
Architecture 1: Dedicated
• An entire AWS environment dedicated to a web-based e-commerce application.
• A CloudFormation template is available from Anitian in the AWS Marketplace
• Features
• DMZ subnet for webserver instance
• Management subnet for “Jumpbox” instance
• Internal subnet for application and AWS RDS instances.
• PCI Scope
• Everything
NOTE: While the Jumpbox does not handle cardholder data itself, it does impact the security of the instances and is therefore in-scope.
Architecture 2: Segmented
• Adding non-PCI systems to the AWS environment hosting our existing web-based e-commerce application.
• Features
• Separate Virtual Private Clouds for PCI and non-PCI environments
• Network segmentation between VPCs
• PCI Scope
• Instances in the PCI VPC only
Architecture 3: Connected
• Extending an on-premises network to the AWS PCI environment to leverage existing services.
• Features
• Connectivity between on-premises systems and the AWS PCI environment.
• Network segmentation between PCI and non-PCI environments.
• PCI Scope
• AWS CDE VPC
• AWS in-scope VPC and in-scope on-premises network
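Architectures 2 and 3 both rest on the claim that the non-PCI VPC (and, in Architecture 3, the non-PCI part of the corporate network) has no path into the CDE; that claim is what keeps those systems out of scope, and the QSA will want it demonstrated, not asserted. The script below is an added example, not code from the deck or from Anitian: it takes route tables in the shape of the `aws ec2 describe-route-tables` response (a constructed sample with made-up VPC, gateway and peering ids; the CDE CIDR and the set of in-scope VPCs are assumptions) and reports any active route in an out-of-scope VPC that leads towards the CDE address range over a private path (peering, transit gateway, VPN gateway, instance or ENI).

```python
"""Find routes that let an out-of-scope VPC reach the CDE (Architectures 2 and 3).

Added example. Route tables are constructed in the shape of the
`aws ec2 describe-route-tables` response; every id and CIDR is made up.
"""
import ipaddress
from typing import Dict, List, Set

CDE_CIDR = ipaddress.ip_network("10.10.0.0/16")       # assumed CDE VPC range
IN_SCOPE_VPCS: Set[str] = {
    "vpc-0cde0000example",   # the CDE VPC itself
    "vpc-0mgmt000example",   # connected in-scope VPC (Architecture 3)
}

# Route targets that carry traffic to private address space.
PRIVATE_TARGET_KEYS = ("VpcPeeringConnectionId", "TransitGatewayId",
                       "NetworkInterfaceId", "InstanceId")

SAMPLE_ROUTE_TABLES: List[dict] = [  # constructed
    {"RouteTableId": "rtb-0cde0000example", "VpcId": "vpc-0cde0000example", "Routes": [
        {"DestinationCidrBlock": "10.10.0.0/16", "GatewayId": "local", "State": "active"},
        {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0cde0000example", "State": "active"},
        {"DestinationCidrBlock": "10.20.0.0/16", "VpcPeeringConnectionId": "pcx-0mgmt000example", "State": "active"}]},
    {"RouteTableId": "rtb-0mgmt000example", "VpcId": "vpc-0mgmt000example", "Routes": [
        {"DestinationCidrBlock": "10.20.0.0/16", "GatewayId": "local", "State": "active"},
        {"DestinationCidrBlock": "10.10.0.0/16", "VpcPeeringConnectionId": "pcx-0mgmt000example", "State": "active"},
        {"DestinationCidrBlock": "192.168.0.0/16", "GatewayId": "vgw-0corp000example", "State": "active"}]},
    {"RouteTableId": "rtb-0corp000example", "VpcId": "vpc-0corp000example", "Routes": [
        {"DestinationCidrBlock": "10.30.0.0/16", "GatewayId": "local", "State": "active"},
        {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0corp000example", "State": "active"},
        # The leak: a peering route from the non-PCI VPC into a CDE subnet.
        {"DestinationCidrBlock": "10.10.5.0/24", "VpcPeeringConnectionId": "pcx-0oops000example", "State": "active"}]},
]


def _reaches_private_network(route: dict) -> bool:
    """True for peering/TGW/VGW/instance/ENI targets; False for local, IGW and NAT."""
    if route.get("GatewayId") == "local":
        return False
    if any(k in route for k in PRIVATE_TARGET_KEYS):
        return True
    return str(route.get("GatewayId", "")).startswith("vgw-")


def _target(route: dict) -> str:
    for key in PRIVATE_TARGET_KEYS + ("GatewayId",):
        if key in route:
            return route[key]
    return "?"


def find_scope_leaks(route_tables: List[dict],
                     cde_cidr=CDE_CIDR,
                     in_scope=IN_SCOPE_VPCS) -> List[Dict[str, str]]:
    """Active routes in VPCs outside `in_scope` whose destination overlaps the
    CDE range via a private path. IPv6 and prefix-list routes are skipped."""
    leaks = []
    for rt in route_tables:
        if rt["VpcId"] in in_scope:
            continue
        for route in rt.get("Routes", []):
            dest = route.get("DestinationCidrBlock")
            if not dest or route.get("State", "active") != "active":
                continue
            if not _reaches_private_network(route):
                continue
            if ipaddress.ip_network(dest).overlaps(cde_cidr):
                leaks.append({"VpcId": rt["VpcId"], "RouteTableId": rt["RouteTableId"],
                              "Destination": dest, "Target": _target(route)})
    return leaks


if __name__ == "__main__":
    for leak in find_scope_leaks(SAMPLE_ROUTE_TABLES):
        print(f"{leak['VpcId']} {leak['RouteTableId']}: route to {leak['Destination']} via {leak['Target']}")
```

A hit means one of two things: the VPC is really in scope and the inventory is wrong, or the route (and usually the peering connection behind it) should not exist. Security groups and network ACLs may still block the traffic, but scope reduction is easier to defend when the route is simply absent, so treat the routing layer as the first segmentation control and the filtering layers as defence in depth.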
THIRD PARTY SOLUTIONS
Pre-built AMIs
• Familiar technologies
• Trusted vendors
https://aws.amazon.com/marketplace/
PCI Compliance Related
• AWS Service Gaps
• IDS/IPS
• SIEM
• Patching
• Vulnerability Management
• FIM
• Enhance AWS Services
• Firewalls
• VPN
• AWS Automation
AWS PCI BEST PRACTICES
Non-technical Actions
• Request a copy of the AWS PCI Compliance Package
• Requires NDA
• AWS AOC
• Responsibility Matrix
• Documentation
• Config
• Trusted Advisor
• AMI Identifiers
• AWS Console
• Resource Groups and Tagging
Technical Considerations
• First things first
• Naming conventions
• KMS encryption keys
• Trusted Advisor
• Monitoring
• CloudWatch
• Elastic Load Balancers (ELB)
• Abstract or conceal real endpoints
• ELB all the things!
• Design for the cloud
• Dynamic environments
• Control implementation points
Audit Preparation
• Readiness assessment
• Documentation
• Network diagrams and data flows
• Scope and inventory
• Penetration tests and vulnerability scans
• QSA who knows AWS
QUESTIONS?
EMAIL: [email protected]
WEB: www.anitian.com
BLOG: blog.anitian.com
SLIDES: http://bit.ly/anitian
CALL: 888-ANITIAN
THANK YOU