
Building PCI Compliance Solution on AWS - Pop-up Loft Tel Aviv

1,326 views


PCI-DSS is one of the most popular compliance regulations facing most customers on the cloud. In this session we will take a look at reference architecture that will provide you with guidelines and strategies to design a PCI compliant environment. By Lahav Savir, Emind CEO & Architect

Published in: Technology


  1. Building a PCI Compliance Solution on AWS. Lahav Savir, CEO & Architect, Emind Cloud Experts
  2. A Global Expert in Cloud Enablement for Products, SaaS ISV, and Online Solutions
  3. Top Level Partnership
  4. Under NDA - Commercially Sensitive
  5. A “Cloud-native” MSP. Market Guide for Managed Service Providers on Amazon Web Services (Lydia Leong, Oct. 2015): “Amazon Web Services does not offer managed services, but many customers want to use AWS as a cloud IaaS and PaaS platform, while outsourcing IT operations or application management. AWS's ecosystem of MSP partners can fulfill this need.” https://www.gartner.com/doc/3157620/market-guide-managed-service-providers “Common Types of MSPs (on AWS) with Example References ● Cloud-native MSPs. These MSPs were either founded specifically to provide services on cloud IaaS, or pivoted to entirely focus their business on these services. Many of these MSPs are AWS-specific. Examples include 2nd Watch, Cloudnexa, Cloudreach, Emind and Minjar”
  6. Assessing the Risk: Yes, the Cloud Can Be More Secure Than Your On-Premises Environment (IDC, July 2015)
  7. Why is the Cloud more Secure?
     ● More segmentation (separation)
     ● More encryption
     ● Stronger authentication
     ● More logging and monitoring
  8. Security in the Cloud / Security of the Cloud
  9. PCI DSS is a standard that specifies best practices and various security controls.
     ● Build and maintain a secure network
     ● Protect cardholder data
     ● Maintain a vulnerability management program
     ● Implement strong security measures
     ● Regularly test and monitor networks
     ● Maintain an information security policy
  10. AWS Services that are PCI Compliant
     ● Auto Scaling
     ● AWS CloudFormation
     ● Amazon CloudFront
     ● AWS CloudHSM
     ● AWS CloudTrail
     ● AWS Direct Connect
     ● Amazon DynamoDB
     ● AWS Elastic Beanstalk
     ● Amazon Elastic Block Store (EBS)
     ● Amazon Elastic Compute Cloud (EC2)
     ● Elastic Load Balancing (ELB)
     ● Amazon Elastic MapReduce (EMR)
     ● Amazon Glacier
     ● AWS Key Management Service (KMS)
     ● AWS Identity and Access Management (IAM)
     ● Amazon Redshift
     ● Amazon Relational Database Service (RDS)
     ● Amazon Route 53
     ● Amazon SimpleDB
     ● Amazon Simple Storage Service (S3)
     ● Amazon Simple Queue Service (SQS)
     ● Amazon Simple Workflow Service (SWF)
     ● Amazon Virtual Private Cloud (VPC)
  11. PCI Architecture Principles
     ● Restricted Network Access
     ● Vulnerability Protection
     ● Encryption
     ● Authentication and Identification
     ● High Availability
     ● Scalability
     ● Change Control
     ● Disaster Recovery
     ● Monitoring
     ● Auditing
  12. Restricted Network Access
  13. The Basics
     ● VPC
     ● NACL
     ● Security Groups
     Inbound Traffic
     ● WAF
     Outbound Traffic
     ● Web Filtering
     ● Threat Protection
  14. Vulnerability Protection
  15. ● File Integrity Monitoring
     ● Anti Virus
     ● Traffic Content
     ● Traffic Reputation
  16. Encryption
  17. Why Encryption?
     ● Traffic can be captured
     ● Volumes can be accessed
     ● Data may be stolen
  18. Data In Transit
     ● End-to-End Encryption
       ○ WAF, ELB, App Server
       ○ DB
     Data at Rest
     ● EBS Encryption
     ● RDS Encryption
     ● Sensitive Data (using KMS)
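The two principles above, Restricted Network Access (slides 12-13) and Encryption at rest (slides 16-18), can be checked continuously rather than only at assessment time. The following is an added example, not code from the deck or from Emind: it runs offline over a constructed inventory shaped like the boto3 `describe_security_groups`, `describe_volumes` and `describe_db_instances` responses, and flags security-group rules that expose anything other than the TLS edge to the internet, database ports reachable from CIDR ranges instead of the app tier's security group, and EBS/RDS storage that is not encrypted. The tier names, group ids, account-less ARNs and the "only 443 may face the internet" rule are assumptions made for the example.

```python
import ipaddress

# Constructed inventory in the shape of boto3 describe_* responses (no real resources)
SECURITY_GROUPS = [
    {"GroupId": "sg-web", "GroupName": "web-tier", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [], "UserIdGroupPairs": []},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [], "UserIdGroupPairs": []},
    ]},
    {"GroupId": "sg-db", "GroupName": "db-tier", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
         "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": [], "UserIdGroupPairs": []},
        {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
         "IpRanges": [], "Ipv6Ranges": [], "UserIdGroupPairs": [{"GroupId": "sg-app"}]},
    ]},
]
EBS_VOLUMES = [
    {"VolumeId": "vol-app-01", "Encrypted": True, "KmsKeyId": "arn:aws:kms:EXAMPLE-KEY-ARN"},
    {"VolumeId": "vol-db-01", "Encrypted": False},
]
RDS_INSTANCES = [
    {"DBInstanceIdentifier": "cardholder-db", "StorageEncrypted": False, "PubliclyAccessible": True},
    {"DBInstanceIdentifier": "reporting-db", "StorageEncrypted": True, "PubliclyAccessible": False},
]

PUBLIC_EDGE_PORTS = {443}            # assumption: only TLS to the WAF/ELB edge may face the internet
DB_PORTS = {3306, 5432, 1433, 1521}  # assumption: the database engines in scope


def _port_label(perm):
    """Human-readable 'proto/port' label for a security-group permission."""
    if perm["IpProtocol"] == "-1":
        return "all"
    lo, hi = perm["FromPort"], perm["ToPort"]
    return f"{perm['IpProtocol']}/{lo}" if lo == hi else f"{perm['IpProtocol']}/{lo}-{hi}"


def _is_world(cidr):
    """True for 0.0.0.0/0 and ::/0."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def check_security_groups(groups):
    """Return (group id, finding, detail) tuples for rules outside the PCI network model."""
    findings = []
    for sg in groups:
        for perm in sg["IpPermissions"]:
            label = _port_label(perm)
            cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])] + \
                    [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
            single_port = perm["IpProtocol"] != "-1" and perm["FromPort"] == perm["ToPort"]
            edge_ok = single_port and perm["FromPort"] in PUBLIC_EDGE_PORTS
            # Anything other than the TLS edge open to the whole internet is a finding
            for cidr in cidrs:
                if _is_world(cidr) and not edge_ok:
                    findings.append((sg["GroupId"], "internet-exposed", label))
            # Database ports should reference the app tier's security group, not CIDR ranges
            if single_port and perm["FromPort"] in DB_PORTS and cidrs:
                findings.append((sg["GroupId"], "db-port-open-to-cidr",
                                 f"{label} from {','.join(cidrs)}"))
    return findings


def check_encryption_at_rest(volumes, db_instances):
    """Return (resource id, finding) tuples for storage that is not encrypted or is public."""
    findings = []
    for vol in volumes:
        if not vol.get("Encrypted"):
            findings.append((vol["VolumeId"], "ebs-unencrypted"))
    for db in db_instances:
        if not db.get("StorageEncrypted"):
            findings.append((db["DBInstanceIdentifier"], "rds-unencrypted"))
        if db.get("PubliclyAccessible"):
            findings.append((db["DBInstanceIdentifier"], "rds-publicly-accessible"))
    return findings


if __name__ == "__main__":
    for finding in check_security_groups(SECURITY_GROUPS):
        print("network:", *finding)
    for finding in check_encryption_at_rest(EBS_VOLUMES, RDS_INSTANCES):
        print("encryption:", *finding)
```

Against a live account the same functions can be fed the output of the corresponding boto3 calls; the point of keeping the checks as pure functions over the response shape is that they can run in a pipeline or a scheduled job and produce evidence for the assessor on every change, not only once a year.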
  19. Authentication and Identification
  20. Single Identity Provider
     ● Single Password Policy
     ● Single Lock Policy
     ● Single OTP
     ● Single Login Audit
     ● Same username used across all resources
  21. Where do we Authenticate?
     ● AWS Console
     ● Network Access / VPN
     ● Bastion / Jump Server
     ● EC2 Instances
     ● Build Server
     ● Log Server
     ● Monitoring System
     ● ...
  22. ● Don't mix Corporate and Cloud Resources
     ● Minimize Replication
     ● Maximize Federation
  23. Active Directory Integration using the Onelogin Active Directory Connector (ADC)
  24. Login to:
     ● AWS Console: access via SAML Federation
     ● VPN: using Radius
     No need for IAM Users
  25. Login to:
     ● Bastion Server
       ○ LDAP
       ○ Radius
     ● EC2 Instance
       ○ LDAP
       ○ Kerberos
       ○ SSH Keys
  26. Login to:
     ● Build Server
       ○ LDAP
       ○ SAML
       ○ OpenID
     ● Log Server
       ○ LDAP
  27. Login to:
     ● Monitoring System
       ○ SAML
     ● Other external systems
       ○ Pingdom
       ○ New Relic
       ○ Sumo Logic
       ○ ...
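Slides 22-24 make "no IAM users, console access only via SAML federation" the design rule. That rule lives in the trust policy of each IAM role, and it drifts when someone adds a second trusted principal. The example below is added here and is not the deck's or Emind's code: it holds a constructed trust policy in the shape AWS documents for SAML federation (`sts:AssumeRoleWithSAML` from a `saml-provider` principal, with the `SAML:aud` audience condition) next to a constructed policy that has drifted, and a checker that reports any statement letting a non-federated principal assume the role. The provider name "Onelogin", the account id and the user name are assumptions.

```python
import json

EXPECTED_AUDIENCE = "https://signin.aws.amazon.com/saml"  # audience AWS's SAML sign-in endpoint asserts

# Constructed trust policy: federation only (provider name and account id are assumptions)
SAML_STATEMENT = {
    "Effect": "Allow",
    "Principal": {"Federated": "arn:aws:iam::111111111111:saml-provider/Onelogin"},
    "Action": "sts:AssumeRoleWithSAML",
    "Condition": {"StringEquals": {"SAML:aud": EXPECTED_AUDIENCE}},
}
SAML_TRUST_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [SAML_STATEMENT]})

# Constructed drifted policy: an IAM user was added as a second trusted principal
MIXED_TRUST_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    SAML_STATEMENT,
    {"Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::111111111111:user/alice"},
     "Action": "sts:AssumeRole"},
]})

# Constructed policy that federates but forgot the audience condition
NO_AUDIENCE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {k: v for k, v in SAML_STATEMENT.items() if k != "Condition"},
]})


def _as_list(value):
    """IAM allows scalar-or-list for Statement and Action; normalise to a list."""
    return value if isinstance(value, list) else [value]


def assess_trust_policy(policy_json):
    """Return (statement index, finding) pairs; an empty list means federation-only trust."""
    policy = json.loads(policy_json)
    findings = []
    for i, stmt in enumerate(_as_list(policy["Statement"])):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal")
        actions = _as_list(stmt.get("Action", []))
        # "*", an AWS account/user ARN, or a Service principal all bypass the IdP
        if not isinstance(principal, dict) or set(principal) != {"Federated"}:
            findings.append((i, "non-federated-principal"))
            continue
        if ":saml-provider/" not in principal["Federated"]:
            findings.append((i, "federated-principal-not-saml-provider"))
        if any(action != "sts:AssumeRoleWithSAML" for action in actions):
            findings.append((i, "unexpected-action"))
        audience = stmt.get("Condition", {}).get("StringEquals", {}).get("SAML:aud")
        if audience != EXPECTED_AUDIENCE:
            findings.append((i, "missing-saml-audience-condition"))
    return findings


if __name__ == "__main__":
    for name, policy in [("saml-only", SAML_TRUST_POLICY), ("mixed", MIXED_TRUST_POLICY),
                         ("no-audience", NO_AUDIENCE_POLICY)]:
        print(name, assess_trust_policy(policy) or "ok")
```

The checker reads the policy document as JSON, so it can be pointed at the `AssumeRolePolicyDocument` returned for each role and run as part of the audit described later in the deck.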
  28. High Availability
  29. AWS SLA: “Region Unavailable” and “Region Unavailability” mean that more than one Availability Zone in which you are running an instance, within the same Region, is “Unavailable” to you.
  30. ● Multiple EC2 Instances across multiple Availability Zones (Multi-AZ)
     ● Multi-AZ RDS
  31. Scalability
  32. EC2 Auto Scaling behind ELB
  33. Change Control
  34. ● Source Control
     ● Jenkins Build
     ● Versions stored in S3
     ● Beanstalk manages the deployment
     ● All events are logged
  35. Disaster Recovery
  36. Disaster Recovery
  37. Why DR? Business Continuity Plan
     ● Operations
       ○ Human Resources
       ○ Offices
     ● RTO
       ○ Recovery Time Objective
     ● RPO
       ○ Recovery Point Objective
  38. ● Multi Region
     ● Maintain 2nd Site
     ● Data Replication
  39. Monitoring
  40. What should be monitored?
     ● AWS Resources
     ● EC2 Instances
     ● Application health and Metrics
     ● User experience
     ● Trends
  41. Auditing
  42. Event Sources
     ● CloudTrail
     ● ELB / S3 / CloudFront Access Logs
     ● VPC Flow Logs
     ● AWS Inspector
     ● Host AV & IPS
     ● Network WAF, IPS, VPN
     ● Evident.io / Dome9
     ● Observable
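Two of the event sources on slide 42, CloudTrail and VPC Flow Logs, are enough to give concrete shape to the "clear visibility, governance rules, actions" idea that follows. This added example (not code from the deck or from Emind) parses constructed records in both formats: VPC flow log lines in the default 14-field format, and CloudTrail events in the shape of the `Records` array in a delivered log file. It then applies a few governance rules from the deck itself: console logins must come through federation (no IAM users) and with MFA, security-group changes are change-control events worth reviewing, and any event that stops or deletes logging is a finding on its own. The trusted network range, account id, role and user names are assumptions made for the example.

```python
import ipaddress
import json

# Constructed VPC flow log records in the default v2 format (not captured from a real account)
FLOW_LOG_LINES = """\
2 111111111111 eni-0a1b2c3d 203.0.113.5 10.0.2.15 51234 3306 6 3 180 1500000000 1500000060 REJECT OK
2 111111111111 eni-0a1b2c3d 10.0.1.20 10.0.2.15 43210 3306 6 20 4000 1500000000 1500000060 ACCEPT OK
2 111111111111 eni-0a1b2c3d 198.51.100.9 10.0.2.15 40000 3306 6 2 120 1500000000 1500000060 ACCEPT OK
2 111111111111 eni-0a1b2c3d 10.0.1.20 10.0.2.15 43211 443 6 5 900 1500000000 1500000060 ACCEPT OK
"""
FLOW_FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "
               "protocol packets bytes start end action log_status").split()

# Constructed CloudTrail records (shape of the "Records" entries in a CloudTrail log file)
ADMIN_ROLE_ARN = "arn:aws:sts::111111111111:assumed-role/PCI-Admin/bob"  # assumption
CLOUDTRAIL_JSON = json.dumps({"Records": [
    {"eventName": "ConsoleLogin", "eventSource": "signin.amazonaws.com",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "additionalEventData": {"MFAUsed": "No"}, "responseElements": {"ConsoleLogin": "Success"}},
    {"eventName": "ConsoleLogin", "eventSource": "signin.amazonaws.com",
     "userIdentity": {"type": "AssumedRole", "arn": ADMIN_ROLE_ARN},
     "additionalEventData": {"MFAUsed": "Yes"}, "responseElements": {"ConsoleLogin": "Success"}},
    {"eventName": "AuthorizeSecurityGroupIngress", "eventSource": "ec2.amazonaws.com",
     "userIdentity": {"type": "AssumedRole", "arn": ADMIN_ROLE_ARN},
     "requestParameters": {"groupId": "sg-db"}},
    {"eventName": "StopLogging", "eventSource": "cloudtrail.amazonaws.com",
     "userIdentity": {"type": "AssumedRole", "arn": ADMIN_ROLE_ARN}},
]})

TRUSTED_NETS = [ipaddress.ip_network("10.0.0.0/16")]  # assumption: the PCI VPC's CIDR
DB_PORTS = {3306, 5432, 1433, 1521}
CHANGE_EVENTS = {"AuthorizeSecurityGroupIngress", "AuthorizeSecurityGroupEgress",
                 "CreateNetworkAclEntry", "ModifyDBInstance"}
LOGGING_TAMPER_EVENTS = {"StopLogging", "DeleteTrail", "UpdateTrail", "DeleteFlowLogs"}


def parse_flow_record(line):
    """Split one default-format flow log line into a dict with numeric ports and counters."""
    parts = line.split()
    if len(parts) != len(FLOW_FIELDS):
        raise ValueError(f"expected {len(FLOW_FIELDS)} fields, got {len(parts)}")
    record = dict(zip(FLOW_FIELDS, parts))
    for key in ("srcport", "dstport", "protocol", "packets", "bytes"):
        record[key] = int(record[key])
    return record


def _trusted(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in TRUSTED_NETS)


def flow_findings(text):
    """Flag database-port flows whose source is outside the trusted VPC range."""
    findings = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = parse_flow_record(line)
        if rec["dstport"] not in DB_PORTS or _trusted(rec["srcaddr"]):
            continue
        # A REJECT shows the NACL/SG layer worked; an ACCEPT means the DB tier is reachable
        kind = "external-db-access" if rec["action"] == "ACCEPT" else "external-db-probe-blocked"
        findings.append((kind, rec["srcaddr"], rec["dstaddr"], rec["dstport"]))
    return findings


def cloudtrail_findings(text):
    """Apply the deck's identity and change-control rules to CloudTrail records."""
    findings = []
    for event in json.loads(text)["Records"]:
        name = event["eventName"]
        identity = event.get("userIdentity", {})
        who = identity.get("userName") or identity.get("arn", "unknown")
        if name == "ConsoleLogin":
            if identity.get("type") == "IAMUser":
                findings.append(("console-login-by-iam-user", who))
            if event.get("additionalEventData", {}).get("MFAUsed") != "Yes":
                findings.append(("console-login-without-mfa", who))
        elif name in CHANGE_EVENTS:
            findings.append(("network-change", f"{name} by {who}"))
        elif name in LOGGING_TAMPER_EVENTS:
            findings.append(("audit-logging-tampered", f"{name} by {who}"))
    return findings


if __name__ == "__main__":
    for finding in flow_findings(FLOW_LOG_LINES) + cloudtrail_findings(CLOUDTRAIL_JSON):
        print(*finding)
```

Each finding is a plain tuple so the same functions can feed whichever log platform or ticketing system implements the "define actions" step; what matters for PCI is that the rule, the evidence and the resulting action are all recorded.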
  43. ● Create Clear Visibility
     ● Set Governance Rules
     ● Define Actions
  44. Join our Fastlane to a Successful Cloud Deployment. Thank you, lahavs@emind.co
