Meeting PCI DSS Requirements with AWS and CloudPassage

Meeting PCI DSS Requirements
with AWS and CloudPassage

Carson Sweet Ryan Holland Philip Stehlik
Co-founder & CEO Solutions Architect Founder & CTO
CloudPassage Amazon EC2 Taulia

Twitter hashtag #PCIAWS

© 2013 CloudPassage Inc.

Session Agenda
• What the PCI DSS requires

• Shared responsibility model

• Amazon Web Services capabilities

• CloudPassage Halo security automation tools

• Customer Case: Philip Stehlik, Taulia CTO

• Questions & wrap-up


What the PCI DSS v2 Requires
Build and Maintain a Implement Strong Access
Secure Network* Control Measures

Secure Cardholder Data Regularly Monitor and
(in transit & in storage) Test Networks*

Maintain a Vulnerability Maintain an Information
Management Program Security Policy

* The term “Network” includes server and application stacks


What This Means for Cloud Servers*
• Secure facilities, physical environment, hypervisors

• Robust, auditable network access control (firewalls)

• Hardened operating system and application stacks

• Strong server authentication and access mgmt.

• Vulnerability, patch and anti-virus management

• Continuous monitoring, logging, regular testing

* PCI DSS requirements are always open to QSA interpretation


Security & compliance are
shared responsibilities
between AWS and you.


Introducing CloudPassage Halo
Security and compliance automation for public,
private and hybrid cloud servers

Cloud Firewall File Integrity
Automation Monitoring

Multi-Factor Server Account
Authentication Management

Configuration Security Event
Security Alerting

Vulnerability REST API
Scanning Integrations


www-1
 Web UI + REST API
 Light-weight agent AWS EC2

 Grid performs www-1 mysql-1 bigdata-1
analytics
 SaaS delivery
Halo Halo Halo

User
Portal

CloudPassage
https

Halo
Policies,
https
Commands,
RESTful Reports Halo Compute
API Gateway Grid


www-1

Daemons automatically AWS EC2
deployed to servers by
bundling into EC2 AMIs. www-ami www-1
www-2
www-3
This ensures consistent
security by making it part Halo Halo
of the cloud stack itself. Halo
Halo

User
Portal

CloudPassage
https

Halo
Policies,
https
Commands,
RESTful Reports Halo Compute
API Gateway Grid


Unique Hybrid Cloud Capabilities

ec2-
east
1st gen virtualized or ec2-
private traditional data west
cloud center ec2-eu

Single pane of glass across cloud deployments
• Scales and bursts with dynamic cloud environments
• Not dependant on chokepoints, static networks or fixed IPs
• Agnostic to location, hypervisor or hardware


Halo’s Unique Benefits
• Security built into the cloud stack
– Deploy once, automatic provisioning follows
– Transparently handles cloudbursting and cloning
– Automatic updates of re-activated, stale servers

• Security that scales with your environment
– Operates identically on one server or one thousand
– Halo Grid absorbs 95% or more of compute cycles
– Far less worry about security capacity or performance

• Portable Security
– Automatic policy updates as servers move (e.g. IP’s)
– Operates across EC2 regions, VPC, DirectConnect


Securing EC2 Guest VMs with Halo

Continuously verify Track sensitive data
integrity of binaries, and prevent egress
configurations, code Data
and content
App Code Ensure application
stacks locked down
App Framework and match gold
Provision host-based
standards
firewalls (inbound and FW
Operating System FW

outbound)
Cloud Server VM
Verify gold masters
and harden server
configurations

Automate, automate, automate!

Host-based Firewall
Orchestration with Halo


Host-based Firewall Orchestration

Load
Balancer
FW

App App
Server Server
FW FW

DB
Master
FW



Load Load
Balancer Balancer
FW FW

App App App
Server Server Server
FW FW FW

DB DB
Master Slave
FW FW



Load Load
Balancer Balancer
FW FW

App App App
Server Server App
Server
FW FW FW Server
IP

DB DB
Master Slave
FW FW



Load Load
Balancer Balancer
FW FW

App App
Server Server App
FW FW Server
IP

DB DB
Master Slave
FW FW


Why Halo Firewall Orchestration?
• Functional enhancements
– Directly auditable, logged firewall
– Bi-directional filtering
– Full control of policy enforcement point

• Other good reasons
– Automates host based firewalls1
– PCI DSS typically requires auditable, bidirectional firewalls 2

1 See “Amazon Web Services Security White Paper” p. 12-15
media.amazonwebservices.com/pdf/AWS_Security_Whitepaper.pdf

2 See PCI DSS v2 documentation
www.pcisecuritystandards.org/security_standards/documents.php


EC2 Instance Security &
Compliance with Halo


Traditional Operations Model

www-1 www-2 www-3 www-4

! ! ! !
traditional datacenter

• Relatively static capacity & slow change
• Servers are long-lived, maintained assets
• Heavy dependence on network defenses
• Machine security drifts, decays over time

Stateless Cloud-Server Model


www

Gold Master

• Most instances are clones of a “gold master”
• New servers can be launched in minutes
• Servers are disposable, stateless machines


Stateless Server Security Model


www
!
Gold Master

• Any deviation from the gold master indicates a
risk state (malicious or otherwise)


Stateless Server Security Model


www
www-2
!
Gold Master

• Any deviation from the gold master indicates a
risk state (malicious or otherwise)
• Automated sequestering and/or replacement of
questionable machines is instantaneous

Drift Risk & Threat Monitoring


! !




! ?
!

• Misconfigurations due to deployment, debugging, “tweaking”




! ?
! ?

• Misconfigurations due to admin/developer tweaking, stale images

• Code changes from unexpected deployment, code tampering




! ?
! ? ?



• Binary changes from innocent or malicious sources




?
! ?
! ? ?



• Binary changes from innocent or malicious sources

• Unexpected artifacts like listening ports, files, system processes


What There Wasn’t Time For…
• Auto-containment of server compromise

• Multi-factor auth for root / sysadmins / DBAs

• Configuration compliance management

• Synching AWS instances with your LDAP

• SEIM integration with Halo…

blog.cloudpassage.com
for more Halo use case examples

Mapping Halo to PCI DSS Milestones


Try Halo: 5 minutes to setup

Register at
cloudpassage.com

Install Halo daemons on
EC2 instances

Manage security instantly
from Halo user portal


TAULIA OFFICE LOCATIONS
• The leading SaaS provider of supplier portal, e-invoicing
and dynamic discounting software solutions through an
SAP-certified solution that extends SAP financials
beyond the enterprise

• Enables buying organizations to automate and maximize
supplier discounts while strengthening supplier
relationships

• Worldwide HQ: San Francisco, CA
European HQ: Düsseldorf, Germany

• Heritage: Industry experts with 20+ years of experience
building market leading AP applications


Questions and Answers
Philip Stehlik, CTO, Taulia
@pstehlik
www.taulia.com

• Tell us a little bit about Taulia.
• How does Taulia use the cloud to enable their business?
• Why did Taulia choose Amazon EC2 as its cloud provider?
• Why did Taulia choose to deploy Halo on its EC2 instances?
• What advice would you offer to businesses adopting AWS?


Thank You
www.cloudpassage.com
@cloudpassage


Meeting PCI DSS Requirements with AWS and CloudPassage

Recomendados

Recomendados

Más contenido relacionado

La actualidad más candente

La actualidad más candente (20)

Similar a Meeting PCI DSS Requirements with AWS and CloudPassage

Similar a Meeting PCI DSS Requirements with AWS and CloudPassage (20)

Más de CloudPassage

Más de CloudPassage (18)

Último

Último (20)

Meeting PCI DSS Requirements with AWS and CloudPassage

Notas del editor