Building a PCI Compliance Solution on AWS - Pop-up Loft Tel Aviv
TRANSCRIPT
A “Cloud-native” MSP
Market Guide for Managed Service Providers on Amazon Web Services (Lydia Leong, Oct. 2015)
“Amazon Web Services does not offer managed services, but many customers want to use AWS as a cloud IaaS and PaaS platform, while outsourcing IT operations or application management. AWS's ecosystem of MSP partners can fulfill this need.”
https://www.gartner.com/doc/3157620/market-guide-managed-service-providers
“Common Types of MSPs (on AWS) with Example References
● Cloud-native MSPs. These MSPs were either founded specifically to provide services on cloud IaaS, or pivoted to entirely focus their business on these services. Many of these MSPs are AWS-specific. Examples include 2nd Watch, Cloudnexa, Cloudreach, Emind and Minjar”
Assessing the Risk: Yes, the Cloud Can Be More Secure Than Your On-Premises Environment
IDC, July 2015
Why Is the Cloud More Secure?
● More segmentation (separation)
● More encryption
● Stronger authentication
● More logging and monitoring
PCI DSS (the Payment Card Industry Data Security Standard) specifies best practices and the security controls a merchant or service provider must implement, grouped under six control objectives:
● Build and maintain a secure network
● Protect cardholder data
● Maintain a vulnerability management program
● Implement strong access control measures
● Regularly monitor and test networks
● Maintain an information security policy
AWS Services in Scope for PCI DSS (as of this talk)
● Auto Scaling
● AWS CloudFormation
● Amazon CloudFront
● AWS CloudHSM
● AWS CloudTrail
● AWS Direct Connect
● Amazon DynamoDB
● AWS Elastic Beanstalk
● Amazon Elastic Block Store (EBS)
● Amazon Elastic Compute Cloud (EC2)
● Elastic Load Balancing (ELB)
● Amazon Elastic MapReduce (EMR)
● Amazon Glacier
● AWS Key Management Service (KMS)
● AWS Identity and Access Management (IAM)
● Amazon Redshift
● Amazon Relational Database Service (RDS)
● Amazon Route 53
● Amazon SimpleDB
● Amazon Simple Storage Service (S3)
● Amazon Simple Queue Service (SQS)
● Amazon Simple Workflow Service (SWF)
● Amazon Virtual Private Cloud (VPC)
The in-scope list is revised with each AWS PCI DSS attestation, so check the current AWS compliance page before building a cardholder data environment around a service.
PCI Architecture Principles
● Restricted Network Access
● Vulnerability Protection
● Encryption
● Authentication and Identification
● High Availability
● Scalability
● Change Control
● Disaster Recovery
● Monitoring
● Auditing
The Basics
● VPC
● NACL
● Security Groups
Inbound Traffic
● WAF
Outbound Traffic
● Web Filtering
● Threat Protection
Data in Transit
● End-to-end encryption
○ TLS on every hop: WAF, ELB, App Server
○ TLS to the DB
Data at Rest
● EBS encryption
● RDS encryption
● Sensitive data (application-level encryption using KMS)
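As an added example (not the presenter's tooling), the following Python audits an account inventory for two of the principles above: the security-group rules must match the tiering (only the ELB tier accepts internet traffic, and only on the web ports; the DB tier talks only to the app tier), and every EBS volume and RDS instance must be encrypted. The inventory, the group IDs (sg-waf, sg-elb, sg-app, sg-bastion, sg-db) and the allowed-source map are constructed assumptions for the example; the dict keys follow the EC2 and RDS describe-* responses, so real boto3 output can be passed to the same functions.

```python
"""Audit a (constructed) AWS inventory against two PCI architecture principles:
restricted network access and encryption at rest. Added example, not the
presenter's code. Dict keys mirror the EC2/RDS describe-* API responses."""

# --- constructed sample inventory (not real account data) -----------------
SECURITY_GROUPS = [
    {"GroupId": "sg-elb", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []}]},
    {"GroupId": "sg-app", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 8443, "ToPort": 8443,
         "IpRanges": [], "UserIdGroupPairs": [{"GroupId": "sg-elb"}]},
        # deliberate finding: SSH exposed to the internet instead of the bastion SG
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []}]},
    {"GroupId": "sg-db", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
         "IpRanges": [], "UserIdGroupPairs": [{"GroupId": "sg-app"}]},
        # deliberate finding: DB reachable from the bastion, not only the app tier
        {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
         "IpRanges": [], "UserIdGroupPairs": [{"GroupId": "sg-bastion"}]}]},
]
VOLUMES = [{"VolumeId": "vol-0a", "Encrypted": True},
           {"VolumeId": "vol-0b", "Encrypted": False}]   # deliberate finding
DB_INSTANCES = [{"DBInstanceIdentifier": "pci-mysql", "StorageEncrypted": True}]

# --- segmentation policy (assumed for this example) -----------------------
# Only the edge tier (WAF/ELB) may accept internet traffic, and only on these ports.
EDGE_GROUPS = {"sg-elb"}
EDGE_PORTS = {80, 443}
# Which source groups may reach each tier.
ALLOWED_SOURCES = {"sg-elb": {"sg-waf"},
                   "sg-app": {"sg-elb", "sg-bastion"},
                   "sg-db": {"sg-app"}}
WORLD = {"0.0.0.0/0", "::/0"}


def audit_security_groups(groups, edge_groups=EDGE_GROUPS, edge_ports=EDGE_PORTS,
                          allowed_sources=ALLOWED_SOURCES):
    """Return (group_id, description) for every rule that breaks the tiering."""
    findings = []
    for sg in groups:
        gid = sg["GroupId"]
        for perm in sg.get("IpPermissions", []):
            proto = perm.get("IpProtocol", "-1")          # "-1" means all protocols
            lo, hi = perm.get("FromPort", 0), perm.get("ToPort", 65535)
            for rng in perm.get("IpRanges", []) + perm.get("Ipv6Ranges", []):
                cidr = rng.get("CidrIp") or rng.get("CidrIpv6")
                if cidr not in WORLD:
                    continue
                single_edge_port = proto == "tcp" and lo == hi and lo in edge_ports
                if not (gid in edge_groups and single_edge_port):
                    findings.append((gid, f"{proto}/{lo}-{hi} open to {cidr}"))
            for pair in perm.get("UserIdGroupPairs", []):
                src = pair["GroupId"]
                if src not in allowed_sources.get(gid, set()):
                    findings.append((gid, f"{proto}/{lo}-{hi} allowed from {src}"))
    return findings


def audit_encryption(volumes, db_instances):
    """Return (service, id) for every EBS volume or RDS instance stored in clear."""
    findings = [("ebs", v["VolumeId"]) for v in volumes if not v.get("Encrypted")]
    findings += [("rds", d["DBInstanceIdentifier"])
                 for d in db_instances if not d.get("StorageEncrypted")]
    return findings


if __name__ == "__main__":
    for f in audit_security_groups(SECURITY_GROUPS) + audit_encryption(VOLUMES, DB_INSTANCES):
        print("FINDING", *f)
```

Two limits worth knowing: NACLs are stateless and sit in front of the security groups, so they need a separate audit, and application-level encryption of sensitive fields with KMS is invisible to an inventory check; it has to be verified in the application and its key policies.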
Single Identity Provider
● Single password policy
● Single lock policy
● Single OTP
● Single login audit
● Same username used across all resources
Where Do We Authenticate?
● AWS Console
● Network Access / VPN
● Bastion / Jump Server
● EC2 Instances
● Build Server
● Log Server
● Monitoring System
● ...
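An added example, not the deck's own code, for the identity slides above: it checks an IAM account password policy against PCI DSS v3 requirements 8.2.3 (at least seven characters, letters and digits), 8.2.4 (rotation every 90 days) and 8.2.5 (no reuse of the last four), and lists every password-enabled identity without an MFA device, which is the deck's "single OTP" rule (PCI DSS 8.3 demands two-factor at least for remote access). The policy dict and the credential report are constructed, in the layout of `aws iam get-account-password-policy` and of the IAM credential report CSV; the user names are made up.

```python
"""Check an IAM password policy and the IAM credential report against the
PCI DSS password and MFA rules. Added example, not the presenter's code."""

import csv
import io

# PCI DSS v3 password parameters (requirement numbers in comments).
PCI_MIN_LENGTH = 7          # 8.2.3: at least seven characters
PCI_MAX_AGE_DAYS = 90       # 8.2.4: rotate at least every 90 days
PCI_REUSE_HISTORY = 4       # 8.2.5: not equal to any of the last four

# Constructed sample in the shape returned by `aws iam get-account-password-policy`.
PASSWORD_POLICY = {
    "MinimumPasswordLength": 8,
    "RequireNumbers": True,
    "RequireUppercaseCharacters": True,
    "RequireLowercaseCharacters": False,
    "RequireSymbols": False,
    "ExpirePasswords": True,
    "MaxPasswordAge": 180,          # deliberate finding: longer than 90 days
    "PasswordReusePrevention": 4,
}

# Constructed sample in the column layout of the IAM credential report (CSV).
CREDENTIAL_REPORT = """\
user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active
<root_account>,arn:aws:iam::123456789012:root,2015-01-01T00:00:00+00:00,not_supported,2015-09-01T10:00:00+00:00,not_supported,not_supported,true
alice,arn:aws:iam::123456789012:user/alice,2015-02-01T00:00:00+00:00,true,2015-10-01T09:00:00+00:00,2015-08-01T00:00:00+00:00,2015-10-30T00:00:00+00:00,true
bob,arn:aws:iam::123456789012:user/bob,2015-03-01T00:00:00+00:00,true,2015-10-02T09:00:00+00:00,2015-09-01T00:00:00+00:00,2015-11-30T00:00:00+00:00,false
deploy,arn:aws:iam::123456789012:user/deploy,2015-03-01T00:00:00+00:00,false,no_information,N/A,N/A,false
"""


def check_password_policy(policy):
    """Return one finding string per PCI password rule the policy fails."""
    findings = []
    if policy.get("MinimumPasswordLength", 0) < PCI_MIN_LENGTH:
        findings.append("MinimumPasswordLength below 7 (8.2.3)")
    letters = policy.get("RequireUppercaseCharacters") or policy.get("RequireLowercaseCharacters")
    if not (letters and policy.get("RequireNumbers")):
        findings.append("passwords need not mix letters and digits (8.2.3)")
    # A policy without ExpirePasswords never rotates, which also fails 8.2.4.
    if not policy.get("ExpirePasswords") or policy.get("MaxPasswordAge", 0) > PCI_MAX_AGE_DAYS:
        findings.append("MaxPasswordAge exceeds 90 days or passwords never expire (8.2.4)")
    if policy.get("PasswordReusePrevention", 0) < PCI_REUSE_HISTORY:
        findings.append("PasswordReusePrevention below 4 (8.2.5)")
    return findings


def users_without_mfa(report_csv):
    """Every identity that can log in with a password must have MFA active.
    The root account reports password_enabled=not_supported, so only an
    explicit 'false' (API-key-only users) is excluded."""
    rows = csv.DictReader(io.StringIO(report_csv))
    return [r["user"] for r in rows
            if r["password_enabled"] != "false" and r["mfa_active"] != "true"]


if __name__ == "__main__":
    for finding in check_password_policy(PASSWORD_POLICY):
        print("POLICY", finding)
    for user in users_without_mfa(CREDENTIAL_REPORT):
        print("NO MFA", user)
```

The IAM password policy has no lockout setting, so the deck's "single lock policy" (PCI DSS 8.1.6 and 8.1.7: lock after at most six attempts, for at least 30 minutes) can only be enforced in the identity provider the users federate through; run the equivalent check there.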
AWS SLA
“Region Unavailable” and “Region Unavailability” mean that more than one Availability Zone in which you are running an instance, within the same Region, is “Unavailable” to you.
● Source control
● Jenkins build
● Versions stored in S3
● Beanstalk manages the deployment
● All events are logged
Why DR?
Business Continuity Plan
● Operations
○ Human Resources
○ Offices
● RTO
○ Recovery Time Objective
● RPO
○ Recovery Point Objective
What Should Be Monitored
● AWS resources
● EC2 instances
● Application health and metrics
● User experience
● Trends
Event Sources
● CloudTrail
● ELB / S3 / CloudFront access logs
● VPC Flow Logs
● Amazon Inspector
● Host AV & IPS
● Network WAF, IPS, VPN
● Evident.io / Dome9
● Observable
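An added example, not the presenter's monitoring stack, of detection logic over two of the event sources listed above. Over CloudTrail it flags root-account activity, console logins without MFA, changes that switch off the audit trail, and security-group rules opened to the internet; over VPC Flow Logs it flags database traffic accepted from outside the cardholder-environment address range and sources rejected on many distinct ports (a simple port-scan heuristic). The record layouts follow the real CloudTrail JSON and the version-2 flow-log text format, but every value, the 10.0.0.0/8 CDE range and the threshold of five ports are constructed assumptions.

```python
"""Run PCI-relevant detections over constructed CloudTrail records and VPC
Flow Log lines. Added example, not the presenter's code."""

import ipaddress
from collections import defaultdict

# Constructed CloudTrail records (fields trimmed to what the rules read).
CLOUDTRAIL_EVENTS = [
    {"eventName": "ConsoleLogin", "userIdentity": {"type": "IAMUser", "userName": "bob"},
     "sourceIPAddress": "203.0.113.10", "additionalEventData": {"MFAUsed": "No"},
     "responseElements": {"ConsoleLogin": "Success"}},
    {"eventName": "DescribeInstances", "userIdentity": {"type": "Root"},
     "sourceIPAddress": "203.0.113.11"},
    {"eventName": "AuthorizeSecurityGroupIngress",
     "userIdentity": {"type": "IAMUser", "userName": "alice"}, "sourceIPAddress": "198.51.100.7",
     "requestParameters": {"groupId": "sg-db", "ipPermissions": {"items": [
         {"ipProtocol": "tcp", "fromPort": 3306, "toPort": 3306,
          "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]}}]}}},
    {"eventName": "StopLogging", "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "sourceIPAddress": "198.51.100.7", "requestParameters": {"name": "pci-trail"}},
    {"eventName": "ConsoleLogin", "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "sourceIPAddress": "198.51.100.7", "additionalEventData": {"MFAUsed": "Yes"},
     "responseElements": {"ConsoleLogin": "Success"}},
]

# Constructed VPC Flow Log lines (version 2 default format):
# version account eni srcaddr dstaddr srcport dstport proto pkts bytes start end action status
FLOW_LOGS = """\
2 123456789012 eni-0a1b 203.0.113.50 10.0.2.15 44321 21 6 1 60 1444000000 1444000060 REJECT OK
2 123456789012 eni-0a1b 203.0.113.50 10.0.2.15 44322 22 6 1 60 1444000000 1444000060 REJECT OK
2 123456789012 eni-0a1b 203.0.113.50 10.0.2.15 44323 23 6 1 60 1444000000 1444000060 REJECT OK
2 123456789012 eni-0a1b 203.0.113.50 10.0.2.15 44324 25 6 1 60 1444000000 1444000060 REJECT OK
2 123456789012 eni-0a1b 203.0.113.50 10.0.2.15 44325 3389 6 1 60 1444000000 1444000060 REJECT OK
2 123456789012 eni-0c2d 10.0.1.20 10.0.2.30 51000 3306 6 20 4800 1444000000 1444000060 ACCEPT OK
2 123456789012 eni-0c2d 192.0.2.9 10.0.2.30 51001 3306 6 20 4800 1444000000 1444000060 ACCEPT OK
2 123456789012 eni-0c2d - - - - - - - 1444000000 1444000060 - NODATA
"""

TRAIL_TAMPER = {"StopLogging", "DeleteTrail", "UpdateTrail"}


def detect_cloudtrail(events):
    """Return (rule, actor, detail) alerts; the audit trail itself is a PCI control
    (requirement 10), so touching it is treated like any other privileged change."""
    alerts = []
    for e in events:
        ident = e["userIdentity"]
        actor = ident.get("userName", ident["type"])
        if ident["type"] == "Root":                        # root must not be used day to day
            alerts.append(("root-activity", actor, e["eventName"]))
        if e["eventName"] == "ConsoleLogin" and \
                e.get("additionalEventData", {}).get("MFAUsed") != "Yes":
            alerts.append(("console-login-without-mfa", actor, e["sourceIPAddress"]))
        if e["eventName"] in TRAIL_TAMPER:
            alerts.append(("audit-trail-tampering", actor, e["eventName"]))
        if e["eventName"] == "AuthorizeSecurityGroupIngress":
            params = e["requestParameters"]
            for perm in params["ipPermissions"]["items"]:
                for rng in perm.get("ipRanges", {}).get("items", []):
                    if rng["cidrIp"] == "0.0.0.0/0":
                        alerts.append(("sg-opened-to-internet", actor,
                                       f"{params['groupId']}:{perm.get('fromPort')}"))
    return alerts


def detect_flow_logs(text, cde_net="10.0.0.0/8", db_ports=(3306,), scan_threshold=5):
    """Flag DB traffic accepted from outside the CDE range, and any source that
    was rejected on at least scan_threshold distinct destination ports."""
    cde = ipaddress.ip_network(cde_net)
    rejected_ports = defaultdict(set)
    alerts = []
    for line in text.splitlines():
        f = line.split()
        if len(f) < 14 or f[13] != "OK":                   # skip NODATA/SKIPDATA records
            continue
        src, dst, dport, action = f[3], f[4], int(f[6]), f[12]
        if action == "REJECT":
            rejected_ports[src].add(dport)
        elif dport in db_ports and ipaddress.ip_address(src) not in cde:
            alerts.append(("db-access-from-outside-cde", src, dst))
    for src, ports in rejected_ports.items():
        if len(ports) >= scan_threshold:
            alerts.append(("port-scan", src, len(ports)))
    return alerts


if __name__ == "__main__":
    for a in detect_cloudtrail(CLOUDTRAIL_EVENTS) + detect_flow_logs(FLOW_LOGS):
        print("ALERT", *a)
```

Because CloudTrail delivers to S3 with a delay of several minutes and flow logs are aggregated per capture window, these rules suit a scheduled batch or a log-server pipeline rather than inline blocking; the host and network IPS entries in the list above are where real-time response belongs.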