Meeting PCI DSS Requirements with AWS and CloudPassage
TRANSCRIPT
© 2013 CloudPassage Inc.
Carson Sweet, Co-founder & CEO, CloudPassage
Philip Stehlik, Founder & CTO, Taulia
Ryan Holland, Solutions Architect, Amazon EC2
Twitter hashtag #PCIAWS
Session Agenda
• What the PCI DSS requires
• Shared responsibility model
• Amazon Web Services capabilities
• CloudPassage Halo security automation tools
• Customer Case: Philip Stehlik, Taulia CTO
• Questions & wrap-up
What the PCI DSS v2 Requires
• Build and Maintain a Secure Network*
• Secure Cardholder Data (in transit & in storage)
• Maintain a Vulnerability Management Program
• Implement Strong Access Control Measures
• Regularly Monitor and Test Networks*
• Maintain an Information Security Policy
* The term “Network” includes server and application stacks
What This Means for Cloud Servers*
• Secure facilities, physical environment, hypervisors
• Robust, auditable network access control (firewalls)
• Hardened operating system and application stacks
• Strong server authentication and access mgmt.
• Vulnerability, patch and anti-virus management
• Continuous monitoring, logging, regular testing
* PCI DSS requirements are always open to QSA interpretation
Introducing CloudPassage Halo
Security and compliance automation for public, private and hybrid cloud servers
• Cloud Firewall Automation
• Multi-Factor Authentication
• Server Account Management
• Security Event Alerting
• Configuration Security
• Vulnerability Scanning
• File Integrity Monitoring
• REST API Integrations
[Architecture diagram: the CloudPassage Halo Compute Grid serves a User Portal and a RESTful API Gateway over https; policies, commands and reports flow between the grid and the Halo daemons on the AWS EC2 instances www-1, mysql-1 and bigdata-1]
• Web UI + REST API
• Light-weight agent
• Grid performs analytics
• SaaS delivery
[Architecture diagram: the same Halo Compute Grid, User Portal and RESTful API Gateway; in AWS EC2 the www-ami image carries the Halo daemon, so www-1, www-2 and www-3 launched from it all report to the grid]
Daemons automatically deployed to servers by bundling into EC2 AMIs.
This ensures consistent security by making it part of the cloud stack itself.
Unique Hybrid Cloud Capabilities
[Diagram: one Halo deployment spanning a private cloud, a 1st-gen virtualized or traditional data center, and the ec2-west, ec2-eu and ec2-east regions]
• Single pane of glass across cloud deployments
• Scales and bursts with dynamic cloud environments
• Not dependent on chokepoints, static networks or fixed IPs
• Agnostic to location, hypervisor or hardware
Halo’s Unique Benefits
• Security built into the cloud stack
  – Deploy once, automatic provisioning follows
  – Transparently handles cloudbursting and cloning
  – Automatic updates of re-activated, stale servers
• Security that scales with your environment
  – Operates identically on one server or one thousand
  – Halo Grid absorbs 95% or more of compute cycles
  – Far less worry about security capacity or performance
• Portable Security
  – Automatic policy updates as servers move (e.g. IPs)
  – Operates across EC2 regions, VPC, DirectConnect
Securing EC2 Guest VMs with Halo
[Diagram: a cloud server VM drawn as a stack of Operating System, App Framework, App Code and Data, with a host-based firewall (FW) on either side and the following callouts]
• Provision host-based firewalls (inbound and outbound)
• Automate, automate, automate!
• Track sensitive data and prevent egress
• Continuously verify integrity of binaries, configurations, code and content
• Ensure application stacks locked down and match gold standards
• Verify gold masters and harden server configurations
Host-based Firewall Orchestration
[Diagram, built up over four slides: a Load Balancer, two App Servers and a DB Master each carry a host-based firewall (FW); a second Load Balancer, a DB Slave and a third App Server are then added, each with its own FW; finally a newly launched App Server, labelled with its IP, joins the group]
Why Halo Firewall Orchestration?
• Functional enhancements
  – Directly auditable, logged firewall
  – Bi-directional filtering
  – Full control of policy enforcement point
• Other good reasons
  – Automates host-based firewalls [1]
  – PCI DSS typically requires auditable, bidirectional firewalls [2]
[1] See “Amazon Web Services Security White Paper” p. 12-15, media.amazonwebservices.com/pdf/AWS_Security_Whitepaper.pdf
[2] See PCI DSS v2 documentation, www.pcisecuritystandards.org/security_standards/documents.php
© 2012 CloudPassage Inc.
Traditional Operations Model
[Diagram: a traditional datacenter with long-lived servers www-1 to www-4, several of them flagged as drifted]
• Relatively static capacity & slow change
• Servers are long-lived, maintained assets
• Heavy dependence on network defenses
• Machine security drifts, decays over time
Stateless Cloud-Server Model
[Diagram: a Gold Master image from which www-1 to www-4 are cloned]
• Most instances are clones of a “gold master”
• New servers can be launched in minutes
• Servers are disposable, stateless machines
Stateless Server Security Model
[Diagram, built up over two slides: www-1 to www-4 cloned from the Gold Master; www-2 is flagged as deviating and is replaced by a fresh clone]
• Any deviation from the gold master indicates a risk state (malicious or otherwise)
• Automated sequestering and/or replacement of questionable machines is instantaneous
Drift Risk & Threat Monitoring
[Diagram, built up over four slides: www-1 to www-4, with flagged servers showing each kind of drift as it is introduced]
• Unexpected artifacts like listening ports, files, system processes
• Misconfigurations due to admin/developer tweaking, stale images
• Code changes from unexpected deployment, code tampering
• Binary changes from innocent or malicious sources
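As an added illustration (example code, not CloudPassage's or Halo's own), the gold-master comparison behind the stateless security model and the drift categories above: a snapshot of a server's file digests, listening ports and processes is checked against the gold master and every deviation is bucketed into one of the four kinds of drift. The `ServerState` shape, the path-to-category rules and all sample data are constructed assumptions, not Halo's real data model.

```python
import hashlib
from dataclasses import dataclass

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

@dataclass
class ServerState:  # assumed agent report: file digests, listeners, processes
    name: str
    files: dict           # path -> sha256 hex digest of the file content
    listening_ports: set
    processes: set

def classify(path: str) -> str:
    """Bucket file drift the way the slide groups it; anything else is an artifact."""
    if path.startswith(("/bin/", "/sbin/", "/usr/bin/", "/usr/sbin/")):
        return "binary change"
    if path.startswith("/var/www/"):
        return "code change"
    return "misconfiguration" if path.startswith("/etc/") else "unexpected artifact"

def detect_drift(gold: ServerState, server: ServerState) -> list:
    """Return (category, detail) findings; an empty list means no deviation from gold."""
    findings = []
    for path, digest in gold.files.items():
        if path not in server.files:
            findings.append((classify(path), f"missing file {path}"))
        elif server.files[path] != digest:
            findings.append((classify(path), f"modified file {path}"))
    for path in sorted(server.files.keys() - gold.files.keys()):
        findings.append(("unexpected artifact", f"new file {path}"))
    for port in sorted(server.listening_ports - gold.listening_ports):
        findings.append(("unexpected artifact", f"listening port {port}"))
    for proc in sorted(server.processes - gold.processes):
        findings.append(("unexpected artifact", f"process {proc}"))
    return findings

# Constructed sample data: the gold-master AMI and one clone that has drifted.
GOLD = ServerState("www-ami", {
    "/usr/sbin/sshd": sha256(b"sshd binary v1"),
    "/etc/ssh/sshd_config": sha256(b"PermitRootLogin no\n"),
    "/var/www/app.py": sha256(b"print('hello')\n"),
}, {22, 443}, {"sshd", "nginx"})
WWW2 = ServerState("www-2", {
    "/usr/sbin/sshd": sha256(b"sshd binary v1"),
    "/etc/ssh/sshd_config": sha256(b"PermitRootLogin yes\n"),  # admin tweak
    "/var/www/app.py": sha256(b"print('hello')\n"),
    "/home/ops/debug.sh": sha256(b"#!/bin/sh\n"),               # not in gold
}, {22, 443, 8080}, {"sshd", "nginx", "strace"})
```

A non-empty result from `detect_drift(GOLD, WWW2)` is the "risk state" the slides describe; in the stateless model the response is to sequester or replace www-2 rather than repair it in place.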
What There Wasn’t Time For…
• Auto-containment of server compromise
• Multi-factor auth for root / sysadmins / DBAs
• Configuration compliance management
• Syncing AWS instances with your LDAP
• SIEM integration with Halo…
blog.cloudpassage.com for more Halo use case examples
Try Halo: 5 minutes to set up
• Register at cloudpassage.com
• Manage security instantly from Halo user portal
• Install Halo daemons on EC2 instances
• The leading SaaS provider of supplier portal, e-invoicing and dynamic discounting software solutions through an SAP-certified solution that extends SAP financials beyond the enterprise
• Enables buying organizations to automate and maximize supplier discounts while strengthening supplier relationships
• Worldwide HQ: San Francisco, CA
• European HQ: Düsseldorf, Germany
• Heritage: Industry experts with 20+ years of experience building market leading AP applications
[Map: Taulia office locations]
Questions and Answers
• Tell us a little bit about Taulia.
• How does Taulia use the cloud to enable their business?
• Why did Taulia choose Amazon EC2 as its cloud provider?
• Why did Taulia choose to deploy Halo on its EC2 instances?
• What advice would you offer to businesses adopting AWS?
Philip Stehlik, CTO, [email protected]