Meeting PCI DSS Requirements with AWS and CloudPassage

Uploaded by cloudpassage; posted 20-Aug-2015; category: Technology

TRANSCRIPT

© 2013 CloudPassage Inc.

Meeting PCI DSS Requirements with AWS and CloudPassage

Carson Sweet, Co-founder & CEO, CloudPassage

Philip Stehlik, Founder & CTO, Taulia

Ryan Holland, Solutions Architect, Amazon EC2

Twitter hashtag #PCIAWS


Session Agenda

• What the PCI DSS requires

• Shared responsibility model

• Amazon Web Services capabilities

• CloudPassage Halo security automation tools

• Customer Case: Philip Stehlik, Taulia CTO

• Questions & wrap-up


What the PCI DSS v2 Requires (the six control objectives under which its twelve requirements are grouped)

Build and Maintain a Secure Network*

* The term "Network" includes server and application stacks

Secure Cardholder Data (in transit & in storage)

Maintain a Vulnerability Management Program

Implement Strong Access Control Measures

Regularly Monitor and Test Networks*

Maintain an Information Security Policy


What This Means for Cloud Servers*

• Secure facilities, physical environment, hypervisors

• Robust, auditable network access control (firewalls)

• Hardened operating system and application stacks

• Strong server authentication and access management

• Vulnerability, patch and anti-virus management

• Continuous monitoring, logging, regular testing

* PCI DSS requirements are always open to QSA interpretation


Security & compliance are shared responsibilities between AWS and you.


Introducing CloudPassage Halo

Security and compliance automation for public, private and hybrid cloud servers

• Cloud Firewall Automation

• Multi-Factor Authentication

• Server Account Management

• Security Event Alerting

• Configuration Security

• Vulnerability Scanning

• File Integrity Monitoring

• REST API Integrations


[Architecture diagram: EC2 instances www-1, mysql-1 and bigdata-1 each run a Halo agent; the agents talk over HTTPS to the CloudPassage Halo Compute Grid, which is driven by the User Portal and the RESTful API Gateway (policies and commands go in, reports come out).]

• Web UI + REST API

• Light-weight agent

• Grid performs analytics

• SaaS delivery


[Diagram: the same Halo Compute Grid, User Portal and RESTful API Gateway, now with an EC2 AMI (www-ami) that carries the Halo daemon; instances www-1, www-2 and www-3 launched from it come up with the daemon already installed.]

Daemons are automatically deployed to servers by bundling them into EC2 AMIs. This ensures consistent security by making it part of the cloud stack itself.


Unique Hybrid Cloud Capabilities

[Diagram: one Halo view spanning a private cloud, a 1st-generation virtualized or traditional data center, and the ec2-west, ec2-eu and ec2-east regions.]

• Single pane of glass across cloud deployments

• Scales and bursts with dynamic cloud environments

• Not dependent on chokepoints, static networks or fixed IPs

• Agnostic to location, hypervisor or hardware


Halo's Unique Benefits

• Security built into the cloud stack
  – Deploy once, automatic provisioning follows
  – Transparently handles cloudbursting and cloning
  – Automatic updates of re-activated, stale servers

• Security that scales with your environment
  – Operates identically on one server or one thousand
  – Halo Grid absorbs 95% or more of compute cycles
  – Far less worry about security capacity or performance

• Portable Security
  – Automatic policy updates as servers move (e.g. IPs)
  – Operates across EC2 regions, VPC, Direct Connect


Securing EC2 Guest VMs with Halo

[Diagram: a cloud server VM drawn as a stack of Operating System, App Framework, App Code and Data, with a host firewall (FW) on both the inbound and outbound side.]

• Provision host-based firewalls (inbound and outbound)

• Verify gold masters and harden server configurations (operating system)

• Ensure application stacks are locked down and match gold standards (app framework)

• Continuously verify integrity of binaries, configurations, code and content (app code)

• Track sensitive data and prevent egress (data)

• Automate, automate, automate!

© 2012 CloudPassage Inc.

Host-based Firewall Orchestration with Halo

[Diagram sequence, built up over five slides: a three-tier topology in which every node carries its own host firewall (FW). It starts with a Load Balancer, two App Servers and a DB Master; it grows to two Load Balancers, three App Servers, a DB Master and a DB Slave; finally one App Server is shown changing its IP, and the host firewalls of the nodes that talk to it are updated to the new address.]

Why Halo Firewall Orchestration?

• Functional enhancements
  – Directly auditable, logged firewall
  – Bi-directional filtering
  – Full control of the policy enforcement point

• Other good reasons
  – Automates host-based firewalls [1]
  – PCI DSS typically requires auditable, bidirectional firewalls [2] (Requirement 1 covers firewall configuration, including restricting both inbound and outbound traffic to what the cardholder data environment needs)

[1] See "Amazon Web Services Security White Paper", pp. 12-15: media.amazonwebservices.com/pdf/AWS_Security_Whitepaper.pdf

[2] See PCI DSS v2 documentation: www.pcisecuritystandards.org/security_standards/documents.php
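The orchestration idea above (rules written against server roles, re-rendered for every dependent host when an instance's address changes, default-deny in both directions, drops logged) as an added example. This is illustrative code written for this page, not Halo's implementation or the AWS whitepaper's; the roles, ports, addresses and the MGMT_CIDR bastion network are all constructed, and the iptables commands are returned as strings rather than executed.

```python
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass(frozen=True)
class Rule:
    direction: str   # "in" (accept connections from peer) or "out" (initiate to peer)
    peer_role: str   # role at the other end of the flow; "any" means the internet
    proto: str
    port: int


@dataclass
class Inventory:
    # role -> {hostname: ip}; populated with constructed sample data in demo()
    members: Dict[str, Dict[str, str]] = field(default_factory=dict)

    def set_ip(self, role: str, host: str, ip: str) -> None:
        self.members.setdefault(role, {})[host] = ip

    def ips(self, role: str) -> List[str]:
        return sorted(self.members.get(role, {}).values())


# Hypothetical per-role policy, expressed against roles rather than addresses.
POLICY: Dict[str, List[Rule]] = {
    "load_balancer": [Rule("in", "any", "tcp", 443),
                      Rule("out", "app_server", "tcp", 8080)],
    "app_server":    [Rule("in", "load_balancer", "tcp", 8080),
                      Rule("out", "db_master", "tcp", 3306)],
    "db_master":     [Rule("in", "app_server", "tcp", 3306),
                      Rule("out", "db_slave", "tcp", 3306)],
    "db_slave":      [Rule("in", "db_master", "tcp", 3306)],
}
MGMT_CIDR = "10.0.0.0/24"   # assumed bastion/admin network allowed to SSH in (made up)


def render(role: str, inv: Inventory) -> List[str]:
    """Render the iptables rule set for one host of `role` (commands returned, not run)."""
    lines = [
        "iptables -F INPUT",
        "iptables -F OUTPUT",
        "iptables -P INPUT DROP",            # default deny inbound
        "iptables -P OUTPUT DROP",           # default deny outbound (bi-directional filtering)
        "iptables -A INPUT -i lo -j ACCEPT",
        "iptables -A OUTPUT -o lo -j ACCEPT",
        "iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT",
        "iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT",
        f"iptables -A INPUT -p tcp -s {MGMT_CIDR} --dport 22 -j ACCEPT",
    ]
    for r in POLICY[role]:
        chain, flag = ("INPUT", "-s") if r.direction == "in" else ("OUTPUT", "-d")
        peers = ["0.0.0.0/0"] if r.peer_role == "any" else inv.ips(r.peer_role)
        for ip in peers:
            lines.append(f"iptables -A {chain} -p {r.proto} {flag} {ip} --dport {r.port} -j ACCEPT")
    # Log what the default-deny policy drops so the firewall is auditable.
    lines.append("iptables -A INPUT -j LOG --log-prefix 'FW-DROP-IN '")
    lines.append("iptables -A OUTPUT -j LOG --log-prefix 'FW-DROP-OUT '")
    return lines


def render_all(inv: Inventory) -> Dict[str, List[str]]:
    return {role: render(role, inv) for role in POLICY}


def affected_roles(changed_role: str) -> List[str]:
    """Roles whose rule sets reference `changed_role`, so they must be re-rendered when its IPs change."""
    dependants = {role for role, rules in POLICY.items()
                  for r in rules if r.peer_role == changed_role}
    return sorted(dependants | {changed_role})


def demo():
    inv = Inventory()   # constructed sample topology; all addresses are made up
    inv.set_ip("load_balancer", "lb-1", "10.0.1.10")
    inv.set_ip("app_server", "www-1", "10.0.2.11")
    inv.set_ip("app_server", "www-2", "10.0.2.12")
    inv.set_ip("db_master", "mysql-1", "10.0.3.10")
    inv.set_ip("db_slave", "mysql-2", "10.0.3.11")
    before = render_all(inv)
    # www-2 is replaced by a clone that comes up on a new address
    inv.set_ip("app_server", "www-2", "10.0.2.99")
    after = render_all(inv)
    return before, after


if __name__ == "__main__":
    before, after = demo()
    for role in affected_roles("app_server"):
        print(f"# {role}: re-rendered after app_server address change")
        print("\n".join(after[role]))
```

The point of `affected_roles` is that an address change on one tier touches the rule sets of every tier that talks to it (here the load balancers and the DB master), not just the moved host; the DB slave's rules are untouched and need no redeploy.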


EC2 Instance Security & Compliance with Halo


Traditional Operations Model

[Diagram: a traditional datacenter with long-lived servers www-1 to www-4, each flagged (!) as its security drifts.]

• Relatively static capacity & slow change

• Servers are long-lived, maintained assets

• Heavy dependence on network defenses

• Machine security drifts, decays over time


Stateless Cloud-Server Model

[Diagram: a single Gold Master image from which www-1 to www-4 are cloned.]

• Most instances are clones of a "gold master"

• New servers can be launched in minutes

• Servers are disposable, stateless machines


Stateless Server Security Model

[Diagram, built up over two slides: clones www-1 to www-4 next to the Gold Master; www-2 is flagged (!) as deviating and is replaced by a fresh clone.]

• Any deviation from the gold master indicates a risk state (malicious or otherwise)

• Automated sequestering and/or replacement of questionable machines is instantaneous


Drift Risk & Threat Monitoring

[Diagram, built up over five slides: clones www-1 to www-4 with www-2 flagged (!) and a growing number of unknown (?) changes.]

• Misconfigurations due to deployment, debugging and admin/developer "tweaking", or stale images

• Code changes from unexpected deployment, code tampering

• Binary changes from innocent or malicious sources

• Unexpected artifacts like listening ports, files, system processes
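The gold-master comparison behind the Stateless Server Security Model and the drift categories listed above, as an added example. This is illustrative code for this page, not Halo's file integrity monitoring: it hashes a baseline tree, diffs a clone against it (added, removed and modified files), and flags listening ports and processes outside an expected set. The sample gold master, the "drift" applied to the clone, and the port and process lists are all constructed inline; on a real host the observed ports and processes would come from the socket and process tables.

```python
import hashlib
import os
import shutil
import tempfile
from typing import Dict, Iterable, List


def hash_file(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def manifest(root: str) -> Dict[str, str]:
    """Relative path -> SHA-256 for every regular file under root (the gold-master baseline)."""
    out = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            out[os.path.relpath(full, root)] = hash_file(full)
    return out


def compare(baseline: Dict[str, str], current: Dict[str, str]) -> Dict[str, List[str]]:
    """Classify drift from the baseline: files added, removed and modified on the clone."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
    }


def unexpected(observed: Iterable, expected: Iterable) -> list:
    """Artifacts present on the server but absent from the gold master's expected set."""
    return sorted(set(observed) - set(expected))


def risk_state(findings: Dict[str, list]) -> bool:
    """Any deviation at all puts the server in a risk state (malicious or otherwise)."""
    return any(findings.values())


def demo() -> Dict[str, list]:
    # Constructed sample: a tiny gold master and a clone of it. All contents are made up.
    gold, clone = tempfile.mkdtemp(), tempfile.mkdtemp()
    files = {
        "etc/app.conf": b"debug=false\n",
        "bin/app": b"\x7fELF-placeholder-binary",
        "www/index.html": b"<h1>hello</h1>\n",
    }
    try:
        for root in (gold, clone):
            for rel, data in files.items():
                path = os.path.join(root, rel)
                os.makedirs(os.path.dirname(path), exist_ok=True)
                with open(path, "wb") as f:
                    f.write(data)
        baseline = manifest(gold)

        # Simulate drift on the clone: an admin "tweak", a file that should not be
        # there, and a binary that has gone missing.
        with open(os.path.join(clone, "etc/app.conf"), "wb") as f:
            f.write(b"debug=true\n")
        with open(os.path.join(clone, "www/unexpected.php"), "wb") as f:
            f.write(b"<?php /* not in the gold master */ ?>\n")
        os.remove(os.path.join(clone, "bin/app"))

        findings = compare(baseline, manifest(clone))
    finally:
        shutil.rmtree(gold)
        shutil.rmtree(clone)

    # Observed vs. expected listening ports and processes (both lists constructed here).
    findings["ports"] = unexpected([22, 8080, 4444], [22, 8080])
    findings["processes"] = unexpected(["sshd", "app", "nc"], ["sshd", "app"])
    return findings


if __name__ == "__main__":
    f = demo()
    print("RISK" if risk_state(f) else "OK", f)
```

Because the baseline is taken from the image rather than from the running server, the check does not care whether a change was an innocent tweak or tampering; either way the server no longer matches the gold master, which is exactly the signal the stateless model acts on.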


What There Wasn't Time For…

• Auto-containment of server compromise

• Multi-factor auth for root / sysadmins / DBAs

• Configuration compliance management

• Syncing AWS instances with your LDAP

• SIEM integration with Halo…

See blog.cloudpassage.com for more Halo use case examples


Mapping Halo to PCI DSS Milestones


Try Halo: 5 minutes to set up

1. Register at cloudpassage.com

2. Install Halo daemons on EC2 instances

3. Manage security instantly from the Halo user portal


About Taulia

• The leading SaaS provider of supplier portal, e-invoicing and dynamic discounting software solutions, through an SAP-certified solution that extends SAP financials beyond the enterprise

• Enables buying organizations to automate and maximize supplier discounts while strengthening supplier relationships

• Worldwide HQ: San Francisco, CA; European HQ: Düsseldorf, Germany

• Heritage: industry experts with 20+ years of experience building market-leading AP applications

[Map: Taulia office locations]


Questions and Answers

• Tell us a little bit about Taulia.

• How does Taulia use the cloud to enable their business?

• Why did Taulia choose Amazon EC2 as its cloud provider?

• Why did Taulia choose to deploy Halo on its EC2 instances?

• What advice would you offer to businesses adopting AWS?

Philip Stehlik, CTO, [email protected]


Thank You

www.cloudpassage.com

@cloudpassage