
PCI Compliance in AWS

Date post: 16-Jan-2017
Upload: anitian
Page 1: PCI Compliance in AWS

intelligent information security ANITIAN

PCI COMPLIANCE IN AWS

Page 2: PCI Compliance in AWS

Meet the Speakers

Adam Gaydosh
• Anitian’s Director of Professional Services
• Qualified Security Assessor
• 15+ years experience in IT and Security

Jordan Wiseman
• Certified Risk Assessor
• Cloud Security Specialist
• 15+ years experience in IT and Security

Page 3: PCI Compliance in AWS

Vision: Security is essential for growth, innovation and prosperity.

Mission: Build great security leaders.

• Rapid Risk Assessment
• Compliance
• Penetration Testing
• Managed Threat Intelligence

Page 4: PCI Compliance in AWS

Overview

Intent
• Discuss PCI compliance in AWS
• Outline AWS services that help meet PCI requirements

Outline
1. AWS Services for PCI Compliance
2. PCI Reference Architectures
3. Third Party Solutions
4. AWS PCI Best Practices
5. Q&A

Page 5: PCI Compliance in AWS

PCI IN AWS OVERVIEW

Page 6: PCI Compliance in AWS

AWS Compliance Status
• AWS is validated annually as a compliant PCI DSS Level 1 Service Provider
• Attestation of Compliance (AOC) & Responsibility Matrix available to customers pursuing their own compliance
• Customer’s compliance is not inherited from AWS

Page 7: PCI Compliance in AWS


Cloud Compliance is a Shared Responsibility

Page 8: PCI Compliance in AWS

AWS COMPLIANT PCI SERVICES

Page 9: PCI Compliance in AWS

Requirement 1: Install and maintain a firewall configuration to protect cardholder data
• AWS Services
  • Virtual Private Clouds (VPCs)
  • Security Groups
  • Network ACLs
• Other Strategies and Considerations
  • Third-party Amazon Machine Images (AMIs)
    – Firewall
    – NGFW/UTM
    – IDS/IPS
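
Security Groups are the stateful "firewall configuration" a QSA will ask you to evidence under Requirement 1. As an added example (not part of the deck), the Python below audits a sample in the shape of the EC2 `describe-security-groups` response and flags inbound rules that expose anything other than an allow-listed public port to 0.0.0.0/0 or ::/0, including the all-traffic protocol `-1`, which carries no port fields. The group ids, names and rules are constructed for illustration.

```python
"""Audit EC2 security group ingress rules for PCI DSS Requirement 1.

Constructed sample in the shape of `aws ec2 describe-security-groups`
output (no real account data). Flags inbound rules that expose anything
other than the allow-listed public ports to the whole Internet.
"""

INTERNET_V4 = "0.0.0.0/0"
INTERNET_V6 = "::/0"

# Constructed sample: a DMZ web tier group and an internal DB tier group.
SAMPLE_SECURITY_GROUPS = [
    {
        "GroupId": "sg-0a1b2c3d",            # constructed id
        "GroupName": "dmz-web",
        "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
             "IpRanges": [{"CidrIp": INTERNET_V4}], "Ipv6Ranges": [], "UserIdGroupPairs": []},
            {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,   # SSH from anywhere: finding
             "IpRanges": [{"CidrIp": INTERNET_V4}], "Ipv6Ranges": [], "UserIdGroupPairs": []},
        ],
    },
    {
        "GroupId": "sg-0e9f8a7b",            # constructed id
        "GroupName": "internal-db",
        "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,   # only from the web tier: fine
             "IpRanges": [], "Ipv6Ranges": [],
             "UserIdGroupPairs": [{"GroupId": "sg-0a1b2c3d"}]},
            {"IpProtocol": "-1",               # all traffic, no port fields, open to IPv6: finding
             "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": INTERNET_V6}], "UserIdGroupPairs": []},
        ],
    },
]


def _rule_ports(rule):
    """Return (from, to) for a rule; protocol -1 means every port."""
    if rule["IpProtocol"] == "-1":
        return (0, 65535)
    return (rule.get("FromPort", 0), rule.get("ToPort", 65535))


def _covers_only_allowed(port_range, allowed_ports):
    """True when every port in the range is on the public allow-list."""
    lo, hi = port_range
    return all(p in allowed_ports for p in range(lo, hi + 1))


def find_internet_exposed_rules(security_groups, allowed_public_ports=(443,)):
    """Return findings for ingress rules open to the Internet beyond the allow-list.

    Each finding carries the group, protocol, port range and CIDR so it can be
    handed to a ticketing system or a SIEM as evidence of a rule to justify or remove.
    """
    findings = []
    for group in security_groups:
        for rule in group.get("IpPermissions", []):
            cidrs = [r["CidrIp"] for r in rule.get("IpRanges", [])]
            cidrs += [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])]
            public = [c for c in cidrs if c in (INTERNET_V4, INTERNET_V6)]
            if not public:
                continue  # reachable only from specific CIDRs or other security groups
            ports = _rule_ports(rule)
            if rule["IpProtocol"] != "-1" and _covers_only_allowed(ports, allowed_public_ports):
                continue  # a deliberately public service such as HTTPS
            for cidr in public:
                findings.append({
                    "GroupId": group["GroupId"],
                    "GroupName": group["GroupName"],
                    "IpProtocol": rule["IpProtocol"],
                    "Ports": ports,
                    "CidrIp": cidr,
                })
    return findings


if __name__ == "__main__":
    for f in find_internet_exposed_rules(SAMPLE_SECURITY_GROUPS):
        print(f"{f['GroupId']} ({f['GroupName']}): {f['IpProtocol']} "
              f"{f['Ports'][0]}-{f['Ports'][1]} open to {f['CidrIp']}")
```

Against a live account the same function runs unchanged over the `SecurityGroups` list returned by the API; the allow-list is the documented business justification for each public port that Requirement 1 expects you to keep.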

Page 10: PCI Compliance in AWS

Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters
• AWS Services
  • Elastic Compute Cloud AMIs
• Other Strategies and Considerations
  • Amazon-supplied AMIs have no defaults
  • Third-party AMIs might have defaults
  • Pre-hardened AMIs available from Anitian in AWS Marketplace

Page 11: PCI Compliance in AWS

Requirement 3: Protect stored cardholder data
• AWS Services
  • Elastic Block Store (EBS)
  • Simple Storage Service (S3)
  • Key Management Service (KMS)
  • Relational Database Service (RDS)
• Other Strategies and Considerations
  • EBS not OS independent
  • Self-managed DBs and Transparent Data Encryption
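
For Requirement 3 the assessor wants an inventory showing that every store holding cardholder data is encrypted at rest and, where key management is in scope, which KMS key protects it. As an added example that is not from the deck, the Python below walks constructed samples shaped like the EC2 `describe-volumes`, RDS `describe-db-instances` and S3 `get-bucket-encryption` responses and lists the resources that fail. The ids, bucket names and the KMS key ARN are placeholders; `None` stands in for the error S3 returns for a bucket with no default-encryption configuration.

```python
"""Inventory encryption at rest for PCI DSS Requirement 3.

Constructed samples in the shape of the EC2 `describe-volumes`, RDS
`describe-db-instances` and S3 `get-bucket-encryption` responses (no real
account data). Reports the resources that hold cardholder data without
encryption, or, when required, without SSE-KMS so the key lives in KMS.
"""

# Constructed placeholder; a real value is the ARN of a customer-managed KMS key.
KMS_KEY = "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID"

SAMPLE_VOLUMES = [
    {"VolumeId": "vol-0001", "Encrypted": True, "KmsKeyId": KMS_KEY},
    {"VolumeId": "vol-0002", "Encrypted": False},                       # finding
]

SAMPLE_DB_INSTANCES = [
    {"DBInstanceIdentifier": "cde-orders", "StorageEncrypted": True, "KmsKeyId": KMS_KEY},
    {"DBInstanceIdentifier": "cde-legacy", "StorageEncrypted": False},  # finding
]

# None models the ServerSideEncryptionConfigurationNotFoundError returned for
# a bucket that has no default-encryption configuration.
SAMPLE_BUCKET_ENCRYPTION = {
    "cde-card-archive": {"ServerSideEncryptionConfiguration": {"Rules": [
        {"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "aws:kms",
                                                 "KMSMasterKeyID": KMS_KEY}}]}},
    "cde-logs": {"ServerSideEncryptionConfiguration": {"Rules": [
        {"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "AES256"}}]}},  # SSE-S3, no KMS key
    "cde-exports": None,                                                       # finding
}


def audit_encryption_at_rest(volumes, db_instances, bucket_encryption, require_kms=False):
    """Return (service, resource id, reason) tuples for non-compliant stores.

    EBS volumes and RDS instances are encrypted or not; an encrypted one always
    carries a KmsKeyId. For S3, `require_kms` additionally rejects SSE-S3
    (AES256) buckets, where the key is managed entirely by S3 rather than KMS.
    """
    findings = []
    for v in volumes:
        if not v.get("Encrypted"):
            findings.append(("ebs", v["VolumeId"], "volume not encrypted"))
    for db in db_instances:
        if not db.get("StorageEncrypted"):
            findings.append(("rds", db["DBInstanceIdentifier"], "storage not encrypted"))
    for name, cfg in bucket_encryption.items():
        rules = (cfg or {}).get("ServerSideEncryptionConfiguration", {}).get("Rules", [])
        defaults = [r.get("ApplyServerSideEncryptionByDefault", {}) for r in rules]
        if not defaults:
            findings.append(("s3", name, "no default encryption"))
        elif require_kms and not all(d.get("SSEAlgorithm") == "aws:kms" for d in defaults):
            findings.append(("s3", name, "default encryption is not SSE-KMS"))
    return findings


if __name__ == "__main__":
    for service, resource, reason in audit_encryption_at_rest(
            SAMPLE_VOLUMES, SAMPLE_DB_INSTANCES, SAMPLE_BUCKET_ENCRYPTION, require_kms=True):
        print(f"{service}: {resource}: {reason}")
```

The `require_kms` switch is the practical difference between "encrypted" and "encrypted with a key we control and can rotate", which is what the deck's KMS bullet and the self-managed TDE bullet are both about.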

Page 12: PCI Compliance in AWS

Requirement 4: Encrypt transmission of cardholder data across open, public networks
• AWS Services
  • Elastic Load Balancers
  • Network ACLs
  • Security Groups
  • Customer Gateways
  • Virtual Private Gateways
  • VPN Connections
  • AWS Direct Connect
• Other Strategies and Considerations
  • Set up and manage TLS and VPNs
  • Standard encryption strength and algorithms change

Page 13: PCI Compliance in AWS

Requirement 5: Protect all systems against malware and regularly update anti-virus software or programs
• AWS Services
  • AWS does not provide anti-malware for customer AWS instances
• Other Strategies and Considerations
  • Third-party management AMIs
  • Manage from within AWS
  • Use existing on-premises solutions

Page 14: PCI Compliance in AWS

Requirement 6: Develop and maintain secure systems and applications
• AWS Services
  • None
• Other Strategies and Considerations
  • Amazon Linux AMI Security Bulletins (ALAS)
    – https://alas.aws.amazon.com/
  • CodeCommit and CodeDeploy
  • Third-party management AMIs

Page 15: PCI Compliance in AWS

Requirement 7: Restrict access to cardholder data by business need to know
• AWS Services
  • Identity and Access Management (IAM)
  • Directory Service
• Other Strategies and Considerations
  • IAM controls access to AWS itself
    – AWS Console
    – AWS APIs

Requirement 8: Identify and authenticate access to system components
• Same as above

Page 16: PCI Compliance in AWS

Requirement 9: Restrict Physical Access to Cardholder Data
• N/A

Requirement 10: Track and monitor all access to network resources and cardholder data
• AWS Services
  • CloudTrail
  • S3
• Other Strategies and Considerations
  • S3 supports lifecycle management
  • Leverage CloudTrail APIs to obtain SIEM data
  • CloudTrail will log AWS Console and API activity
  • AWS does not include time synchronization
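
CloudTrail's JSON is the raw material; a SIEM still has to turn it into the alerts Requirement 10 (and the access controls in 7 and 8) call for. As an added example that is not part of the deck, the Python below parses a constructed trail file whose field names follow the real CloudTrail event schema (`eventSource`, `eventName`, `userIdentity.type`, `additionalEventData.MFAUsed`, `responseElements.ConsoleLogin`) and applies a handful of detection rules: console logins without MFA, failed console logins, root account use, changes to the trail itself, and security group changes. Event ids, times, addresses and user names are constructed; the PCI DSS 3.2 requirement numbers on each rule are the ones the rule helps evidence.

```python
"""Turn CloudTrail records into SIEM alerts for PCI DSS Requirement 10.

Added example: the records below are constructed. Their field names follow
the CloudTrail event schema, which is what a SIEM parser sees after pulling
the trail's JSON objects from the S3 bucket CloudTrail writes to.
"""
import json

SAMPLE_TRAIL_FILE = """
{"Records": [
 {"eventID": "e1", "eventTime": "2017-01-16T14:02:11Z", "eventSource": "signin.amazonaws.com",
  "eventName": "ConsoleLogin", "sourceIPAddress": "203.0.113.10",
  "userIdentity": {"type": "IAMUser", "userName": "adam"},
  "additionalEventData": {"MFAUsed": "Yes"}, "responseElements": {"ConsoleLogin": "Success"}},
 {"eventID": "e2", "eventTime": "2017-01-16T14:05:40Z", "eventSource": "signin.amazonaws.com",
  "eventName": "ConsoleLogin", "sourceIPAddress": "203.0.113.11",
  "userIdentity": {"type": "IAMUser", "userName": "jordan"},
  "additionalEventData": {"MFAUsed": "No"}, "responseElements": {"ConsoleLogin": "Success"}},
 {"eventID": "e3", "eventTime": "2017-01-16T14:07:02Z", "eventSource": "signin.amazonaws.com",
  "eventName": "ConsoleLogin", "sourceIPAddress": "198.51.100.7",
  "userIdentity": {"type": "IAMUser", "userName": "jordan"},
  "additionalEventData": {"MFAUsed": "No"}, "responseElements": {"ConsoleLogin": "Failure"},
  "errorMessage": "Failed authentication"},
 {"eventID": "e4", "eventTime": "2017-01-16T15:30:00Z", "eventSource": "cloudtrail.amazonaws.com",
  "eventName": "StopLogging", "sourceIPAddress": "203.0.113.12",
  "userIdentity": {"type": "Root"}, "requestParameters": {"name": "cde-trail"}},
 {"eventID": "e5", "eventTime": "2017-01-16T15:31:00Z", "eventSource": "ec2.amazonaws.com",
  "eventName": "AuthorizeSecurityGroupIngress", "sourceIPAddress": "203.0.113.10",
  "userIdentity": {"type": "IAMUser", "userName": "adam"}}
]}
"""


def load_records(trail_json):
    """A CloudTrail log file is one JSON object with a top-level Records array."""
    return json.loads(trail_json)["Records"]


def _actor(record):
    """IAM users carry userName; the root account only carries type 'Root'."""
    ident = record.get("userIdentity", {})
    return ident.get("userName") or ident.get("type", "unknown")


SG_CHANGE_EVENTS = {"AuthorizeSecurityGroupIngress", "AuthorizeSecurityGroupEgress",
                    "RevokeSecurityGroupIngress", "RevokeSecurityGroupEgress"}

# Detection rules: (rule name, PCI DSS 3.2 requirement it helps evidence, predicate).
RULES = [
    ("console_login_without_mfa", "8.3",
     lambda r: r.get("eventName") == "ConsoleLogin"
               and r.get("responseElements", {}).get("ConsoleLogin") == "Success"
               and r.get("additionalEventData", {}).get("MFAUsed") != "Yes"),
    ("console_login_failure", "10.2.4",
     lambda r: r.get("eventName") == "ConsoleLogin"
               and r.get("responseElements", {}).get("ConsoleLogin") == "Failure"),
    ("root_account_activity", "10.2.2",
     lambda r: r.get("userIdentity", {}).get("type") == "Root"),
    ("audit_trail_change", "10.5",
     lambda r: r.get("eventSource") == "cloudtrail.amazonaws.com"
               and r.get("eventName") in {"StopLogging", "DeleteTrail", "UpdateTrail"}),
    ("security_group_change", "1.1.1",
     lambda r: r.get("eventSource") == "ec2.amazonaws.com"
               and r.get("eventName") in SG_CHANGE_EVENTS),
]


def detect(records):
    """Apply every rule to every record; one record may raise several alerts."""
    alerts = []
    for r in records:
        for name, requirement, predicate in RULES:
            if predicate(r):
                alerts.append({"rule": name, "requirement": requirement,
                               "eventID": r["eventID"], "eventTime": r["eventTime"],
                               "actor": _actor(r), "sourceIPAddress": r.get("sourceIPAddress")})
    return alerts


if __name__ == "__main__":
    for a in detect(load_records(SAMPLE_TRAIL_FILE)):
        print(f"{a['eventTime']} [{a['rule']} / PCI {a['requirement']}] "
              f"{a['actor']} from {a['sourceIPAddress']} ({a['eventID']})")
```

CloudTrail timestamps are UTC, which matters for the deck's point that AWS does not hand you time synchronization: your instance logs need NTP so that they can be correlated against these events.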

Page 17: PCI Compliance in AWS

Requirement 11: Regularly test security systems and processes
• AWS Services
  • Amazon’s Attestation of Compliance (AOC)
    – Fully covers physical security of AWS
    – Fully covers rogue Wireless Access Point detection
    – Applies to any PCI components hosted in AWS
    – Does not cover in-scope but on-premises components

Page 18: PCI Compliance in AWS

Requirement 12: Maintain a policy that addresses information security for all personnel
• AWS Services
  • None

Requirement A.1: Shared hosting providers must protect the cardholder data environment
• AWS Services
  • See Requirements 1, 7, and 8

Page 19: PCI Compliance in AWS


PCI REFERENCE ARCHITECTURES

Page 20: PCI Compliance in AWS


Architecture 1: Dedicated

Page 21: PCI Compliance in AWS

Architecture 1: Dedicated
• An entire AWS environment dedicated to a web-based e-commerce application.
• Features
  • DMZ subnet for webserver and management “Jumpbox” instances.
  • Internal subnet for application and AWS RDS instances.
• PCI Scope
  • Everything

NOTE: While the Jumpbox does not handle cardholder data itself, it does impact the security of the instances and is therefore in-scope.

Page 22: PCI Compliance in AWS


Architecture 2: Segmented

Page 23: PCI Compliance in AWS

Architecture 2: Segmented
• Adding non-PCI systems to the AWS environment hosting our existing web-based e-commerce application.
• Features
  • Separate Virtual Private Clouds for PCI and non-PCI environments
  • Network segmentation between VPCs
• PCI Scope
  • Instances in the PCI VPC only
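
Scope reduction in Architecture 2 only holds if the PCI VPC really has no path into the non-PCI VPCs; a single peering connection or route undoes it. As an added example that is not from the deck, the Python below checks constructed samples shaped like the EC2 `describe-vpcs`, `describe-vpc-peering-connections` and `describe-route-tables` responses and reports every peering connection and every route that gives the PCI VPC a way into a non-PCI CIDR. VPC, route table and peering ids and the CIDRs are constructed; every VPC other than the named PCI VPC is treated as non-PCI.

```python
"""Check that the PCI VPC stays segmented from non-PCI VPCs (Architecture 2).

Constructed samples in the shape of EC2 `describe-vpcs`,
`describe-vpc-peering-connections` and `describe-route-tables` responses
(no real account data). Reports any peering connection or route that gives
the PCI VPC a path into a VPC outside the cardholder data environment.
"""
import ipaddress

PCI_VPC_ID = "vpc-0pci0000"   # constructed

SAMPLE_VPCS = [
    {"VpcId": "vpc-0pci0000", "CidrBlock": "10.10.0.0/16", "Tags": [{"Key": "Scope", "Value": "PCI"}]},
    {"VpcId": "vpc-0corp000", "CidrBlock": "10.20.0.0/16", "Tags": [{"Key": "Scope", "Value": "non-PCI"}]},
    {"VpcId": "vpc-0dev0000", "CidrBlock": "10.30.0.0/16", "Tags": [{"Key": "Scope", "Value": "non-PCI"}]},
]

SAMPLE_PEERINGS = [
    {"VpcPeeringConnectionId": "pcx-0001",          # PCI <-> corporate: a segmentation break
     "RequesterVpcInfo": {"VpcId": "vpc-0pci0000", "CidrBlock": "10.10.0.0/16"},
     "AccepterVpcInfo": {"VpcId": "vpc-0corp000", "CidrBlock": "10.20.0.0/16"},
     "Status": {"Code": "active"}},
]

SAMPLE_ROUTE_TABLES = [
    {"RouteTableId": "rtb-0pci0000", "VpcId": "vpc-0pci0000", "Routes": [
        {"DestinationCidrBlock": "10.10.0.0/16", "GatewayId": "local"},
        {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0001"},
        {"DestinationCidrBlock": "10.20.5.0/24", "VpcPeeringConnectionId": "pcx-0001"},  # break
    ]},
    {"RouteTableId": "rtb-0corp000", "VpcId": "vpc-0corp000", "Routes": [
        {"DestinationCidrBlock": "10.20.0.0/16", "GatewayId": "local"},
        {"DestinationCidrBlock": "10.10.0.0/16", "VpcPeeringConnectionId": "pcx-0001"},
    ]},
]


def find_segmentation_breaks(pci_vpc_id, vpcs, peerings, route_tables):
    """Return (kind, resource id, detail) tuples for paths out of the PCI VPC.

    Two checks: any peering connection that joins the PCI VPC to a non-PCI VPC,
    and any route in a PCI VPC route table whose destination is a non-PCI CIDR,
    whether it points at a peering connection or at some other gateway.
    """
    non_pci = {v["VpcId"]: ipaddress.ip_network(v["CidrBlock"])
               for v in vpcs if v["VpcId"] != pci_vpc_id}
    findings = []

    peer_of = {}   # peering id -> the VPC on the far side from the PCI VPC
    for p in peerings:
        ends = {p["RequesterVpcInfo"]["VpcId"], p["AccepterVpcInfo"]["VpcId"]}
        if pci_vpc_id not in ends:
            continue
        other = (ends - {pci_vpc_id}).pop() if len(ends) > 1 else pci_vpc_id
        peer_of[p["VpcPeeringConnectionId"]] = other
        if other in non_pci:
            findings.append(("peering", p["VpcPeeringConnectionId"], other))

    for rt in route_tables:
        if rt["VpcId"] != pci_vpc_id:
            continue
        for route in rt["Routes"]:
            dest = route.get("DestinationCidrBlock")
            if dest is None or route.get("GatewayId") == "local":
                continue
            if route.get("GatewayId", "").startswith("igw-"):
                continue   # the default route to the Internet gateway is not a cross-VPC path
            pcx = route.get("VpcPeeringConnectionId")
            if pcx and peer_of.get(pcx) in non_pci:
                findings.append(("route", rt["RouteTableId"], f"{dest} via {pcx}"))
                continue
            dnet = ipaddress.ip_network(dest)
            for vpc_id, cidr in non_pci.items():
                if dnet.overlaps(cidr):
                    findings.append(("route", rt["RouteTableId"], f"{dest} reaches {vpc_id}"))
    return findings


if __name__ == "__main__":
    for kind, resource, detail in find_segmentation_breaks(
            PCI_VPC_ID, SAMPLE_VPCS, SAMPLE_PEERINGS, SAMPLE_ROUTE_TABLES):
        print(f"{kind}: {resource}: {detail}")
```

The route check deliberately looks at destinations rather than only at peering targets, so a route that reaches a non-PCI prefix through a VPN gateway or another device is reported too; the penetration test in Requirement 11.3.4 is what then confirms the segmentation holds in practice.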

Page 24: PCI Compliance in AWS


Architecture 3: Connected

Page 25: PCI Compliance in AWS

Architecture 3: Connected
• Extending an on-premises network to the AWS PCI environment to leverage existing services.
• Features
  • Connectivity between on-premises systems and the AWS PCI environment.
  • Network segmentation between PCI and non-PCI environments.
• PCI Scope
  • AWS CDE VPC
  • AWS In-scope VPC and In-scope On-Premises Network

Page 26: PCI Compliance in AWS

THIRD PARTY SOLUTIONS

Page 27: PCI Compliance in AWS

Pre-built AMIs
• Familiar technologies
• Trusted vendors

https://aws.amazon.com/marketplace/

Page 28: PCI Compliance in AWS

PCI Compliance Related
• AWS Service Gaps
  • IDS/IDP
  • SIEM
  • Patching
  • Vulnerability Management
  • FIM
• Enhance AWS Services
  • Firewalls
  • VPN
  • AWS Automation

Page 29: PCI Compliance in AWS

AWS PCI BEST PRACTICES

Page 30: PCI Compliance in AWS

Non-technical Actions
• Request a copy of the AWS PCI Compliance Package
  • Requires NDA
  • AWS AOC
  • Responsibility Matrix
• Documentation
  • Config
  • Trusted Advisor
  • AMI Identifiers
  • AWS Console
  • Resource Groups and Tagging

Page 31: PCI Compliance in AWS

Technical Considerations
• Monitoring
  • CloudWatch
• First things first
  • Naming conventions
  • KMS encryption keys
• Elastic Load Balancers (ELB)
  • Availability
  • Abstract or conceal real endpoints
  • ELB all the things!

Page 32: PCI Compliance in AWS

Audit Preparation
• Readiness assessment
• Documentation
• Network diagrams and data flows
• Scope and inventory
• Penetration tests and vulnerability scans
• QSA who knows AWS

Page 33: PCI Compliance in AWS


QUESTIONS?

Page 34: PCI Compliance in AWS

EMAIL: [email protected]@anitian.com
WEB: www.anitian.com
BLOG: blog.anitian.com
SLIDES: http://bit.ly/anitian
CALL: 888-ANITIAN

THANK YOU
