© 2016, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Matt McLimans, Network Security Engineer
Warren Rogers
August 11, 2016
Can You Achieve PCI Compliance in AWS?
So, what is this presentation about?
This is a true story of how I built a PCI compliant solution using Palo Alto Networks while securing thousands of endpoint devices using GlobalProtect and Palo Alto Networks VM-Series Firewalls within Amazon Web Services.
Content
Start Up
• About Warren Rogers
• Warren Rogers Data Collection Operation
PCI DSS Compliance
• Crash Course
• Levels & Requirements of PCI DSS 3.1
PCI Compliance within AWS
• AWS Security as a Whole
• Services & Regions
• Shared Responsibility
Warren Rogers PCI Plan
• Using Palo Alto Networks
• GlobalProtect & LSVPN
• Data Filtering & Policy Implementation
Wrap Up
• Palo Alto Networks tackling PCI, Tips, & Q&A
Warren Rogers Services
All-Point monitoring system that provides the most accurate and complete information of the fueling operation.
Reporting Options
• Variance reports
• Tank activity
• Sales by hour
• Dispenser/Probe out summary
• Delivery reports
• Unexplained removals
Our Operation (diagram)
Customer Store Network → Warren Rogers’ Network
Our device: the “OSP”
Aspects to Note
Deployments:
• On-Premise
• AWS Cloud
• Hybridized Deployment
Compliance Regulations:
• PCI DSS 3.1
• HIPAA
• SSAE-16
• And many more…
CRASH COURSE
PCI compliance and why it is important to you.
PCI DSS Players
Card Brands
Created the SSC. They are responsible for approving DSS controls and framework.
PCI SSC
Developed the DSS, PA-DSS, & PIN Standards. They conduct training and certification for QSAs and ASVs.
Acquirers
Banks and payment processors that are responsible for enforcing the DSS.
Merchants
Responsible for implementing DSS controls and demonstrating compliance.
Merchant Levels
LEVEL 1:
• > 6 million transactions per year.
• Need QSA to validate.
LEVEL 2:
• 1 to 6 million transactions per year.
• Need QSA to validate.
LEVEL 3 & 4:
• < 1 million transactions per year.
• Can self-assess via the SAQ.
Knowing your level is critically important to achieving PCI compliance effectively.
Requirements v. Validation
SAQ v. QSA
A Simple Question
Do I have to be PCI Compliant?
Do you handle CHD?
• Yes → You must be compliant.
• No → You do not need to be compliant.
“But I only handle 1 card number!”
Myth 1: Compliance makes my organization secure.
Why?
• Compliance is a snapshot in time.
• One size does not fit all.
• Vagueness among requirements, e.g. “on devices not commonly affected by malware.”
Usage
• Compliance as a “base-line security model.”
• Encourage a continuous and vigilant security culture.
Compliance does not equal security.
Myth 2: One vendor and one product makes me compliant.
Neither one vendor nor one product will make you compliant.
• Over-promising and under-delivering.
• “Silver Bullet” effect.
Implement holistic security strategy:
1. Technology
2. Infrastructure
3. People
A WALK THROUGH
PCI Compliance on AWS
AWS Security as a Whole
CISO probably likes AWS Security for the following reasons:
1. Greater transparency
• All security in a single location.
2. Reinforcement of traditional security measures
• Controls through automation.
• Relying on best-practice templates and specialization.
• Eliminates mistakes.
CISO: “AWS is more secure than our on-premise datacenter.”
AWS as Level 1 Service Provider
• Lowest cost PCI compliant cloud service.
• Reduce and simplify scoped environment.
• If required, provides forensic investigations.
Is there a special PCI Compliant environment I need to specify when bringing up servers or uploading objects to store?
No!
AWS PCI Compliant Services
Monitoring: CloudWatch
Deployment & Management: Elastic Beanstalk, CloudFormation, OpsWorks, CloudTrail
Identity & Access: IAM, Federation
Application Services: SNS, SES, SQS, Elastic Transcoder, CloudSearch, SWF, AppStream
Databases: DynamoDB, ElastiCache, RDS, RedShift
Analytics: EMR, Data Pipeline, Kinesis
Content Delivery: CloudFront
Compute: EC2, WorkSpaces
Storage: S3, EBS, Glacier, Storage Gateway
Networking: Route 53, ELB, Direct Connect, VPC
Is AWS compliance applicable globally?
Can I rely on the results of the AWS PCI Report on Compliance? …or will additional testing be required to be fully compliant?
What is your responsibility to achieve compliance?
Security of the Cloud v. Security in the Cloud
Responsibility Matrix
Shared Responsibility Model
Customer Responsibility: Security in the Cloud
• Customer Data
• Platform, Applications, Identity & Access Management
• Operating System, Network & Firewall Configuration
• Client-side Data Encryption & Data Integrity Authentication
• Server-Side Encryption (File System and/or Data)
• Network Traffic Protection (Encryption/Integrity/Identity)
AWS Responsibility: Security of the Cloud
• Compute, Storage, Database, Networking
• AWS Global Infrastructure: Regions, Availability Zones, Edge Locations
Columns: Requirement, AWS Responsibility, Customer Responsibility
Req. 1 Install and maintain a firewall configuration to protect cardholder data.
Req. 2 Do not use supplier-supplied defaults for system passwords and other security parameters.
Req. 3 Protect stored cardholder data.
Req. 4 Encrypt transmission of cardholder data across open, public networks.
Req. 5 Use and regularly update anti-virus software or programs.
Req. 6 Develop and maintain secure systems and applications.
Req. 7 Restrict access to cardholder data by business need-to-know.
Req. 8 Assign a unique ID to each person with computer access.
Req. 9 Restrict physical access to cardholder data.
Req. 10 Track and monitor all access to network resources and cardholder data.
Req. 11 Regularly test security systems and processes.
Req. 12 Maintain a policy that addresses information security for employees and contractors.
Responsibility Matrix
In other words…
Your QSA can rely on AWS’s PCI compliance.
But you are responsible for satisfying all testing requirements, including management and documentation.
WARREN ROGERS PCI PLAN
Using Amazon Web Services & Palo Alto Networks
Customer Store Network → Warren Rogers’ Network (diagram)
The PCI Challenge for Warren Rogers
How do we protect ourselves?
Obstacles
Challenges
1. Previously non-compliant.
2. Thousands of remote devices.
3. Various deployments within diverse customer environments.
Questions to Answer
1. How can we secure transmission to AWS?
2. How do we know if we inadvertently collect cardholder data?
3. How do we ensure all our boxes are running PCI required applications?
4. How can we standardize access to our OSPs?
What we had… (diagram)
Customer A Network (CIDR: 10.0.0.0/16), Customer B Network (CIDR: 172.17.0.0/24), Customer n Network (CIDR: 192.168.3.0/8)
VPN Client 1, VPN Client 2, VPN Client n → Warren Rogers Network
What we wanted… (diagram)
Customer A Network, Customer B Network, Customer n Network, each on a WR Custom IP Range (1, 2, 3)
Secure Comm., One Access Method → Warren Rogers Network
Using Palo Alto Networks to Achieve Our Goal
GlobalProtect
• Encryption
• HIP Profiles
LSVPN
• Reducing latency
• Increasing redundancy
• Increasing global presence
Access Policies
• Data filtering
• Removing uncertainty
• Jump server
GlobalProtect: Use Case
A Unique Deployment
• Installed on OSP
• Pre-Log On
Benefits
• User-ID
• Exceeding PCI requirements.
• Complete insight into data transmission
• Centrally managed & IP Assignment
• HIP Checks & LDAP Segregation
Control
HIP Check
Stages
1. GlobalProtect agent collects information.
2. Agent submits host information.
3. Gateway matches host information against HIP objects and HIP profiles.
Key Advantages
• Centrally managed from Palo Alto Networks.
• Easy configuration changes & granular policies.
• Custom application IDs.
• Allow box to connect, but notify personnel of compliance mismatch.
• Routine checks on all OSPs, removes worry.
Host Information in Policy Enforcement (HIP)
• Firewall Status
• Data Encryption
• Patch Management
• Anti-Virus
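The three HIP stages above, as an added example that is not from the presentation or from Palo Alto Networks: the host information an agent would submit is a constructed dictionary, the four HIP objects correspond to the slide’s four categories (firewall, encryption, patching, anti-virus), and the decision follows the slide’s “allow the box to connect, but notify on mismatch” policy. The definition-age threshold and attribute names are assumptions.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import Callable, Dict, List

HostInfo = Dict[str, object]

@dataclass
class HipObject:
    """One HIP object: a named check that is True when the host passes it."""
    name: str
    check: Callable[[HostInfo], bool]

def make_hip_objects(today: date, max_av_age_days: int = 7) -> List[HipObject]:
    """HIP profile = all four objects; age threshold is an assumed value."""
    return [
        HipObject("firewall-status", lambda h: h.get("firewall_enabled") is True),
        HipObject("data-encryption", lambda h: h.get("disk_encrypted") is True),
        HipObject("patch-management", lambda h: h.get("missing_critical_patches", 1) == 0),
        HipObject("anti-virus", lambda h: h.get("av_running") is True
                  and (today - h.get("av_definitions_date", date.min)).days <= max_av_age_days),
    ]

@dataclass
class Decision:
    connect: bool            # slide policy: the OSP is always allowed to connect
    notify: bool             # ...but staff are notified on any mismatch
    failed: List[str] = field(default_factory=list)

def evaluate(host: HostInfo, objects: List[HipObject]) -> Decision:
    """Stage 3: the gateway matches submitted host info against the HIP objects."""
    failed = [o.name for o in objects if not o.check(host)]
    return Decision(connect=True, notify=bool(failed), failed=failed)

# Constructed sample host reports (stage 2 payloads), not real GlobalProtect output.
TODAY = date(2016, 8, 11)
COMPLIANT_HOST: HostInfo = {"firewall_enabled": True, "disk_encrypted": True,
                            "missing_critical_patches": 0, "av_running": True,
                            "av_definitions_date": date(2016, 8, 9)}
DRIFTED_HOST: HostInfo = {"firewall_enabled": True, "disk_encrypted": True,
                          "missing_critical_patches": 2, "av_running": True,
                          "av_definitions_date": date(2016, 7, 20)}

if __name__ == "__main__":
    for name, host in (("compliant", COMPLIANT_HOST), ("drifted", DRIFTED_HOST)):
        print(name, evaluate(host, make_hip_objects(TODAY)))
```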
Data Filtering for CHD
CHD Filtering
• Predefined data pattern.
• Looks for 16 digit card numbers through hash algorithm (less false positives).
• Scan all data or only certain file types (.pdf .txt .csv ….)
Alerting on CHD Detected
• Contact customer immediately that their network is passing CHD to our OSP.
Diagram: CHD Detected v. Out of Scope for Compliance
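An added example of the CHD filter described above, not code from the presentation or from Palo Alto Networks: it scans only the listed file types, matches 16-digit candidates, and validates each with the Luhn checksum (assumed here to be the slide’s “hash algorithm”), so a 16-digit meter serial does not raise a false positive. The sample CSV is constructed, and alerts carry only a masked PAN so the alert itself holds no CHD.

```python
import re
from dataclasses import dataclass
from typing import List

# Only these extensions are scanned ("certain file types" option on the slide).
SCANNED_EXTENSIONS = {".pdf", ".txt", ".csv"}

# Candidate PAN: four groups of four digits, optionally space- or dash-separated.
PAN_RE = re.compile(r"(?<!\d)(?:\d{4}[ -]?){3}\d{4}(?!\d)")

def luhn_ok(digits: str) -> bool:
    """Luhn checksum; assumed to be the slide's 'hash algorithm' for fewer false positives."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0

def mask(digits: str) -> str:
    """Keep first 6 and last 4 digits only, so findings never store a full PAN."""
    return digits[:6] + "*" * 6 + digits[-4:]

@dataclass
class Finding:
    filename: str
    line_no: int
    masked_pan: str

def scan_file(filename: str, content: str) -> List[Finding]:
    """Return one Finding per Luhn-valid 16-digit number in an in-scope file."""
    ext = filename[filename.rfind("."):].lower() if "." in filename else ""
    if ext not in SCANNED_EXTENSIONS:
        return []
    findings: List[Finding] = []
    for line_no, line in enumerate(content.splitlines(), start=1):
        for m in PAN_RE.finditer(line):
            digits = re.sub(r"[ -]", "", m.group(0))
            if luhn_ok(digits):
                findings.append(Finding(filename, line_no, mask(digits)))
    return findings

# Constructed sample: a tank-activity export that accidentally carries a card auth.
SAMPLE_CSV = "\n".join([
    "timestamp,dispenser,event,payload",
    "2016-08-11T09:00:00,3,delivery,gallons=4800",
    "2016-08-11T09:05:12,3,card_auth,pan=4111 1111 1111 1111",   # Luhn-valid test PAN
    "2016-08-11T09:06:00,4,probe_out,serial=1234567890123456",  # 16 digits, not a PAN
])
```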
LSVPN
1. Amazon Data Centers
2. Geo-located OSPs
3. Palo Alto Networks VM-300 Portal
4. Palo Alto Networks VM-300 Satellites
5. Connecting LSVPN.
6. GlobalProtect to WR defined satellites.
Key: LSVPN Tunnel, GlobalProtect
Diagram nodes: AWS Data Center; OSPs; Palo Alto Networks VM-Series: PORTAL, CA.SAT01, CA.SAT02, OR.SAT01, VA.SAT01
ADDS & Group Policy
Break devices into organizational units.
• Geography
• Customer type
• …really anything
Advantages of ADDS
• Sync with Palo Alto Networks Firewalls.
• Addressable remote devices by DNS.
• Powerful tools available.
Group Policy
• “Touch one, configure many.”
• Floor to ceiling security model.
LSVPN (diagram)
Virginia: Portal, Portal Private Network, Active Directory Servers
Oregon: Satellite 1, Satellite Private Network, Active Directory Servers
OSP
Group Policy Hierarchy: Default PCI Policy → Customer A Policy → Site 1 Policy
RDP
Logging & Controlling Access to OSP Units
PCI Requirement
• “Must control & log access to PCI DSS Environment.”
Jump Server
• Single access point for authorized staff.
Log Server
• Central “Log Aggregation” and alerting.
• Synchronization with tools like Splunk.
Diagram nodes: M.F.A, On-Premise, Jump, Portal, Satellite 1, Satellite 2, Satellite 3, Customer A, Customer B, Customer C
Access Policies
• AWS has no preferred access method to EC2 instances.
• OpenVPN is frequently used.
• Cannot base access policies on applications or people.
• No data filtering on policies.
• Policies by IP assignment only.
An Ideal Access Policy for Easy PCI Compliance
Making Compliance Easy with Palo Alto Networks
Least Access Control
• Active Directory
Proof of policy controls
• App-ID
• User-ID
• Content-ID
Logging & Flexibility
• Changes are unavoidable for productive organizations.
Segmentation, segmentation, segmentation!
• Reduced Scope = Reduced Cost
• Reduced Scope = Reduced Threat
Flat Network v. Segmented Network
                          Flat Network   Segmented Network
Cardholder servers        4              4
Total servers             100            100
Open to audit scope       100            4
Reduction of audit scope  0%             96%
Diagram: Flat Network = Whole Network; Segmented Network = CHD Network and Non-CHD Network
Some Tips Before I Go…
Reach beyond PCI requirements for security.
• If you don’t have a security plan, use PCI as a base line.
Avoid expensive mistakes!
• Involve a QSA, a Palo Alto Networks Engineer, and your team on all major design decisions.
Remember, a single credit card number is a liability.
• Cost of CHD Compromise > Cost of PCI Compliance
Evaluate whether or not you can eliminate the reasons for necessary compliance.
• Ensure the benefit of touching CHD is greater than the liability.
Compliance with and without Palo Alto Networks
• “Uncertainty in Compliance” v. “Certainty in Compliance”
Learn More at Booth XYZ
Matt McLimans, Senior Network Security Engineer
Thank you
Questions?