
Architect proper segmentation for PCI DSS workloads on AWS - GRC306 - AWS re:Inforce 2019


In this session, we discuss how to successfully architect for proper segmentation involving PCI DSS workloads running on AWS. We show you how the segmentation strategies and controls are different from those designed in a traditional on-premises environment, keeping in mind the unique characteristic of the AWS platform.



  1. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
     Architect proper segmentation for PCI DSS workloads on AWS (GRC306)
     Avik Mukherjee, Senior Consultant, AWS Professional Services, Amazon Web Services
     Aditya Patel, Security Architect, AWS Professional Services, Amazon Web Services
  2. Goals
     - Understand PCI guidance on scoping and segmentation
     - Learn how to apply the guidance on AWS
     - Learn how to validate segmentation boundaries
  4. Data Security Standard (DSS)
     - PCI DSS v3.2.1: https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf
     - Maintaining payment security: https://www.pcisecuritystandards.org/pci_security/maintaining_payment_security
  5. PCI DSS requirements
     - Before the twelve numbered requirements comes what the speakers call "Requirement 0": define the scope and the segmentation boundaries, because every other requirement applies to whatever ends up in scope.
     - https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf
  6. PCI DSS scope
     - People, processes, and technologies that can impact the security of cardholder data (CHD)
     - Defined by the entity
     - Validated by the assessor (QSA/ISA)
     - Everything in scope is required to meet all applicable PCI DSS controls
  7. Why segmentation?
     - Splits the organization into an in-scope part and an out-of-scope part
     - Reduces the security surface area
     - Reduces the compliance overhead
     - Pro tip: segmentation is one way of reducing PCI DSS scope; others include using P2PE solutions, PTS devices, and outsourcing CHD-handling functions
  8. PCI scoping and segmentation guidance (Information Supplement: Guidance for PCI DSS Scoping and Network Segmentation, published December 2016)
     - CDE systems
     - Connected-to or security-impacting systems: have filtered direct or indirect network connectivity to CDE systems, and/or affect the configuration and security of CDE systems, and/or support PCI DSS requirements
     - Out-of-scope systems
  9. (Section divider) ... on AWS
  10. Unique AWS Cloud characteristics
     - Shared responsibility model: security of the cloud (AWS) and security in the cloud (customer)
     - Virtualization of the traditional network (SDN)
     - Elasticity
     - Abstracted services and API-based infrastructure
     - Automation
     - Hybrid infrastructure
  11. Communication layers on AWS
     "The intent of segmentation is to prevent out-of-scope systems from being able to communicate with systems in the CDE or impact the security of the CDE." (Information Supplement: Guidance for PCI DSS Scoping and Network Segmentation)
     - Network layer (Layers 3-4): primarily for AWS infrastructure services
     - Application layer (Layer 7): primarily for AWS containerized and abstracted services
  12. Infrastructure vs. containerized vs. abstracted services
     - Infrastructure services (Amazon EC2, Amazon ECS, Amazon EKS): client is responsible for guest OS, network isolation, logical access, and data; connectivity is at the network layer; segmentation is network isolation.
     - Containerized services (Amazon RDS, AWS Fargate): client is responsible for network isolation, logical access, and data; connectivity is network plus application; segmentation is network isolation plus data control.
     - Abstracted services (AWS Lambda, Amazon S3): client is responsible for logical access and data; connectivity is at the application layer; segmentation is data control.
  13. PCI DSS scope identification: decision flow (diagram walking from the overall scope down to the CDE)
  14. Reference architecture: scope. Tiers: load balancer, web application tier, application logic tier, database tier.
  16. Step 1: Identify the CHD data flow (through the load balancer, web application tier, application logic tier, and database tier)
  17. Step 2: Identify the AWS services
  18. Step 3: Identify the type of each AWS service (infrastructure, containerized, or abstracted)
  19. Steps 3a and 3b: Identify the CDE
  21. Step 4: Identify the non-CDE scope (connected-to and security-impacting systems)
  22. Final PCI DSS scope: the CDE plus the connected-to and security-impacting systems
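The scoping steps above can be run as a graph classification over an inventory. The following is an added example, not code from the session or from AWS: the systems, links and their attributes are constructed, and the rules implemented follow the scoping guidance quoted earlier (anything that stores, processes or transmits CHD is CDE; a system with unfiltered connectivity to a CDE system joins the CDE; a system with filtered direct or indirect connectivity, or that can impact CDE security, is connected-to/security-impacting; everything else is out of scope).

```python
from collections import deque
from dataclasses import dataclass


@dataclass(frozen=True)
class System:
    name: str
    handles_chd: bool = False         # stores, processes, or transmits CHD
    security_impacting: bool = False  # can affect CDE security or supports a PCI DSS requirement


@dataclass(frozen=True)
class Link:
    a: str
    b: str
    filtered: bool  # True when a security group / firewall limits the traffic between a and b


def classify_scope(systems, links):
    """Return {"cde", "connected_to", "out_of_scope"} -> sorted system names."""
    names = {s.name for s in systems}
    adjacency = {n: [] for n in names}
    for link in links:
        adjacency[link.a].append((link.b, link.filtered))
        adjacency[link.b].append((link.a, link.filtered))

    # Steps 1 and 3a: everything that stores, processes, or transmits CHD is in the CDE.
    cde = {s.name for s in systems if s.handles_chd}

    # Step 3b: unfiltered connectivity (same segment, nothing between the two hosts)
    # pulls the neighbour into the CDE as well; repeat until no more systems join.
    frontier = deque(cde)
    while frontier:
        current = frontier.popleft()
        for neighbour, filtered in adjacency[current]:
            if not filtered and neighbour not in cde:
                cde.add(neighbour)
                frontier.append(neighbour)

    # Step 4: any system with filtered direct or indirect (multi-hop) connectivity to
    # the CDE, or that can impact CDE security, is connected-to / security-impacting.
    connected = {s.name for s in systems if s.security_impacting} - cde
    seen = set(cde)
    frontier = deque(cde)
    while frontier:
        current = frontier.popleft()
        for neighbour, _ in adjacency[current]:
            if neighbour not in seen:
                seen.add(neighbour)
                connected.add(neighbour)
                frontier.append(neighbour)

    out_of_scope = names - cde - connected
    return {
        "cde": sorted(cde),
        "connected_to": sorted(connected),
        "out_of_scope": sorted(out_of_scope),
    }


def reference_scope():
    """Constructed sample loosely modelled on the three-tier reference architecture."""
    systems = [
        System("alb", handles_chd=True),               # terminates TLS, transmits CHD
        System("web", handles_chd=True),
        System("app", handles_chd=True),
        System("db", handles_chd=True),                # stores CHD
        System("legacy-app"),                          # same subnet as web, no security group between them
        System("bastion"),                             # admin access into the app tier
        System("build-agent"),                         # reaches the CDE only through the bastion
        System("siem", security_impacting=True),       # supports the logging requirements
        System("directory", security_impacting=True),  # authenticates CDE administrators
        System("hr-app"),                              # separate account, no connectivity
    ]
    links = [
        Link("alb", "web", filtered=True),
        Link("web", "app", filtered=True),
        Link("app", "db", filtered=True),
        Link("legacy-app", "web", filtered=False),
        Link("bastion", "app", filtered=True),
        Link("build-agent", "bastion", filtered=True),
        Link("web", "siem", filtered=True),
    ]
    return classify_scope(systems, links)


if __name__ == "__main__":
    for bucket, members in reference_scope().items():
        print(f"{bucket}: {', '.join(members)}")
```

Two things the sample makes visible that a spreadsheet inventory tends to hide: the build agent is in scope although it never touches the CDE directly (indirect connectivity through the bastion), and the legacy application lands in the CDE itself because nothing filters its traffic to the web tier. Both are the kinds of finding a QSA will raise, so the inventory that feeds this should come from the actual security group and peering configuration rather than from an architecture diagram.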
  24. (Section divider) Segmentation on AWS
  25. Segmentation on AWS: two layers, the network layer and the application layer
  26. Segmentation on AWS: AWS account layer
     - Highest level of segmentation within AWS
     - All resources are logically isolated from those in other AWS accounts
     - The isolation is by design, so it carries no validation burden for the customer
     - Use AWS Organizations and service control policies (SCPs)
     - The unit of segmentation at this layer is an AWS account
  27. Reference architecture: multi-account (diagram)
     - Org master account
     - Core OU: Account A (Shared Services), Account B (Logging), Account C (Security)
     - PCI OU: Account D (Connected-to), Account E (CDE Systems)
     - Non-PCI OU: Account F (Out of Scope)
  28. Segmentation on AWS (layer diagram: AWS account, network layer, application layer; introduces the network layer)
  29. Segmentation on AWS: network layer
     - Use security groups as segmentation boundaries
     - A security group acts as a stateful virtual firewall that controls traffic at the instance (network interface) level
     - A security group does not meet PCI DSS requirements as created: its default outbound rule allows all traffic to any destination, so egress has to be restricted explicitly
     - Third-party host-based or network firewalls can be used in addition
     - The unit of segmentation at this layer is an elastic network interface (ENI)
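The "open outbound by default" point is easy to check mechanically. As an added example (not code from the session or from AWS), the audit below walks security groups in the shape returned by `ec2.describe_security_groups()` and reports every rule whose peer is outside the CDE and connected-to boundary, plus any rule that allows all protocols. The sample groups, group IDs, CIDR allowlist and in-scope group list are all constructed for the example.

```python
import ipaddress

# Constructed sample in the shape of ec2.describe_security_groups()["SecurityGroups"],
# trimmed to the fields the audit reads. Group IDs and CIDRs are made up.
SAMPLE_GROUPS = [
    {
        "GroupId": "sg-0a1b2c3d4e5f60001",
        "GroupName": "cde-app-tier",
        "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 8443, "ToPort": 8443,
             "IpRanges": [], "Ipv6Ranges": [],
             "UserIdGroupPairs": [{"GroupId": "sg-0a1b2c3d4e5f60000"}]},  # from the web-tier SG
        ],
        "IpPermissionsEgress": [
            # The rule every new security group gets by default: all traffic, anywhere.
            {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}],
             "Ipv6Ranges": [], "UserIdGroupPairs": []},
        ],
    },
    {
        "GroupId": "sg-0a1b2c3d4e5f60002",
        "GroupName": "cde-db-tier",
        "IpPermissions": [
            # Too broad: the whole corporate range instead of the app-tier SG.
            {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
             "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": [],
             "UserIdGroupPairs": []},
        ],
        "IpPermissionsEgress": [
            {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
             "IpRanges": [{"CidrIp": "10.20.0.0/16"}], "Ipv6Ranges": [],
             "UserIdGroupPairs": []},  # to the logging VPC in the connected-to account
        ],
    },
]

# Assumed allowlists: the security groups and VPC CIDRs that belong to the CDE and
# connected-to accounts. Any other peer is treated as out of scope.
IN_SCOPE_SGS = {"sg-0a1b2c3d4e5f60000", "sg-0a1b2c3d4e5f60001", "sg-0a1b2c3d4e5f60002"}
IN_SCOPE_CIDRS = [ipaddress.ip_network("10.10.0.0/16"),   # CDE VPC
                  ipaddress.ip_network("10.20.0.0/16")]   # connected-to VPC


def _peers(rule):
    """Yield ("cidr", x) or ("sg", id) for every peer a rule refers to."""
    for r in rule.get("IpRanges", []):
        yield "cidr", r["CidrIp"]
    for r in rule.get("Ipv6Ranges", []):
        yield "cidr", r["CidrIpv6"]
    for p in rule.get("UserIdGroupPairs", []):
        yield "sg", p["GroupId"]


def _within_scope(cidr, allowed):
    net = ipaddress.ip_network(cidr, strict=False)
    return any(net.version == a.version and net.subnet_of(a) for a in allowed)


def audit_security_groups(groups, in_scope_sgs=IN_SCOPE_SGS, in_scope_cidrs=IN_SCOPE_CIDRS):
    """Return one finding per rule/peer pair that crosses the segmentation boundary."""
    findings = []
    for sg in groups:
        for direction, key in (("ingress", "IpPermissions"), ("egress", "IpPermissionsEgress")):
            for rule in sg.get(key, []):
                for kind, peer in _peers(rule):
                    if kind == "cidr" and not _within_scope(peer, in_scope_cidrs):
                        reason = "peer CIDR is outside the CDE/connected-to ranges"
                    elif kind == "sg" and peer not in in_scope_sgs:
                        reason = "peer security group is not an in-scope group"
                    elif rule.get("IpProtocol") == "-1":
                        reason = "rule allows every protocol and port"
                    else:
                        continue
                    findings.append({"group": sg["GroupId"], "name": sg["GroupName"],
                                     "direction": direction, "peer": peer, "reason": reason})
    return findings


if __name__ == "__main__":
    for f in audit_security_groups(SAMPLE_GROUPS):
        print(f"{f['group']} ({f['name']}) {f['direction']} -> {f['peer']}: {f['reason']}")
```

Against the sample this reports the default egress rule on the app tier and the /8 ingress rule on the database tier. Rules that reference managed prefix lists (`PrefixListIds`) are not inspected here and would need resolving to CIDRs first; and because security groups are stateful, restricting egress on the CDE groups also needs a matching review of the connected-to groups, or the peer side will keep a rule the assessor will ask about.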
  30. Reference architecture: network layer (diagram). Account E (CDE) and Account D (Connected-to) each hold a VPC spanning two Availability Zones, joined by VPC peering. In-scope instances sit inside security groups in each VPC; out-of-scope resources sit outside those security groups.
  31. Segmentation on AWS (layer diagram: AWS account, network layer, application layer; introduces the application layer)
  32. Segmentation on AWS: application layer (Layer 7)
     - Network isolation is by design (AWS responsibility)
     - Scoping is data driven: if two API endpoints exchange CHD, they are in scope; otherwise they are not
     - Segmentation is application driven: because the network is abstracted away, the application logic and the logical access controls around it must enforce the segmentation
     - The unit of segmentation at this layer is the application logic
  33. Reference architecture: API layer (diagram). Account D (Connected-to) and Account E (CDE) each hold a VPC; on the CDE side the diagram shows a Lambda function handling CHD together with Amazon Simple Queue Service (Amazon SQS) and Amazon DynamoDB.
  35. 1. Hybrid environments: scoping. PCI scope spread over an on-premises data center and the AWS Cloud: both the corporate data center and AWS contain CDE, connected-to/security-impacting, and out-of-scope systems. Pro tip: for defense in depth, use multiple layers of segmentation boundaries.
  36. 2. Custom application APIs
     - Use Amazon API Gateway for segmentation between CDE resources and custom APIs (non-PCI-validated services)
     - It provides connection brokerage (it works like a jump host for API calls)
     - Pro tip: API Gateway provides additional security benefits such as custom authentication and authorization, retrofitting to a microservices architecture, API life cycle management, and attaching a WAF
  37. 2. Segmentation using API Gateway (diagram). Account E (CDE) holds the PCI DSS in-scope systems: Lambda, other supported AWS services, and endpoints on Amazon EC2/AWS Elastic Beanstalk inside a VPC. Custom applications (Custom App1, Custom App2) in the corporate data center and elsewhere in the AWS Cloud reach them through API Gateway.
  38. 3. Microservices: network layer segmentation
     - Amazon ECS runs containerized applications with two launch types: Amazon EC2 instances or AWS Fargate
     - EC2 launch type: group CDE workloads into their own cluster (or a set of related clusters), since the security group sits on the container instance
     - Fargate launch type: group CDE workloads into their own task (or a set of related tasks), since each task gets its own network interface and security group
     - Use security groups for cluster and task isolation
  40. Segmentation control validation
     - PCI DSS requirement 11.3.4: test the segmentation controls by penetration testing at least annually and after any change to them; requirement 11.3.4.1 raises this to at least every six months for service providers
     - Information Supplement: Penetration Testing Guidance: "It should verify that all out-of-scope LANs truly have no access to the CDE." "Each unique segmentation methodology should be tested to ensure that all security controls are functioning as intended."
  41. Segmentation control validation on AWS (validation procedure per segmentation layer)
     - AWS account: validated as part of the AWS PCI DSS Level 1 service provider assessment
     - AWS network (SDN): validate security group and ACL rules through network penetration testing
     - AWS API (abstracted services): validate application logic through application penetration testing
     - Custom API (non-PCI validated): validate both network and application-logic isolation through penetration testing
  42. Penetration testing on AWS: pointers
     - Make sure that you understand the AWS Acceptable Use Policy
     - Review the AWS Vulnerability and Penetration Testing guidelines: Customer Service Policy for Pen Testing, Tips for Security Testing, and the AWS Policy Regarding the Use of Security Assessment Tools and Services
     - AWS recommends vetting potential penetration testing vendors and third parties
  44. Segmentation controls: life cycle management, following the NIST Cybersecurity Framework functions Identify, Protect, Detect, Respond, Recover (https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf)
  45. Preventive, detective, and responsive controls
     - Put proactive controls in place to prevent any unauthorized modification of the segmentation controls
     - Use infrastructure as code, automation, and enhanced alerting
     - Use automated response to fix deviations
     - Control categories from the AWS CAF Security Perspective: directive, preventive, detective, responsive
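The detective half of that slide, as an added example that is not code from the session or from AWS: a rule over CloudTrail records that alerts on any change to a segmentation control in a PCI OU account unless it was made by the infrastructure-as-code pipeline role, and names the API call that would reverse it. The account IDs, role name, group IDs and the four sample records are constructed; the event names are the real EC2 API actions that appear in CloudTrail.

```python
import json

# Constructed CloudTrail records (trimmed to the fields used). Not real log data.
SAMPLE_EVENTS = [json.loads(line) for line in '''
{"eventTime":"2019-06-25T14:02:11Z","eventSource":"ec2.amazonaws.com","eventName":"AuthorizeSecurityGroupEgress","recipientAccountId":"111122223333","userIdentity":{"type":"AssumedRole","arn":"arn:aws:sts::111122223333:assumed-role/cde-deploy-pipeline/codebuild"},"requestParameters":{"groupId":"sg-0a1b2c3d4e5f60001"}}
{"eventTime":"2019-06-25T14:05:40Z","eventSource":"ec2.amazonaws.com","eventName":"AuthorizeSecurityGroupIngress","recipientAccountId":"111122223333","userIdentity":{"type":"IAMUser","arn":"arn:aws:iam::111122223333:user/alice"},"requestParameters":{"groupId":"sg-0a1b2c3d4e5f60002"}}
{"eventTime":"2019-06-25T14:06:02Z","eventSource":"ec2.amazonaws.com","eventName":"DescribeSecurityGroups","recipientAccountId":"111122223333","userIdentity":{"type":"IAMUser","arn":"arn:aws:iam::111122223333:user/alice"},"requestParameters":{}}
{"eventTime":"2019-06-25T14:07:15Z","eventSource":"ec2.amazonaws.com","eventName":"RevokeSecurityGroupIngress","recipientAccountId":"444455556666","userIdentity":{"type":"IAMUser","arn":"arn:aws:iam::444455556666:user/bob"},"requestParameters":{"groupId":"sg-0f0f0f0f0f0f0f0f0"}}
'''.strip().splitlines()]

# Assumptions for the example: the CDE and connected-to account IDs (the PCI OU), and
# the only role allowed to change segmentation controls (the IaC deployment pipeline).
PCI_ACCOUNTS = {"111122223333", "777788889999"}
APPROVED_ROLES = {"cde-deploy-pipeline"}

# API calls that change a segmentation boundary, mapped to the call that undoes them.
# None means the reversal needs the previous state (restore from the IaC definition).
SEGMENTATION_EVENTS = {
    "AuthorizeSecurityGroupIngress": "RevokeSecurityGroupIngress",
    "AuthorizeSecurityGroupEgress": "RevokeSecurityGroupEgress",
    "RevokeSecurityGroupIngress": "AuthorizeSecurityGroupIngress",
    "RevokeSecurityGroupEgress": "AuthorizeSecurityGroupEgress",
    "CreateVpcPeeringConnection": "DeleteVpcPeeringConnection",
    "ModifyNetworkInterfaceAttribute": None,
    "ReplaceNetworkAclEntry": None,
}


def role_name(arn):
    """'arn:aws:sts::123:assumed-role/NAME/session' -> 'NAME'; any other ARN -> None."""
    parts = arn.split(":")[-1].split("/")
    return parts[1] if parts[0] == "assumed-role" and len(parts) >= 2 else None


def detect_unapproved_changes(events, pci_accounts=PCI_ACCOUNTS, approved_roles=APPROVED_ROLES):
    """Return an alert for every segmentation change in a PCI account not made by an approved role."""
    alerts = []
    for ev in events:
        if ev.get("recipientAccountId") not in pci_accounts:
            continue                      # not a PCI OU account
        name = ev.get("eventName")
        if name not in SEGMENTATION_EVENTS:
            continue                      # read-only or unrelated API call
        actor = ev.get("userIdentity", {}).get("arn", "")
        if role_name(actor) in approved_roles:
            continue                      # change came through the IaC pipeline
        alerts.append({
            "time": ev["eventTime"],
            "account": ev["recipientAccountId"],
            "event": name,
            "actor": actor,
            "group": ev.get("requestParameters", {}).get("groupId"),
            "suggested_response": SEGMENTATION_EVENTS[name],
        })
    return alerts


if __name__ == "__main__":
    for a in detect_unapproved_changes(SAMPLE_EVENTS):
        print(f"{a['time']} {a['account']} {a['event']} by {a['actor']} on {a['group']}"
              f" -> respond with {a['suggested_response']}")
```

In a deployment this logic sits behind a CloudWatch Events/EventBridge rule on the `ec2.amazonaws.com` event source and feeds a Lambda function that performs the reversal (the request parameters in the CloudTrail record carry the rule that was added, so the revoke call can be built from them) and opens a ticket. Its preventive counterpart is an SCP on the PCI OU that denies these same actions to every principal except the pipeline role, so the detective rule should almost never fire; when it does, it means the preventive control itself has been changed.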
  47. Putting it all together (diagram: scope identification down to the CDE, combined with the segmentation layers and the validation and life cycle controls)
  48. Further reading
     - Whitepaper: Architecting for PCI DSS Scoping and Segmentation on AWS (https://d1.awsstatic.com/whitepapers/pci-dss-scoping-on-aws.pdf)
     - Whitepaper: AWS Security Best Practices (https://d1.awsstatic.com/whitepapers/Security/AWS_Security_Best_Practices.pdf)
     - Quick Start: Standardized Architecture for PCI DSS on the AWS Cloud (https://docs.aws.amazon.com/quickstart/latest/compliance-pci/welcome.html)
     - AWS Shared Responsibility Model (https://aws.amazon.com/compliance/shared-responsibility-model/)
  49. Thank you! Avik Mukherjee (mukavik@amazon.com), Aditya Patel (adityapa@amazon.com)
