Meeting PCI DSS Requirements with AWS and CloudPassage
  • When you are architecting a solution it's important to include security at every layer of the architecture. In the AWS environment there will be pieces of this that fall into our control and there are pieces that are in the control of the customer, as you can see on this slide. With our shared responsibility model, things such as the physical security and security of the virtualized infrastructure are handled by AWS, and on the customer side you're responsible for things such as patching your operating systems and applications as well as security services that run within the guest operating system such as anti-virus and host based firewalls. This is an area where our partner ecosystem can provide solutions to help customers further secure their environment. We will hear in the next section about SafeNet's data encryption products that are specifically architected to run within AWS.
    1. Meeting PCI DSS Requirements with AWS and CloudPassage
       Carson Sweet, Co-founder & CEO, CloudPassage
       Ryan Holland, Solutions Architect, Amazon EC2
       Philip Stehlik, Founder & CTO, Taulia
       Twitter hashtag #PCIAWS
       © 2013 CloudPassage Inc.
    2. Session Agenda
       • What the PCI DSS requires
       • Shared responsibility model
       • Amazon Web Services capabilities
       • CloudPassage Halo security automation tools
       • Customer Case: Philip Stehlik, Taulia CTO
       • Questions & wrap-up
    3. What the PCI DSS v2 Requires
       • Build and Maintain a Secure Network*
       • Secure Cardholder Data (in transit & in storage)
       • Maintain a Vulnerability Management Program
       • Implement Strong Access Control Measures
       • Regularly Monitor and Test Networks*
       • Maintain an Information Security Policy
       * The term “Network” includes server and application stacks
    4. What This Means for Cloud Servers*
       • Secure facilities, physical environment, hypervisors
       • Robust, auditable network access control (firewalls)
       • Hardened operating system and application stacks
       • Strong server authentication and access mgmt.
       • Vulnerability, patch and anti-virus management
       • Continuous monitoring, logging, regular testing
       * PCI DSS requirements are always open to QSA interpretation
    5. Security & compliance are shared responsibilities between AWS and you.
    12. Introducing CloudPassage Halo
        Security and compliance automation for public, private and hybrid cloud servers
        • Cloud Firewall Automation
        • File Integrity Monitoring
        • Multi-Factor Authentication
        • Server Account Management
        • Configuration Security
        • Security Event Alerting
        • Vulnerability Scanning
        • REST API Integrations
    13. 13. www-1 Web UI + REST API Light-weight agent AWS EC2 Grid performs www-1 mysql-1 bigdata-1 analytics SaaS delivery Halo Halo Halo User Portal CloudPassage https Halo Policies, https Commands, RESTful Reports Halo Compute API Gateway Grid© 2013 CloudPassage Inc.
    14. Daemons are automatically deployed to servers by bundling them into EC2 AMIs. This ensures consistent security by making it part of the cloud stack itself. (diagram: www-ami launched as www-1, www-2, www-3 on AWS EC2, each running the Halo agent and connected over https to the CloudPassage Halo Compute Grid through the RESTful API Gateway for policies, commands and reports; Halo User Portal)
    15. Unique Hybrid Cloud Capabilities (diagram: ec2-east, ec2-west, ec2-eu, a private cloud, and a 1st gen virtualized or traditional data center)
        Single pane of glass across cloud deployments
        • Scales and bursts with dynamic cloud environments
        • Not dependent on chokepoints, static networks or fixed IPs
        • Agnostic to location, hypervisor or hardware
    16. Halo’s Unique Benefits
        • Security built into the cloud stack
          – Deploy once, automatic provisioning follows
          – Transparently handles cloudbursting and cloning
          – Automatic updates of re-activated, stale servers
        • Security that scales with your environment
          – Operates identically on one server or one thousand
          – Halo Grid absorbs 95% or more of compute cycles
          – Far less worry about security capacity or performance
        • Portable Security
          – Automatic policy updates as servers move (e.g. IPs)
          – Operates across EC2 regions, VPC, DirectConnect
    17. Securing EC2 Guest VMs with Halo (diagram: a Cloud Server VM stacked as Operating System, App Framework, App Code, and Data and content, with a host FW on both the inbound and the outbound side)
        • Continuously verify integrity of binaries, configurations, code
        • Track sensitive data and prevent egress
        • Ensure application stacks are locked down and match gold standards
        • Provision host-based firewalls (inbound and outbound)
        • Verify gold masters and harden server configurations
        Automate, automate, automate!
    18. Host-based Firewall Orchestration with Halo
    19. Host-based Firewall Orchestration (diagram: a Load Balancer, two App Servers and a DB Master, each behind its own host FW)
    20. Host-based Firewall Orchestration (diagram: two Load Balancers, three App Servers, a DB Master and a DB Slave, each behind its own host FW)
    21. Host-based Firewall Orchestration (diagram: as on the previous slide, with an additional App Server added and its Server IP shown)
    22. Host-based Firewall Orchestration (diagram: two Load Balancers, two App Servers, a DB Master and a DB Slave, each behind its own host FW, with one App Server IP shown)
    23. Why Halo Firewall Orchestration?
        • Functional enhancements
          – Directly auditable, logged firewall
          – Bi-directional filtering
          – Full control of policy enforcement point
        • Other good reasons
          – Automates host based firewalls [1]
          – PCI DSS typically requires auditable, bidirectional firewalls [2]
        [1] See “Amazon Web Services Security White Paper” p. 12-15, media.amazonwebservices.com/pdf/AWS_Security_Whitepaper.pdf
        [2] See PCI DSS v2 documentation, www.pcisecuritystandards.org/security_standards/documents.php
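The orchestration idea behind slides 19 through 23, as an added example written for this page (it is not CloudPassage or Halo code): a small role-based policy derives each host's inbound allow-list from the inventory, so adding the new App Server re-derives the DB hosts' rules and the diff is what gets pushed and logged. The POLICY table, role names and 10.0.x.x addresses are all hypothetical, constructed for the example.

```python
"""Role-based host-firewall orchestration (added example, not CloudPassage code):
each host's inbound allow-list is derived from the roles and IPs of the other
hosts, so adding or removing a server re-derives every dependent host's rules."""
from collections import defaultdict
# Hypothetical policy: a host with the listening role accepts the port from the
# source role; "ANY" means any address (the load balancer's public side).
POLICY = {
    "lb": [(443, "ANY")],
    "app": [(8080, "lb")],
    "db": [(3306, "app")],
}

def render_rules(inventory: dict) -> dict:
    """inventory {host: (role, ip)} -> {host: ordered inbound rules, default-deny last}."""
    by_role = defaultdict(list)
    for role, ip in inventory.values():
        by_role[role].append(ip)
    rules = {}
    for host, (role, _ip) in inventory.items():
        allow = []
        for port, src_role in POLICY.get(role, []):
            sources = ["0.0.0.0/0"] if src_role == "ANY" else sorted(by_role[src_role])
            allow += [f"ACCEPT tcp dport {port} from {src}" for src in sources]
        rules[host] = sorted(allow) + ["DROP all"]
    return rules

def diff_rules(old: dict, new: dict) -> dict:
    """{host: (added, removed)} for every host whose rule set changed: the push (and audit log) unit."""
    changes = {}
    for host in set(old) | set(new):
        added = sorted(set(new.get(host, [])) - set(old.get(host, [])))
        removed = sorted(set(old.get(host, [])) - set(new.get(host, [])))
        if added or removed:
            changes[host] = (added, removed)
    return changes

def add_app_server(inventory: dict, name: str, ip: str) -> dict:
    """Inventory with one more app server, the slides' 'Server IP' step."""
    return {**inventory, name: ("app", ip)}

# Constructed inventory mirroring the slides: LB, two app servers, DB master and slave.
BASE = {"lb-1": ("lb", "10.0.0.10"),
        "app-1": ("app", "10.0.1.11"), "app-2": ("app", "10.0.1.12"),
        "db-master": ("db", "10.0.2.21"), "db-slave": ("db", "10.0.2.22")}
if __name__ == "__main__":
    before = render_rules(BASE)
    after = render_rules(add_app_server(BASE, "app-3", "10.0.1.13"))
    for host, (added, removed) in sorted(diff_rules(before, after).items()):
        print(host, "add:", added, "remove:", removed)
```

Running the diff in the other direction (after to before) yields the revocation pushed when the server is retired, which is the step slide 22 depicts.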
    24. EC2 Instance Security & Compliance with Halo
    25. Traditional Operations Model (diagram: www-1, www-2, www-3, www-4 in a traditional datacenter, each flagged “!”)
        • Relatively static capacity & slow change
        • Servers are long-lived, maintained assets
        • Heavy dependence on network defenses
        • Machine security drifts, decays over time
    26. Stateless Cloud-Server Model (diagram: a www Gold Master cloned to www-1, www-2, www-3, www-4)
        • Most instances are clones of a “gold master”
        • New servers can be launched in minutes
        • Servers are disposable, stateless machines
    27. Stateless Server Security Model (diagram: the www Gold Master and its clones www-1 through www-4, one of them flagged “!”)
        • Any deviation from the gold master indicates a risk state (malicious or otherwise)
    28. Stateless Server Security Model (diagram: the flagged www-2 is replaced by a fresh clone of the www Gold Master)
        • Any deviation from the gold master indicates a risk state (malicious or otherwise)
        • Automated sequestering and/or replacement of questionable machines is instantaneous
    29. Drift Risk & Threat Monitoring (diagram: www-1 through www-4, two of them flagged “!”)
    30. Drift Risk & Threat Monitoring (diagram: www-1 through www-4, flagged “!” and “?”)
        • Misconfigurations due to deployment, debugging, “tweaking”
    31. Drift Risk & Threat Monitoring (diagram: www-1 through www-4, flagged “!” and “?”)
        • Misconfigurations due to admin/developer tweaking, stale images
        • Code changes from unexpected deployment, code tampering
    32. Drift Risk & Threat Monitoring (diagram: www-1 through www-4, flagged “!” and “?”)
        • Misconfigurations due to admin/developer tweaking, stale images
        • Code changes from unexpected deployment, code tampering
        • Binary changes from innocent or malicious sources
    33. Drift Risk & Threat Monitoring (diagram: www-1 through www-4, flagged “!” and “?”)
        • Misconfigurations due to admin/developer tweaking, stale images
        • Code changes from unexpected deployment, code tampering
        • Binary changes from innocent or malicious sources
        • Unexpected artifacts like listening ports, files, system processes
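The stateless-server check behind slides 27 through 33, as an added example written for this page (it is not Halo's file integrity monitoring code): a gold-master manifest of file hashes, expected listening ports and expected processes is compared against a snapshot from a running clone, and each deviation is reported under one of the drift categories the slides list. The manifest, the snapshot and the path-prefix classification rules are constructed for the example.

```python
"""Gold-master drift detection (added example, not CloudPassage/Halo code):
compare a running clone's snapshot against the gold master it was launched from."""
import hashlib

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def classify(path: str) -> str:
    """Map a changed path to the drift categories named on the slides (assumed prefixes)."""
    if path.startswith("/etc/"):
        return "misconfiguration"
    if path.startswith(("/var/www/", "/srv/app/")):
        return "code change"
    if path.startswith(("/bin/", "/sbin/", "/usr/bin/", "/usr/sbin/")):
        return "binary change"
    return "unexpected file"

def detect_drift(gold: dict, snapshot: dict) -> list:
    """Return sorted (category, detail) findings; an empty list means the clone matches."""
    findings = []
    for path, digest in snapshot["files"].items():
        expected = gold["files"].get(path)
        if expected is None:
            findings.append(("unexpected file", path))
        elif expected != digest:
            findings.append((classify(path), path))
    for path in set(gold["files"]) - set(snapshot["files"]):
        findings.append(("missing file", path))
    for port in sorted(set(snapshot["ports"]) - set(gold["ports"])):
        findings.append(("unexpected listening port", str(port)))
    for proc in sorted(set(snapshot["processes"]) - set(gold["processes"])):
        findings.append(("unexpected process", proc))
    return sorted(findings)

# Constructed gold master: hashes of a clean clone's files plus its expected ports and processes.
GOLD = {
    "files": {"/etc/ssh/sshd_config": sha256(b"PermitRootLogin no\n"),
              "/var/www/app.py": sha256(b"def handler(): return 'ok'\n"),
              "/usr/bin/curl": sha256(b"<gold curl binary>")},
    "ports": {22, 443},
    "processes": {"sshd", "nginx", "halo"},
}
# Constructed snapshot of a drifted clone: sshd config tweaked by hand, an extra file, a new listener.
DRIFTED = {
    "files": {**GOLD["files"],
              "/etc/ssh/sshd_config": sha256(b"PermitRootLogin yes\n"),
              "/opt/debug/listener": sha256(b"<unknown binary>")},
    "ports": GOLD["ports"] | {8081},
    "processes": GOLD["processes"] | {"listener"},
}
```

A non-empty result is the “!” or “?” on the slides: the clone is a candidate for sequestering or replacement rather than for hand repair.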
    34. What There Wasn’t Time For…
        • Auto-containment of server compromise
        • Multi-factor auth for root / sysadmins / DBAs
        • Configuration compliance management
        • Syncing AWS instances with your LDAP
        • SIEM integration with Halo
        … blog.cloudpassage.com for more Halo use case examples
    35. Mapping Halo to PCI DSS Milestones
    36. Try Halo: 5 minutes to setup
        • Register at cloudpassage.com
        • Install Halo daemons on EC2 instances
        • Manage security instantly from Halo user portal
    37. TAULIA OFFICE LOCATIONS
        • The leading SaaS provider of supplier portal, e-invoicing and dynamic discounting software solutions through an SAP-certified solution that extends SAP financials beyond the enterprise
        • Enables buying organizations to automate and maximize supplier discounts while strengthening supplier relationships
        • Worldwide HQ: San Francisco, CA; European HQ: Düsseldorf, Germany
        • Heritage: Industry experts with 20+ years of experience building market leading AP applications
    38. Questions and Answers
        Philip Stehlik, CTO, Taulia (@pstehlik, www.taulia.com)
        • Tell us a little bit about Taulia.
        • How does Taulia use the cloud to enable their business?
        • Why did Taulia choose Amazon EC2 as its cloud provider?
        • Why did Taulia choose to deploy Halo on its EC2 instances?
        • What advice would you offer to businesses adopting AWS?
    39. Thank You
        www.cloudpassage.com
        @cloudpassage