Boyan Dimitrov, profile picture
Uploaded byBoyan Dimitrov
PPTX, PDF365 views

Building Highly Sophisticated Environments for Security and Compliance on AWS

The document outlines the implementation of a highly secure and compliant omnichannel payment platform on AWS, achieved through strategic decision-making and adherence to PCI-DSS standards. Key learnings emphasize the importance of collaboration, continuous adaptation, incremental project management, and team care. The successful integration enhances security through various AWS services while improving compliance metrics significantly.

Embed presentation

Downloaded 11 times
© 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Building Highly Sophisticated Environments for Security and Compliance on AWS September 2018 Boyan Dimitrov Director Platform Engineering Sixt @nathariel
Q1 2018: Brand New Omnichannel Payment Platform
Early 2017 Redesign our payment channels Adapt business processes Communicate to partners and third parties Plan & Coordinate Teams Early 2017 Payment Environment
Early 2017Requirements In Production in 8 months Integrated to our business Highly Secure Scalable Modular PCI-DSS Compliant
What is PCI-DSS Compliance • Standard for cardholder data environments composed of security best practices and controls. • It’s all about maintaining a secure environment • If you are handling credit card data – this applies to you too!
Build and Maintain a Secure Network 1. Install and maintain a firewall configuration to protect cardholder data 2. Do not use vendor-supplied defaults for system passwords and other security parameters Protect Cardholder Data 3. Protect stored cardholder data 4. Encrypt transmission of cardholder data across open, public networks Maintain a Vulnerability Management Program 5. Use and regularly update anti-virus software or programs 6. Develop and maintain secure systems and applications Implement Strong Access Control Measures 7. Restrict access to cardholder data by business need to know 8. Assign a unique ID to each person with computer access 9. Restrict physical access to cardholder data Regularly Monitor and Test Networks 10. Track and monitor all access to network resources and cardholder data 11. Regularly test security systems and processes Maintain an Information Security Policy 12. Maintain a policy that addresses information security for all personnel PCI Goals and Requirements
Early 2017Decision to be made Build On The Cloud Build in our DCs Outsource to third party
Security in the Cloud is a Shared Responsibility https://aws.amazon.com/compliance/shared-responsibility-model/
Build and Maintain a Secure Network Protect Cardholder Data Maintain a Vulnerability Management Program Implement Strong Access Control Measures Regularly Monitor and Test Networks Maintain an Information Security Policy PCI Requirements mapped to AWS Services VPC Security Group Amazon EC2 Cloudformation S3 EBS CloudHSM KMSRDS Security Group ELB VPN WAF CloudFront Cognito Directory ServiceIAM S3Cloudtrail Inspector Config Lambda Lambda Lambda Lambda
AWS services in scope by PCI-DSS compliance of all services are PCI- Compliant > 55% 47,6% Increase from prev. year 26 In 2016 62 In 2018 42 In 2017
Early 2017Our Decision Build On The Cloud Build in our DCs Outsource to third party
Outcome Learning 1: Bring the right people together early on
Execution Strategy: Learnings from the past https://en.wikipedia.org/wiki/OODA_loop#/media/File:OODA.Boyd.svg Patrick Edwin Moran
OODA in an AWS security context Observe Orient Decide ACT VPC Flow Logs Inspector Agent CloudWatch Insights CloudTrail Config More CloudWatch Inspector Lambda Shield ShieldShieldWAF Machine Learning Config Policies Config Policies CloudWatchWAF WAF SNS Lambda Lambda More MoreMore Guard Duty
VPC Flow Logs CloudWatch Insights CloudTrail Config CloudWatch Config Policies Protected Accounts Security Account Trails Logs Observe…
Orient, Decide, Act! CloudWatch Logs / Events S3 SIEM Config Policies Protectedaccounts Lambda Trails Logs SNS Security Team Security Account OPS Active Scans Corrective Actions
The Controlling Core CloudWatch Logs / Events S3 SIEM Config Policies Protectedaccounts Active Scans Lambda SNS Security Team Security Account Corrective Actions OPS Trails Logs
Learning 2: Have a strategy
Changes had to be made on the way ECSLambda
Learning 3: Break down large projects into small iterations
End to end automation Engineers CodePipeline CodeBuild ECR ECS Deployment Approval Code Review Code Minutes
Learning 4: Know and leverage the ecosystem
Learning 5: Take care of your team
Summary 1. Bring the right people together early on 2. Have a strategy 3. Break down large projects into small iterations 4. Know and leverage the ecosystem 5. Take care of your team
Thank You

More Related Content

PDF
Demystifying Service Mesh
byMitchell Pronschinske
 
PPTX
Complex architectures for authentication and authorization on AWS
byBoyan Dimitrov
 
PDF
Complex architectures for authentication and authorization on AWS
byBoyan Dimitrov
 
PDF
Microservice architecture-api-gateway-considerations
byImam Uddin Ahamed - PRINCE2 ® , ITIL ®
 
PDF
Gravitee.io
byKnoldus Inc.
 
PPTX
AzureConf 2014 - Azure hybrid connections (Sam Vanhoutte)
bySam Vanhoutte
 
PDF
Service mesh in Microservice World to Manage end to end service communications
bySatya Syam
 
PDF
Layer 7 Observability and Centralized Configuration with Consul Service Mesh
byMitchell Pronschinske
 
Demystifying Service Mesh
byMitchell Pronschinske
 
Complex architectures for authentication and authorization on AWS
byBoyan Dimitrov
 
Complex architectures for authentication and authorization on AWS
byBoyan Dimitrov
 
Microservice architecture-api-gateway-considerations
byImam Uddin Ahamed - PRINCE2 ® , ITIL ®
 
Gravitee.io
byKnoldus Inc.
 
AzureConf 2014 - Azure hybrid connections (Sam Vanhoutte)
bySam Vanhoutte
 
Service mesh in Microservice World to Manage end to end service communications
bySatya Syam
 
Layer 7 Observability and Centralized Configuration with Consul Service Mesh
byMitchell Pronschinske
 

What's hot

PDF
Microservice Architecture
byRich Lee
 
PDF
An overview of the Eventuate Platform
byChris Richardson
 
PPTX
OAuth and OpenID Connect for PSD2 and Third-Party Access
byNordic APIs
 
PPTX
Microservices and the Cloud-Based Future of Integration
byBizTalk360
 
PPTX
Introduction to Hybrid Connections
byDaniel Toomey
 
PPTX
The Internet of things for integration people - UKCSUG - public version
bySam Vanhoutte
 
PDF
Microservices - Hitchhiker's guide to cloud native applications
byStijn Van Den Enden
 
PPTX
Building a Reliable Cloud Bank in Java | Starling Bank | QCon 2018
byStarling Bank
 
PPTX
Architecting Microservices in .Net
byRichard Banks
 
PPTX
Service mesh in action with onap
byHuabing Zhao
 
PDF
[WSO2Con EU 2018] Identity APIs is the New Black
byWSO2
 
PPTX
API World: The service-mesh landscape
byChristian Posta
 
PDF
AWS Api Gateway by Łukasz Marchewka Scalacc
byScalac
 
PDF
Microservices
byACCESS Health Digital
 
PDF
Api Management with Service Mesh
byLakmal Warusawithana
 
PDF
Overview of the Eventuate Tram Customers and Orders application
byChris Richardson
 
PDF
Developing applications with a microservice architecture (svcc)
byChris Richardson
 
PDF
The Role of IAM in Microservices
byWSO2
 
PPTX
apidays LIVE Jakarta - REST the events: REST APIs for Event-Driven Architectu...
byapidays
 
PPTX
Istio a service mesh
byChandresh Pancholi
 
Microservice Architecture
byRich Lee
 
An overview of the Eventuate Platform
byChris Richardson
 
OAuth and OpenID Connect for PSD2 and Third-Party Access
byNordic APIs
 
Microservices and the Cloud-Based Future of Integration
byBizTalk360
 
Introduction to Hybrid Connections
byDaniel Toomey
 
The Internet of things for integration people - UKCSUG - public version
bySam Vanhoutte
 
Microservices - Hitchhiker's guide to cloud native applications
byStijn Van Den Enden
 
Building a Reliable Cloud Bank in Java | Starling Bank | QCon 2018
byStarling Bank
 
Architecting Microservices in .Net
byRichard Banks
 
Service mesh in action with onap
byHuabing Zhao
 
[WSO2Con EU 2018] Identity APIs is the New Black
byWSO2
 
API World: The service-mesh landscape
byChristian Posta
 
AWS Api Gateway by Łukasz Marchewka Scalacc
byScalac
 
Microservices
byACCESS Health Digital
 
Api Management with Service Mesh
byLakmal Warusawithana
 
Overview of the Eventuate Tram Customers and Orders application
byChris Richardson
 
Developing applications with a microservice architecture (svcc)
byChris Richardson
 
The Role of IAM in Microservices
byWSO2
 
apidays LIVE Jakarta - REST the events: REST APIs for Event-Driven Architectu...
byapidays
 
Istio a service mesh
byChandresh Pancholi
 

Similar to Building Highly Sophisticated Environments for Security and Compliance on AWS

PPTX
Solutions For PCI Compliance
byJohn Bedrick
 
PPTX
Making Compliance Business as Usual
byControlCase
 
PDF
Secured Hosting of PCI DSS Compliant Web Applications on AWS
byGaurav "GP" Pal
 
PPTX
Automate compliance with cloud guard dome9
byJohn Varghese
 
PPTX
PCI DSS Business as Usual
byControlCase
 
PDF
PCI DSS Business as Usual
byControlCase
 
PPTX
PCI DSS 3.2 - Business as Usual
byKimberly Simon MBA
 
PPTX
Presentation: To an efficient tool for securing the card data on the Cloud: C...
byHassan EL ALLOUSSI
 
PPTX
PCI Compliance in Cloud
byControlCase
 
PPTX
PCI Compliance in Cloud
byControlCase
 
PPTX
PCI Compliance in the Cloud
byKimberly Simon MBA
 
PPTX
PCI Compliance in the Cloud
byKimberly Simon MBA
 
PPTX
PCI DSS Business as Usual
byKimberly Simon MBA
 
PPTX
PCI DSS Business as Usual (BAU)
byKimberly Simon MBA
 
PPTX
Making PCI V3.0 Business as Usual (BAU)
byControlCase
 
PPTX
Blue Chip Tek Connect and Protect Presentation #3
byKimberly Macias
 
PPTX
PCI Compliance - Delving Deeper In The Standard
byJohn Bedrick
 
PDF
PCI DSS Success: Achieve Compliance and Increase Web Application Security
byCitrix
 
PPTX
Rohan s w2 - top 5 tools that help in monitoring compliance for pci dss and...
byRohan Singh
 
PDF
PCI DSS Implementation: A Five Step Guide
byAlienVault
 
Solutions For PCI Compliance
byJohn Bedrick
 
Making Compliance Business as Usual
byControlCase
 
Secured Hosting of PCI DSS Compliant Web Applications on AWS
byGaurav "GP" Pal
 
Automate compliance with cloud guard dome9
byJohn Varghese
 
PCI DSS Business as Usual
byControlCase
 
PCI DSS Business as Usual
byControlCase
 
PCI DSS 3.2 - Business as Usual
byKimberly Simon MBA
 
Presentation: To an efficient tool for securing the card data on the Cloud: C...
byHassan EL ALLOUSSI
 
PCI Compliance in Cloud
byControlCase
 
PCI Compliance in Cloud
byControlCase
 
PCI Compliance in the Cloud
byKimberly Simon MBA
 
PCI Compliance in the Cloud
byKimberly Simon MBA
 
PCI DSS Business as Usual
byKimberly Simon MBA
 
PCI DSS Business as Usual (BAU)
byKimberly Simon MBA
 
Making PCI V3.0 Business as Usual (BAU)
byControlCase
 
Blue Chip Tek Connect and Protect Presentation #3
byKimberly Macias
 
PCI Compliance - Delving Deeper In The Standard
byJohn Bedrick
 
PCI DSS Success: Achieve Compliance and Increase Web Application Security
byCitrix
 
Rohan s w2 - top 5 tools that help in monitoring compliance for pci dss and...
byRohan Singh
 
PCI DSS Implementation: A Five Step Guide
byAlienVault
 

More from Boyan Dimitrov

PPTX
How Design Systems and AI Agents Accelerate Product Delivery Sixt
byBoyan Dimitrov
 
PDF
Observability foundations in dynamically evolving architectures
byBoyan Dimitrov
 
PDF
Anatomy of the modern application stack
byBoyan Dimitrov
 
PPTX
Microservices: next-steps
byBoyan Dimitrov
 
PPTX
Moving to microservices – a technology and organisation transformational journey
byBoyan Dimitrov
 
PPTX
Patterns for building resilient and scalable microservices platform on AWS
byBoyan Dimitrov
 
PDF
Microservices and elastic resource pools with Amazon EC2 Container Service
byBoyan Dimitrov
 
PDF
Monitoring microservices platform
byBoyan Dimitrov
 
PPTX
Scaling micro-services Architecture on AWS
byBoyan Dimitrov
 
PPTX
Scaling from 1 to 10 million users - Hailo
byBoyan Dimitrov
 
How Design Systems and AI Agents Accelerate Product Delivery Sixt
byBoyan Dimitrov
 
Observability foundations in dynamically evolving architectures
byBoyan Dimitrov
 
Anatomy of the modern application stack
byBoyan Dimitrov
 
Microservices: next-steps
byBoyan Dimitrov
 
Moving to microservices – a technology and organisation transformational journey
byBoyan Dimitrov
 
Patterns for building resilient and scalable microservices platform on AWS
byBoyan Dimitrov
 
Microservices and elastic resource pools with Amazon EC2 Container Service
byBoyan Dimitrov
 
Monitoring microservices platform
byBoyan Dimitrov
 
Scaling micro-services Architecture on AWS
byBoyan Dimitrov
 
Scaling from 1 to 10 million users - Hailo
byBoyan Dimitrov
 

Recently uploaded

PDF
[BDD 2025 - Mobile Development] Mobile Engineer and Software Engineer: Are we...
bywintari3
 
PDF
[BDD 2025 - Artificial Intelligence] AI for the Underdogs: Innovation for Sma...
byWintari Yasmin
 
PPTX
"Feelings versus facts: why metrics are more important than intuition", Igor ...
byFwdays
 
PPTX
Support, Monitoring, Continuous Improvement & Scaling Agentic Automation [3/3]
byUiPathCommunity
 
PDF
5 Common Supply Chain Attacks and How They Work | CyberPro Magazine
byCyberPro Magazine
 
PDF
Mulesoft Meetup Online Portuguese: MCP e IA
byPedro Baroni
 
PDF
Dev Dives: Build smarter agents with UiPath Agent Builder
byUiPathCommunity
 
PDF
Lets Build a Serverless Function with Kiro
byChris Bingham
 
PPTX
The power of Slack and MuleSoft | Bangalore MuleSoft Meetup #60
byshyamraj55
 
PDF
KMWorld - KM & AI Bring Collectivity, Nostalgia, & Selectivity
byJonathan Ralton
 
PDF
Top Crypto Supers 15th Report November 2025
byStephen Perrenod
 
PDF
How Much Does It Cost To Build Software
bycollinmishell2
 
PDF
The partnership effect: Libraries and publishers on collaborating and thrivin...
byBookNet Canada
 
PDF
Transforming Supply Chains with Amazon Bedrock AgentCore (AWS Swiss User Grou...
byChris Bingham
 
PPTX
MuleSoft AI Series : Introduction to MCP
byMulesoftMunichMeetup
 
PDF
[BDD 2025 - Artificial Intelligence] Building AI Systems That Users (and Comp...
byWintari Yasmin
 
PDF
Open Source Post-Quantum Cryptography - Matt Caswell
byAll Things Open
 
PDF
[BDD 2025 - Full-Stack Development] PHP in AI Age: The Laravel Way. (Rizqy Hi...
byWintari Yasmin
 
PDF
"DISC as GPS for team leaders: how to lead a team from storming to performing...
byFwdays
 
PDF
DUBAI IT MODERNIZATION WITH AZURE MANAGED SERVICES.pdf
byLogicEra
 
[BDD 2025 - Mobile Development] Mobile Engineer and Software Engineer: Are we...
bywintari3
 
[BDD 2025 - Artificial Intelligence] AI for the Underdogs: Innovation for Sma...
byWintari Yasmin
 
"Feelings versus facts: why metrics are more important than intuition", Igor ...
byFwdays
 
Support, Monitoring, Continuous Improvement & Scaling Agentic Automation [3/3]
byUiPathCommunity
 
5 Common Supply Chain Attacks and How They Work | CyberPro Magazine
byCyberPro Magazine
 
Mulesoft Meetup Online Portuguese: MCP e IA
byPedro Baroni
 
Dev Dives: Build smarter agents with UiPath Agent Builder
byUiPathCommunity
 
Lets Build a Serverless Function with Kiro
byChris Bingham
 
The power of Slack and MuleSoft | Bangalore MuleSoft Meetup #60
byshyamraj55
 
KMWorld - KM & AI Bring Collectivity, Nostalgia, & Selectivity
byJonathan Ralton
 
Top Crypto Supers 15th Report November 2025
byStephen Perrenod
 
How Much Does It Cost To Build Software
bycollinmishell2
 
The partnership effect: Libraries and publishers on collaborating and thrivin...
byBookNet Canada
 
Transforming Supply Chains with Amazon Bedrock AgentCore (AWS Swiss User Grou...
byChris Bingham
 
MuleSoft AI Series : Introduction to MCP
byMulesoftMunichMeetup
 
[BDD 2025 - Artificial Intelligence] Building AI Systems That Users (and Comp...
byWintari Yasmin
 
Open Source Post-Quantum Cryptography - Matt Caswell
byAll Things Open
 
[BDD 2025 - Full-Stack Development] PHP in AI Age: The Laravel Way. (Rizqy Hi...
byWintari Yasmin
 
"DISC as GPS for team leaders: how to lead a team from storming to performing...
byFwdays
 
DUBAI IT MODERNIZATION WITH AZURE MANAGED SERVICES.pdf
byLogicEra
 

Building Highly Sophisticated Environments for Security and Compliance on AWS

  • 1.
    © 2018, AmazonWeb Services, Inc. or its Affiliates. All rights reserved. Building Highly Sophisticated Environments for Security and Compliance on AWS September 2018 Boyan Dimitrov Director Platform Engineering Sixt @nathariel
  • 3.
    Q1 2018: BrandNew Omnichannel Payment Platform
  • 4.
    Early 2017 Redesign ourpayment channels Adapt business processes Communicate to partners and third parties Plan & Coordinate Teams Early 2017 Payment Environment
  • 5.
    Early 2017Requirements In Productionin 8 months Integrated to our business Highly Secure Scalable Modular PCI-DSS Compliant
  • 6.
    What is PCI-DSSCompliance • Standard for cardholder data environments composed of security best practices and controls. • It’s all about maintaining a secure environment • If you are handling credit card data – this applies to you too!
  • 7.
    Build and Maintaina Secure Network 1. Install and maintain a firewall configuration to protect cardholder data 2. Do not use vendor-supplied defaults for system passwords and other security parameters Protect Cardholder Data 3. Protect stored cardholder data 4. Encrypt transmission of cardholder data across open, public networks Maintain a Vulnerability Management Program 5. Use and regularly update anti-virus software or programs 6. Develop and maintain secure systems and applications Implement Strong Access Control Measures 7. Restrict access to cardholder data by business need to know 8. Assign a unique ID to each person with computer access 9. Restrict physical access to cardholder data Regularly Monitor and Test Networks 10. Track and monitor all access to network resources and cardholder data 11. Regularly test security systems and processes Maintain an Information Security Policy 12. Maintain a policy that addresses information security for all personnel PCI Goals and Requirements
  • 8.
    Early 2017Decision tobe made Build On The Cloud Build in our DCs Outsource to third party
  • 9.
    Security in theCloud is a Shared Responsibility https://aws.amazon.com/compliance/shared-responsibility-model/
  • 10.
    Build and Maintaina Secure Network Protect Cardholder Data Maintain a Vulnerability Management Program Implement Strong Access Control Measures Regularly Monitor and Test Networks Maintain an Information Security Policy PCI Requirements mapped to AWS Services VPC Security Group Amazon EC2 Cloudformation S3 EBS CloudHSM KMSRDS Security Group ELB VPN WAF CloudFront Cognito Directory ServiceIAM S3Cloudtrail Inspector Config Lambda Lambda Lambda Lambda
  • 11.
    AWS services inscope by PCI-DSS compliance of all services are PCI- Compliant > 55% 47,6% Increase from prev. year 26 In 2016 62 In 2018 42 In 2017
  • 12.
    Early 2017Our Decision BuildOn The Cloud Build in our DCs Outsource to third party
  • 13.
    Outcome Learning 1: Bringthe right people together early on
  • 14.
    Execution Strategy: Learningsfrom the past https://en.wikipedia.org/wiki/OODA_loop#/media/File:OODA.Boyd.svg Patrick Edwin Moran
  • 15.
    OODA in anAWS security context Observe Orient Decide ACT VPC Flow Logs Inspector Agent CloudWatch Insights CloudTrail Config More CloudWatch Inspector Lambda Shield ShieldShieldWAF Machine Learning Config Policies Config Policies CloudWatchWAF WAF SNS Lambda Lambda More MoreMore Guard Duty
  • 16.
  • 17.
    Orient, Decide, Act! CloudWatch Logs/ Events S3 SIEM Config Policies Protectedaccounts Lambda Trails Logs SNS Security Team Security Account OPS Active Scans Corrective Actions
  • 18.
    The Controlling Core CloudWatch Logs/ Events S3 SIEM Config Policies Protectedaccounts Active Scans Lambda SNS Security Team Security Account Corrective Actions OPS Trails Logs
  • 19.
    Learning 2: Havea strategy
  • 20.
    Changes had tobe made on the way ECSLambda
  • 21.
    Learning 3: Breakdown large projects into small iterations
  • 22.
    End to endautomation Engineers CodePipeline CodeBuild ECR ECS Deployment Approval Code Review Code Minutes
  • 23.
    Learning 4: Knowand leverage the ecosystem
  • 24.
    Learning 5: Takecare of your team
  • 25.
    Summary 1. Bring theright people together early on 2. Have a strategy 3. Break down large projects into small iterations 4. Know and leverage the ecosystem 5. Take care of your team
  • 26.

Editor's Notes

  • #7 Payment Card Industry Data Security Standard