SlideShare a Scribd company logo

PCI Compliance on AWS - Evident.io @ AWS Pop-up Loft 2/26/2015

Evident.io
Evident.io

You run a web business on AWS, and due to your specific business requirements you have a need to perform payment processing. Whether you are selling subscriptions or shipping goods, there are both easy and hard ways to manage payments in a PCI compliant way. Learn tips and techniques from the pros to achieve PCI compliance on AWS without making your life more difficult than necessary.

Technology
1 of 20
Download to read offline
AWS Loft PCI Compliance on AWS Justin Lundy, CIO & CTO, Evident.io https://evident.io/ jbl@evident.io twitter.com/justinlundy_ February 26, 2015 AWS Loft San Francisco
©2015 evident.io I confidential I evident.io Agenda - PCI Compliance on AWS 1. Firewalls 2. Avoid Vendor Defaults 3. Protect Cardholder Data At Rest 4. Encrypt data in transit 5. Vulnerability Management 6. Secure Systems and Apps 7. Restrict Access 8. Use Multi-Factor Authentication 9. Restrict Physical Access 10. Regularly Monitor and Test Network 11. Regularly Test Security Systems and Processes 12. Maintain Information Security Policy 13. Parting Advice 3
©2015 evident.io I confidential I evident.io About Evident.io is a team that is laser-focused on cloud security, AWS, risk management, information security, incident response, compliance, growth and innovation. Check us out: https://evident.io/ We also love open source: https://github.com/EvidentSecurity 2/9/15 4
©2015 evident.io I confidential I evident.io Firewalls to Protect Cardholder Data 1. Use VPCs to split nets into public and private subnets. (AWS:VPC-001) 2. Cardholder Data goes in private subnets 3. Limit access based on need-to-know 4. Use Ingress and Egress VPC SG Policy (AWS:VPC-005) and VPC NACLs (AWS:VPC-00{2| 3|9}) - all SG / VPC SG Checks - (CSA CCM IVS-12) 5. ) 6. Institute a formal change management process: pro tip - tickets/code commits for deployment history 7. UTM gateways are nice but not absolutely required 5
©2015 evident.io I confidential I evident.io Avoid Vendor Defaults 1. Operating System Minimization: Remove and Disable unnecessary software and services (AWS::DEMO-EC2-001) 2. Use one primary function per EC2 instance - do not run your web server and database server on the same instance. 3. Use SSH private keys with additional MFA like Duo Security’s PAM module - its awesome 6
©2015 evident.io I confidential I evident.io Protect Cardholder Data At Rest 1. If using EC2, can leverage transparent encryption of EBS volumes (AWS:EC2-032) 2. If using S3, can leverage server side bucket encryption (AWS:SSS-002) 3. Can use commercial or open source encryption tools/ libraries if preferred (os layer, db layer, etc.) 4. Only store minimal card holder data 5. Rotate encryption keys regularly (AWS:IAM-007) 6. Store your encryption keys safely, can use AWS key management service or CloudHSM 7. Limit access to cardholder data based on business need-to- know (e.g. admins) 7
©2015 evident.io I confidential I evident.io Encrypt Data in Transit 1. Encrypt data using SSL with a secure cipher suite (AWS:ELB-008) 2. Terminate SSL at the ELB or at the web server 8
©2015 evident.io I confidential I evident.io Vulnerability Management 1. Apply AV software on EC2 instances and ensure they auto- update 2. Use Vulnerability Scanning to prepare for audits. (CSA CCM AAC-02) 9
©2015 evident.io I confidential I evident.io Develop & Maintain Secure Systems and Apps 1. Review, test and apply security patches regularly. 2. Develop software according to PCI AppSec / OWASP guidelines 3. Separate development, staging and production 4. Use IAM and remove any test IAM users from non-test environments 5. Ensure MFA (AWS:IAM-00{3|4}) and IAM password policy (AWS:IAM-002) are being used (CSA CCM IAM-03) 6. Rotate IAM user keys regularly (AWS:IAM-007) 7. Enable cloudtrail (AWS:CLT-001), ELB and S3 logging and collect the logs for audit trail (AWS:SSS-003) (CSA CCM IVS-01) 8. Any changes to environment are to be documented and approved. 9. Avoid manual deployments. Use CloudFormation, CodeDeploy, Chef, Puppet, etc. 10
©2015 evident.io I confidential I evident.io Restrict Access based on business need 1. Limit number of IAM users and restrict policies to specific capabilities based on business need. (AWS:IAM-008) 2. Optionally Can Use SAML and SSO for AWS Management Console users 11
©2015 evident.io I confidential I evident.io Secure Authentication 1. Do not use the root AWS account at all if possible (AWS:GLO-002) 2. Ensure users are using IAM accounts or SAML/SSO 3. Enable multi-factor authentication for all AWS accounts (AWS:IAM-004) 4. Virtual MFA software is free and runs on mobiles or get hardware tokens 5. Do not use shared credentials anywhere - all users should have unique user ids. That goes for IAM and SSH. 6. Some folks go so far as to launch AMIs without key pairs so logging in via SSH is impossible. A bit extreme. 12
©2015 evident.io I confidential I evident.io Restrict Physical Access to Cardholder Data 1. AWS covers this for you — assuming the scope of your cardholder environment is entirely within AWS. 13
©2015 evident.io I confidential I evident.io Regularly Monitor and Test Network 1. Regularly review CloudTrail logs to identify critical activity 2. Use HIDS/HIPS/centralized logging to monitor login activity, file integrity changes, security events, etc. 3. Ensure your clocks are all sync’d with NTP 14
©2015 evident.io I confidential I evident.io Regularly Test Security Systems and Processes 1. Vulnerability Scanning 2. Penetration Testing 3. Inform AWS before Penetration Testing 4. Have a third party audit the environment 15
©2015 evident.io I confidential I evident.io Maintain an Information Security Policy for All Personnel 1. Security policies should be documented and shared with all personnel 2. AWS inventory, and account information should be regularly updated. 3. Have an Incident Response plan ready before a breach. 4. Put 24x7 monitoring in place to enable rapid response. 16
©2015 evident.io I confidential I evident.io Parting Advice 1. If you can choose your payment gateway - you can save even more time and effort by using Stripe in your App on AWS 2. Only hire a PCI QSA that has experience with AWS and certified environments on AWS before. Otherwise pain. 3. Request your PCI compliance documentation package from AWS for complete details (under NDA) 4. Evident helps clients with PCI compliance control objectives 1, 3, 5, 6, 7, 8, 9, 10 and 11 on AWS. 5. Use Evident to help prepare for PCI audits to save time and headaches! 17
©2015 evident.io I confidential I evident.io Evident.io Loft Feb 26 18
©2015 evident.io I confidential I evident.io Connect February 9, 2015 19 evident.io 11501 Dublin Blvd #200 Dublin, CA 94568 c. 855.933.1337 jbl@evident.io http://evident.io
PCI Compliance on AWS - Evident.io @ AWS Pop-up Loft 2/26/2015

Recommended

Security Threats, the Cloud and Your Responsibilities - Evident.io @AWS Pop-u...
Security Threats, the Cloud and Your Responsibilities - Evident.io @AWS Pop-u...Security Threats, the Cloud and Your Responsibilities - Evident.io @AWS Pop-u...
Security Threats, the Cloud and Your Responsibilities - Evident.io @AWS Pop-u...Evident.io
 
Managing Security with AWS | AWS Public Sector Summit 2017
Managing Security with AWS | AWS Public Sector Summit 2017Managing Security with AWS | AWS Public Sector Summit 2017
Managing Security with AWS | AWS Public Sector Summit 2017Amazon Web Services
 
Automating your AWS Security Operations
Automating your AWS Security OperationsAutomating your AWS Security Operations
Automating your AWS Security OperationsEvident.io
 
Security and Compliance in the Cloud
Security and Compliance in the Cloud Security and Compliance in the Cloud
Security and Compliance in the Cloud Amazon Web Services
 
Securing aws workloads with embedded application security
Securing aws workloads with embedded application securitySecuring aws workloads with embedded application security
Securing aws workloads with embedded application securityJohn Varghese
 
CloudHSM: Secure, Scalable Key Storage in AWS - AWS Online Tech Talks
CloudHSM: Secure, Scalable Key Storage in AWS - AWS Online Tech TalksCloudHSM: Secure, Scalable Key Storage in AWS - AWS Online Tech Talks
CloudHSM: Secure, Scalable Key Storage in AWS - AWS Online Tech TalksAmazon Web Services
 
A Tale of Security & Ops Teamwork for Rapid Security Incident Resolution
A Tale of Security & Ops Teamwork for Rapid Security Incident ResolutionA Tale of Security & Ops Teamwork for Rapid Security Incident Resolution
A Tale of Security & Ops Teamwork for Rapid Security Incident ResolutionAmazon Web Services
 
AWS Cloud Governance & Security through Automation - Atlanta AWS Builders
AWS Cloud Governance & Security through Automation - Atlanta AWS BuildersAWS Cloud Governance & Security through Automation - Atlanta AWS Builders
AWS Cloud Governance & Security through Automation - Atlanta AWS BuildersJames Strong
 

Recommended

Security Threats, the Cloud and Your Responsibilities - Evident.io @AWS Pop-u...
Security Threats, the Cloud and Your Responsibilities - Evident.io @AWS Pop-u...Security Threats, the Cloud and Your Responsibilities - Evident.io @AWS Pop-u...
Security Threats, the Cloud and Your Responsibilities - Evident.io @AWS Pop-u...Evident.io
 
Managing Security with AWS | AWS Public Sector Summit 2017
Managing Security with AWS | AWS Public Sector Summit 2017Managing Security with AWS | AWS Public Sector Summit 2017
Managing Security with AWS | AWS Public Sector Summit 2017Amazon Web Services
 
Automating your AWS Security Operations
Automating your AWS Security OperationsAutomating your AWS Security Operations
Automating your AWS Security OperationsEvident.io
 
Security and Compliance in the Cloud
Security and Compliance in the Cloud Security and Compliance in the Cloud
Security and Compliance in the Cloud Amazon Web Services
 
Securing aws workloads with embedded application security
Securing aws workloads with embedded application securitySecuring aws workloads with embedded application security
Securing aws workloads with embedded application securityJohn Varghese
 
CloudHSM: Secure, Scalable Key Storage in AWS - AWS Online Tech Talks
CloudHSM: Secure, Scalable Key Storage in AWS - AWS Online Tech TalksCloudHSM: Secure, Scalable Key Storage in AWS - AWS Online Tech Talks
CloudHSM: Secure, Scalable Key Storage in AWS - AWS Online Tech TalksAmazon Web Services
 
A Tale of Security & Ops Teamwork for Rapid Security Incident Resolution
A Tale of Security & Ops Teamwork for Rapid Security Incident ResolutionA Tale of Security & Ops Teamwork for Rapid Security Incident Resolution
A Tale of Security & Ops Teamwork for Rapid Security Incident ResolutionAmazon Web Services
 
AWS Cloud Governance & Security through Automation - Atlanta AWS Builders
AWS Cloud Governance & Security through Automation - Atlanta AWS BuildersAWS Cloud Governance & Security through Automation - Atlanta AWS Builders
AWS Cloud Governance & Security through Automation - Atlanta AWS BuildersJames Strong
 
The 2014 AWS Enterprise Summit - Understanding AWS Security
The 2014 AWS Enterprise Summit - Understanding AWS SecurityThe 2014 AWS Enterprise Summit - Understanding AWS Security
The 2014 AWS Enterprise Summit - Understanding AWS SecurityAmazon Web Services
 
Aws(in)security - the devil is in the detail
Aws(in)security - the devil is in the detailAws(in)security - the devil is in the detail
Aws(in)security - the devil is in the detailPawel Rzepa
 
How to Meet Strict Security & Compliance Requirements in the Cloud (SEC208) |...
How to Meet Strict Security & Compliance Requirements in the Cloud (SEC208) |...How to Meet Strict Security & Compliance Requirements in the Cloud (SEC208) |...
How to Meet Strict Security & Compliance Requirements in the Cloud (SEC208) |...Amazon Web Services
 
Aws certified-security
Aws certified-securityAws certified-security
Aws certified-securitykartikaryan4
 
How to implement DevSecOps on AWS for startups
How to implement DevSecOps on AWS for startupsHow to implement DevSecOps on AWS for startups
How to implement DevSecOps on AWS for startupsAleksandr Maklakov
 
Staying Armed with AWS Cloud HSM and AWS WAF - AWS Public Sector Summit Singa...
Staying Armed with AWS Cloud HSM and AWS WAF - AWS Public Sector Summit Singa...Staying Armed with AWS Cloud HSM and AWS WAF - AWS Public Sector Summit Singa...
Staying Armed with AWS Cloud HSM and AWS WAF - AWS Public Sector Summit Singa...Amazon Web Services
 
Better Together: JWT and Hashi Vault in Modern Apps
Better Together: JWT and Hashi Vault in Modern AppsBetter Together: JWT and Hashi Vault in Modern Apps
Better Together: JWT and Hashi Vault in Modern AppsShrivatsa Upadhye
 
Aws security Fundamentals
Aws security Fundamentals Aws security Fundamentals
Aws security Fundamentals Christopher Caplan
 
Meeting PCI DSS Requirements with AWS and CloudPassage
Meeting PCI DSS Requirements with AWS and CloudPassageMeeting PCI DSS Requirements with AWS and CloudPassage
Meeting PCI DSS Requirements with AWS and CloudPassageCloudPassage
 
AWS 201 - A Walk through the AWS Cloud: AWS Security Best Practices
AWS 201 - A Walk through the AWS Cloud: AWS Security Best PracticesAWS 201 - A Walk through the AWS Cloud: AWS Security Best Practices
AWS 201 - A Walk through the AWS Cloud: AWS Security Best PracticesAmazon Web Services
 
The AWS Shared Responsibility Model in Practice
The AWS Shared Responsibility Model in PracticeThe AWS Shared Responsibility Model in Practice
The AWS Shared Responsibility Model in PracticeAlert Logic
 
(SEC404) Incident Response in the Cloud | AWS re:Invent 2014
(SEC404) Incident Response in the Cloud | AWS re:Invent 2014(SEC404) Incident Response in the Cloud | AWS re:Invent 2014
(SEC404) Incident Response in the Cloud | AWS re:Invent 2014Amazon Web Services
 
AWS Security Strategy
AWS Security StrategyAWS Security Strategy
AWS Security StrategyTeri Radichel
 
Understanding AWS security
Understanding AWS securityUnderstanding AWS security
Understanding AWS securityAmazon Web Services
 
AWS Security Week: Security, Identity, & Compliance
AWS Security Week: Security, Identity, & ComplianceAWS Security Week: Security, Identity, & Compliance
AWS Security Week: Security, Identity, & ComplianceAmazon Web Services
 
AWS Security Fundamentals
AWS Security FundamentalsAWS Security Fundamentals
AWS Security FundamentalsAmazon Web Services
 
Kubernetes - do or do not, there is no try
Kubernetes - do or do not, there is no tryKubernetes - do or do not, there is no try
Kubernetes - do or do not, there is no tryJames Strong
 
AWS Shared Security Model in Practice
AWS Shared Security Model in PracticeAWS Shared Security Model in Practice
AWS Shared Security Model in PracticeAlert Logic
 
Azure Security Center
Azure Security CenterAzure Security Center
Azure Security CenterUdaiappa Ramachandran
 
Implementing Bullet-Proof HIPAA Solutions on AWS (SEC306) | AWS re:Invent 2013
Implementing Bullet-Proof HIPAA Solutions on AWS (SEC306) | AWS re:Invent 2013Implementing Bullet-Proof HIPAA Solutions on AWS (SEC306) | AWS re:Invent 2013
Implementing Bullet-Proof HIPAA Solutions on AWS (SEC306) | AWS re:Invent 2013Amazon Web Services
 
Customer Case Study: Achieving PCI Compliance in AWS
Customer Case Study: Achieving PCI Compliance in AWSCustomer Case Study: Achieving PCI Compliance in AWS
Customer Case Study: Achieving PCI Compliance in AWSAmazon Web Services
 
Navigating PCI Compliance in the Cloud (SEC206) | AWS re:Invent 2013
Navigating PCI Compliance in the Cloud (SEC206) | AWS re:Invent 2013Navigating PCI Compliance in the Cloud (SEC206) | AWS re:Invent 2013
Navigating PCI Compliance in the Cloud (SEC206) | AWS re:Invent 2013Amazon Web Services
 

More Related Content

What's hot

The 2014 AWS Enterprise Summit - Understanding AWS Security
The 2014 AWS Enterprise Summit - Understanding AWS SecurityThe 2014 AWS Enterprise Summit - Understanding AWS Security
The 2014 AWS Enterprise Summit - Understanding AWS SecurityAmazon Web Services
 
Aws(in)security - the devil is in the detail
Aws(in)security - the devil is in the detailAws(in)security - the devil is in the detail
Aws(in)security - the devil is in the detailPawel Rzepa
 
How to Meet Strict Security & Compliance Requirements in the Cloud (SEC208) |...
How to Meet Strict Security & Compliance Requirements in the Cloud (SEC208) |...How to Meet Strict Security & Compliance Requirements in the Cloud (SEC208) |...
How to Meet Strict Security & Compliance Requirements in the Cloud (SEC208) |...Amazon Web Services
 
Aws certified-security
Aws certified-securityAws certified-security
Aws certified-securitykartikaryan4
 
How to implement DevSecOps on AWS for startups
How to implement DevSecOps on AWS for startupsHow to implement DevSecOps on AWS for startups
How to implement DevSecOps on AWS for startupsAleksandr Maklakov
 
Staying Armed with AWS Cloud HSM and AWS WAF - AWS Public Sector Summit Singa...
Staying Armed with AWS Cloud HSM and AWS WAF - AWS Public Sector Summit Singa...Staying Armed with AWS Cloud HSM and AWS WAF - AWS Public Sector Summit Singa...
Staying Armed with AWS Cloud HSM and AWS WAF - AWS Public Sector Summit Singa...Amazon Web Services
 
Better Together: JWT and Hashi Vault in Modern Apps
Better Together: JWT and Hashi Vault in Modern AppsBetter Together: JWT and Hashi Vault in Modern Apps
Better Together: JWT and Hashi Vault in Modern AppsShrivatsa Upadhye
 
Meeting PCI DSS Requirements with AWS and CloudPassage
Meeting PCI DSS Requirements with AWS and CloudPassageMeeting PCI DSS Requirements with AWS and CloudPassage
Meeting PCI DSS Requirements with AWS and CloudPassageCloudPassage
 
AWS 201 - A Walk through the AWS Cloud: AWS Security Best Practices
AWS 201 - A Walk through the AWS Cloud: AWS Security Best PracticesAWS 201 - A Walk through the AWS Cloud: AWS Security Best Practices
AWS 201 - A Walk through the AWS Cloud: AWS Security Best PracticesAmazon Web Services
 
The AWS Shared Responsibility Model in Practice
The AWS Shared Responsibility Model in PracticeThe AWS Shared Responsibility Model in Practice
The AWS Shared Responsibility Model in PracticeAlert Logic
 
(SEC404) Incident Response in the Cloud | AWS re:Invent 2014
(SEC404) Incident Response in the Cloud | AWS re:Invent 2014(SEC404) Incident Response in the Cloud | AWS re:Invent 2014
(SEC404) Incident Response in the Cloud | AWS re:Invent 2014Amazon Web Services
 
AWS Security Strategy
AWS Security StrategyAWS Security Strategy
AWS Security StrategyTeri Radichel
 
AWS Security Week: Security, Identity, & Compliance
AWS Security Week: Security, Identity, & ComplianceAWS Security Week: Security, Identity, & Compliance
AWS Security Week: Security, Identity, & ComplianceAmazon Web Services
 
Kubernetes - do or do not, there is no try
Kubernetes - do or do not, there is no tryKubernetes - do or do not, there is no try
Kubernetes - do or do not, there is no tryJames Strong
 
AWS Shared Security Model in Practice
AWS Shared Security Model in PracticeAWS Shared Security Model in Practice
AWS Shared Security Model in PracticeAlert Logic
 
Implementing Bullet-Proof HIPAA Solutions on AWS (SEC306) | AWS re:Invent 2013
Implementing Bullet-Proof HIPAA Solutions on AWS (SEC306) | AWS re:Invent 2013Implementing Bullet-Proof HIPAA Solutions on AWS (SEC306) | AWS re:Invent 2013
Implementing Bullet-Proof HIPAA Solutions on AWS (SEC306) | AWS re:Invent 2013Amazon Web Services
 

What's hot (20)

The 2014 AWS Enterprise Summit - Understanding AWS Security
The 2014 AWS Enterprise Summit - Understanding AWS SecurityThe 2014 AWS Enterprise Summit - Understanding AWS Security
The 2014 AWS Enterprise Summit - Understanding AWS Security
 
Aws(in)security - the devil is in the detail
Aws(in)security - the devil is in the detailAws(in)security - the devil is in the detail
Aws(in)security - the devil is in the detail
 
How to Meet Strict Security & Compliance Requirements in the Cloud (SEC208) |...
How to Meet Strict Security & Compliance Requirements in the Cloud (SEC208) |...How to Meet Strict Security & Compliance Requirements in the Cloud (SEC208) |...
How to Meet Strict Security & Compliance Requirements in the Cloud (SEC208) |...
 
Aws certified-security
Aws certified-securityAws certified-security
Aws certified-security
 
How to implement DevSecOps on AWS for startups
How to implement DevSecOps on AWS for startupsHow to implement DevSecOps on AWS for startups
How to implement DevSecOps on AWS for startups
 
Staying Armed with AWS Cloud HSM and AWS WAF - AWS Public Sector Summit Singa...
Staying Armed with AWS Cloud HSM and AWS WAF - AWS Public Sector Summit Singa...Staying Armed with AWS Cloud HSM and AWS WAF - AWS Public Sector Summit Singa...
Staying Armed with AWS Cloud HSM and AWS WAF - AWS Public Sector Summit Singa...
 
Better Together: JWT and Hashi Vault in Modern Apps
Better Together: JWT and Hashi Vault in Modern AppsBetter Together: JWT and Hashi Vault in Modern Apps
Better Together: JWT and Hashi Vault in Modern Apps
 
Aws security Fundamentals
Aws security Fundamentals Aws security Fundamentals
Aws security Fundamentals
 
Meeting PCI DSS Requirements with AWS and CloudPassage
Meeting PCI DSS Requirements with AWS and CloudPassageMeeting PCI DSS Requirements with AWS and CloudPassage
Meeting PCI DSS Requirements with AWS and CloudPassage
 
AWS 201 - A Walk through the AWS Cloud: AWS Security Best Practices
AWS 201 - A Walk through the AWS Cloud: AWS Security Best PracticesAWS 201 - A Walk through the AWS Cloud: AWS Security Best Practices
AWS 201 - A Walk through the AWS Cloud: AWS Security Best Practices
 
The AWS Shared Responsibility Model in Practice
The AWS Shared Responsibility Model in PracticeThe AWS Shared Responsibility Model in Practice
The AWS Shared Responsibility Model in Practice
 
(SEC404) Incident Response in the Cloud | AWS re:Invent 2014
(SEC404) Incident Response in the Cloud | AWS re:Invent 2014(SEC404) Incident Response in the Cloud | AWS re:Invent 2014
(SEC404) Incident Response in the Cloud | AWS re:Invent 2014
 
AWS Security Strategy
AWS Security StrategyAWS Security Strategy
AWS Security Strategy
 
Understanding AWS security
Understanding AWS securityUnderstanding AWS security
Understanding AWS security
 
AWS Security Week: Security, Identity, & Compliance
AWS Security Week: Security, Identity, & ComplianceAWS Security Week: Security, Identity, & Compliance
AWS Security Week: Security, Identity, & Compliance
 
AWS Security Fundamentals
AWS Security FundamentalsAWS Security Fundamentals
AWS Security Fundamentals
 
Kubernetes - do or do not, there is no try
Kubernetes - do or do not, there is no tryKubernetes - do or do not, there is no try
Kubernetes - do or do not, there is no try
 
AWS Shared Security Model in Practice
AWS Shared Security Model in PracticeAWS Shared Security Model in Practice
AWS Shared Security Model in Practice
 
Azure Security Center
Azure Security CenterAzure Security Center
Azure Security Center
 
Implementing Bullet-Proof HIPAA Solutions on AWS (SEC306) | AWS re:Invent 2013
Implementing Bullet-Proof HIPAA Solutions on AWS (SEC306) | AWS re:Invent 2013Implementing Bullet-Proof HIPAA Solutions on AWS (SEC306) | AWS re:Invent 2013
Implementing Bullet-Proof HIPAA Solutions on AWS (SEC306) | AWS re:Invent 2013
 

Viewers also liked

Customer Case Study: Achieving PCI Compliance in AWS
Customer Case Study: Achieving PCI Compliance in AWSCustomer Case Study: Achieving PCI Compliance in AWS
Customer Case Study: Achieving PCI Compliance in AWSAmazon Web Services
 
Navigating PCI Compliance in the Cloud (SEC206) | AWS re:Invent 2013
Navigating PCI Compliance in the Cloud (SEC206) | AWS re:Invent 2013Navigating PCI Compliance in the Cloud (SEC206) | AWS re:Invent 2013
Navigating PCI Compliance in the Cloud (SEC206) | AWS re:Invent 2013Amazon Web Services
 
Velocity 2015-tim-prendergast-continuous-security-the-devops-way
Velocity 2015-tim-prendergast-continuous-security-the-devops-wayVelocity 2015-tim-prendergast-continuous-security-the-devops-way
Velocity 2015-tim-prendergast-continuous-security-the-devops-wayEvident.io
 
Innovating IAM Protection for AWS with Dome9 - Session Sponsored by Dome9
Innovating IAM Protection for AWS with Dome9 - Session Sponsored by Dome9Innovating IAM Protection for AWS with Dome9 - Session Sponsored by Dome9
Innovating IAM Protection for AWS with Dome9 - Session Sponsored by Dome9Amazon Web Services
 
AWS re:Invent 2016: The AWS Hero’s Journey to Achieving Autonomous, Self-Heal...
AWS re:Invent 2016: The AWS Hero’s Journey to Achieving Autonomous, Self-Heal...AWS re:Invent 2016: The AWS Hero’s Journey to Achieving Autonomous, Self-Heal...
AWS re:Invent 2016: The AWS Hero’s Journey to Achieving Autonomous, Self-Heal...Amazon Web Services
 
Security & Privacy: Using AWS to Meet Requirements for HIPAA, CJIS, and FERPA
Security & Privacy: Using AWS to Meet Requirements for HIPAA, CJIS, and FERPASecurity & Privacy: Using AWS to Meet Requirements for HIPAA, CJIS, and FERPA
Security & Privacy: Using AWS to Meet Requirements for HIPAA, CJIS, and FERPAAmazon Web Services
 
AWS re:Invent 2016: Security Automation: Spend Less Time Securing Your Applic...
AWS re:Invent 2016: Security Automation: Spend Less Time Securing Your Applic...AWS re:Invent 2016: Security Automation: Spend Less Time Securing Your Applic...
AWS re:Invent 2016: Security Automation: Spend Less Time Securing Your Applic...Amazon Web Services
 
Next-Generation Security Operations with AWS
Next-Generation Security Operations with AWSNext-Generation Security Operations with AWS
Next-Generation Security Operations with AWSAmazon Web Services
 
How to Protect your AWS Environment
How to Protect your AWS EnvironmentHow to Protect your AWS Environment
How to Protect your AWS EnvironmentLahav Savir
 
Getting Started with Amazon Redshift
Getting Started with Amazon RedshiftGetting Started with Amazon Redshift
Getting Started with Amazon RedshiftAmazon Web Services
 

Viewers also liked (11)

Customer Case Study: Achieving PCI Compliance in AWS
Customer Case Study: Achieving PCI Compliance in AWSCustomer Case Study: Achieving PCI Compliance in AWS
Customer Case Study: Achieving PCI Compliance in AWS
 
Navigating PCI Compliance in the Cloud (SEC206) | AWS re:Invent 2013
Navigating PCI Compliance in the Cloud (SEC206) | AWS re:Invent 2013Navigating PCI Compliance in the Cloud (SEC206) | AWS re:Invent 2013
Navigating PCI Compliance in the Cloud (SEC206) | AWS re:Invent 2013
 
Velocity 2015-tim-prendergast-continuous-security-the-devops-way
Velocity 2015-tim-prendergast-continuous-security-the-devops-wayVelocity 2015-tim-prendergast-continuous-security-the-devops-way
Velocity 2015-tim-prendergast-continuous-security-the-devops-way
 
PCI COMPLIANCE REPORT
PCI COMPLIANCE REPORTPCI COMPLIANCE REPORT
PCI COMPLIANCE REPORT
 
Innovating IAM Protection for AWS with Dome9 - Session Sponsored by Dome9
Innovating IAM Protection for AWS with Dome9 - Session Sponsored by Dome9Innovating IAM Protection for AWS with Dome9 - Session Sponsored by Dome9
Innovating IAM Protection for AWS with Dome9 - Session Sponsored by Dome9
 
AWS re:Invent 2016: The AWS Hero’s Journey to Achieving Autonomous, Self-Heal...
AWS re:Invent 2016: The AWS Hero’s Journey to Achieving Autonomous, Self-Heal...AWS re:Invent 2016: The AWS Hero’s Journey to Achieving Autonomous, Self-Heal...
AWS re:Invent 2016: The AWS Hero’s Journey to Achieving Autonomous, Self-Heal...
 
Security & Privacy: Using AWS to Meet Requirements for HIPAA, CJIS, and FERPA
Security & Privacy: Using AWS to Meet Requirements for HIPAA, CJIS, and FERPASecurity & Privacy: Using AWS to Meet Requirements for HIPAA, CJIS, and FERPA
Security & Privacy: Using AWS to Meet Requirements for HIPAA, CJIS, and FERPA
 
AWS re:Invent 2016: Security Automation: Spend Less Time Securing Your Applic...
AWS re:Invent 2016: Security Automation: Spend Less Time Securing Your Applic...AWS re:Invent 2016: Security Automation: Spend Less Time Securing Your Applic...
AWS re:Invent 2016: Security Automation: Spend Less Time Securing Your Applic...
 
Next-Generation Security Operations with AWS
Next-Generation Security Operations with AWSNext-Generation Security Operations with AWS
Next-Generation Security Operations with AWS
 
How to Protect your AWS Environment
How to Protect your AWS EnvironmentHow to Protect your AWS Environment
How to Protect your AWS Environment
 
Getting Started with Amazon Redshift
Getting Started with Amazon RedshiftGetting Started with Amazon Redshift
Getting Started with Amazon Redshift
 

Similar to PCI Compliance on AWS - Evident.io @ AWS Pop-up Loft 2/26/2015

Aws training in bangalore
Aws training in bangalore Aws training in bangalore
Aws training in bangalore apponix123
 
In Cloud We Encrypt #GHC15
In Cloud We Encrypt #GHC15In Cloud We Encrypt #GHC15
In Cloud We Encrypt #GHC15Intuit Inc.
 
Core strategies to develop defense in depth in AWS
Core strategies to develop defense in depth in AWSCore strategies to develop defense in depth in AWS
Core strategies to develop defense in depth in AWSShane Peden
 
hashicorp-virtualdays-vaultkeeping-a-secret-200409143039.pptx
hashicorp-virtualdays-vaultkeeping-a-secret-200409143039.pptxhashicorp-virtualdays-vaultkeeping-a-secret-200409143039.pptx
hashicorp-virtualdays-vaultkeeping-a-secret-200409143039.pptxhamzaaqqa7
 
Architecting Data Services for the Cloud: Security Considerations and Best Pr...
Architecting Data Services for the Cloud: Security Considerations and Best Pr...Architecting Data Services for the Cloud: Security Considerations and Best Pr...
Architecting Data Services for the Cloud: Security Considerations and Best Pr...Adnene Guabtni
 
Automating security compliance for physical, virtual, cloud, and container en...
Automating security compliance for physical, virtual, cloud, and container en...Automating security compliance for physical, virtual, cloud, and container en...
Automating security compliance for physical, virtual, cloud, and container en...Lucy Huh Kerner
 
(SEC320) Leveraging the Power of AWS to Automate Security & Compliance
(SEC320) Leveraging the Power of AWS to Automate Security & Compliance(SEC320) Leveraging the Power of AWS to Automate Security & Compliance
(SEC320) Leveraging the Power of AWS to Automate Security & ComplianceAmazon Web Services
 
AWS Summit 2013 | India - Extend your Datacenter in the Cloud and achieve Hig...
AWS Summit 2013 | India - Extend your Datacenter in the Cloud and achieve Hig...AWS Summit 2013 | India - Extend your Datacenter in the Cloud and achieve Hig...
AWS Summit 2013 | India - Extend your Datacenter in the Cloud and achieve Hig...Amazon Web Services
 
Secure & Automate AWS Deployments with Next-Generation Security from Palo Alt...
Secure & Automate AWS Deployments with Next-Generation Security from Palo Alt...Secure & Automate AWS Deployments with Next-Generation Security from Palo Alt...
Secure & Automate AWS Deployments with Next-Generation Security from Palo Alt...Amazon Web Services
 
Jobvite: A Holistic Approach to Security
Jobvite: A Holistic Approach to SecurityJobvite: A Holistic Approach to Security
Jobvite: A Holistic Approach to SecurityTheodore Kim
 
AWS & Infrastructure Hardening - Cloud Infrastructure Security
AWS & Infrastructure Hardening - Cloud Infrastructure SecurityAWS & Infrastructure Hardening - Cloud Infrastructure Security
AWS & Infrastructure Hardening - Cloud Infrastructure SecurityNutanix Beam
 
AWS Summit Stockholm 2014 – T2 – Understanding AWS security
AWS Summit Stockholm 2014 – T2 – Understanding AWS securityAWS Summit Stockholm 2014 – T2 – Understanding AWS security
AWS Summit Stockholm 2014 – T2 – Understanding AWS securityAmazon Web Services
 
Automating your AWS Security Operations
Automating your AWS Security OperationsAutomating your AWS Security Operations
Automating your AWS Security OperationsAmazon Web Services
 
Tips to Remediate your Vulnerability Management Program
Tips to Remediate your Vulnerability Management ProgramTips to Remediate your Vulnerability Management Program
Tips to Remediate your Vulnerability Management ProgramBeyondTrust
 
Moving from the Shadows to the Throne - SID310 - re:Invent 2017
Moving from the Shadows to the Throne - SID310 - re:Invent 2017Moving from the Shadows to the Throne - SID310 - re:Invent 2017
Moving from the Shadows to the Throne - SID310 - re:Invent 2017Amazon Web Services
 
Operational Complexity: The Biggest Security Threat to Your AWS Environment
Operational Complexity: The Biggest Security Threat to Your AWS EnvironmentOperational Complexity: The Biggest Security Threat to Your AWS Environment
Operational Complexity: The Biggest Security Threat to Your AWS EnvironmentCryptzone
 
Evident.io corp overview
Evident.io corp overviewEvident.io corp overview
Evident.io corp overviewMark Marquiss
 
IRJET- Improving Data Storage Security and Performance in Cloud Environment
IRJET- Improving Data Storage Security and Performance in Cloud EnvironmentIRJET- Improving Data Storage Security and Performance in Cloud Environment
IRJET- Improving Data Storage Security and Performance in Cloud EnvironmentIRJET Journal
 
Achieve Compliance with Security by Default and By Design
Achieve Compliance with Security by Default and By DesignAchieve Compliance with Security by Default and By Design
Achieve Compliance with Security by Default and By DesignAmazon Web Services
 

Similar to PCI Compliance on AWS - Evident.io @ AWS Pop-up Loft 2/26/2015 (20)

Aws training in bangalore
Aws training in bangalore Aws training in bangalore
Aws training in bangalore
 
In Cloud We Encrypt #GHC15
In Cloud We Encrypt #GHC15In Cloud We Encrypt #GHC15
In Cloud We Encrypt #GHC15
 
Core strategies to develop defense in depth in AWS
Core strategies to develop defense in depth in AWSCore strategies to develop defense in depth in AWS
Core strategies to develop defense in depth in AWS
 
hashicorp-virtualdays-vaultkeeping-a-secret-200409143039.pptx
hashicorp-virtualdays-vaultkeeping-a-secret-200409143039.pptxhashicorp-virtualdays-vaultkeeping-a-secret-200409143039.pptx
hashicorp-virtualdays-vaultkeeping-a-secret-200409143039.pptx
 
Architecting Data Services for the Cloud: Security Considerations and Best Pr...
Architecting Data Services for the Cloud: Security Considerations and Best Pr...Architecting Data Services for the Cloud: Security Considerations and Best Pr...
Architecting Data Services for the Cloud: Security Considerations and Best Pr...
 
Automating security compliance for physical, virtual, cloud, and container en...
Automating security compliance for physical, virtual, cloud, and container en...Automating security compliance for physical, virtual, cloud, and container en...
Automating security compliance for physical, virtual, cloud, and container en...
 
(SEC320) Leveraging the Power of AWS to Automate Security & Compliance
(SEC320) Leveraging the Power of AWS to Automate Security & Compliance(SEC320) Leveraging the Power of AWS to Automate Security & Compliance
(SEC320) Leveraging the Power of AWS to Automate Security & Compliance
 
AWS Summit 2013 | India - Extend your Datacenter in the Cloud and achieve Hig...
AWS Summit 2013 | India - Extend your Datacenter in the Cloud and achieve Hig...AWS Summit 2013 | India - Extend your Datacenter in the Cloud and achieve Hig...
AWS Summit 2013 | India - Extend your Datacenter in the Cloud and achieve Hig...
 
Secure & Automate AWS Deployments with Next-Generation Security from Palo Alt...
Secure & Automate AWS Deployments with Next-Generation Security from Palo Alt...Secure & Automate AWS Deployments with Next-Generation Security from Palo Alt...
Secure & Automate AWS Deployments with Next-Generation Security from Palo Alt...
 
Jobvite: A Holistic Approach to Security
Jobvite: A Holistic Approach to SecurityJobvite: A Holistic Approach to Security
Jobvite: A Holistic Approach to Security
 
Cloud Security_ Unit 4
Cloud Security_ Unit 4Cloud Security_ Unit 4
Cloud Security_ Unit 4
 
AWS & Infrastructure Hardening - Cloud Infrastructure Security
AWS & Infrastructure Hardening - Cloud Infrastructure SecurityAWS & Infrastructure Hardening - Cloud Infrastructure Security
AWS & Infrastructure Hardening - Cloud Infrastructure Security
 
AWS Summit Stockholm 2014 – T2 – Understanding AWS security
AWS Summit Stockholm 2014 – T2 – Understanding AWS securityAWS Summit Stockholm 2014 – T2 – Understanding AWS security
AWS Summit Stockholm 2014 – T2 – Understanding AWS security
 
Automating your AWS Security Operations
Automating your AWS Security OperationsAutomating your AWS Security Operations
Automating your AWS Security Operations
 
Tips to Remediate your Vulnerability Management Program
Tips to Remediate your Vulnerability Management ProgramTips to Remediate your Vulnerability Management Program
Tips to Remediate your Vulnerability Management Program
 
Moving from the Shadows to the Throne - SID310 - re:Invent 2017
Moving from the Shadows to the Throne - SID310 - re:Invent 2017Moving from the Shadows to the Throne - SID310 - re:Invent 2017
Moving from the Shadows to the Throne - SID310 - re:Invent 2017
 
Operational Complexity: The Biggest Security Threat to Your AWS Environment
Operational Complexity: The Biggest Security Threat to Your AWS EnvironmentOperational Complexity: The Biggest Security Threat to Your AWS Environment
Operational Complexity: The Biggest Security Threat to Your AWS Environment
 
Evident.io corp overview
Evident.io corp overviewEvident.io corp overview
Evident.io corp overview
 
IRJET- Improving Data Storage Security and Performance in Cloud Environment
IRJET- Improving Data Storage Security and Performance in Cloud EnvironmentIRJET- Improving Data Storage Security and Performance in Cloud Environment
IRJET- Improving Data Storage Security and Performance in Cloud Environment
 
Achieve Compliance with Security by Default and By Design
Achieve Compliance with Security by Default and By DesignAchieve Compliance with Security by Default and By Design
Achieve Compliance with Security by Default and By Design
 

Recently uploaded

Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfAddepto
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brandgvaughan
 
Key Features Of Token Development (1).pptx
Key Features Of Token Development (1).pptxKey Features Of Token Development (1).pptx
Key Features Of Token Development (1).pptxLBM Solutions
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Commit University
 
APIForce Zurich 5 April Automation LPDG
APIForce Zurich 5 April Automation LPDGAPIForce Zurich 5 April Automation LPDG
APIForce Zurich 5 April Automation LPDGMarianaLemus7
 
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr LapshynFwdays
 
Artificial intelligence in the post-deep learning era
Artificial intelligence in the post-deep learning eraArtificial intelligence in the post-deep learning era
Artificial intelligence in the post-deep learning eraDeakin University
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Mark Simos
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationSafe Software
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr BaganFwdays
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupFlorian Wilhelm
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii SoldatenkoFwdays
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsMark Billinghurst
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesSinan KOZAK
 
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks..."LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...Fwdays
 
Benefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksBenefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksSoftradix Technologies
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Mattias Andersson
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Patryk Bandurski
 

Recently uploaded (20)

Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdf
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brand
 
Key Features Of Token Development (1).pptx
Key Features Of Token Development (1).pptxKey Features Of Token Development (1).pptx
Key Features Of Token Development (1).pptx
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!
 
APIForce Zurich 5 April Automation LPDG
APIForce Zurich 5 April Automation LPDGAPIForce Zurich 5 April Automation LPDG
APIForce Zurich 5 April Automation LPDG
 
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
 
Artificial intelligence in the post-deep learning era
Artificial intelligence in the post-deep learning eraArtificial intelligence in the post-deep learning era
Artificial intelligence in the post-deep learning era
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project Setup
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR Systems
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen Frames
 
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks..."LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
 
Benefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksBenefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other Frameworks
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?
 
Vulnerability_Management_GRC_by Sohang Sengupta.pptx
Vulnerability_Management_GRC_by Sohang Sengupta.pptxVulnerability_Management_GRC_by Sohang Sengupta.pptx
Vulnerability_Management_GRC_by Sohang Sengupta.pptx
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
 
Hot Sexy call girls in Panjabi Bagh 🔝 9953056974 🔝 Delhi escort Service
Hot Sexy call girls in Panjabi Bagh 🔝 9953056974 🔝 Delhi escort ServiceHot Sexy call girls in Panjabi Bagh 🔝 9953056974 🔝 Delhi escort Service
Hot Sexy call girls in Panjabi Bagh 🔝 9953056974 🔝 Delhi escort Service
 

PCI Compliance on AWS - Evident.io @ AWS Pop-up Loft 2/26/2015

  • 1.
  • 2. AWS Loft PCI Compliance on AWS Justin Lundy, CIO & CTO, Evident.io https://evident.io/ jbl@evident.io twitter.com/justinlundy_ February 26, 2015 AWS Loft San Francisco
  • 3. ©2015 evident.io I confidential I evident.io Agenda - PCI Compliance on AWS 1. Firewalls 2. Avoid Vendor Defaults 3. Protect Cardholder Data At Rest 4. Encrypt data in transit 5. Vulnerability Management 6. Secure Systems and Apps 7. Restrict Access 8. Use Multi-Factor Authentication 9. Restrict Physical Access 10. Regularly Monitor and Test Network 11. Regularly Test Security Systems and Processes 12. Maintain Information Security Policy 13. Parting Advice 3
  • 4. ©2015 evident.io I confidential I evident.io About Evident.io is a team that is laser-focused on cloud security, AWS, risk management, information security, incident response, compliance, growth and innovation. Check us out: https://evident.io/ We also love open source: https://github.com/EvidentSecurity 2/9/15 4
  • 5. ©2015 evident.io I confidential I evident.io Firewalls to Protect Cardholder Data 1. Use VPCs to split nets into public and private subnets. (AWS:VPC-001) 2. Cardholder Data goes in private subnets 3. Limit access based on need-to-know 4. Use Ingress and Egress VPC SG Policy (AWS:VPC-005) and VPC NACLs (AWS:VPC-00{2| 3|9}) - all SG / VPC SG Checks - (CSA CCM IVS-12) 5. ) 6. Institute a formal change management process: pro tip - tickets/code commits for deployment history 7. UTM gateways are nice but not absolutely required 5
  • 6. ©2015 evident.io I confidential I evident.io Avoid Vendor Defaults 1. Operating System Minimization: Remove and Disable unnecessary software and services (AWS::DEMO-EC2-001) 2. Use one primary function per EC2 instance - do not run your web server and database server on the same instance. 3. Use SSH private keys with additional MFA like Duo Security’s PAM module - its awesome 6
  • 7. ©2015 evident.io I confidential I evident.io Protect Cardholder Data At Rest 1. If using EC2, can leverage transparent encryption of EBS volumes (AWS:EC2-032) 2. If using S3, can leverage server side bucket encryption (AWS:SSS-002) 3. Can use commercial or open source encryption tools/ libraries if preferred (os layer, db layer, etc.) 4. Only store minimal card holder data 5. Rotate encryption keys regularly (AWS:IAM-007) 6. Store your encryption keys safely, can use AWS key management service or CloudHSM 7. Limit access to cardholder data based on business need-to- know (e.g. admins) 7
  • 8. ©2015 evident.io I confidential I evident.io Encrypt Data in Transit 1. Encrypt data using SSL with a secure cipher suite (AWS:ELB-008) 2. Terminate SSL at the ELB or at the web server 8
  • 9. ©2015 evident.io I confidential I evident.io Vulnerability Management 1. Apply AV software on EC2 instances and ensure they auto- update 2. Use Vulnerability Scanning to prepare for audits. (CSA CCM AAC-02) 9
  • 10. ©2015 evident.io I confidential I evident.io Develop & Maintain Secure Systems and Apps 1. Review, test and apply security patches regularly. 2. Develop software according to PCI AppSec / OWASP guidelines 3. Separate development, staging and production 4. Use IAM and remove any test IAM users from non-test environments 5. Ensure MFA (AWS:IAM-00{3|4}) and IAM password policy (AWS:IAM-002) are being used (CSA CCM IAM-03) 6. Rotate IAM user keys regularly (AWS:IAM-007) 7. Enable cloudtrail (AWS:CLT-001), ELB and S3 logging and collect the logs for audit trail (AWS:SSS-003) (CSA CCM IVS-01) 8. Any changes to environment are to be documented and approved. 9. Avoid manual deployments. Use CloudFormation, CodeDeploy, Chef, Puppet, etc. 10
  • 11. ©2015 evident.io I confidential I evident.io Restrict Access based on business need 1. Limit number of IAM users and restrict policies to specific capabilities based on business need. (AWS:IAM-008) 2. Optionally Can Use SAML and SSO for AWS Management Console users 11
  • 12. ©2015 evident.io I confidential I evident.io Secure Authentication 1. Do not use the root AWS account at all if possible (AWS:GLO-002) 2. Ensure users are using IAM accounts or SAML/SSO 3. Enable multi-factor authentication for all AWS accounts (AWS:IAM-004) 4. Virtual MFA software is free and runs on mobiles or get hardware tokens 5. Do not use shared credentials anywhere - all users should have unique user ids. That goes for IAM and SSH. 6. Some folks go so far as to launch AMIs without key pairs so logging in via SSH is impossible. A bit extreme. 12
  • 13. ©2015 evident.io I confidential I evident.io Restrict Physical Access to Cardholder Data 1. AWS covers this for you — assuming the scope of your cardholder environment is entirely within AWS. 13
  • 14. ©2015 evident.io I confidential I evident.io Regularly Monitor and Test Network 1. Regularly review CloudTrail logs to identify critical activity 2. Use HIDS/HIPS/centralized logging to monitor login activity, file integrity changes, security events, etc. 3. Ensure your clocks are all sync’d with NTP 14
  • 15. ©2015 evident.io I confidential I evident.io Regularly Test Security Systems and Processes 1. Vulnerability Scanning 2. Penetration Testing 3. Inform AWS before Penetration Testing 4. Have a third party audit the environment 15
  • 16. ©2015 evident.io I confidential I evident.io Maintain an Information Security Policy for All Personnel 1. Security policies should be documented and shared with all personnel 2. AWS inventory, and account information should be regularly updated. 3. Have an Incident Response plan ready before a breach. 4. Put 24x7 monitoring in place to enable rapid response. 16
  • 17. ©2015 evident.io I confidential I evident.io Parting Advice 1. If you can choose your payment gateway - you can save even more time and effort by using Stripe in your App on AWS 2. Only hire a PCI QSA that has experience with AWS and certified environments on AWS before. Otherwise pain. 3. Request your PCI compliance documentation package from AWS for complete details (under NDA) 4. Evident helps clients with PCI compliance control objectives 1, 3, 5, 6, 7, 8, 9, 10 and 11 on AWS. 5. Use Evident to help prepare for PCI audits to save time and headaches! 17
  • 18. ©2015 evident.io I confidential I evident.io Evident.io Loft Feb 26 18
  • 19. ©2015 evident.io I confidential I evident.io Connect February 9, 2015 19 evident.io 11501 Dublin Blvd #200 Dublin, CA 94568 c. 855.933.1337 jbl@evident.io http://evident.io