Customer Case Study: Achieving PCI Compliance in AWS


Upload: amazon-web-services

Post on 10-Apr-2017


TRANSCRIPT

Page 1: Customer Case Study: Achieving PCI Compliance in AWS

© 2016, Amazon Web Services, Inc. or its Affiliates. All rights reserved.

Matt McLimans, Network Security Engineer

Warren Rogers

August 11, 2016

Can You Achieve PCI Compliance in AWS?

Page 2: Customer Case Study: Achieving PCI Compliance in AWS

So, what is this presentation about?

This is a true story of how I built a PCI-compliant solution using Palo Alto Networks, while securing thousands of endpoint devices using GlobalProtect and Palo Alto Networks VM-Series firewalls within Amazon Web Services.

Page 3: Customer Case Study: Achieving PCI Compliance in AWS

Content

Start Up
• About Warren Rogers
• Warren Rogers Data Collection Operation

PCI DSS Compliance
• Crash Course
• Levels & Requirements of PCI DSS 3.1

PCI Compliance within AWS
• AWS Security as a Whole
• Services & Regions
• Shared Responsibility

Warren Rogers PCI Plan
• Using Palo Alto Networks
• GlobalProtect & LSVPN
• Data Filtering & Policy Implementation

Wrap Up
• Palo Alto Networks tackling PCI, Tips, & Q&A

Page 4: Customer Case Study: Achieving PCI Compliance in AWS

Warren Rogers Services

All-Point monitoring system that provides the most accurate and complete information of the fueling operation.

Reporting Options
• Variance reports
• Tank activity
• Sales by hour
• Dispenser/Probe out summary
• Delivery reports
• Unexplained removals

Page 5: Customer Case Study: Achieving PCI Compliance in AWS

Customer Store Network

Warren Rogers’ Network

Our Operation

Our device

“OSP”

Page 6: Customer Case Study: Achieving PCI Compliance in AWS

Aspects to Note

Deployments:

• On-Premise

• AWS Cloud

• Hybridized Deployment

Compliance Regulations:

• PCI DSS 3.1

• HIPAA

• SSAE-16

• And many more…

Page 7: Customer Case Study: Achieving PCI Compliance in AWS

CRASH COURSE

PCI compliance and why it is important to you.

Page 8: Customer Case Study: Achieving PCI Compliance in AWS

PCI DSS Players

Card Brands: Created the SSC. They are responsible for approving DSS controls and framework.

PCI SSC: Developed the DSS, PA-DSS, & PIN standards. They conduct training and certification for QSAs and ASVs.

Acquirers: Banks and payment processors that are responsible for enforcing the DSS.

Merchants: Responsible for implementing DSS controls and demonstrating compliance.

Page 9: Customer Case Study: Achieving PCI Compliance in AWS

Merchant Levels

LEVEL 1:
• > 6 million transactions per year.
• Annual on-site assessment by a QSA (or a PCI-trained Internal Security Assessor), producing a Report on Compliance.

LEVEL 2:
• 1 to 6 million transactions per year.
• Annual SAQ; depending on the card brand, the SAQ may have to be completed or signed off by a QSA or an ISA.

LEVEL 3 & 4:
• < 1 million transactions per year.
• Can self-assess via the SAQ.

Levels are defined by each card brand and counted per brand, and quarterly external vulnerability scans by an ASV come on top of the assessment type; your acquirer sets the exact validation requirements for your level.

Knowing your level is critically important to achieving PCI compliance effectively.

Requirements v. Validation: the 12 requirements are the same at every level; only how you validate changes.

SAQ v. QSA

Page 10: Customer Case Study: Achieving PCI Compliance in AWS

A Simple Question

Do I have to be PCI compliant? It comes down to one question: do you handle CHD (cardholder data)?

• Yes: you must be compliant.
• No: you do not need to be compliant.

"But I only handle 1 card number!" One card number is enough to put you in scope.

Page 11: Customer Case Study: Achieving PCI Compliance in AWS

Myth 1: Compliance makes my organization secure.

Why?
• Compliance is a snapshot in time.
• One size does not fit all.
• Vagueness among requirements, e.g. the anti-malware requirement's carve-out for systems "not commonly affected by malware."

Usage
• Compliance as a "base-line security model."
• Encourage a continuous and vigilant security culture.

Compliance does not equal security.

Page 12: Customer Case Study: Achieving PCI Compliance in AWS

Myth 2: One vendor and one product makes me compliant.

Neither one vendor nor one product will make you compliant.
• Over-promising and under-delivering.
• "Silver Bullet" effect.

Implement a holistic security strategy:
1. Technology
2. Infrastructure
3. People

Page 13: Customer Case Study: Achieving PCI Compliance in AWS

A WALK THROUGH

PCI Compliance on AWS

Page 14: Customer Case Study: Achieving PCI Compliance in AWS

AWS Security as a Whole

A CISO probably likes AWS security for the following reasons:

1. Greater transparency
• All security in a single location.

2. Reinforcement of traditional security measures
• Controls through automation.
• Relying on best-practice templates and specialization.
• Reduces configuration mistakes.

CISO: "AWS is more secure than our on-premise datacenter."

Page 15: Customer Case Study: Achieving PCI Compliance in AWS

AWS as Level 1 Service Provider

• Lowest-cost PCI-compliant cloud service.
• Reduce and simplify the scoped environment.
• If required, provides forensic investigations.

Page 16: Customer Case Study: Achieving PCI Compliance in AWS

Is there a special PCI-compliant environment I need to specify when bringing up servers or uploading objects to store?

No! There is no separate PCI environment: the in-scope services carry the same attestation in every account, and what falls into your audit scope is determined by where cardholder data is stored, processed or transmitted.

Page 17: Customer Case Study: Achieving PCI Compliance in AWS

AWS PCI Compliant Services (as presented in August 2016)

Monitoring: CloudWatch
Deployment & Management: Elastic Beanstalk, CloudTrail, CloudFormation, OpsWorks
Identity & Access: IAM, Federation
Application Services: SNS, SES, SQS, Elastic Transcoder, CloudSearch, SWF, AppStream
Databases: RDS, DynamoDB, ElastiCache, Redshift
Analytics: EMR, Data Pipeline, Kinesis
Compute: EC2, WorkSpaces
Storage: S3, EBS, Glacier, Storage Gateway
Networking: VPC, Route 53, ELB, Direct Connect
Content Delivery: CloudFront

The in-scope list grows over time; check the current "AWS Services in Scope by Compliance Program" page and the AWS PCI DSS Attestation of Compliance before relying on a service for cardholder data. A service being covered by AWS's attestation does not make your use of it compliant.

Page 18: Customer Case Study: Achieving PCI Compliance in AWS

Is AWS compliance applicable globally?

Page 19: Customer Case Study: Achieving PCI Compliance in AWS
Page 20: Customer Case Study: Achieving PCI Compliance in AWS

Can I rely on the results of the AWS PCI Report on Compliance, or will additional testing be required to be fully compliant?

Page 21: Customer Case Study: Achieving PCI Compliance in AWS

What is your responsibility to achieve

compliance?

Security of the Cloud v. Security in the Cloud

Responsibility Matrix

Page 22: Customer Case Study: Achieving PCI Compliance in AWS

Shared Responsibility Model

Customer Responsibility: Security in the Cloud
• Customer Data
• Platform, Applications, Identity & Access Management
• Operating System, Network & Firewall Configuration
• Client-side Data Encryption & Data Integrity Authentication
• Server-Side Encryption (File System and/or Data)
• Network Traffic Protection (Encryption/Integrity/Identity)

AWS Responsibility: Security of the Cloud
• Compute, Storage, Database, Networking
• AWS Global Infrastructure: Regions, Availability Zones, Edge Locations

Page 23: Customer Case Study: Achieving PCI Compliance in AWS

Responsibility Matrix: PCI DSS 3.1 requirements, with columns for AWS responsibility and customer responsibility.

Req. 1 Install and maintain a firewall configuration to protect cardholder data.
Req. 2 Do not use vendor-supplied defaults for system passwords and other security parameters.
Req. 3 Protect stored cardholder data.
Req. 4 Encrypt transmission of cardholder data across open, public networks.
Req. 5 Protect all systems against malware and regularly update anti-virus software or programs.
Req. 6 Develop and maintain secure systems and applications.
Req. 7 Restrict access to cardholder data by business need to know.
Req. 8 Identify and authenticate access to system components (a unique ID for each person with computer access).
Req. 9 Restrict physical access to cardholder data.
Req. 10 Track and monitor all access to network resources and cardholder data.
Req. 11 Regularly test security systems and processes.
Req. 12 Maintain a policy that addresses information security for all personnel.

Page 24: Customer Case Study: Achieving PCI Compliance in AWS

In other words…

Your QSA can rely on AWS's PCI compliance, but you are responsible for satisfying all testing requirements, including management and documentation.

Page 25: Customer Case Study: Achieving PCI Compliance in AWS

WARREN ROGERS PCI PLAN

Using Amazon Web Services & Palo Alto Networks

Page 26: Customer Case Study: Achieving PCI Compliance in AWS

Customer Store Network

Warren Rogers’ Network

The PCI Challenge for Warren Rogers

How do we protect ourselves?

Page 27: Customer Case Study: Achieving PCI Compliance in AWS

Obstacles

Challenges
1. Previously non-compliant.
2. Thousands of remote devices.
3. Various deployments within diverse customer environments.

Questions to Answer
1. How can we secure transmission to AWS?
2. How do we know if we inadvertently collect cardholder data?
3. How do we ensure all our boxes are running PCI-required applications?
4. How can we standardize access to our OSPs?

Page 28: Customer Case Study: Achieving PCI Compliance in AWS

What we had…

Customer A Network (CIDR: 10.0.0.0/16), Customer B Network (CIDR: 172.17.0.0/24) and Customer n Network (CIDR: 192.168.3.0/8, as written on the slide; with a /8 mask the host bits are set, and the block it actually denotes is 192.0.0.0/8), each reaching the Warren Rogers Network through its own VPN client (VPN Client 1, VPN Client 2, … VPN Client n). Customer address space is outside Warren Rogers' control and may overlap between customers.

What we wanted…

One access method with secure communication: Customer A, B, … n Networks each mapped to a Warren Rogers custom IP range (WR Custom IP Range 1, 2, 3) that Warren Rogers assigns and controls, terminating on the Warren Rogers Network.
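The two diagrams above boil down to an addressing problem: customer-chosen ranges can collide, so the monitoring side has to assign the ranges itself. The following is an added example (not code from the talk or from Warren Rogers) that finds overlapping customer networks and carves each site a non-overlapping range from a block the monitoring company controls. The customer names and the 10.0.5.0/24 and 100.64.0.0/10 ranges are constructed for the example; the slide's own three CIDRs are used as input.

```python
"""
Added example: detect overlapping customer address space and hand each site a
non-overlapping range from a block we control, which is what a single access
method with centrally assigned client IPs gives you. Names and the extra
ranges are constructed for the example.
"""
import ipaddress
from itertools import combinations

# Constructed sample: the three networks from the slide plus one more. The
# third is not a canonical CIDR (host bits set under /8); strict=False keeps
# it as 192.0.0.0/8, which is exactly the kind of sloppy input that overlaps.
CUSTOMER_NETWORKS = {
    "Customer A": "10.0.0.0/16",
    "Customer B": "172.17.0.0/24",
    "Customer n": "192.168.3.0/8",
    "Customer Z": "10.0.5.0/24",   # constructed; overlaps Customer A
}


def parse_networks(raw):
    """Map name -> IPv4Network. Non-canonical input is normalised, not rejected."""
    return {name: ipaddress.ip_network(cidr, strict=False) for name, cidr in raw.items()}


def find_overlaps(networks):
    """Return a sorted list of (name1, name2) pairs whose ranges overlap."""
    return sorted(
        (a, b)
        for (a, na), (b, nb) in combinations(sorted(networks.items()), 2)
        if na.overlaps(nb)
    )


def allocate_ranges(names, pool="100.64.0.0/10", prefixlen=24):
    """Carve one /prefixlen subnet per name out of a pool we control.

    100.64.0.0/10 is the shared-address (CGNAT) block, picked here because it
    is unlikely to collide with customer RFC 1918 space; that choice is an
    assumption, not the talk's design.
    """
    subnets = ipaddress.ip_network(pool).subnets(new_prefix=prefixlen)
    return {name: next(subnets) for name in sorted(names)}


def plan(raw_networks):
    """Report the collisions in the customer ranges and the ranges we assign instead."""
    nets = parse_networks(raw_networks)
    return {
        "overlaps": find_overlaps(nets),
        "assigned": {k: str(v) for k, v in allocate_ranges(nets).items()},
    }


if __name__ == "__main__":
    result = plan(CUSTOMER_NETWORKS)
    for a, b in result["overlaps"]:
        print(f"OVERLAP: {a} <-> {b}")
    for name, cidr in result["assigned"].items():
        print(f"{name}: {cidr}")
```

The assigned ranges are what the central gateway hands out to clients; the customer ranges never have to be routed inside the monitoring network, which is the point of the "one access method" design.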

Page 29: Customer Case Study: Achieving PCI Compliance in AWS

Using Palo Alto Networks to

Achieve Our Goal

GlobalProtect

• Encryption

• HIP Profiles

LSVPN

• Reducing latency

• Increasing redundancy

• Increasing global presence

Access Policies

• Data filtering

• Removing uncertainty

• Jump server

Page 30: Customer Case Study: Achieving PCI Compliance in AWS

GlobalProtect: Use Case

A Unique Deployment
• Installed on the OSP.
• Pre-logon: the tunnel comes up before any user logs on.

Benefits
• User-ID
• Exceeding PCI requirements.
• Complete insight into data transmission.
• Centrally managed & IP assignment.
• HIP checks & LDAP segregation.

Control: HIP Check

Page 31: Customer Case Study: Achieving PCI Compliance in AWS

Host Information in Policy Enforcement (HIP)

Stages
1. GlobalProtect agent collects information.
2. Agent submits host information.
3. Gateway matches host information against HIP objects and HIP profiles.

Checked categories: Firewall Status, Data Encryption, Patch Management, Anti-Virus.

Key Advantages
• Centrally managed from Palo Alto Networks.
• Easy configuration changes & granular policies.
• Custom application IDs.
• Allow box to connect, but notify personnel of compliance mismatch.
• Routine checks on all OSPs, removes worry.
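To make stage 3 and the "allow but notify" decision concrete, here is an added example that models the gateway side of the check. It is not PAN-OS code and not the talk's configuration: the host reports, the four HIP-object predicates and the thresholds (30 days for patches, 7 days for AV signatures) are constructed stand-ins for the real GlobalProtect objects.

```python
"""
Added example: a model of HIP matching. Each HIP object is a predicate over
the agent's host report; the profile requires all of them; the gateway policy
decides whether a mismatch is reported or blocked. Reports, names and
thresholds are constructed assumptions, not PAN-OS objects.
"""
from datetime import date, timedelta


def make_hip_objects(today, max_patch_age_days=30, max_av_sig_age_days=7):
    """HIP objects, named after the slide's four categories."""
    return {
        "firewall": lambda h: h.get("firewall_enabled") is True,
        "disk_encryption": lambda h: h.get("disk_encrypted") is True,
        "patch_management": lambda h: h.get("last_patch_date") is not None
            and (today - h["last_patch_date"]).days <= max_patch_age_days,
        "anti_virus": lambda h: h.get("av_running") is True
            and h.get("av_signature_date") is not None
            and (today - h["av_signature_date"]).days <= max_av_sig_age_days,
    }


# HIP profile: every listed object must match.
PCI_PROFILE = ("firewall", "disk_encryption", "patch_management", "anti_virus")


def evaluate(host_report, hip_objects, profile=PCI_PROFILE, on_mismatch="notify"):
    """Stage 3: match the submitted host info against the profile.

    Returns (allowed, mismatched_object_names). With on_mismatch="notify" the
    OSP still connects and the mismatches are the alert payload; with "block"
    it is refused.
    """
    mismatches = [name for name in profile if not hip_objects[name](host_report)]
    if not mismatches:
        return True, []
    return (on_mismatch == "notify"), mismatches


def gateway_decisions(reports, today, on_mismatch="notify"):
    """Stages 1-2 are the agent's job; take the reports as given and run the
    gateway side for every OSP. Returns host -> (allowed, mismatches)."""
    objs = make_hip_objects(today)
    return {h["host"]: evaluate(h, objs, on_mismatch=on_mismatch) for h in reports}


# Constructed reports from two OSPs.
TODAY = date(2016, 8, 11)
REPORTS = [
    {"host": "osp-ca-0001", "firewall_enabled": True, "disk_encrypted": True,
     "last_patch_date": TODAY - timedelta(days=3), "av_running": True,
     "av_signature_date": TODAY - timedelta(days=1)},
    {"host": "osp-or-0042", "firewall_enabled": True, "disk_encrypted": False,
     "last_patch_date": TODAY - timedelta(days=45), "av_running": True,
     "av_signature_date": TODAY - timedelta(days=2)},
]

if __name__ == "__main__":
    for host, (allowed, bad) in gateway_decisions(REPORTS, TODAY).items():
        state = "ALLOW" if allowed else "BLOCK"
        note = f" notify: {', '.join(bad)}" if bad else ""
        print(f"{host}: {state}{note}")
```

Because the report is collected on the endpoint, a compromised OSP can lie about itself; that is why the example treats mismatches as alerts to investigate rather than as proof of health, and why a blocking policy is the safer default for anything that carries cardholder data.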

Page 32: Customer Case Study: Achieving PCI Compliance in AWS

Data Filtering for CHD

CHD Filtering
• Predefined data pattern.
• Looks for card numbers (PANs are 13 to 19 digits, not only 16) and validates candidates with a checksum (the Luhn mod-10 check, not a hash) to reduce false positives.
• Scan all data or only certain file types (.pdf, .txt, .csv, …).

Alerting on CHD Detected
• Contact the customer immediately that their network is passing CHD to our OSP.

Decision flow: data arriving from the store network is scanned. CHD detected → alert and contact the customer. No CHD → the OSP stays out of scope for compliance.
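The checksum is what separates a card number from any other run of digits such as a tank probe serial. The following is an added example (not the PAN-OS predefined data pattern and not the talk's code) of the detection logic run over constructed telemetry records; the valid numbers in the sample are well-known test PANs, not real cards, and the record format is invented for the example.

```python
"""
Added example: find candidate card numbers in text and keep only those that
pass the Luhn checksum. Sample records are constructed; 4111111111111111 and
5500000000000004 are standard test PANs.
"""
import re

# 13-19 digits, optionally separated by single spaces or dashes; the
# lookarounds stop us from matching the middle of a longer digit string.
CANDIDATE_RE = re.compile(r"(?<![\d-])(?:\d[ -]?){12,18}\d(?![\d-])")


def luhn_ok(digits):
    """Luhn mod-10 check over a string of digits."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text):
    """Return the Luhn-valid candidates found in text, digits only."""
    hits = []
    for m in CANDIDATE_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            hits.append(digits)
    return hits


def mask(pan):
    """First six and last four: the most PCI DSS 3.1 allows to be displayed."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_records(records):
    """Scan constructed telemetry records; return a report per record id.
    Only masked PANs are kept, so the report itself does not become CHD."""
    report = {}
    for rec_id, body in records.items():
        pans = find_pans(body)
        report[rec_id] = {"chd_detected": bool(pans), "masked": [mask(p) for p in pans]}
    return report


# Constructed sample records an OSP might receive from a store network.
SAMPLE = {
    "tank-001": "tank=3 volume=7421.5 temp=61.2 probe=OK serial=1234567890123456789",
    "pos-017":  "receipt 4111 1111 1111 1111 exp 12/19 total 42.10",
    "pos-018":  "receipt 5500-0000-0000-0004 auth 7331",
    "pos-019":  "note: order 4111111111111112 rejected",
}

if __name__ == "__main__":
    for rec, r in scan_records(SAMPLE).items():
        print(rec, "CHD DETECTED" if r["chd_detected"] else "clean", r["masked"])
```

The 19-digit probe serial and the order number that differs from a test PAN by one digit both fail the checksum, which is the false-positive reduction the slide refers to. Note that the alert must carry the masked form only: logging the full PAN would turn the log server into part of the cardholder data environment.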

Page 33: Customer Case Study: Achieving PCI Compliance in AWS

LSVPN

1. Amazon Data Centers
2. Geo-located OSPs
3. Palo Alto Networks VM-300 Portal
4. Palo Alto Networks VM-300 Satellites
5. Connecting LSVPN.
6. GlobalProtect to WR-defined satellites.

Key: LSVPN Tunnel; GlobalProtect; AWS Data Center; OSPs; Palo Alto Networks VM-Series.

Nodes in the diagram: PORTAL, CA.SAT01, CA.SAT02, OR.SAT01, VA.SAT01.

Page 34: Customer Case Study: Achieving PCI Compliance in AWS

ADDS & Group Policy

Break devices into organizational units.
• Geography
• Customer type
• …really anything

Advantages of ADDS
• Sync with Palo Alto Networks firewalls.
• Remote devices addressable by DNS.
• Powerful tools available.

Group Policy
• "Touch one, configure many."
• Floor-to-ceiling security model.

Diagram: the LSVPN portal private network (Virginia) holds the Portal and Active Directory servers; the satellite private network (Oregon, Satellite 1) holds its own Active Directory servers; the OSPs sit behind the satellites.

Group Policy Hierarchy: Default PCI Policy → Customer A Policy → Site 1 Policy.

Page 35: Customer Case Study: Achieving PCI Compliance in AWS

Logging & Controlling Access to OSP Units

PCI Requirement
• "Must control & log access to the PCI DSS environment."

Jump Server
• Single access point for authorized staff, behind M.F.A.

Log Server
• Central "log aggregation" and alerting.
• Synchronization with tools like Splunk.

Diagram: RDP from on-premise staff, through M.F.A and the Jump server, to the Portal and Satellites 1, 2 and 3, and on to the Customer A, B and C OSPs.
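A jump server only controls access if the log server also catches sessions that go around it. The following is an added example (not the talk's tooling and not Splunk) of the correlation a log server should run for the "single access point" rule: every RDP logon on an OSP must come from the jump host and must be preceded by a successful MFA logon for the same user on that jump host. The key=value log format, host names, user names, addresses and the 8-hour session window are all constructed assumptions.

```python
"""
Added example: detect RDP access to OSPs that bypasses the jump server, comes
from an unauthorized account, or has no recent MFA session behind it. The log
lines, names, addresses and the session window are constructed.
"""
from datetime import datetime, timedelta

JUMP_HOSTS = {"10.50.0.10"}                 # assumed address of the jump server
AUTHORIZED = {"WR\\jdoe", "WR\\asmith"}     # assumed staff allowed to reach OSPs
MFA_WINDOW = timedelta(hours=8)             # assumed maximum jump-session lifetime

# Constructed sample: one line per event, as a syslog forwarder might emit them.
LOG = """\
2016-08-11T09:55:02Z src_host=jump01 event=logon user=WR\\jdoe src=203.0.113.7 mfa=success
2016-08-11T10:02:13Z src_host=osp-ca-0001 event=rdp_logon user=WR\\jdoe src=10.50.0.10
2016-08-11T10:40:51Z src_host=osp-or-0042 event=rdp_logon user=WR\\asmith src=10.50.0.10
2016-08-11T11:15:09Z src_host=osp-va-0007 event=rdp_logon user=WR\\jdoe src=192.168.3.25
2016-08-11T12:01:44Z src_host=osp-ca-0002 event=rdp_logon user=WR\\contractor src=10.50.0.10
"""


def parse_line(line):
    """Split 'timestamp k=v k=v ...' into a dict with a datetime under 'ts'."""
    ts, _, rest = line.partition(" ")
    fields = dict(kv.split("=", 1) for kv in rest.split())
    fields["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return fields


def parse_log(text):
    return [parse_line(l) for l in text.splitlines() if l.strip()]


def detect(events):
    """Return a list of (timestamp, osp_host, user, reason) alerts."""
    mfa_ok = {}   # user -> time of the latest successful MFA logon on the jump host
    alerts = []
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["event"] == "logon" and e.get("mfa") == "success":
            mfa_ok[e["user"]] = e["ts"]
            continue
        if e["event"] != "rdp_logon":
            continue
        reasons = []
        if e["src"] not in JUMP_HOSTS:
            reasons.append("bypassed jump server")
        if e["user"] not in AUTHORIZED:
            reasons.append("unauthorized user")
        last = mfa_ok.get(e["user"])
        if last is None or e["ts"] - last > MFA_WINDOW:
            reasons.append("no recent MFA session")
        for r in reasons:
            alerts.append((e["ts"], e["src_host"], e["user"], r))
    return alerts


if __name__ == "__main__":
    for ts, host, user, reason in detect(parse_log(LOG)):
        print(f"{ts.isoformat()} {host} {user}: {reason}")
```

The source-address check alone is not enough: an attacker who lands on the jump host inherits its address, which is why the correlation also demands a matching MFA logon for the same account inside the window. Both checks depend on the OSP logs and the jump-server logs arriving at the same log server with synchronized clocks.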

Page 36: Customer Case Study: Achieving PCI Compliance in AWS

Access Policies

An Ideal Access Policy for Easy PCI Compliance

• AWS has no preferred access method to EC2 instances.
• OpenVPN is frequently used, but:
  • Cannot base access policies on applications or people.
  • No data filtering on policies.
  • Policies by IP assignment only.

Page 37: Customer Case Study: Achieving PCI Compliance in AWS

Making Compliance Easy with Palo Alto Networks

Least Access Control
• Active Directory
• Proof of policy controls: App-ID, User-ID, Content-ID

Logging & Flexibility
• Changes are unavoidable for productive organizations.

Segmentation, segmentation, segmentation!
• Reduced Scope = Reduced Cost
• Reduced Scope = Reduced Threat

Flat Network v. Segmented Network

                            Flat Network    Segmented Network
Cardholder servers          4               4
Total servers               100             100
Open to audit scope         100             4
Reduction of audit scope    0%              96%

In a flat network the whole network is in scope; in a segmented network only the CHD network is, and the non-CHD network falls out of scope. Segmentation only reduces scope if it is verified: PCI DSS 3.1 requirement 11.3.4 calls for penetration tests, at least annually and after any change to the segmentation controls, to confirm that they actually isolate the cardholder data environment.

Page 38: Customer Case Study: Achieving PCI Compliance in AWS

Some Tips Before I Go…

Reach beyond PCI requirements for security.
• If you don't have a security plan, use PCI as a baseline.

Avoid expensive mistakes!
• Involve a QSA, a Palo Alto Networks engineer, and your team on all major design decisions.

Remember, a single credit card number is a liability.
• Cost of CHD compromise > cost of PCI compliance.

Evaluate whether or not you can eliminate the reasons for necessary compliance.
• Ensure the benefit of touching CHD is greater than the liability.

Compliance with and without Palo Alto Networks
• "Uncertainty in Compliance" v. "Certainty in Compliance"

Page 39: Customer Case Study: Achieving PCI Compliance in AWS

Learn More at

Booth XYZ

Page 40: Customer Case Study: Achieving PCI Compliance in AWS


Matt McLimans, Senior Network Security Engineer

August 11, 2016

Thank you

Questions?