DockerCon EU 2015: Docker and PCI-DSS - Lessons learned in a security sensitive environment

35 slides

Docker and PCI-DSS – Lessons learned in a security sensitive environment
Dr. Udo Seidel, Chief Architect & Digital Evangelist

Upload: docker-inc

Post on 07-Jan-2017


TRANSCRIPT

Page 1: DockerCon EU 2015: Docker and PCI-DSS - Lessons learned in a security sensitive environment

Docker and PCI-DSS – Lessons learned in a security sensitive environment

Dr. Udo Seidel
Chief Architect & Digital Evangelist

Page 2

Agenda

● Introduction
  – About Udo
  – About Amadeus
● Behind the scenes
  – The overall trigger
  – Here comes Docker
  – Framework details
● PCI-DSS
  – 2.2.2
  – 5.2
  – 8.1.3
  – 10.2.2
● Lessons learned
  – SecOps
  – Security Architect
  – KISS
  – ...

Page 3

Introduction
About Udo and Amadeus

Page 4

About me :-)

● Teacher of mathematics and physics
● PhD in experimental physics
● Started with Linux in 1996
● With Amadeus since 2006
● Before:
  – Linux/UNIX trainer
  – Solution Engineer in HPC and CAx environment
● Now: Architecture & Technical Governance aka CTO

Page 5

Page 6

Behind the scenes
More details about our Docker journey

Page 7

The overall trigger

● Customer project
  – New customer
  – New requirements
  – New chances and challenges
● Changes on Amadeus side
  – Personnel changes
  – Digitalization
  – Externally driven

Page 8

Here comes Docker

● Huge topic at Red Hat Summit: April 2014
● Internal discussions
  – 'Native' joint interest of OPS and DEV
  – DEV & OPS Architects: April 2014
  – Introduction to project architecture: Summer 2014
● Why?
  – The 'usual suspects'
  – Solution of the traditional OPS-DEV challenge
    ● Application patch management
    ● Administrative access

Page 9

Framework details

● Technical
  – OpenStack as IaaS
    ● 3 installations
    ● VMware based
  – Management
    ● Orchestration via OpenShift
    ● Teaming up with Red Hat
● Security
  – Internal
    ● Corporate Office
    ● Global Operations Office
    ● SOC
    ● Community
  – External
    ● PCI-DSS
    ● SSAE-16
    ● ISO 27001

Page 10

PCI-DSS

● Payment Card Industry – Data Security Standard
● VISA, MasterCard, American Express, …
● Administration via Council
● 6 Control objectives
  – Build and maintain a secure network
  – Protect cardholder data
  – Maintain a vulnerability management program
  – Implement strong access control measures
  – Regularly monitor and test networks
  – Maintain an information security policy
● Current version: 3.1 (115 pages)

Page 11

Some of the hiccups

The hypervisor is insecure!

Physical separation rules!

Who is responsible for firewall policies?

Who is responsible for network topology?

Page 12

PCI-DSS
Some case studies

Page 13

Before you start

Don't overcomplicate things.

Re-use what is already there.

It might be easier than you think.

Page 14

Requirement 2.2.2

Enable only necessary services, protocols, daemons, etc., as required for the function of the system.

● Outside Docker
  – Business as usual
  – Re-use existing
● Inside Docker
  – Similar to outside
  – Review of Dockerfile and software source
● Overall
  – Even better due to separation of software, processes, ..

Page 15

Requirement 2.2.2 - Amadeus

Enable only necessary services, protocols, daemons, etc., as required for the function of the system.

● See previous slide :-)
● Grouping of Containers
  – OpenShift Pods
  – Smallest Deployable Unit
  – Application Unit (Component)

Page 16

Requirement 5.2

Ensure that all anti-virus mechanisms are maintained as follows: Are kept current, Perform periodic scans, Generate audit logs which are retained per PCI DSS Requirement 10.7.

● Outside Docker
  – Business as usual
  – Re-use existing
● Inside Docker
  – Similar to outside
  – Review of Dockerfile and software source
● Overall
  – No real change to the world without Docker

Page 17

Requirement 5.2 - Amadeus

Ensure that all anti-virus mechanisms are maintained as follows: Are kept current, Perform periodic scans, Generate audit logs which are retained per PCI DSS Requirement 10.7.

● See previous slide :-)
● Scanning discussion
  – Scan engine towards Container - internal
  – Container towards Scan engine - external

Page 18

Requirement 8.1.3

Immediately revoke access for any terminated users.

● Outside Docker
  – Business as usual
  – Re-use existing
● Inside Docker
  – Avoid personal users
  – Review of Dockerfile and software source
● Overall
  – Even better due to separation of software, processes, ..
  – Big Plus: 'Hands-off'

Page 19

Requirement 8.1.3 - Amadeus

Immediately revoke access for any terminated users.

● See previous slides :-)
● Jump server for access
  – Personal users via directory service
  – Only place with personal users
● Application users
  – Container and Host level
  – Special treatment ... anyway
  – Shell to be removed (soon)
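The two "Inside Docker" points above (requirement 2.2.2: only necessary daemons and ports; requirement 8.1.3: no personal users, application user without a login shell) both come down to a review of the Dockerfile. The following is an added example of such a review as a script, not Amadeus' tooling and not code from the deck. The two sample Dockerfiles, the required-port list and the daemon-package list are constructed for the example and stand in for the system's own inventory.

```python
"""Static review of a Dockerfile against two of the points discussed in the
deck: PCI-DSS 2.2.2 (only necessary services, daemons and ports) and 8.1.3
(application user only, no login shell, no root at runtime). Added example;
the sample Dockerfiles and the lists below are constructed, not project data."""

import re

# Ports the application is documented to need (assumption for the example).
REQUIRED_PORTS = {8443}

# Packages that start a daemon the application itself does not need
# (assumed list; in practice derived from the service inventory).
UNNEEDED_DAEMON_PACKAGES = {"openssh-server", "telnetd", "vsftpd", "cron", "rsyslog"}

# Shells that would let a user log in interactively inside the container.
LOGIN_SHELLS = {"/bin/sh", "/bin/bash", "/bin/zsh", "/bin/dash", "/usr/bin/bash"}

# Constructed "before" Dockerfile: SSH daemon, personal user with a shell,
# extra port, runs as root.
WEAK_DOCKERFILE = """\
FROM debian:bookworm-slim
RUN apt-get update && apt-get install -y openssh-server python3
RUN useradd -m -s /bin/bash udo
EXPOSE 22 8443
CMD ["python3", "-m", "http.server", "8443"]
"""

# Constructed "after" Dockerfile: only the application, an application user
# with no login shell, only the documented port.
HARDENED_DOCKERFILE = """\
FROM debian:bookworm-slim
RUN apt-get update && apt-get install -y --no-install-recommends python3 \\
    && rm -rf /var/lib/apt/lists/*
# application user only, no login shell (8.1.3 / "shell to be removed")
RUN useradd -r -s /usr/sbin/nologin app
USER app
EXPOSE 8443
CMD ["python3", "-m", "http.server", "8443"]
"""

USERADD_SHELL_RE = re.compile(r"(?:useradd|adduser)\b[^&;|]*?(?:-s|--shell)[ =](\S+)")


def _instructions(dockerfile_text):
    """Yield (INSTRUCTION, argument) pairs; joins backslash-continued lines."""
    buf = ""
    for raw in dockerfile_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        line = buf + line
        buf = ""
        instr, _, arg = line.partition(" ")
        yield instr.upper(), arg.strip()


def review_dockerfile(text):
    """Return a list of findings, tagged with the PCI-DSS requirement they touch."""
    findings = []
    final_user = None
    for instr, arg in _instructions(text):
        if instr == "EXPOSE":
            for spec in arg.split():
                port = int(spec.split("/")[0])
                if port not in REQUIRED_PORTS:
                    findings.append(f"2.2.2: port {port} exposed but not in the required-port list")
        elif instr == "RUN":
            for pkg in sorted(UNNEEDED_DAEMON_PACKAGES & set(arg.split())):
                findings.append(f"2.2.2: RUN installs daemon package '{pkg}'")
            m = USERADD_SHELL_RE.search(arg)
            if m and m.group(1) in LOGIN_SHELLS:
                findings.append(f"8.1.3: user created with login shell {m.group(1)}")
        elif instr == "USER":
            final_user = arg  # the last USER instruction wins at runtime
    if final_user is None or final_user.split(":")[0] in ("root", "0"):
        findings.append("8.1.3: container runs as root (no non-root USER instruction)")
    return findings


if __name__ == "__main__":
    for name, text in (("weak", WEAK_DOCKERFILE), ("hardened", HARDENED_DOCKERFILE)):
        print(name, review_dockerfile(text) or ["no findings"])
```

The check only looks at the Dockerfile; the deck's "review of software source" step (what the image's own entrypoint starts) still needs a look at the running container, for example with `docker top` or a process listing, since a daemon can be started from the CMD without ever appearing in a package install line.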

Page 20

Requirement 10.2.2

Implement automated audit trails for all system components to reconstruct all actions taken by any individual with root or administrative privileges.

● Outside Docker
  – Business as usual
  – Re-use existing
● Inside Docker
  – Similar to outside
  – Review of Dockerfile and software source
● Overall
  – Even better due to separation of software, processes, ..
  – Big Plus: 'Hands-off'

Page 21

Requirement 10.2.2 - Amadeus

Implement automated audit trails for all system components to reconstruct all actions taken by any individual with root or administrative privileges.

● See … (you should be able to complete it yourself)
● Jump server only for these activities
  – Questions similar to scanning
  – Access secured via SSH keys
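With privileged work funnelled through a jump server that only accepts SSH keys, the audit trail for 10.2.2 can be rebuilt from two log sources: sshd's "Accepted publickey" lines (which individual, from where, which key fingerprint) and sudo's command lines (what they ran as root). The script below is an added example of that reconstruction, not Amadeus' tooling and not code from the deck. The log lines are constructed for the example (OpenSSH and sudo syslog formats, with a made-up hostname, users, addresses and fingerprint); it also flags what should not appear on such a host: a password login attempt and a privileged command from an account that never authenticated with a key.

```python
"""Rebuild the per-person privileged-action trail from a jump server's sshd
and sudo log lines (PCI-DSS 10.2.2). Added example; SAMPLE_LOG is constructed
and mimics OpenSSH / sudo syslog output, it is not real data."""

import re

# Constructed log excerpt: one key-authenticated session by a personal user,
# two sudo commands in it, a password attempt against root, and a sudo
# command by an application account that never logged in via a key.
SAMPLE_LOG = """\
Nov 16 10:02:11 jump01 sshd[4711]: Accepted publickey for udo from 10.10.1.5 port 51234 ssh2: ED25519 SHA256:c0nstructedFingerprintForExample
Nov 16 10:02:30 jump01 sudo:      udo : TTY=pts/0 ; PWD=/home/udo ; USER=root ; COMMAND=/usr/bin/docker exec app01 cat /etc/hosts
Nov 16 10:03:02 jump01 sudo:      udo : TTY=pts/0 ; PWD=/home/udo ; USER=root ; COMMAND=/usr/bin/systemctl restart docker
Nov 16 10:05:40 jump01 sshd[4711]: Received disconnect from 10.10.1.5 port 51234:11: disconnected by user
Nov 16 10:07:00 jump01 sshd[4790]: Failed password for root from 203.0.113.9 port 40022 ssh2
Nov 16 10:08:15 jump01 sudo:      app : TTY=pts/1 ; PWD=/ ; USER=root ; COMMAND=/bin/sh
"""

TS = r"(?P<ts>\w{3} +\d+ [\d:]+)"
LOGIN_RE = re.compile(
    TS + r" \S+ sshd\[\d+\]: Accepted (?P<method>\w+) for (?P<user>\S+) from (?P<ip>\S+)"
    r" port \d+ ssh2(?:: (?P<keytype>\S+) (?P<fp>\S+))?")
FAILED_RE = re.compile(
    TS + r" \S+ sshd\[\d+\]: Failed (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)")
SUDO_RE = re.compile(
    TS + r" \S+ sudo: +(?P<user>\S+) : .*?USER=(?P<target>\S+) ; COMMAND=(?P<cmd>.*)$")


def build_audit_trail(log_text):
    """Return (trail, anomalies).

    trail maps each person to their key-authenticated sessions and the
    privileged commands they ran; anomalies lists events that break the
    'personal users, keys only' model of the jump server."""
    trail = {}
    anomalies = []
    for line in log_text.splitlines():
        m = LOGIN_RE.match(line)
        if m:
            entry = trail.setdefault(m["user"], {"sessions": [], "actions": []})
            entry["sessions"].append(
                {"at": m["ts"], "from": m["ip"], "method": m["method"], "key": m["fp"]})
            if m["method"] != "publickey":
                anomalies.append(f"{m['ts']}: {m['user']} logged in with {m['method']} (keys only expected)")
            continue
        m = FAILED_RE.match(line)
        if m:
            anomalies.append(f"{m['ts']}: failed {m['method']} login for {m['user']} from {m['ip']}")
            continue
        m = SUDO_RE.match(line)
        if m:
            entry = trail.get(m["user"])
            if entry is None or not entry["sessions"]:
                # privileged command with no key-authenticated session behind it:
                # cannot be attributed to an individual, which is what 10.2.2 demands
                anomalies.append(
                    f"{m['ts']}: privileged command by {m['user']} without a key-authenticated session: {m['cmd']}")
                continue
            entry["actions"].append({"at": m["ts"], "as": m["target"], "cmd": m["cmd"]})
    return trail, anomalies


def format_report(trail, anomalies):
    """Human-readable summary: who did what as root, and what to follow up."""
    lines = []
    for user, entry in trail.items():
        for s in entry["sessions"]:
            lines.append(f"{user}: session at {s['at']} from {s['from']} via {s['method']} key {s['key']}")
        for a in entry["actions"]:
            lines.append(f"  {a['at']} as {a['as']}: {a['cmd']}")
    for a in anomalies:
        lines.append(f"ANOMALY {a}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_report(*build_audit_trail(SAMPLE_LOG)))
```

Two practical notes: the attribution here rests on the key fingerprint, so the key-to-person mapping (the directory service on the deck's jump server) is part of the evidence and must be retained with the logs; and the logs should be shipped off the jump server before this kind of reconstruction is run, since an administrator with root on that host could otherwise edit them.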

Page 22

Amadeus Big Picture

Page 23

Amadeus PCI-DSS (8.1.3/10.2.2)

Page 24

Amadeus PCI-DSS (2.2.2/5.2)

Page 25

Additional Amadeus inside

● Patching via re-creation
● Self-built Docker registry
● Definitive Media Library
  – Source of truth
  – Connection to Software Factory
● Different security/network zones
  – External separation via load balancer
  – Internal via OpenShift placement rules
● Encryption for data in
  – Flight (SSH, TLS)
  – Rest (HSM)

Page 26

Lessons learned
The information you came here for

Page 27

General advice

Don't overcomplicate things.

Re-use what is already there.

People before technology!

Page 28

Security Architect
● Dedicated role/responsibility
● Technical and soft skills
● Sufficient standing
  – Internally
  – Externally

Early involvement
● Business goal
● Win-win situation
● Give and take

Common language
● Internal education
● External consultancy
  – Vendors
  – Customers
● Re-use existing dictionaries

Page 29

SecOps
● Member of DevOps team
● Remember: Security Champions for OPS
● Communication link to security organization

KISS
● Helicopter view for solution finding
● Always different solutions available

Team up
● Internally
  – DevOps and security organisation
  – DevOps and line organisation
● Externally
  – Vendors
  – Community
  – Partners

Page 30

Added value

Mobility

Abstraction/Separation

Ease of use

Page 31

Summary
30+ slides condensed in one … or two

Page 32

Take-Away

● Don't underestimate the non-technical side

● Don't forget what you already have

● 'Walk & talk' a lot

Page 33

Outlook

● Journey to be continued

● 'Porting' of other Amadeus applications

● Domino effect

Page 34

“Fortune favors the prepared mind.”

—Louis Pasteur

Page 35

Thank you!
Dr. Udo Seidel
@[email protected]