dockercon eu 2015: docker and pci-dss - lessons learned in a security sensitive environment
TRANSCRIPT
Docker and PCI-DSS – Lessons learned in a security sensitive environment
Dr. Udo Seidel, Chief Architect & Digital Evangelist
Agenda
● Introduction
– About Udo
– About Amadeus
● Behind the scenes
– The overall trigger
– Here comes Docker
– Framework details
● PCI-DSS
– 2.2.2
– 5.2
– 8.1.3
– 10.2.2
● Lessons Learned
– SecOps
– Security Architect
– KISS
– ...
Introduction: About Udo and Amadeus
About me :-)
● Teacher of mathematics and physics
● PhD in experimental physics
● Started with Linux in 1996
● With Amadeus since 2006
● Before:
– Linux/UNIX trainer
– Solution Engineer in HPC and CAx environments
● Now: Architecture & Technical Governance aka CTO
Behind the scenes: More details about our Docker journey
The overall trigger
● Customer project
– New customer
– New requirements
– New chances and challenges
● Changes on Amadeus side
– Personnel changes
– Digitalization
– Externally driven
Here comes Docker
● Huge topic at Red Hat Summit: April 2014
● Internal discussions
– 'Native' joint interest of OPS and DEV
– DEV & OPS Architects: April 2014
– Introduction to project architecture: Summer 2014
● Why?
– The 'usual suspects'
– Solution of the traditional OPS-DEV challenge
● Application patch management
● Administrative access
Framework details
● Technical
– OpenStack as IaaS
● 3 installations
● VMware based
– Management
● Orchestration via OpenShift
● Teaming up with Red Hat
● Security
– Internal
● Corporate Office
● Global Operations Office
● SOC
● Community
– External
● PCI-DSS
● SSAE-16
● ISO 27001
PCI-DSS
● Payment Card Industry – Data Security Standard
● VISA, MasterCard, American Express, …
● Administration via Council
● 6 Control objectives
– Build and maintain a secure network
– Protect cardholder data
– Maintain a vulnerability management program
– Implement strong access control measures
– Regularly monitor and test networks
– Maintain an information security policy
● Current version: 3.1 (115 pages)
Some of the hiccups
The hypervisor is insecure!
Physical separation rules!
Who is responsible for firewall policies?
Who is responsible for network topology?
PCI-DSS: Some case studies
Before you start
Don't overcomplicate things.
Re-use what is already there.
It might be easier than you think.
Requirement 2.2.2
Enable only necessary services, protocols, daemons, etc., as required for the function of the system.
● Outside Docker
– Business as usual
– Re-use existing
● Inside Docker
– Similar to outside
– Review of Dockerfile and software source
● Overall
– Even better due to separation of software, processes, ..
Requirement 2.2.2 - Amadeus
Enable only necessary services, protocols, daemons, etc., as required for the function of the system.
● See previous slide :-)
● Grouping of Containers
– OpenShift Pods
– Smallest Deployable Unit
– Application Unit (Component)
Requirement 5.2
Ensure that all anti-virus mechanisms are maintained as follows: Are kept current, Perform periodic scans, Generate audit logs which are retained per PCI DSS Requirement 10.7.
● Outside Docker
– Business as usual
– Re-use existing
● Inside Docker
– Similar to outside
– Review of Dockerfile and software source
● Overall
– No real change to the world without Docker
Requirement 5.2 - Amadeus
Ensure that all anti-virus mechanisms are maintained as follows: Are kept current, Perform periodic scans, Generate audit logs which are retained per PCI DSS Requirement 10.7.
● See previous slide :-)
● Scanning discussion
– Scan engine towards Container - internal
– Container towards Scan engine - external
Requirement 8.1.3
Immediately revoke access for any terminated users.
● Outside Docker
– Business as usual
– Re-use existing
● Inside Docker
– Avoid personal users
– Review of Dockerfile and software source
● Overall
– Even better due to separation of software, processes, ..
– Big Plus: 'Hands-off'
Requirement 8.1.3 - Amadeus
Immediately revoke access for any terminated users.
● See previous slides :-)
● Jump server for access
– Personal users via directory service
– Only place with personal users
● Application users
– Container and Host level
– Special treatment ..anyway
– Shell to be removed (soon)
Requirement 10.2.2
Implement automated audit trails for all system components to reconstruct all actions taken by any individual with root or administrative privileges.
● Outside Docker
– Business as usual
– Re-use existing
● Inside Docker
– Similar to outside
– Review of Dockerfile and software source
● Overall
– Even better due to separation of software, processes, ..
– Big Plus: 'Hands-off'
Requirement 10.2.2 - Amadeus
Implement automated audit trails for all system components to reconstruct all actions taken by any individual with root or administrative privileges.
● See … (you should be able to complete it yourself)
● Jump server only for these activities
– Questions similar to scanning
– Access secured via SSH keys
Amadeus Big Picture
Amadeus PCI-DSS (8.1.3/10.2.2)
Amadeus PCI-DSS (2.2.2/5.2)
Additional Amadeus inside
● Patching via re-creation
● Self-built Docker registry
● Definitive Media Library
– Source of truth
– Connection to Software Factory
● Different security/network zones
– External separation via Loadbalancer
– Internal via OpenShift placement rules
● Encryption for data
– in flight (SSH, TLS)
– at rest (HSM)
Lessons learned: The information you came here for
General advice
Don't overcomplicate things.
Re-use what is already there.
People before technology!
Security Architect
● Dedicated role/responsibility
● Technical and soft skills
● Sufficient standing
– Internally
– Externally
Early involvement
● Business goal
● Win-win situation
● Give and take
Common language
● Internal education
● External consultancy
– Vendors
– Customers
● Re-use existing dictionaries
SecOps
● Member of DevOps team
● Remember: Security Champions for OPS
● Communication link to security organization
KISS
● Helicopter view for solution finding
● Always different solutions available
Team up
● Internally
– DevOps and security organisation
– DevOps and line organisation
● Externally
– Vendors
– Community
– Partners
Added value
Mobility
Abstraction/Separation
Ease of use
Summary: 30+ slides condensed in one … or two
Take-Away
● Don't underestimate non-technical side
● Don't forget what you already have
● 'Walk&talk' a lot
Outlook
● Journey to be continued
● 'Porting' of other Amadeus applications
● Domino effect
“Fortune favors the prepared mind.”
— Louis Pasteur
Thank you!
Dr. Udo Seidel