Security and Compliance in the Cloud – Do it Right the First Time!
Startups that need compliance must follow a growing number of security standards – SOC 2, ISO 27001, PCI, HIPAA, and GDPR to name a few. Every standard gives rise to a list of hard-to-implement security controls. The nature of your product or service, the customers you sell to and the geographies you operate in will dictate the standards that you either need to comply with or map your policies and controls to align with.
Cloud providers like AWS have tried to help, but there is still significant effort left for startups to secure their infrastructure. Cloud providers give you the raw materials necessary to remain compliant, but you’ll have to learn how to use them.
It may be easier to envision the scale of the compliance challenge by working through an example. Let's take an organization that maps its controls to PCI DSS, either because it handles payment card data or because it sells to security-sensitive customers who want assurance about the underlying controls. For each control, you'll have to work out which cloud services to configure, and how, to end up with compliant infrastructure.
Let’s walk through four PCI requirements and how to implement each one in AWS.
Firewall Requirements
PCI has several requirements regarding network architecture and firewall barriers. For example, requirement 1.1.4 (PCI DSS v3.x numbering) calls for a "firewall at each Internet connection and between any demilitarized zone (DMZ) and the internal network zone."
Segmentation is the goal. Your network can’t allow traffic to move freely to wherever it wants. You need to set up rules and carefully guard sensitive areas of the system.
In AWS, we'd suggest implementing this requirement with a mixture of services. Testing, staging, and production environments should each live in their own VPC (separate accounts are better still), with public-facing subnets acting as the DMZ and application and data tiers in private subnets that have no route from the Internet. Security Groups are your stateful, instance-level firewall: they are allow-lists with an implicit deny, so lock everything down and open only the ports each tier needs, preferably to a source security group rather than a CIDR range. Network ACLs add a stateless, subnet-level layer if you need explicit deny rules. IAM policies and Instance Profiles control what the software on those instances may call. AWS WAF, attached to the load balancer, CloudFront distribution or API Gateway at the perimeter, filters HTTP(S) traffic at layer 7.
Services that run inside your VPC, such as RDS and Amazon Elasticsearch Service (now OpenSearch Service), should be isolated with security groups. Services reached over the AWS API, such as DynamoDB, S3, SQS, and Secrets Manager, have no security group and must be isolated with IAM policies (and, where available, VPC endpoint policies). Lambda sits in both camps: a function attached to your VPC gets security groups for the traffic it originates, while IAM governs who may invoke it and what its execution role may touch.
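As an added example (not DuploCloud's code, and not an AWS tool), here is a small audit script that checks security-group definitions, in the shape returned by `aws ec2 describe-security-groups`, for the segmentation mistakes discussed above: anything other than the perimeter port open to the Internet, data-tier ports reachable from a CIDR block instead of a source security group, and "all traffic" rules. The three sample groups are constructed; the allowed perimeter port (443) and the list of data-tier ports are assumptions to adjust for your stack.

```python
"""Audit security-group ingress rules for the segmentation mistakes PCI 1.x targets."""

# Ports a perimeter group may expose to the Internet (assumption: HTTPS only).
PUBLIC_OK_PORTS = {443}
# Data-tier ports that must only be reachable from another security group,
# never from a CIDR block (assumption: PostgreSQL, MySQL, Elasticsearch/OpenSearch).
DATA_PORTS = {5432, 3306, 9200}
ANYWHERE = {"0.0.0.0/0", "::/0"}


def _port_range(perm):
    """Inclusive port range covered by one IpPermissions entry."""
    if perm.get("IpProtocol") == "-1":            # "All traffic" has no ports set
        return 0, 65535
    return perm.get("FromPort", 0), perm.get("ToPort", 65535)


def _cidr_sources(perm):
    return ([r["CidrIp"] for r in perm.get("IpRanges", [])]
            + [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])])


def audit_security_group(sg):
    """Return (group-id, message) findings for one security group."""
    gid, findings = sg["GroupId"], []
    for perm in sg.get("IpPermissions", []):
        lo, hi = _port_range(perm)
        cidrs = _cidr_sources(perm)
        if perm.get("IpProtocol") == "-1":
            sources = cidrs + [p["GroupId"] for p in perm.get("UserIdGroupPairs", [])]
            findings.append((gid, f"allows all protocols and ports from {sources}"))
        for cidr in cidrs:
            if cidr in ANYWHERE:
                # Internet-facing: only the perimeter port, and only as a single port.
                if not (lo == hi and lo in PUBLIC_OK_PORTS):
                    findings.append((gid, f"ports {lo}-{hi} exposed to the Internet via {cidr}"))
                continue
            exposed = sorted(p for p in DATA_PORTS if lo <= p <= hi)
            if exposed:
                findings.append((gid, f"data ports {exposed} open to CIDR {cidr}; "
                                      "reference the app-tier security group instead"))
    return findings


def audit_security_groups(groups):
    """Flatten findings over a describe-security-groups style list."""
    return [f for sg in groups for f in audit_security_group(sg)]


# Constructed sample in the shape of `aws ec2 describe-security-groups` output.
SAMPLE_GROUPS = [
    {"GroupId": "sg-web", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,     # SSH from anywhere
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    ]},
    {"GroupId": "sg-db", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,  # correct: SG source
         "UserIdGroupPairs": [{"GroupId": "sg-app"}]},
        {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,  # wrong: whole private range
         "IpRanges": [{"CidrIp": "10.0.0.0/8"}]},
    ]},
    {"GroupId": "sg-legacy", "IpPermissions": [
        {"IpProtocol": "-1", "UserIdGroupPairs": [{"GroupId": "sg-bastion"}]},  # all traffic
    ]},
]

if __name__ == "__main__":
    for gid, msg in audit_security_groups(SAMPLE_GROUPS):
        print(f"{gid}: {msg}")
```

Run against real output by loading the `SecurityGroups` list from `aws ec2 describe-security-groups --output json` and passing it to `audit_security_groups`. The check is deliberately strict about CIDR sources on data ports: a security-group reference survives re-addressing and autoscaling, while a CIDR rule tends to widen over time.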
Identifying and Resolving Security Vulnerabilities
PCI requirement 6.1 asks you to establish a process to identify security vulnerabilities, using reputable outside sources for vulnerability information, and to assign each newly discovered vulnerability a risk ranking (for example, "high" or "critical"). How can you accomplish this in AWS?
Automation is your best friend in application security. As the speed of development increases, security must keep up. And while there will always be a place for humans to dig into applications through penetration testing to find tricky vulnerabilities, automation will help you find the “low-hanging fruit.”
Amazon Inspector is an API-driven service that scans your EC2 instances (and, in its current version, container images in ECR and Lambda functions) for known software vulnerabilities and unintended network exposure, and reports findings with a severity. Once configured it runs automatically, but an administrator still has to decide which resources are in scope and what to do with the results.
Other tools can automate this as well, such as Wazuh, an open source security platform that pairs host-based agents (vulnerability detection, file integrity monitoring, log collection) with a SIEM-style dashboard. As with Inspector, there is effort in the initial setup. Once configured, though, the scans run continuously and can catch vulnerable packages before a build reaches production, and they keep looking afterwards so that anything that does slip in is found before an attacker exploits it. Neither tool replaces the triage step: someone still has to rank each finding and track it to remediation.
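The risk-ranking half of requirement 6.1 is where scanner output meets your own context. The following added example (not Inspector or Wazuh code) ranks scanner findings by adjusting the reported severity for exploit availability and Internet exposure, assigns a remediation deadline per rank, and turns the result into a deployment gate. The findings are constructed and loosely follow Inspector v2 field names (`severity`, `exploitAvailable`, `fixAvailable`, `firstObservedAt`); the `internet_exposed` flag and the SLA table are assumptions you would derive from your own inventory and policy.

```python
"""Assign PCI 6.1 risk rankings to scanner findings and gate a deployment on them."""
from datetime import date, timedelta

SEVERITY_ORDER = ["LOW", "MEDIUM", "HIGH", "CRITICAL"]
# Remediation deadline per rank in days. Assumption: PCI 6.2 wants critical
# patches installed within a month; the other values are our own policy.
SLA_DAYS = {"critical": 30, "high": 30, "medium": 90, "low": 180}


def risk_rank(finding):
    """Scanner severity adjusted for context: bump one level when a public
    exploit exists for something reachable from the Internet, drop one level
    when neither is true. Returns one of critical/high/medium/low."""
    level = SEVERITY_ORDER.index(finding.get("severity", "LOW").upper())
    exploit = finding.get("exploitAvailable") == "YES"
    exposed = bool(finding.get("internet_exposed"))
    if exploit and exposed:
        level = min(level + 1, len(SEVERITY_ORDER) - 1)
    elif not exploit and not exposed:
        level = max(level - 1, 0)
    return SEVERITY_ORDER[level].lower()


def triage(findings):
    """Attach a rank and a due date to each finding, most urgent first."""
    ranked = []
    for f in findings:
        rank = risk_rank(f)
        first_seen = date.fromisoformat(f["firstObservedAt"][:10])
        ranked.append({**f, "rank": rank, "due": first_seen + timedelta(days=SLA_DAYS[rank])})
    return sorted(ranked, key=lambda f: (-SEVERITY_ORDER.index(f["rank"].upper()), f["due"]))


def deploy_gate(findings, today_iso):
    """Return (ok, blocking): blocking lists every finding ranked critical or
    already past its deadline. `today_iso` is passed in to keep the check deterministic."""
    today = date.fromisoformat(today_iso)
    blocking = [f for f in triage(findings) if f["rank"] == "critical" or f["due"] < today]
    return not blocking, blocking


# Constructed findings; `internet_exposed` is not a scanner field but an
# assumption derived from your own inventory (public IP, ALB target, etc.).
SAMPLE_FINDINGS = [
    {"id": "F-1", "severity": "HIGH", "exploitAvailable": "YES", "fixAvailable": "YES",
     "internet_exposed": True, "firstObservedAt": "2024-05-01T08:00:00Z"},
    {"id": "F-2", "severity": "HIGH", "exploitAvailable": "NO", "fixAvailable": "YES",
     "internet_exposed": False, "firstObservedAt": "2024-05-01T08:00:00Z"},
    {"id": "F-3", "severity": "MEDIUM", "exploitAvailable": "NO", "fixAvailable": "NO",
     "internet_exposed": True, "firstObservedAt": "2024-05-01T08:00:00Z"},
    {"id": "F-4", "severity": "LOW", "exploitAvailable": "NO", "fixAvailable": "YES",
     "internet_exposed": False, "firstObservedAt": "2023-01-01T08:00:00Z"},
]

if __name__ == "__main__":
    ok, blocking = deploy_gate(SAMPLE_FINDINGS, "2024-06-01")
    print("deploy allowed" if ok else "blocked by: " + ", ".join(f["id"] for f in blocking))
```

Note that the gate blocks on an overdue low-severity finding as well as on anything critical: the point of a ranking with deadlines is that "low" means "fix within six months", not "ignore".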
Restricting Access to Cardholder Data
PCI Requirement 7 states that you must “restrict access to cardholder data by business need to know.” You’ll need to know who has access to what within your application and when they can access it.
Restricting access in a cloud environment can be challenging because you require administrators to configure the services that your application needs to work. How can you limit access while allowing the admins to do their jobs?
Orchestrating access control will require careful use of AWS Security Groups, IAM, and short-lived federated credentials. Have admins assume a role through STS (ideally via SSO federation) so that their credentials expire within an hour or less, and require MFA on that role. Whitelist trusted IPs with an aws:SourceIp condition, and scope each role to only the areas of your environment that its holder's job actually requires.
The whitelist of IPs and the security groups will need to be kept up to date so that no holes open when personnel change. Keep a tight grip on access control in your cloud environment.
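The combination of "need to know", MFA and a trusted-IP whitelist is expressed in an IAM policy. The following added example (not AWS code) writes such a policy for an operations-admin role and includes a deliberately minimal reimplementation of IAM's decision logic (explicit Deny wins, then any matching Allow, otherwise implicit deny) so that the policy's intent can be unit-tested before it is deployed. The account ID, role name and the office egress range 203.0.113.0/24 are placeholders; resource matching and most condition operators are omitted, so treat it as a test harness for intent, not a substitute for the IAM policy simulator.

```python
"""Minimal IAM policy evaluator for need-to-know checks (added example, not AWS code)."""
import fnmatch
import ipaddress

# Policy for an operations-admin role. Assumptions: the office egress range is
# 203.0.113.0/24 (a documentation range); no statement grants access to the
# cardholder-data bucket, so s3:GetObject on it is implicitly denied.
OPS_ADMIN_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["rds:Describe*", "rds:RebootDBInstance", "logs:*"],
         "Resource": "*",
         "Condition": {
             "Bool": {"aws:MultiFactorAuthPresent": "true"},
             "IpAddress": {"aws:SourceIp": ["203.0.113.0/24"]}}},
        {"Effect": "Deny",            # belt and braces: nothing at all from elsewhere
         "Action": "*",
         "Resource": "*",
         "Condition": {"NotIpAddress": {"aws:SourceIp": ["203.0.113.0/24"]}}},
    ],
}


def _as_list(v):
    return v if isinstance(v, list) else [v]


def _action_matches(patterns, action):
    """IAM action names are case-insensitive and support '*' and '?' wildcards."""
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in _as_list(patterns))


def _condition_holds(condition, ctx):
    """Evaluate the operators this example uses. Simplification of IAM: a key
    missing from the request context fails the test except for Not* operators."""
    for op, pairs in condition.items():
        for key, expected in pairs.items():
            actual, values = ctx.get(key), _as_list(expected)
            if actual is None:
                ok = op.startswith("Not")
            elif op == "Bool":
                ok = str(actual).lower() == values[0].lower()
            elif op in ("IpAddress", "NotIpAddress"):
                ip = ipaddress.ip_address(actual)
                inside = any(ip in ipaddress.ip_network(c, strict=False) for c in values)
                ok = inside if op == "IpAddress" else not inside
            elif op == "StringEquals":
                ok = actual in values
            else:
                raise ValueError(f"unsupported condition operator {op}")
            if not ok:
                return False
    return True


def evaluate(policy, action, ctx):
    """IAM decision order: explicit Deny wins, then any matching Allow,
    otherwise implicit deny. Resource matching is omitted for brevity."""
    decision = "deny"
    for stmt in policy["Statement"]:
        if not _action_matches(stmt["Action"], action):
            continue
        if not _condition_holds(stmt.get("Condition", {}), ctx):
            continue
        if stmt["Effect"] == "Deny":
            return "deny"
        decision = "allow"
    return decision


# Constructed request contexts: aws:SourceIp and aws:MultiFactorAuthPresent are
# real IAM condition keys; the IPs are documentation ranges.
OFFICE_MFA = {"aws:SourceIp": "203.0.113.25", "aws:MultiFactorAuthPresent": True}
OFFICE_NO_MFA = {"aws:SourceIp": "203.0.113.25", "aws:MultiFactorAuthPresent": False}
HOTEL_MFA = {"aws:SourceIp": "198.51.100.7", "aws:MultiFactorAuthPresent": True}

if __name__ == "__main__":
    for label, ctx in [("office+MFA", OFFICE_MFA), ("office, no MFA", OFFICE_NO_MFA),
                       ("hotel+MFA", HOTEL_MFA)]:
        print(label, "->", evaluate(OPS_ADMIN_POLICY, "rds:RebootDBInstance", ctx))
    print("cardholder bucket read, office+MFA ->", evaluate(OPS_ADMIN_POLICY, "s3:GetObject", OFFICE_MFA))
```

In production the admin obtains the credentials by calling `sts:AssumeRole` against a role whose trust policy requires MFA, with a `DurationSeconds` as short as the task allows; the policy above is then what those temporary credentials carry. The s3:GetObject case is the need-to-know point: nothing grants it, so it is denied without any explicit rule.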
Tracking and Monitoring
PCI Requirement 10 outlines the need to track and monitor all access to network resources and cardholder data. As your cloud environment grows, you’ll need more help to keep tabs on changes and user activity.
AWS CloudTrail records user activity and API usage. But you'll have to make sure that CloudTrail can't be disabled without your knowledge to hide someone's illicit activity. Use IAM (a Service Control Policy or an explicit Deny on cloudtrail:StopLogging, cloudtrail:DeleteTrail and cloudtrail:UpdateTrail) to prevent it from being turned off, enable log file validation, deliver the logs to a bucket in a separate account that the workload accounts cannot write to, and have AWS Config (the cloudtrail-enabled managed rule) and an EventBridge rule on StopLogging events alert you if anyone tries.
CloudTrail covers the API calls that create and change infrastructure, but not the resulting configuration state or what happens on the hosts themselves. AWS Config can keep a history of resource configuration; for OS-level events (logins, package changes, file integrity) you'll need a host agent and a log pipeline such as ELK. You can then bring the CloudTrail, Config and host data together in a single SIEM for dashboarding and alerting, such as Wazuh.
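What the alerting side of requirement 10 looks like in practice is a detection run over the trail itself. The following added example (not DuploCloud or Wazuh code) scans a CloudTrail log file for attempts to blind the audit trail, console logins without MFA, and security-group or NACL changes, escalating the latter when the change opens a port to the Internet. The records are constructed in CloudTrail's on-disk shape (`{"Records": [...]}` with `eventName`, `userIdentity`, `sourceIPAddress`, `errorCode`, `requestParameters`); the account ID, ARNs and IPs are placeholders.

```python
"""Detect audit-trail tampering and boundary changes in CloudTrail records."""
import json

TRAIL_TAMPER = {"StopLogging", "DeleteTrail", "UpdateTrail", "PutEventSelectors"}
NETWORK_CHANGE = {"AuthorizeSecurityGroupIngress", "RevokeSecurityGroupIngress",
                  "CreateNetworkAclEntry", "DeleteNetworkAclEntry", "ReplaceNetworkAclEntry"}


def _opens_to_internet(params):
    """True if the request parameters mention an any-source CIDR anywhere."""
    blob = json.dumps(params or {})
    return "0.0.0.0/0" in blob or "::/0" in blob


def classify(event):
    """Return (severity, reason) for an event worth alerting on, else None."""
    name = event.get("eventName")
    actor = event.get("userIdentity", {}).get("arn", "?")
    if name in TRAIL_TAMPER:
        # A denied attempt (errorCode set) still deserves a ticket: someone tried.
        if event.get("errorCode"):
            return "high", f"{actor} attempted {name} and was denied"
        return "critical", f"{actor} succeeded with {name}; trail may be blind from now on"
    if name == "ConsoleLogin":
        no_mfa = event.get("additionalEventData", {}).get("MFAUsed") == "No"
        success = event.get("responseElements", {}).get("ConsoleLogin") == "Success"
        if no_mfa and success:
            return "high", f"{actor} logged into the console without MFA"
    if name in NETWORK_CHANGE:
        sev = "high" if _opens_to_internet(event.get("requestParameters")) else "medium"
        return sev, f"{actor} changed a network boundary with {name}"
    return None


def detect(trail_file):
    """Scan one CloudTrail log file ({"Records": [...]}) and return alerts,
    most severe first."""
    order = {"critical": 0, "high": 1, "medium": 2}
    alerts = []
    for ev in json.loads(trail_file)["Records"]:
        hit = classify(ev)
        if hit:
            sev, reason = hit
            alerts.append({"severity": sev, "time": ev.get("eventTime"),
                           "source_ip": ev.get("sourceIPAddress"), "reason": reason})
    return sorted(alerts, key=lambda a: order[a["severity"]])


# Constructed records in CloudTrail's on-disk shape; the account ID, ARNs and
# IP addresses are placeholders.
SAMPLE_TRAIL = json.dumps({"Records": [
    {"eventTime": "2024-06-01T10:00:00Z", "eventSource": "cloudtrail.amazonaws.com",
     "eventName": "StopLogging", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/alice"},
     "requestParameters": {"name": "org-trail"}},
    {"eventTime": "2024-06-01T10:01:00Z", "eventSource": "cloudtrail.amazonaws.com",
     "eventName": "DeleteTrail", "sourceIPAddress": "198.51.100.7", "errorCode": "AccessDenied",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/alice"}},
    {"eventTime": "2024-06-01T09:30:00Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/alice"},
     "responseElements": {"ConsoleLogin": "Success"}, "additionalEventData": {"MFAUsed": "No"}},
    {"eventTime": "2024-06-01T10:05:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "AuthorizeSecurityGroupIngress", "sourceIPAddress": "203.0.113.25",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::123456789012:assumed-role/ops-admin/bob"},
     "requestParameters": {"groupId": "sg-db", "ipPermissions": {"items": [
         {"ipProtocol": "tcp", "fromPort": 5432, "toPort": 5432,
          "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]}}]}}},
    {"eventTime": "2024-06-01T10:06:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstances", "sourceIPAddress": "203.0.113.25",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::123456789012:assumed-role/ops-admin/bob"}},
]})

if __name__ == "__main__":
    for a in detect(SAMPLE_TRAIL):
        print(a["severity"].upper(), a["time"], a["source_ip"], a["reason"])
```

The same rules translate directly into SIEM correlation rules or an EventBridge pattern on `eventName`; the reason for also running them over the delivered log files is that a successful StopLogging is exactly the event a live pipeline may never receive, so the last records before the gap are worth reading.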
Current State – Manually Stitch Together Multiple Tools and Periodic Checks
So far, we’ve discussed just a few requirements to implement PCI compliance in AWS. We’ve only scratched the surface of compliance in the cloud.
From just these few requirements, you can see that the cloud is not a “push-button” solution.
And this is only one example. Remaining compliant with SOC 2, HIPAA, GDPR, NIST, and the host of other standards will require the same careful planning and execution.
Currently, most organizations spend months designing and implementing their cloud architecture. That fun cloud proof of concept you created to show off the latest amazing technology to your management stretches into months of architecture, design, and infrastructure before you get to build anything.
First, your team must stitch together many different software tools that help with compliance. Second, you must run periodic scans on your infrastructure and security controls after the resources are provisioned, remediating findings and always chasing compliance after the fact. Instead, applying the proper security and compliance controls during initial implementation places a secure foundation under your developers' code.
DevOps teams try to maintain control over infrastructure and application deployment processes to avoid any mistakes from developers. While centralizing control and access to a core team of DevOps individuals can improve security, it comes at the cost of developer freedom, self-service and productivity. Suddenly, developing software in the cloud begins to look the same as developing on-prem — delays, disappointment, and frustration.
Three things lead to successful cloud compliance:
You can help developers unlock the power and agility of cloud development while remaining compliant. But you must enable self-service for them as much as possible while maintaining security and compliance. The only way is to give them control of doing the things they want while hiding low-level details that can get them in trouble.
Prefer to Automate this entire process? Use DuploCloud’s Infrastructure as Code Automation Platform
Some companies may be okay spending a year (or more) coming up with the ideal cloud architecture and setting up all the automation required to use DevOps and the cloud safely.
This is some of what you’ll need for AWS:
To that end, we have created a world where all the Infrastructure-as-Code, infrastructure provisioning, including security and compliance controls, as well as application deployment tasks are automated and done right the first time.
What if you could implement all the controls necessary to remain compliant with PCI-DSS, GDPR, SOC 2, and HIPAA with the push of a button? That’s what DuploCloud delivers.
For example, DuploCloud maintains audit trails in two places in addition to CloudTrail: it logs all write events about infrastructure changes in an ELK cluster, and a Wazuh agent tracks all activity at the host level. All three sources (CloudTrail, the ELK audit log, and Wazuh agent events) are brought together in the Wazuh dashboard.
DuploCloud takes care of 75 out of 79 PCI Requirements for you, out-of-the-box. And that's only one example. Similar coverage is enabled for HIPAA, SOC 2, HITRUST, GDPR and many other standards. No other software provides more than 40% coverage, leaving the rest to be done via hand-written automation scripts.
A core differentiation is that DuploCloud implements these during provisioning, not bolted on after the fact.
For more information check out the following resources:
Our platform implements a compliant architecture for developers so they can develop the applications that differentiate your business. Sharpen your architecture skills, because you’ll need them to stay compliant while taking advantage of the latest cloud enhancements and use DuploCloud to speed time to market with a safe, compliant architecture built for you.