As part of Solutions Review’s Premium Content Series—a collection of contributed columns written by industry experts in maturing software categories—Venkat Thiruvengadam, the Founder and CEO of DuploCloud, shares some insights on ensuring security and compliance in cloud-based environments.
Compliance can be complex, especially with the growing number of security standards (SOC 2, ISO 27001, PCI, HIPAA, GDPR, etc.). Each standard brings its own set of requirements and hard-to-implement security controls. Additionally, the standards, policy mappings, and rules an organization needs to comply with differ depending on the nature of the product or service, the geographies served, and the customer focus.
Cloud providers like AWS have tried to help. However, they only provide the raw materials necessary to remain compliant, meaning there is still a significant effort for startups to secure their infrastructure. Three essential requirements lead to successful cloud compliance:
- Careful planning and execution
- Automation to provision the necessary controls while building out the infrastructure
- Ongoing maintenance to adapt to changing regulations and standards
Imagine an organization mapping its controls to PCI DSS—they are doing that because they manage payment card data or have security-sensitive customers. The company will need to think through the steps required for a compliant infrastructure, configuring cloud services for each control. This organization will have to enable several PCI requirements and implement each one in AWS to reach compliance. Some of the highlights of these requirements are summarized in the sections below.
Tracking and Monitoring
PCI Requirement 10 outlines the need to track and monitor all access to network resources and cardholder data. IT teams need help keeping tabs on changes and user activity as the cloud environment grows.
AWS CloudTrail can track user activity and API usage, but the team also needs assurance that CloudTrail cannot be disabled without its knowledge. AWS IAM and Config can be used to make sure CloudTrail can’t be disabled and to raise an alert if it is. CloudTrail covers user activity, but what about infrastructure changes? In this case, users should add another tool, like ELK, to track changes to the infrastructure. The data from CloudTrail and ELK can then be combined in a single SIEM, such as Wazuh, for dashboarding.
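The two halves of that advice, an IAM guard-rail so the trail cannot be silenced and a check that alerts when it is weakened, can both be expressed in a few dozen lines. The following is an added example written for this column, not DuploCloud or AWS code. It assumes a separate break-glass role is the only identity exempt from the deny policy, and the FakeCloudTrail class is a constructed stand-in for boto3.client("cloudtrail") with placeholder ARNs so the file runs offline; in production, pass the real client to run_audit() from a scheduled Lambda or a custom Config rule.

```python
"""Guard-rails for a PCI Requirement 10 audit trail on AWS (added example).

  * PROTECT_TRAIL_POLICY: an IAM policy denying the calls that would silence the
    trail. Assumption: attached to every day-to-day role; only a separate
    break-glass role is exempt.
  * run_audit(): grades every trail's settings and delivery status the way a
    custom AWS Config rule or scheduled Lambda would, so a stopped or weakened
    trail raises an alert instead of going unnoticed.
FakeCloudTrail is a constructed stand-in for boto3.client("cloudtrail").
"""
from datetime import datetime, timedelta, timezone

PROTECT_TRAIL_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "DenyTamperingWithAuditTrail",
        "Effect": "Deny",
        "Action": [
            "cloudtrail:StopLogging",
            "cloudtrail:DeleteTrail",
            "cloudtrail:UpdateTrail",
            "cloudtrail:PutEventSelectors",
        ],
        "Resource": "*",
    }],
}

MAX_DELIVERY_LAG = timedelta(hours=1)  # longest silence tolerated before alerting


def evaluate_trail(trail, status, now):
    """Grade one trail. `trail` is an entry of describe_trails()["trailList"] and
    `status` the matching get_trail_status() response (real boto3 field names)."""
    reasons = []
    if not status.get("IsLogging"):
        reasons.append("logging is stopped")
    if not trail.get("IsMultiRegionTrail"):
        reasons.append("trail covers only one region")
    if not trail.get("LogFileValidationEnabled"):
        reasons.append("log file integrity validation is off")
    if not trail.get("KmsKeyId"):
        reasons.append("log files are not KMS-encrypted")
    if not trail.get("CloudWatchLogsLogGroupArn"):
        reasons.append("no CloudWatch Logs delivery, so no alarm path")
    delivered = status.get("LatestDeliveryTime")
    if delivered is None or now - delivered > MAX_DELIVERY_LAG:
        reasons.append("no log delivery within the last hour")
    return ("COMPLIANT" if not reasons else "NON_COMPLIANT", reasons)


def run_audit(cloudtrail, now=None):
    """Return {trail name: (verdict, reasons)} for every trail the client sees."""
    now = now or datetime.now(timezone.utc)
    results = {}
    for trail in cloudtrail.describe_trails()["trailList"]:
        status = cloudtrail.get_trail_status(Name=trail["TrailARN"])
        results[trail["Name"]] = evaluate_trail(trail, status, now)
    return results


NOW = datetime(2024, 5, 6, 12, 0, tzinfo=timezone.utc)  # fixed clock for the demo

# Constructed data in boto3's response shape; account id and key id are placeholders.
PCI_TRAIL_ARN = "arn:aws:cloudtrail:us-east-1:111111111111:trail/pci-audit-trail"
DEV_TRAIL_ARN = "arn:aws:cloudtrail:us-east-1:111111111111:trail/dev-trail"


class FakeCloudTrail:
    """Stand-in for boto3.client('cloudtrail'); returns the constructed data above."""
    _trails = [
        {"Name": "pci-audit-trail", "TrailARN": PCI_TRAIL_ARN,
         "IsMultiRegionTrail": True, "LogFileValidationEnabled": True,
         "KmsKeyId": "arn:aws:kms:us-east-1:111111111111:key/placeholder-key-id",
         "CloudWatchLogsLogGroupArn": "arn:aws:logs:us-east-1:111111111111:log-group:cloudtrail:*"},
        {"Name": "dev-trail", "TrailARN": DEV_TRAIL_ARN,
         "IsMultiRegionTrail": False, "LogFileValidationEnabled": True,
         "KmsKeyId": "arn:aws:kms:us-east-1:111111111111:key/placeholder-key-id"},
    ]
    _status = {
        PCI_TRAIL_ARN: {"IsLogging": True, "LatestDeliveryTime": NOW - timedelta(minutes=5)},
        DEV_TRAIL_ARN: {"IsLogging": False, "LatestDeliveryTime": NOW - timedelta(hours=3)},
    }

    def describe_trails(self):
        return {"trailList": self._trails}

    def get_trail_status(self, Name):
        return self._status[Name]


if __name__ == "__main__":
    for name, (verdict, reasons) in run_audit(FakeCloudTrail(), NOW).items():
        print(f"{name}: {verdict} {'; '.join(reasons)}")
```

The deny policy stops the everyday path to silencing the trail; the audit catches the cases a policy cannot, such as a trail that is still "on" but has stopped delivering, or one that was created without multi-region coverage in the first place. Wire the NON_COMPLIANT result to whatever alerting the SIEM already provides.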
PCI has several requirements regarding network architecture and firewall barriers. For example, specification 1.1.4 calls for a “firewall at each Internet connection and between any demilitarized zone (DMZ) and the Internal network zone.” Segmentation is the goal because the network can’t allow traffic to move freely. Rules need to be in place to guard sensitive areas of the system carefully.
In AWS, the best approach is to separate testing, staging, and production environments, each in its own VPC. Next comes intelligent use of Security Groups, IAM, and Instance Profiles: lock everything down and open only the necessary ports. A WAF should protect the perimeter. IaaS services like RDS and Elasticsearch should be isolated via security groups, while platform services like DynamoDB, S3, SQS, and Secrets Manager should be isolated via IAM.
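A tiered design like this drifts as rules are added by hand, so it pays to audit the security groups continuously rather than trust the diagram. The check below is an added example for this column, not DuploCloud or AWS code. It reads groups in the shape ec2.describe_security_groups() returns and flags the three rule types that undo the segmentation described above: a perimeter rule open to the whole internet on a non-public port, any rule admitting all traffic, and a data-tier group (RDS, Elasticsearch) that accepts a CIDR block instead of a named source security group. The group ids and rules in SAMPLE_GROUPS are constructed; in production, pass the real describe_security_groups() output and the ids of your data-tier groups.

```python
"""Security-group audit for the segmentation PCI DSS 1.1.4 calls for (added example).

Input is a list of groups in boto3's ec2.describe_security_groups()["SecurityGroups"]
shape. SAMPLE_GROUPS is constructed demo data, not from a real account.
"""


def _port_range(perm):
    """Ports a rule covers, or None when the rule admits all protocols and ports."""
    if perm.get("IpProtocol") == "-1":
        return None
    return range(perm["FromPort"], perm["ToPort"] + 1)


def audit_security_groups(groups, data_tier_group_ids, public_ports=frozenset({443})):
    """Return findings as {"group", "severity", "issue"} dicts, in group order."""
    findings = []
    for sg in groups:
        sg_id = sg["GroupId"]
        is_data_tier = sg_id in data_tier_group_ids
        for perm in sg.get("IpPermissions", []):
            ports = _port_range(perm)
            label = ("all traffic" if ports is None
                     else f"{perm['IpProtocol']}/{ports.start}-{ports.stop - 1}")
            cidrs = ([r["CidrIp"] for r in perm.get("IpRanges", [])]
                     + [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])])
            for cidr in cidrs:
                if is_data_tier:
                    # Data stores should only trust the tier in front of them, by group id.
                    findings.append({"group": sg_id, "severity": "HIGH",
                                     "issue": f"data-tier group admits CIDR {cidr} on {label}; "
                                              "reference the application tier's security group instead"})
                    continue
                world = cidr in ("0.0.0.0/0", "::/0")
                if world and (ports is None or any(p not in public_ports for p in ports)):
                    findings.append({"group": sg_id, "severity": "HIGH",
                                     "issue": f"open to the internet ({cidr}) on {label}"})
            if ports is None and perm.get("UserIdGroupPairs"):
                # Group-to-group trust is fine, but not for every port at once.
                srcs = ", ".join(p["GroupId"] for p in perm["UserIdGroupPairs"])
                findings.append({"group": sg_id, "severity": "MEDIUM",
                                 "issue": f"admits all traffic from {srcs}; restrict to the needed ports"})
    return findings


# Constructed demo: a three-tier layout plus one leftover admin group.
SAMPLE_GROUPS = [
    {"GroupId": "sg-web", "GroupName": "perimeter-web", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    ]},
    {"GroupId": "sg-app", "GroupName": "app-tier", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 8080, "ToPort": 8080, "UserIdGroupPairs": [{"GroupId": "sg-web"}]},
    ]},
    {"GroupId": "sg-rds", "GroupName": "data-tier-postgres", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432, "UserIdGroupPairs": [{"GroupId": "sg-app"}]},
        {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432, "IpRanges": [{"CidrIp": "10.0.0.0/8"}]},
    ]},
    {"GroupId": "sg-legacy", "GroupName": "legacy-admin", "IpPermissions": [
        {"IpProtocol": "-1", "UserIdGroupPairs": [{"GroupId": "sg-web"}]},
    ]},
]
DATA_TIER_GROUPS = {"sg-rds"}


def demo():
    """Run the audit over the constructed layout."""
    return audit_security_groups(SAMPLE_GROUPS, DATA_TIER_GROUPS)


if __name__ == "__main__":
    for f in demo():
        print(f"[{f['severity']}] {f['group']}: {f['issue']}")
```

Run it on a schedule and diff the output against the previous run; a new HIGH finding on a data-tier group is the kind of change that should page someone, whereas the MEDIUM "all traffic from a trusted group" case is usually a cleanup ticket.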
Identifying and Resolving Security Vulnerabilities
PCI control 6.1 states that there “must be a mechanism to identify security vulnerabilities within compliant systems.” How can this be accomplished with AWS?
Automation is critical in application security. As the speed of development increases, security must keep up. While there will always be a place for humans to dig into applications through penetration testing to find tricky vulnerabilities, automation can help find the “low-hanging fruit.” For example, AWS Inspector is an API-based service that proactively scans and assesses an application for vulnerabilities and provides warnings when needed. Once set up, it is an automatic process but requires an administrator to choose what to test.
Other tools to automate application security exist, such as Wazuh and other open-source SIEM solutions. As with AWS Inspector, there is initial setup effort. But once the configuration is in place, security scans run to find vulnerabilities before they reach production. And should some slip through, the scans will continue to search for and find vulnerabilities before attackers exploit them.
Restricting Access to Cardholder Data
PCI Requirement 7 requires the system to “restrict access to cardholder data by business need to know.” IT teams need to know who has access to what within the application and when they access it.
Restricting access in a cloud environment can be challenging because administrators must still configure the application’s services. How can access be limited while still allowing the admins to do their jobs?
Orchestrating access control requires careful use of AWS Security Groups, IAM, and federated tokens. Give admins a ticket for access that expires quickly. Whitelist trusted IPs, and admit them only to the areas of the environment that are necessary for the user’s role. The IP whitelist and the security groups must be kept up to date so that no holes open when personnel change, keeping a tight grip on access control in the cloud environment.
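One concrete form of the "ticket that expires quickly" is an STS session policy: the admin assumes a role, but the session is narrowed to the actions and resources the ticket covers, to the whitelisted CIDRs, and to a deadline after which IAM refuses the call even if the credentials are still technically valid. The code below is an added example for this column, not DuploCloud or AWS code. assume_with_ticket() uses the real sts.assume_role() parameters (the role ARN and account id are placeholders); request_allowed() is a local approximation of how IAM evaluates such a policy, assuming Allow statements only and just the two condition keys used here, so the behaviour can be checked offline.

```python
"""Short-lived, IP-scoped admin access for PCI Requirement 7 (added example).

The "ticket" is an STS session policy with an IP whitelist and a DateLessThan
deadline. request_allowed() approximates IAM's decision for this policy shape
(assumption: Allow-only statements, conditions aws:SourceIp and aws:CurrentTime)
so the expiry and whitelist behaviour can be exercised without an AWS account.
"""
import fnmatch
import ipaddress
import json
from datetime import datetime, timedelta, timezone

TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"  # the timestamp format IAM expects for aws:CurrentTime


def build_ticket_policy(actions, resources, trusted_cidrs, ttl_minutes, issued_at):
    """Session policy that expires at issued_at + ttl and only honours trusted IPs."""
    deadline = issued_at + timedelta(minutes=ttl_minutes)
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "TicketScopedAccess",
            "Effect": "Allow",
            "Action": list(actions),
            "Resource": list(resources),
            "Condition": {
                "IpAddress": {"aws:SourceIp": list(trusted_cidrs)},
                "DateLessThan": {"aws:CurrentTime": deadline.strftime(TIME_FMT)},
            },
        }],
    }


def assume_with_ticket(sts, role_arn, ticket_id, policy, ttl_minutes):
    """Exchange the ticket for credentials (sts = boto3.client('sts'))."""
    return sts.assume_role(
        RoleArn=role_arn,
        RoleSessionName=f"ticket-{ticket_id}",   # appears in CloudTrail, tying calls to the ticket
        Policy=json.dumps(policy),              # intersects with the role's own permissions
        DurationSeconds=max(900, ttl_minutes * 60),  # STS enforces a 15-minute minimum
    )


def request_allowed(policy, action, resource, source_ip, at):
    """Would IAM let this call through? Local approximation, see module docstring."""
    ip = ipaddress.ip_address(source_ip)
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow":
            continue
        if not any(fnmatch.fnmatchcase(action, pat) for pat in stmt["Action"]):
            continue
        if not any(fnmatch.fnmatchcase(resource, pat) for pat in stmt["Resource"]):
            continue
        cond = stmt.get("Condition", {})
        cidrs = cond.get("IpAddress", {}).get("aws:SourceIp", [])
        if cidrs and not any(ip in ipaddress.ip_network(c) for c in cidrs):
            continue
        deadline = cond.get("DateLessThan", {}).get("aws:CurrentTime")
        if deadline and at >= datetime.strptime(deadline, TIME_FMT).replace(tzinfo=timezone.utc):
            continue
        return True
    return False


# Constructed demo: a 30-minute ticket to reboot one RDS instance from the office range.
DB_ARN = "arn:aws:rds:us-east-1:111111111111:db:payments-db"   # placeholder account id
ISSUED = datetime(2024, 5, 6, 12, 0, tzinfo=timezone.utc)
IN_WINDOW = ISSUED + timedelta(minutes=10)
AT_DEADLINE = ISSUED + timedelta(minutes=30)
TICKET = build_ticket_policy(
    actions=["rds:RebootDBInstance", "rds:DescribeDBInstances"],
    resources=[DB_ARN],
    trusted_cidrs=["203.0.113.0/24"],   # documentation range standing in for the office egress
    ttl_minutes=30,
    issued_at=ISSUED,
)

if __name__ == "__main__":
    print(json.dumps(TICKET, indent=2))
    print("from office, in window :", request_allowed(TICKET, "rds:RebootDBInstance", DB_ARN, "203.0.113.10", IN_WINDOW))
    print("from office, at deadline:", request_allowed(TICKET, "rds:RebootDBInstance", DB_ARN, "203.0.113.10", AT_DEADLINE))
    print("from elsewhere          :", request_allowed(TICKET, "rds:RebootDBInstance", DB_ARN, "198.51.100.5", IN_WINDOW))
```

Because the session policy can only narrow the role's permissions, the role itself still needs least-privilege policies; the ticket just makes sure a given admin session is narrower still, tied to a known source range, and self-expiring. Keep the trusted CIDR list in version control so that a personnel or office change is a reviewed commit rather than a forgotten console edit.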
These are just a few of the basic but necessary requirements for implementing PCI compliance in AWS; compliance in the cloud is not a “push-button” solution. Remaining compliant with SOC 2, HIPAA, GDPR, NIST, and other standards will require the same careful planning and execution.
Designing a cloud architecture with security and compliance as a priority is an arduous process that can take months. This manual process of writing code to build infrastructure, stitching together multiple tools, running periodic scans of infrastructure and security, and making additional changes before redeploying the code is time-consuming and expensive. To reduce friction, developers should give their code a secure foundation by applying the proper security and compliance controls during the initial implementation.
- How to Ensure Security and Compliance in the Cloud - May 6, 2022