Accelerating PCI Compliance in AWS using Deep Security

Whether you are building out a new PCI-compliant infrastructure in AWS or bringing your current environment into compliance, Deep Security can help you accelerate the process. This guide should be used as a supplement to our Coalfire White Paper, Meeting PCI Compliance with Deep Security, to quickly deploy your security framework for an upcoming audit. Rather than stepping through each requirement, I’ll share specific tips and tricks to speed up the overall process. Also, your auditors will be happy to know that each and every security event is automatically tracked by our strong audit log capabilities. Let’s dive into the first tip…


Tip #1: Creating a New Policy Using an Existing Computer’s Configuration

[Image: NewPolicy-ExistingComputer]

I’m listing this one first because it’s the quickest way to protect a group of similarly configured systems, like your web interface or application layer in a standard N-tier architecture. You can build a single instance’s security controls and then turn that protection into a policy which can be applied to all like machines.

Let’s use your payment applications as an example. These instances will need access to your web or presentation layer as well as the payment card database servers. You might have a base policy which is already assigning Anti-Malware to all instances, but it’s within this layer’s security policy that we can define our Intrusion Prevention Rules to quickly roll out deep packet inspection to all of our application instances (more on that later). Firewall policies should be set here to receive information from the presentation tier, along with strict rules to allow access into the database tier. This leads me into my next tip.


Tip #2: Using a Firewall Naming Convention and Rule Set which Makes Sense

[Image: Firewall-PCI-Naming]

Your AWS Security Groups should be defined to allow the traffic between the tiers, but to fulfill PCI requirements, your payment applications should be the only applications that can access the payment card databases. By creating specifically labeled rules for your PCI compliance mandates, you can quickly build and apply a rule set which makes sense.

I just took a customer through this same deployment process. We had Firewall labels for PCI, as well as the type of services in use. This allowed us to make sure the proper rules were applied to the policy. Is this a PCI server -> Yes, assign all rules with PCI. Does it have this application -> Yes, assign all rules with the Application name. You might also notice in the screenshot that we have Lists applied to the Source and Destination IPs. I’m glad you noticed and asked about this because…


Tip #3: Using Lists to Eliminate Rule Set Bloat

[Image: Lists]

By using lists to define common IP Addresses or Port Numbers, you can reduce the number of rules required for each server and service. In the example above, you can list all your applications and database servers within the PCI environment. By defining your specific assets in the lists, you only have to apply that list to the firewall rule to incorporate all the servers. By using specific subnets when bringing up PCI resources in AWS, you can also have firewall rules which scale with your workloads. Specify a mask of IPs in the list and only deploy those applications or databases in AWS using that subnet. This trims your rules down, making them easier to manage and quicker to deploy.
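A subnet-based list only does its job if the PCI instances really live in that subnet and nothing else does. The check below is an added example, not part of the original post or of Deep Security: it uses only Python's standard `ipaddress` module, and the list names, CIDR ranges and instance inventory are constructed sample data.

```python
import ipaddress

# Constructed sample data; list names, ranges and hosts are assumptions.
IP_LISTS = {"PCI-App": ["10.0.10.0/24"], "PCI-DB": ["10.0.20.0/24"]}
INSTANCES = [  # (name, IP list the instance belongs to, private IP)
    ("pay-app-1", "PCI-App", "10.0.10.11"),
    ("pay-app-2", "PCI-App", "10.0.10.12"),
    ("pay-db-1", "PCI-DB", "10.0.20.5"),
    ("pay-db-2", "PCI-DB", "10.0.30.7"),   # launched outside the DB subnet
    ("web-1", "Web", "10.0.10.50"),        # non-PCI host inside the app subnet
]

def in_list(ip, cidrs):
    """True if ip falls inside any CIDR range of an IP list."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(c) for c in cidrs)

def uncovered(instances, ip_lists):
    """PCI instances whose address is outside their own list:
    list-based rules will not match their traffic."""
    return [(n, t, ip) for n, t, ip in instances
            if t in ip_lists and not in_list(ip, ip_lists[t])]

def unexpected_members(instances, ip_lists):
    """Instances that sit inside a list's range without belonging to it:
    they inherit whatever access the list-based rule grants."""
    return [(n, lst, ip) for n, t, ip in instances
            for lst, cidrs in ip_lists.items()
            if t != lst and in_list(ip, cidrs)]

def rule_counts(instances, src_list, dst_list):
    """(per-host rule count, list-based rule count) for src -> dst traffic."""
    src = sum(1 for _, t, _ in instances if t == src_list)
    dst = sum(1 for _, t, _ in instances if t == dst_list)
    return src * dst, 1

if __name__ == "__main__":
    print("not covered by its list:", uncovered(INSTANCES, IP_LISTS))
    print("inside a list it does not belong to:",
          unexpected_members(INSTANCES, IP_LISTS))
    print("per-host vs list-based rules:",
          rule_counts(INSTANCES, "PCI-App", "PCI-DB"))
```

Running a check like this against your real inventory before an audit shows both gaps at once: PCI hosts the list-based rule misses, and non-PCI hosts it unintentionally admits.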


Tip #4: Using Recommendation Scans to Create and Update Policies

[Image: Recommendation scan]

When creating a new policy from a computer (Tip 1), use the option to automatically implement recommendations, regardless of whether you’ll turn this feature on in the future. By having it automatically implement the recommendations on a new instance and scan, you save the time of selecting all the recommendations and applying them. This will give your policy a baseline protection model for these application types, for both Intrusion Prevention and Integrity Monitoring.

I would also recommend leaving this setting as ‘Yes’ after Policy Deployment so you can automatically update your protection, much like an Anti-Malware pattern. When new rule sets are released by Trend Micro, or when you roll out a new Application patch or Operating System kernel, these rules can be automatically implemented. This setting, along with a weekly scheduled Recommendation Scan, can keep your security posture up to date without you having to constantly maintain it.

By implementing these tips, you can drastically reduce your deployment time to meet your compliance audits, much like MatchMove did within their environment. For further help navigating the PCI Compliance maze, visit https://www.trendmicro.com/cloudpci

If you have any questions, please don’t hesitate to reach out to our team at aws@trendmicro.com.

Post written by Jason Dablow