A Perspective from Security

Blue Green deployment (or Red/Black, A/B) is a methodology to eliminate downtime from your workloads by bringing up a parallel production environment and implementing required changes before moving the traffic from one group to another. It is an effective technique to minimize risk in application changes ensuring you have appropriate time to test while your users are unaffected and being handled as normal. There are also security events which can be handled similarly.

Let’s take a closer look at some specifics and scenarios.

In this figure, we have a set of Azure VMs running behind an Azure Load Balancer in production and labeled as Blue. These workloads could be running a number of different services including but not limited to a LAMP stack or application logic.

Next, we’ll bring up a parallel architecture that mirrors the blue workloads. These instances could be in a separate subnet or network security group. You might even place them in the exact same location with an enumerated version in their names. Your next goal will be to apply the change on the green side while blue is still handling production. This change could be new application logic or a patch, an operating system hotfix, or anything else that could cause an outage for your customers and therefore requires testing.

After the change has been made, it’s important to test all aspects of the Azure VM to ensure proper functionality. Since these are about to go into production and the whole purpose of this technique is to eliminate downtime, testing is the most critical stage.

Finally, when you complete your testing, you will promote the green side to production. You could also just instantiate new instances into the blue side and delete the VMs running the older code.

As you move back and forth with this code deployment and application development, you can minimize the impact to your users to hopefully zero.

From a security perspective, this also allows you to buy yourself time during a breach or attack. By bringing up a parallel environment, you can test new firewall or intrusion prevention rules, pull in a new security hotfix, or even just remove an attacker’s footing in the existing instances, causing them to start their attack over. You could also use techniques like quarantining instances into a locked-down security group to run forensic analysis on them, or switching over the deployments automatically in the case of a malware or other alert from your security tool.
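The swap and quarantine described above can be scripted with the Azure CLI. The following is an added example, not code from the original post: every resource name, the `ipconfig1` NIC configuration name, and the health-check URL are assumptions, and the script only prints the commands unless `DRY_RUN=0` is set.

```shell
#!/usr/bin/env bash
# Added example: move traffic from a blue VM to its green replacement, then
# quarantine blue for forensics. All resource names are hypothetical.

# With DRY_RUN=1 (the default) each command is printed instead of executed.
run() {
  if [ "${DRY_RUN:-1}" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Usage: swap_and_quarantine RG LB POOL BLUE_NIC GREEN_NIC QUARANTINE_NSG GREEN_HEALTH_URL
swap_and_quarantine() {
  local rg="$1" lb="$2" pool="$3" blue="$4" green="$5" nsg="$6" health="$7"
  local ipcfg="${IPCONFIG:-ipconfig1}"   # assumed NIC ip-config name

  # 1. Refuse to swap unless green answers its health check (skipped in dry run).
  if [ "${DRY_RUN:-1}" != "1" ] && ! curl -fsS --max-time 5 "$health" >/dev/null; then
    echo "green failed its health check; blue left in service" >&2
    return 1
  fi

  # 2. Add green to the backend pool first so users never lose service.
  run az network nic ip-config address-pool add --resource-group "$rg" \
    --nic-name "$green" --ip-config-name "$ipcfg" --lb-name "$lb" --address-pool "$pool"

  # 3. Take blue out of the pool so it receives no new production traffic.
  run az network nic ip-config address-pool remove --resource-group "$rg" \
    --nic-name "$blue" --ip-config-name "$ipcfg" --lb-name "$lb" --address-pool "$pool"

  # 4. Build the locked-down security group: deny everything in both directions.
  run az network nsg create --resource-group "$rg" --name "$nsg"
  for dir in Inbound Outbound; do
    run az network nsg rule create --resource-group "$rg" --nsg-name "$nsg" \
      --name "DenyAll$dir" --priority 100 --direction "$dir" --access Deny \
      --protocol '*' --source-address-prefixes '*' \
      --destination-address-prefixes '*' --destination-port-ranges '*'
  done

  # 5. Attach it to blue's NIC. The VM keeps running, so memory and disk
  #    state stay available for forensic analysis.
  run az network nic update --resource-group "$rg" --name "$blue" \
    --network-security-group "$nsg"
}
```

Network security group changes apply to new connections, so flows already established to the quarantined instance may persist; confirm they are gone before treating the instance as isolated.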

The ability to swap back and forth between parallel production environments allows you to deal with many situations since it effectively makes compute disposable. If you can move your workloads seamlessly without loss of user connectivity, it gives your environment resiliency and flexibility to respond to any situation (hopefully automatically).

 

When you’re tasked with meeting the compliance requirements to achieve and maintain PCI DSS compliance, you’ll soon realize that minimizing the number of security tools you use can be a huge asset. When it’s time for your PCI DSS audit, you can hit the accelerator with Trend Micro Deep Security as a Service.

What do I need to know about PCI DSS?

If your organization has applications that deal with credit or payment card data, you are required to go through a process outlined by the Payment Card Industry (PCI).

If your applications are in the cloud, like Azure, PCI compliance can be easier – as long as you choose the right service provider. Infrastructure as a Service (IaaS) providers like Microsoft Azure have Level 2 PCI DSS certification. This means they have validated their security controls, people and processes with auditors and take care of many aspects that you would be responsible for if your application was in a physical data center. If you’re using SaaS offerings for log management, monitoring or security, they need to be PCI DSS certified, even if the service doesn’t directly deal with cardholder data.

Here is the real question.

Are your SaaS products also PCI Level 1 certified? It’s time to check: as of version 3 of the standard, if you use third-party Software as a Service (SaaS) offerings, they are included in the scope of your PCI audit!

We’re happy to announce that Trend Micro™ Deep Security as a Service™ is now a PCI DSS Level 1 Service Provider for your Azure workloads! This means you can streamline your PCI DSS certification process with a single tool!

Deep Security as a Service removes the cost and effort of running the security management stack. All of your security policies and events are stored securely and managed by Trend Micro. Best of all you can get up and going with Deep Security as a Service in just a few minutes with our 30 day free trial.

Trend Micro has saved users months of precious resource time on PCI DSS projects by meeting many of the requirements with a single tool, including critical controls that address requirements like 11.4 Intrusion Prevention, 11.5 Integrity Monitoring, 5.1 Anti-malware and many more. Here are just a couple of examples:

  • For Royal Gate, Deep Security accelerated PCI DSS compliance for its payment service platform and increased security within its hybrid environment.
  • For Guess?, Inc., Deep Security helped the company segment traffic and fulfill multiple PCI requirements rapidly.

For more detailed information on how Trend Micro Deep Security can help you accelerate PCI compliance, download the detailed matrix of PCI requirements here, written by the PCI Qualified Security Assessor (QSA) Coalfire.