SlideShare uma empresa Scribd logo

Building Highly Sophisticated Environments for Security and Compliance on AWS

Transferir como PPTX, PDF
Boyan Dimitrov
Boyan Dimitrov

In this talk we share our experience @ Sixt of building a highly secure and PCI-DSS Level 1 compliant environment on top of AWS.

Tecnologia
1 de 26
© 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Building Highly Sophisticated Environments for Security and Compliance on AWS September 2018 Boyan Dimitrov Director Platform Engineering Sixt @nathariel
Q1 2018: Brand New Omnichannel Payment Platform
Early 2017 Redesign our payment channels Adapt business processes Communicate to partners and third parties Plan & Coordinate Teams Early 2017 Payment Environment
Early 2017Requirements In Production in 8 months Integrated to our business Highly Secure Scalable Modular PCI-DSS Compliant
What is PCI-DSS Compliance • Standard for cardholder data environments composed of security best practices and controls. • It’s all about maintaining a secure environment • If you are handling credit card data – this applies to you too!
Build and Maintain a Secure Network 1. Install and maintain a firewall configuration to protect cardholder data 2. Do not use vendor-supplied defaults for system passwords and other security parameters Protect Cardholder Data 3. Protect stored cardholder data 4. Encrypt transmission of cardholder data across open, public networks Maintain a Vulnerability Management Program 5. Use and regularly update anti-virus software or programs 6. Develop and maintain secure systems and applications Implement Strong Access Control Measures 7. Restrict access to cardholder data by business need to know 8. Assign a unique ID to each person with computer access 9. Restrict physical access to cardholder data Regularly Monitor and Test Networks 10. Track and monitor all access to network resources and cardholder data 11. Regularly test security systems and processes Maintain an Information Security Policy 12. Maintain a policy that addresses information security for all personnel PCI Goals and Requirements
Early 2017Decision to be made Build On The Cloud Build in our DCs Outsource to third party
Security in the Cloud is a Shared Responsibility https://aws.amazon.com/compliance/shared-responsibility-model/
Build and Maintain a Secure Network Protect Cardholder Data Maintain a Vulnerability Management Program Implement Strong Access Control Measures Regularly Monitor and Test Networks Maintain an Information Security Policy PCI Requirements mapped to AWS Services VPC Security Group Amazon EC2 Cloudformation S3 EBS CloudHSM KMSRDS Security Group ELB VPN WAF CloudFront Cognito Directory ServiceIAM S3Cloudtrail Inspector Config Lambda Lambda Lambda Lambda
AWS services in scope by PCI-DSS compliance of all services are PCI- Compliant > 55% 47,6% Increase from prev. year 26 In 2016 62 In 2018 42 In 2017
Early 2017Our Decision Build On The Cloud Build in our DCs Outsource to third party
Outcome Learning 1: Bring the right people together early on
Execution Strategy: Learnings from the past https://en.wikipedia.org/wiki/OODA_loop#/media/File:OODA.Boyd.svg Patrick Edwin Moran
OODA in an AWS security context Observe Orient Decide ACT VPC Flow Logs Inspector Agent CloudWatch Insights CloudTrail Config More CloudWatch Inspector Lambda Shield ShieldShieldWAF Machine Learning Config Policies Config Policies CloudWatchWAF WAF SNS Lambda Lambda More MoreMore Guard Duty
VPC Flow Logs CloudWatch Insights CloudTrail Config CloudWatch Config Policies Protected Accounts Security Account Trails Logs Observe…
Orient, Decide, Act! CloudWatch Logs / Events S3 SIEM Config Policies Protectedaccounts Lambda Trails Logs SNS Security Team Security Account OPS Active Scans Corrective Actions
The Controlling Core CloudWatch Logs / Events S3 SIEM Config Policies Protectedaccounts Active Scans Lambda SNS Security Team Security Account Corrective Actions OPS Trails Logs
Learning 2: Have a strategy
Changes had to be made on the way ECSLambda
Learning 3: Break down large projects into small iterations
End to end automation Engineers CodePipeline CodeBuild ECR ECS Deployment Approval Code Review Code Minutes
Learning 4: Know and leverage the ecosystem
Learning 5: Take care of your team
Summary 1. Bring the right people together early on 2. Have a strategy 3. Break down large projects into small iterations 4. Know and leverage the ecosystem 5. Take care of your team
Thank You

Recomendados

Complex architectures for authentication and authorization on AWS
Complex architectures for authentication and authorization on AWSComplex architectures for authentication and authorization on AWS
Complex architectures for authentication and authorization on AWSBoyan Dimitrov
 
Complex architectures for authentication and authorization on AWS
Complex architectures for authentication and authorization on AWSComplex architectures for authentication and authorization on AWS
Complex architectures for authentication and authorization on AWSBoyan Dimitrov
 
Microservice architecture-api-gateway-considerations
Microservice architecture-api-gateway-considerationsMicroservice architecture-api-gateway-considerations
Microservice architecture-api-gateway-considerationsImam Uddin Ahamed - PRINCE2 ® , ITIL ®
 
Gravitee.io
Gravitee.ioGravitee.io
Gravitee.ioKnoldus Inc.
 
AzureConf 2014 - Azure hybrid connections (Sam Vanhoutte)
AzureConf 2014 - Azure hybrid connections (Sam Vanhoutte)AzureConf 2014 - Azure hybrid connections (Sam Vanhoutte)
AzureConf 2014 - Azure hybrid connections (Sam Vanhoutte)Sam Vanhoutte
 
Demystifying Service Mesh
Demystifying Service MeshDemystifying Service Mesh
Demystifying Service MeshMitchell Pronschinske
 
Service mesh in Microservice World to Manage end to end service communications
Service mesh in Microservice World to Manage end to end service communicationsService mesh in Microservice World to Manage end to end service communications
Service mesh in Microservice World to Manage end to end service communicationsSatya Syam
 
Layer 7 Observability and Centralized Configuration with Consul Service Mesh
Layer 7 Observability and Centralized Configuration with Consul Service MeshLayer 7 Observability and Centralized Configuration with Consul Service Mesh
Layer 7 Observability and Centralized Configuration with Consul Service MeshMitchell Pronschinske
 

Recomendados

Complex architectures for authentication and authorization on AWS
Complex architectures for authentication and authorization on AWSComplex architectures for authentication and authorization on AWS
Complex architectures for authentication and authorization on AWSBoyan Dimitrov
 
Complex architectures for authentication and authorization on AWS
Complex architectures for authentication and authorization on AWSComplex architectures for authentication and authorization on AWS
Complex architectures for authentication and authorization on AWSBoyan Dimitrov
 
Microservice architecture-api-gateway-considerations
Microservice architecture-api-gateway-considerationsMicroservice architecture-api-gateway-considerations
Microservice architecture-api-gateway-considerationsImam Uddin Ahamed - PRINCE2 ® , ITIL ®
 
Gravitee.io
Gravitee.ioGravitee.io
Gravitee.ioKnoldus Inc.
 
AzureConf 2014 - Azure hybrid connections (Sam Vanhoutte)
AzureConf 2014 - Azure hybrid connections (Sam Vanhoutte)AzureConf 2014 - Azure hybrid connections (Sam Vanhoutte)
AzureConf 2014 - Azure hybrid connections (Sam Vanhoutte)Sam Vanhoutte
 
Demystifying Service Mesh
Demystifying Service MeshDemystifying Service Mesh
Demystifying Service MeshMitchell Pronschinske
 
Service mesh in Microservice World to Manage end to end service communications
Service mesh in Microservice World to Manage end to end service communicationsService mesh in Microservice World to Manage end to end service communications
Service mesh in Microservice World to Manage end to end service communicationsSatya Syam
 
Layer 7 Observability and Centralized Configuration with Consul Service Mesh
Layer 7 Observability and Centralized Configuration with Consul Service MeshLayer 7 Observability and Centralized Configuration with Consul Service Mesh
Layer 7 Observability and Centralized Configuration with Consul Service MeshMitchell Pronschinske
 
Microservice Architecture
Microservice ArchitectureMicroservice Architecture
Microservice ArchitectureRich Lee
 
An overview of the Eventuate Platform
An overview of the Eventuate PlatformAn overview of the Eventuate Platform
An overview of the Eventuate PlatformChris Richardson
 
OAuth and OpenID Connect for PSD2 and Third-Party Access
OAuth and OpenID Connect for PSD2 and Third-Party AccessOAuth and OpenID Connect for PSD2 and Third-Party Access
OAuth and OpenID Connect for PSD2 and Third-Party AccessNordic APIs
 
Microservices and the Cloud-Based Future of Integration
Microservices and the Cloud-Based Future of IntegrationMicroservices and the Cloud-Based Future of Integration
Microservices and the Cloud-Based Future of IntegrationBizTalk360
 
Introduction to Hybrid Connections
Introduction to Hybrid ConnectionsIntroduction to Hybrid Connections
Introduction to Hybrid ConnectionsDaniel Toomey
 
The Internet of things for integration people - UKCSUG - public version
The Internet of things for integration people - UKCSUG - public versionThe Internet of things for integration people - UKCSUG - public version
The Internet of things for integration people - UKCSUG - public versionSam Vanhoutte
 
Microservices - Hitchhiker's guide to cloud native applications
Microservices - Hitchhiker's guide to cloud native applicationsMicroservices - Hitchhiker's guide to cloud native applications
Microservices - Hitchhiker's guide to cloud native applicationsStijn Van Den Enden
 
Building a Reliable Cloud Bank in Java | Starling Bank | QCon 2018
Building a Reliable Cloud Bank in Java | Starling Bank | QCon 2018Building a Reliable Cloud Bank in Java | Starling Bank | QCon 2018
Building a Reliable Cloud Bank in Java | Starling Bank | QCon 2018Starling Bank
 
Architecting Microservices in .Net
Architecting Microservices in .NetArchitecting Microservices in .Net
Architecting Microservices in .NetRichard Banks
 
Service mesh in action with onap
Service mesh in action with onapService mesh in action with onap
Service mesh in action with onapHuabing Zhao
 
[WSO2Con EU 2018] Identity APIs is the New Black
[WSO2Con EU 2018] Identity APIs is the New Black[WSO2Con EU 2018] Identity APIs is the New Black
[WSO2Con EU 2018] Identity APIs is the New BlackWSO2
 
API World: The service-mesh landscape
API World: The service-mesh landscapeAPI World: The service-mesh landscape
API World: The service-mesh landscapeChristian Posta
 
AWS Api Gateway by Łukasz Marchewka Scalacc
AWS Api Gateway by Łukasz Marchewka ScalaccAWS Api Gateway by Łukasz Marchewka Scalacc
AWS Api Gateway by Łukasz Marchewka ScalaccScalac
 
Microservices
MicroservicesMicroservices
MicroservicesACCESS Health Digital
 
Api Management with Service Mesh
Api Management with Service MeshApi Management with Service Mesh
Api Management with Service MeshLakmal Warusawithana
 
Overview of the Eventuate Tram Customers and Orders application
Overview of the Eventuate Tram Customers and Orders applicationOverview of the Eventuate Tram Customers and Orders application
Overview of the Eventuate Tram Customers and Orders applicationChris Richardson
 
Developing applications with a microservice architecture (svcc)
Developing applications with a microservice architecture (svcc)Developing applications with a microservice architecture (svcc)
Developing applications with a microservice architecture (svcc)Chris Richardson
 
The Role of IAM in Microservices
The Role of IAM in MicroservicesThe Role of IAM in Microservices
The Role of IAM in MicroservicesWSO2
 
apidays LIVE Jakarta - REST the events: REST APIs for Event-Driven Architectu...
apidays LIVE Jakarta - REST the events: REST APIs for Event-Driven Architectu...apidays LIVE Jakarta - REST the events: REST APIs for Event-Driven Architectu...
apidays LIVE Jakarta - REST the events: REST APIs for Event-Driven Architectu...apidays
 
Istio a service mesh
Istio a service meshIstio a service mesh
Istio a service meshChandresh Pancholi
 
Disrupting Traditional Payment Systems Architecture with AWS (FSV320) - AWS r...
Disrupting Traditional Payment Systems Architecture with AWS (FSV320) - AWS r...Disrupting Traditional Payment Systems Architecture with AWS (FSV320) - AWS r...
Disrupting Traditional Payment Systems Architecture with AWS (FSV320) - AWS r...Amazon Web Services
 
Security: Enabling the Journey to the Cloud
Security: Enabling the Journey to the CloudSecurity: Enabling the Journey to the Cloud
Security: Enabling the Journey to the CloudCapgemini
 

Mais conteúdo relacionado

Mais procurados

Microservice Architecture
Microservice ArchitectureMicroservice Architecture
Microservice ArchitectureRich Lee
 
An overview of the Eventuate Platform
An overview of the Eventuate PlatformAn overview of the Eventuate Platform
An overview of the Eventuate PlatformChris Richardson
 
OAuth and OpenID Connect for PSD2 and Third-Party Access
OAuth and OpenID Connect for PSD2 and Third-Party AccessOAuth and OpenID Connect for PSD2 and Third-Party Access
OAuth and OpenID Connect for PSD2 and Third-Party AccessNordic APIs
 
Microservices and the Cloud-Based Future of Integration
Microservices and the Cloud-Based Future of IntegrationMicroservices and the Cloud-Based Future of Integration
Microservices and the Cloud-Based Future of IntegrationBizTalk360
 
Introduction to Hybrid Connections
Introduction to Hybrid ConnectionsIntroduction to Hybrid Connections
Introduction to Hybrid ConnectionsDaniel Toomey
 
The Internet of things for integration people - UKCSUG - public version
The Internet of things for integration people - UKCSUG - public versionThe Internet of things for integration people - UKCSUG - public version
The Internet of things for integration people - UKCSUG - public versionSam Vanhoutte
 
Microservices - Hitchhiker's guide to cloud native applications
Microservices - Hitchhiker's guide to cloud native applicationsMicroservices - Hitchhiker's guide to cloud native applications
Microservices - Hitchhiker's guide to cloud native applicationsStijn Van Den Enden
 
Building a Reliable Cloud Bank in Java | Starling Bank | QCon 2018
Building a Reliable Cloud Bank in Java | Starling Bank | QCon 2018Building a Reliable Cloud Bank in Java | Starling Bank | QCon 2018
Building a Reliable Cloud Bank in Java | Starling Bank | QCon 2018Starling Bank
 
Architecting Microservices in .Net
Architecting Microservices in .NetArchitecting Microservices in .Net
Architecting Microservices in .NetRichard Banks
 
Service mesh in action with onap
Service mesh in action with onapService mesh in action with onap
Service mesh in action with onapHuabing Zhao
 
[WSO2Con EU 2018] Identity APIs is the New Black
[WSO2Con EU 2018] Identity APIs is the New Black[WSO2Con EU 2018] Identity APIs is the New Black
[WSO2Con EU 2018] Identity APIs is the New BlackWSO2
 
API World: The service-mesh landscape
API World: The service-mesh landscapeAPI World: The service-mesh landscape
API World: The service-mesh landscapeChristian Posta
 
AWS Api Gateway by Łukasz Marchewka Scalacc
AWS Api Gateway by Łukasz Marchewka ScalaccAWS Api Gateway by Łukasz Marchewka Scalacc
AWS Api Gateway by Łukasz Marchewka ScalaccScalac
 
Overview of the Eventuate Tram Customers and Orders application
Overview of the Eventuate Tram Customers and Orders applicationOverview of the Eventuate Tram Customers and Orders application
Overview of the Eventuate Tram Customers and Orders applicationChris Richardson
 
Developing applications with a microservice architecture (svcc)
Developing applications with a microservice architecture (svcc)Developing applications with a microservice architecture (svcc)
Developing applications with a microservice architecture (svcc)Chris Richardson
 
The Role of IAM in Microservices
The Role of IAM in MicroservicesThe Role of IAM in Microservices
The Role of IAM in MicroservicesWSO2
 
apidays LIVE Jakarta - REST the events: REST APIs for Event-Driven Architectu...
apidays LIVE Jakarta - REST the events: REST APIs for Event-Driven Architectu...apidays LIVE Jakarta - REST the events: REST APIs for Event-Driven Architectu...
apidays LIVE Jakarta - REST the events: REST APIs for Event-Driven Architectu...apidays
 

Mais procurados (20)

Microservice Architecture
Microservice ArchitectureMicroservice Architecture
Microservice Architecture
 
An overview of the Eventuate Platform
An overview of the Eventuate PlatformAn overview of the Eventuate Platform
An overview of the Eventuate Platform
 
OAuth and OpenID Connect for PSD2 and Third-Party Access
OAuth and OpenID Connect for PSD2 and Third-Party AccessOAuth and OpenID Connect for PSD2 and Third-Party Access
OAuth and OpenID Connect for PSD2 and Third-Party Access
 
Microservices and the Cloud-Based Future of Integration
Microservices and the Cloud-Based Future of IntegrationMicroservices and the Cloud-Based Future of Integration
Microservices and the Cloud-Based Future of Integration
 
Introduction to Hybrid Connections
Introduction to Hybrid ConnectionsIntroduction to Hybrid Connections
Introduction to Hybrid Connections
 
The Internet of things for integration people - UKCSUG - public version
The Internet of things for integration people - UKCSUG - public versionThe Internet of things for integration people - UKCSUG - public version
The Internet of things for integration people - UKCSUG - public version
 
Microservices - Hitchhiker's guide to cloud native applications
Microservices - Hitchhiker's guide to cloud native applicationsMicroservices - Hitchhiker's guide to cloud native applications
Microservices - Hitchhiker's guide to cloud native applications
 
Building a Reliable Cloud Bank in Java | Starling Bank | QCon 2018
Building a Reliable Cloud Bank in Java | Starling Bank | QCon 2018Building a Reliable Cloud Bank in Java | Starling Bank | QCon 2018
Building a Reliable Cloud Bank in Java | Starling Bank | QCon 2018
 
Architecting Microservices in .Net
Architecting Microservices in .NetArchitecting Microservices in .Net
Architecting Microservices in .Net
 
Service mesh in action with onap
Service mesh in action with onapService mesh in action with onap
Service mesh in action with onap
 
[WSO2Con EU 2018] Identity APIs is the New Black
[WSO2Con EU 2018] Identity APIs is the New Black[WSO2Con EU 2018] Identity APIs is the New Black
[WSO2Con EU 2018] Identity APIs is the New Black
 
API World: The service-mesh landscape
API World: The service-mesh landscapeAPI World: The service-mesh landscape
API World: The service-mesh landscape
 
AWS Api Gateway by Łukasz Marchewka Scalacc
AWS Api Gateway by Łukasz Marchewka ScalaccAWS Api Gateway by Łukasz Marchewka Scalacc
AWS Api Gateway by Łukasz Marchewka Scalacc
 
Microservices
MicroservicesMicroservices
Microservices
 
Api Management with Service Mesh
Api Management with Service MeshApi Management with Service Mesh
Api Management with Service Mesh
 
Overview of the Eventuate Tram Customers and Orders application
Overview of the Eventuate Tram Customers and Orders applicationOverview of the Eventuate Tram Customers and Orders application
Overview of the Eventuate Tram Customers and Orders application
 
Developing applications with a microservice architecture (svcc)
Developing applications with a microservice architecture (svcc)Developing applications with a microservice architecture (svcc)
Developing applications with a microservice architecture (svcc)
 
The Role of IAM in Microservices
The Role of IAM in MicroservicesThe Role of IAM in Microservices
The Role of IAM in Microservices
 
apidays LIVE Jakarta - REST the events: REST APIs for Event-Driven Architectu...
apidays LIVE Jakarta - REST the events: REST APIs for Event-Driven Architectu...apidays LIVE Jakarta - REST the events: REST APIs for Event-Driven Architectu...
apidays LIVE Jakarta - REST the events: REST APIs for Event-Driven Architectu...
 
Istio a service mesh
Istio a service meshIstio a service mesh
Istio a service mesh
 

Semelhante a Building Highly Sophisticated Environments for Security and Compliance on AWS

Disrupting Traditional Payment Systems Architecture with AWS (FSV320) - AWS r...
Disrupting Traditional Payment Systems Architecture with AWS (FSV320) - AWS r...Disrupting Traditional Payment Systems Architecture with AWS (FSV320) - AWS r...
Disrupting Traditional Payment Systems Architecture with AWS (FSV320) - AWS r...Amazon Web Services
 
Security: Enabling the Journey to the Cloud
Security: Enabling the Journey to the CloudSecurity: Enabling the Journey to the Cloud
Security: Enabling the Journey to the CloudCapgemini
 
Achieving Continuous Compliance with CTP and AWS
Achieving Continuous Compliance with CTP and AWS Achieving Continuous Compliance with CTP and AWS
Achieving Continuous Compliance with CTP and AWS Amazon Web Services
 
AWS Summit Singapore 2019 | Banking in the Cloud: 10 Lessons Learned
AWS Summit Singapore 2019 | Banking in the Cloud: 10 Lessons LearnedAWS Summit Singapore 2019 | Banking in the Cloud: 10 Lessons Learned
AWS Summit Singapore 2019 | Banking in the Cloud: 10 Lessons LearnedAWS Summits
 
Get ahead of cloud network security trends and practices in 2020
Get ahead of cloud network security trends and practices in 2020Get ahead of cloud network security trends and practices in 2020
Get ahead of cloud network security trends and practices in 2020Cynthia Hsieh
 
Mythbusting the Federal Cloud Journey
Mythbusting the Federal Cloud JourneyMythbusting the Federal Cloud Journey
Mythbusting the Federal Cloud JourneyAmazon Web Services
 
ShareResponsibilityModel.pptx
ShareResponsibilityModel.pptxShareResponsibilityModel.pptx
ShareResponsibilityModel.pptxBabatundeAbioye2
 
Build a Profitable and Customer-Centric Next-Gen MSP Practice (GPSBUS205) - A...
Build a Profitable and Customer-Centric Next-Gen MSP Practice (GPSBUS205) - A...Build a Profitable and Customer-Centric Next-Gen MSP Practice (GPSBUS205) - A...
Build a Profitable and Customer-Centric Next-Gen MSP Practice (GPSBUS205) - A...Amazon Web Services
 
Running GxP Compliant SAP Workloads on AWS
Running GxP Compliant SAP Workloads on AWSRunning GxP Compliant SAP Workloads on AWS
Running GxP Compliant SAP Workloads on AWSCapgemini
 
Executive Security Simulation Workshop (WPS206) - AWS re:Invent 2018
Executive Security Simulation Workshop (WPS206) - AWS re:Invent 2018Executive Security Simulation Workshop (WPS206) - AWS re:Invent 2018
Executive Security Simulation Workshop (WPS206) - AWS re:Invent 2018Amazon Web Services
 
Ensuring PCI DSS Compliance in the Cloud
Ensuring PCI DSS Compliance in the CloudEnsuring PCI DSS Compliance in the Cloud
Ensuring PCI DSS Compliance in the CloudCognizant
 
How Rent-A-Center Stays Secure and Compliant on AWS with Alert Logic
How Rent-A-Center Stays Secure and Compliant on AWS with Alert Logic How Rent-A-Center Stays Secure and Compliant on AWS with Alert Logic
How Rent-A-Center Stays Secure and Compliant on AWS with Alert LogicAmazon Web Services
 
2018 re:Invent - Safeguard the Integrity of Your Code for Fast and Secure Dep...
2018 re:Invent - Safeguard the Integrity of Your Code for Fast and Secure Dep...2018 re:Invent - Safeguard the Integrity of Your Code for Fast and Secure Dep...
2018 re:Invent - Safeguard the Integrity of Your Code for Fast and Secure Dep...Martin Klie
 
AWS FSI Symposium 2017 NYC - 9 Cloud Enabled Security Designs
AWS FSI Symposium 2017 NYC - 9 Cloud Enabled Security DesignsAWS FSI Symposium 2017 NYC - 9 Cloud Enabled Security Designs
AWS FSI Symposium 2017 NYC - 9 Cloud Enabled Security DesignsAmazon Web Services
 
AWS FSI Symposium 2017 NYC- Shared Reponsibility & AWS Compliance
AWS FSI Symposium 2017 NYC- Shared Reponsibility & AWS ComplianceAWS FSI Symposium 2017 NYC- Shared Reponsibility & AWS Compliance
AWS FSI Symposium 2017 NYC- Shared Reponsibility & AWS ComplianceAmazon Web Services
 
Security for Cloud Computing: 10 Steps to Ensure Success V3.0
Security for Cloud Computing: 10 Steps to Ensure Success V3.0Security for Cloud Computing: 10 Steps to Ensure Success V3.0
Security for Cloud Computing: 10 Steps to Ensure Success V3.0Cloud Standards Customer Council
 
Digital Transformation: Empowering People to Adapt to the Cloud
Digital Transformation: Empowering People to Adapt to the CloudDigital Transformation: Empowering People to Adapt to the Cloud
Digital Transformation: Empowering People to Adapt to the CloudAmazon Web Services
 
Biznet GIO National Seminar on Digital Forensics
Biznet GIO National Seminar on Digital ForensicsBiznet GIO National Seminar on Digital Forensics
Biznet GIO National Seminar on Digital ForensicsYusuf Hadiwinata Sutandar
 

Semelhante a Building Highly Sophisticated Environments for Security and Compliance on AWS (20)

Disrupting Traditional Payment Systems Architecture with AWS (FSV320) - AWS r...
Disrupting Traditional Payment Systems Architecture with AWS (FSV320) - AWS r...Disrupting Traditional Payment Systems Architecture with AWS (FSV320) - AWS r...
Disrupting Traditional Payment Systems Architecture with AWS (FSV320) - AWS r...
 
Security: Enabling the Journey to the Cloud
Security: Enabling the Journey to the CloudSecurity: Enabling the Journey to the Cloud
Security: Enabling the Journey to the Cloud
 
Achieving Continuous Compliance with CTP and AWS
Achieving Continuous Compliance with CTP and AWS Achieving Continuous Compliance with CTP and AWS
Achieving Continuous Compliance with CTP and AWS
 
AWS Summit Singapore 2019 | Banking in the Cloud: 10 Lessons Learned
AWS Summit Singapore 2019 | Banking in the Cloud: 10 Lessons LearnedAWS Summit Singapore 2019 | Banking in the Cloud: 10 Lessons Learned
AWS Summit Singapore 2019 | Banking in the Cloud: 10 Lessons Learned
 
Get ahead of cloud network security trends and practices in 2020
Get ahead of cloud network security trends and practices in 2020Get ahead of cloud network security trends and practices in 2020
Get ahead of cloud network security trends and practices in 2020
 
AWS - Security & Compliance
AWS - Security & ComplianceAWS - Security & Compliance
AWS - Security & Compliance
 
Mythbusting the Federal Cloud Journey
Mythbusting the Federal Cloud JourneyMythbusting the Federal Cloud Journey
Mythbusting the Federal Cloud Journey
 
ShareResponsibilityModel.pptx
ShareResponsibilityModel.pptxShareResponsibilityModel.pptx
ShareResponsibilityModel.pptx
 
Managing Security on AWS
Managing Security on AWSManaging Security on AWS
Managing Security on AWS
 
Build a Profitable and Customer-Centric Next-Gen MSP Practice (GPSBUS205) - A...
Build a Profitable and Customer-Centric Next-Gen MSP Practice (GPSBUS205) - A...Build a Profitable and Customer-Centric Next-Gen MSP Practice (GPSBUS205) - A...
Build a Profitable and Customer-Centric Next-Gen MSP Practice (GPSBUS205) - A...
 
Running GxP Compliant SAP Workloads on AWS
Running GxP Compliant SAP Workloads on AWSRunning GxP Compliant SAP Workloads on AWS
Running GxP Compliant SAP Workloads on AWS
 
Executive Security Simulation Workshop (WPS206) - AWS re:Invent 2018
Executive Security Simulation Workshop (WPS206) - AWS re:Invent 2018Executive Security Simulation Workshop (WPS206) - AWS re:Invent 2018
Executive Security Simulation Workshop (WPS206) - AWS re:Invent 2018
 
Ensuring PCI DSS Compliance in the Cloud
Ensuring PCI DSS Compliance in the CloudEnsuring PCI DSS Compliance in the Cloud
Ensuring PCI DSS Compliance in the Cloud
 
How Rent-A-Center Stays Secure and Compliant on AWS with Alert Logic
How Rent-A-Center Stays Secure and Compliant on AWS with Alert Logic How Rent-A-Center Stays Secure and Compliant on AWS with Alert Logic
How Rent-A-Center Stays Secure and Compliant on AWS with Alert Logic
 
2018 re:Invent - Safeguard the Integrity of Your Code for Fast and Secure Dep...
2018 re:Invent - Safeguard the Integrity of Your Code for Fast and Secure Dep...2018 re:Invent - Safeguard the Integrity of Your Code for Fast and Secure Dep...
2018 re:Invent - Safeguard the Integrity of Your Code for Fast and Secure Dep...
 
AWS FSI Symposium 2017 NYC - 9 Cloud Enabled Security Designs
AWS FSI Symposium 2017 NYC - 9 Cloud Enabled Security DesignsAWS FSI Symposium 2017 NYC - 9 Cloud Enabled Security Designs
AWS FSI Symposium 2017 NYC - 9 Cloud Enabled Security Designs
 
AWS FSI Symposium 2017 NYC- Shared Reponsibility & AWS Compliance
AWS FSI Symposium 2017 NYC- Shared Reponsibility & AWS ComplianceAWS FSI Symposium 2017 NYC- Shared Reponsibility & AWS Compliance
AWS FSI Symposium 2017 NYC- Shared Reponsibility & AWS Compliance
 
Security for Cloud Computing: 10 Steps to Ensure Success V3.0
Security for Cloud Computing: 10 Steps to Ensure Success V3.0Security for Cloud Computing: 10 Steps to Ensure Success V3.0
Security for Cloud Computing: 10 Steps to Ensure Success V3.0
 
Digital Transformation: Empowering People to Adapt to the Cloud
Digital Transformation: Empowering People to Adapt to the CloudDigital Transformation: Empowering People to Adapt to the Cloud
Digital Transformation: Empowering People to Adapt to the Cloud
 
Biznet GIO National Seminar on Digital Forensics
Biznet GIO National Seminar on Digital ForensicsBiznet GIO National Seminar on Digital Forensics
Biznet GIO National Seminar on Digital Forensics
 

Mais de Boyan Dimitrov

Observability foundations in dynamically evolving architectures
Observability foundations in dynamically evolving architecturesObservability foundations in dynamically evolving architectures
Observability foundations in dynamically evolving architecturesBoyan Dimitrov
 
Anatomy of the modern application stack
Anatomy of the modern application stackAnatomy of the modern application stack
Anatomy of the modern application stackBoyan Dimitrov
 
Microservices: next-steps
Microservices: next-stepsMicroservices: next-steps
Microservices: next-stepsBoyan Dimitrov
 
Moving to microservices – a technology and organisation transformational journey
Moving to microservices – a technology and organisation transformational journeyMoving to microservices – a technology and organisation transformational journey
Moving to microservices – a technology and organisation transformational journeyBoyan Dimitrov
 
Patterns for building resilient and scalable microservices platform on AWS
Patterns for building resilient and scalable microservices platform on AWSPatterns for building resilient and scalable microservices platform on AWS
Patterns for building resilient and scalable microservices platform on AWSBoyan Dimitrov
 
Microservices and elastic resource pools with Amazon EC2 Container Service
Microservices and elastic resource pools with Amazon EC2 Container ServiceMicroservices and elastic resource pools with Amazon EC2 Container Service
Microservices and elastic resource pools with Amazon EC2 Container ServiceBoyan Dimitrov
 
Monitoring microservices platform
Monitoring microservices platformMonitoring microservices platform
Monitoring microservices platformBoyan Dimitrov
 
Scaling micro-services Architecture on AWS
Scaling micro-services Architecture on AWSScaling micro-services Architecture on AWS
Scaling micro-services Architecture on AWSBoyan Dimitrov
 
Scaling from 1 to 10 million users - Hailo
Scaling from 1 to 10 million users - HailoScaling from 1 to 10 million users - Hailo
Scaling from 1 to 10 million users - HailoBoyan Dimitrov
 

Mais de Boyan Dimitrov (9)

Observability foundations in dynamically evolving architectures
Observability foundations in dynamically evolving architecturesObservability foundations in dynamically evolving architectures
Observability foundations in dynamically evolving architectures
 
Anatomy of the modern application stack
Anatomy of the modern application stackAnatomy of the modern application stack
Anatomy of the modern application stack
 
Microservices: next-steps
Microservices: next-stepsMicroservices: next-steps
Microservices: next-steps
 
Moving to microservices – a technology and organisation transformational journey
Moving to microservices – a technology and organisation transformational journeyMoving to microservices – a technology and organisation transformational journey
Moving to microservices – a technology and organisation transformational journey
 
Patterns for building resilient and scalable microservices platform on AWS
Patterns for building resilient and scalable microservices platform on AWSPatterns for building resilient and scalable microservices platform on AWS
Patterns for building resilient and scalable microservices platform on AWS
 
Microservices and elastic resource pools with Amazon EC2 Container Service
Microservices and elastic resource pools with Amazon EC2 Container ServiceMicroservices and elastic resource pools with Amazon EC2 Container Service
Microservices and elastic resource pools with Amazon EC2 Container Service
 
Monitoring microservices platform
Monitoring microservices platformMonitoring microservices platform
Monitoring microservices platform
 
Scaling micro-services Architecture on AWS
Scaling micro-services Architecture on AWSScaling micro-services Architecture on AWS
Scaling micro-services Architecture on AWS
 
Scaling from 1 to 10 million users - Hailo
Scaling from 1 to 10 million users - HailoScaling from 1 to 10 million users - Hailo
Scaling from 1 to 10 million users - Hailo
 

Último

Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024The Digital Insurer
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century educationjfdjdjcjdnsjd
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationRadu Cotescu
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Neo4j
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slidevu2urc
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityPrincipled Technologies
 
GenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdfGenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdflior mazor
 
Evaluating the top large language models.pdf
Evaluating the top large language models.pdfEvaluating the top large language models.pdf
Evaluating the top large language models.pdfChristopherTHyatt
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Scriptwesley chun
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)Gabriella Davis
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Igalia
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024The Digital Insurer
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsEnterprise Knowledge
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfEnterprise Knowledge
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Servicegiselly40
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUK Journal
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationSafe Software
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonetsnaman860154
 

Último (20)

Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century education
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
 
GenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdfGenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdf
 
Evaluating the top large language models.pdf
Evaluating the top large language models.pdfEvaluating the top large language models.pdf
Evaluating the top large language models.pdf
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Service
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonets
 

Building Highly Sophisticated Environments for Security and Compliance on AWS

  • 1. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Building Highly Sophisticated Environments for Security and Compliance on AWS September 2018 Boyan Dimitrov Director Platform Engineering Sixt @nathariel
  • 2.
  • 3. Q1 2018: Brand New Omnichannel Payment Platform
  • 4. Early 2017 Redesign our payment channels Adapt business processes Communicate to partners and third parties Plan & Coordinate Teams Early 2017 Payment Environment
  • 5. Early 2017Requirements In Production in 8 months Integrated to our business Highly Secure Scalable Modular PCI-DSS Compliant
  • 6. What is PCI-DSS Compliance • Standard for cardholder data environments composed of security best practices and controls. • It’s all about maintaining a secure environment • If you are handling credit card data – this applies to you too!
  • 7. Build and Maintain a Secure Network 1. Install and maintain a firewall configuration to protect cardholder data 2. Do not use vendor-supplied defaults for system passwords and other security parameters Protect Cardholder Data 3. Protect stored cardholder data 4. Encrypt transmission of cardholder data across open, public networks Maintain a Vulnerability Management Program 5. Use and regularly update anti-virus software or programs 6. Develop and maintain secure systems and applications Implement Strong Access Control Measures 7. Restrict access to cardholder data by business need to know 8. Assign a unique ID to each person with computer access 9. Restrict physical access to cardholder data Regularly Monitor and Test Networks 10. Track and monitor all access to network resources and cardholder data 11. Regularly test security systems and processes Maintain an Information Security Policy 12. Maintain a policy that addresses information security for all personnel PCI Goals and Requirements
  • 8. Early 2017Decision to be made Build On The Cloud Build in our DCs Outsource to third party
  • 9. Security in the Cloud is a Shared Responsibility https://aws.amazon.com/compliance/shared-responsibility-model/
  • 10. Build and Maintain a Secure Network Protect Cardholder Data Maintain a Vulnerability Management Program Implement Strong Access Control Measures Regularly Monitor and Test Networks Maintain an Information Security Policy PCI Requirements mapped to AWS Services VPC Security Group Amazon EC2 Cloudformation S3 EBS CloudHSM KMSRDS Security Group ELB VPN WAF CloudFront Cognito Directory ServiceIAM S3Cloudtrail Inspector Config Lambda Lambda Lambda Lambda
  • 11. AWS services in scope by PCI-DSS compliance of all services are PCI- Compliant > 55% 47,6% Increase from prev. year 26 In 2016 62 In 2018 42 In 2017
  • 12. Early 2017Our Decision Build On The Cloud Build in our DCs Outsource to third party
  • 13. Outcome Learning 1: Bring the right people together early on
  • 14. Execution Strategy: Learnings from the past https://en.wikipedia.org/wiki/OODA_loop#/media/File:OODA.Boyd.svg Patrick Edwin Moran
  • 15. OODA in an AWS security context Observe Orient Decide ACT VPC Flow Logs Inspector Agent CloudWatch Insights CloudTrail Config More CloudWatch Inspector Lambda Shield ShieldShieldWAF Machine Learning Config Policies Config Policies CloudWatchWAF WAF SNS Lambda Lambda More MoreMore Guard Duty
  • 17. Orient, Decide, Act! CloudWatch Logs / Events S3 SIEM Config Policies Protectedaccounts Lambda Trails Logs SNS Security Team Security Account OPS Active Scans Corrective Actions
  • 18. The Controlling Core CloudWatch Logs / Events S3 SIEM Config Policies Protectedaccounts Active Scans Lambda SNS Security Team Security Account Corrective Actions OPS Trails Logs
  • 19. Learning 2: Have a strategy
  • 20. Changes had to be made on the way ECSLambda
  • 21. Learning 3: Break down large projects into small iterations
  • 22. End to end automation Engineers CodePipeline CodeBuild ECR ECS Deployment Approval Code Review Code Minutes
  • 23. Learning 4: Know and leverage the ecosystem
  • 24. Learning 5: Take care of your team
  • 25. Summary 1. Bring the right people together early on 2. Have a strategy 3. Break down large projects into small iterations 4. Know and leverage the ecosystem 5. Take care of your team

Notas do Editor

  1. Payment Card Industry Data Security Standard