Case Study: Helping UNIGLOBE Travel achieve PCI DSS 3.1 Compliance on AWS
UNIGLOBE is a leading provider of travel management services in Western Canada. To make sure its latest online platform met the security bar its customers expect, UNIGLOBE engaged Casey Labs to bring its AWS deployment into PCI DSS compliance.
Working from Amazon’s Shared Responsibility Model and the requirements of the PCI DSS itself, Casey Labs helped UNIGLOBE architect a secure deployment.
The Payment Card Industry Data Security Standard (PCI DSS) is an information security standard established to reduce credit card fraud; it applies to every organization that stores, processes or transmits cardholder data.
AWS is validated as a PCI DSS Level 1 service provider. Because of that validation, organizations hosting on AWS do not need to assess the underlying AWS infrastructure as part of their own PCI assessment.
However, AWS operates on a shared responsibility model: the customer remains responsible for every aspect of PCI compliance within their own environment on AWS. This includes the configuration of the AWS services they use, the guest operating systems on their instances, and the security controls the requirements demand (IDS, anti-virus, logging, and so on).
Shared Responsibility Model
Security of the cloud: AWS is responsible for protecting the global infrastructure that runs all of the services offered in the AWS Cloud, i.e. the hardware, software, networking, and facilities that run Amazon Web Services.
Security in the cloud: the customer (you!) is responsible for securing everything they put on that infrastructure: the configuration of the AWS services they use, the guest operating systems, and the applications and content that make use of those services.
Achieving PCI Compliance
The PCI Data Security Standard specifies twelve requirements for compliance:
1) Install and maintain a firewall configuration to protect cardholder data
- AWS services involved: VPCs (subnets, route tables and network ACLs), Security Groups, and Web Application Firewalls (WAF). Only the public-facing listener should be reachable from the internet; everything else stays on private subnets.
2) Do not use vendor-supplied defaults for system passwords and other security parameters
- AWS services involved: Identity and Access Management (IAM). The customer must also change default credentials and settings in the operating systems, databases and software they run on EC2; AWS does not do this for them.
3) Protect stored cardholder data
- AWS services involved: EBS encrypted volumes, S3 encryption at rest, RDS encryption
4) Encrypt transmission of cardholder data across open, public networks
- AWS services involved: TLS/HTTPS terminated at Elastic Load Balancers (ELB), VPN connectivity into the VPC, and Security Groups.
- Note: PCI DSS 3.1 states that “SSL and early TLS are not considered strong cryptography and cannot be used as a security control after June 30, 2016.” In practice this means the ELB’s SSL negotiation policy must disable SSLv3 and TLS 1.0 and accept TLS 1.1 or, preferably, TLS 1.2 only. (The PCI Council later extended the migration deadline to June 30, 2018 in PCI DSS 3.2.)
5) Protect all systems against malware and regularly update anti-virus software or programs
- Customer responsibility: anti-malware software on EC2 instances. AWS does not supply or manage this; the customer must install it, keep it current and retain its logs.
6) Develop and maintain secure systems and applications
- Customer responsibility: build from current AMIs and keep guest operating systems and application components patched (Req. 6.2). AWS patches the hypervisor and underlying hosts; everything inside the instance is the customer’s.
7) Restrict access to cardholder data by business need to know
- AWS services involved: IAM users, groups, roles and policies, granting each role only the access it needs.
8) Identify and authenticate access to system components
- AWS services involved: IAM password policies and MFA for console and API access. The IAM password policy has no lockout setting, so locking accounts after repeated failed logins (Req. 8.1.6) must be handled at the application or operating-system layer.
9) Restrict physical access to cardholder data
- The AWS PCI Attestation of Compliance (AOC), which shows that AWS has been validated against the standards applicable to a Level 1 service provider under PCI DSS version 3.1, covers this requirement for the AWS data centers. The customer still owns physical security of any office, workstation or media outside AWS.
10) Track and monitor all access to network resources and cardholder data
- AWS services involved: CloudTrail for API audit logs, with S3 lifecycle/retention policies so logs are kept for at least a year (Req. 10.7). Operating-system and application logs on EC2 remain the customer’s to collect and retain.
- Note: EC2 instances must be configured for Network Time Protocol (NTP) so that log timestamps are synchronized (Req. 10.4).
11) Regularly test security systems and processes
- AWS’s AOC fully covers detection of rogue wireless access points (Req. 11.1). AWS does not provide vulnerability scanning (Req. 11.2), penetration testing (Req. 11.3), intrusion detection/prevention (Req. 11.4) or file-integrity monitoring (Req. 11.5) within EC2 instances; the customer must arrange these themselves. At the time, scanning and penetration testing of EC2 resources also required prior authorization from AWS.
12) Maintain a policy that addresses information security for all personnel
- AWS does not provide any of the policy documentation defined in Requirement 12 (or the policy elements of the other requirements). The customer must write and maintain this material themselves.
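Several of the customer-side items above (Requirement 1 security group rules, the Requirement 4 SSL/early TLS note, and the Requirement 8 IAM password policy) are things an engineer can check mechanically rather than by eye. The script below is an added example written for this article; it is not Casey Labs’ or UNIGLOBE’s code. It assumes the response shapes boto3 returns for `ec2.describe_security_groups()`, `elb.describe_load_balancer_policies()` and `iam.get_account_password_policy()`, and the `SAMPLE_*` data, the policy names and the `ALLOWED_PUBLIC_PORTS` edge policy are constructed for the example, so it runs offline.

```python
"""Offline PCI DSS 3.1 checks for Requirements 1, 4 and 8 against AWS API response shapes.
SAMPLE_* data is constructed for this example (no real account) and mirrors boto3's
ec2.describe_security_groups(), elb.describe_load_balancer_policies() and
iam.get_account_password_policy(), so the checks can be pointed at live responses."""

ALLOWED_PUBLIC_PORTS = {443}  # Req 1: assumed CDE edge policy, only the HTTPS listener faces the internet
WEAK_PROTOCOL_ATTRS = {"Protocol-SSLv2", "Protocol-SSLv3", "Protocol-TLSv1"}  # Req 4: SSL and early TLS

SAMPLE_SECURITY_GROUPS = {"SecurityGroups": [
    {"GroupId": "sg-0a1b2c3d", "GroupName": "web-elb", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},  # SSH to world
    ]},
    {"GroupId": "sg-0e5f6a7b", "GroupName": "db", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306, "IpRanges": [{"CidrIp": "10.0.1.0/24"}]},
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},  # all protocols/ports from anywhere
    ]},
]}

SAMPLE_ELB_POLICIES = {"PolicyDescriptions": [
    {"PolicyName": "legacy-ssl-policy", "PolicyTypeName": "SSLNegotiationPolicyType",
     "PolicyAttributeDescriptions": [
         {"AttributeName": "Protocol-SSLv3", "AttributeValue": "true"},    # fails Req 4
         {"AttributeName": "Protocol-TLSv1", "AttributeValue": "true"},    # fails Req 4
         {"AttributeName": "Protocol-TLSv1.2", "AttributeValue": "true"}]},
    {"PolicyName": "tls12-only-policy", "PolicyTypeName": "SSLNegotiationPolicyType",
     "PolicyAttributeDescriptions": [
         {"AttributeName": "Protocol-SSLv3", "AttributeValue": "false"},
         {"AttributeName": "Protocol-TLSv1", "AttributeValue": "false"},
         {"AttributeName": "Protocol-TLSv1.2", "AttributeValue": "true"}]},
]}

SAMPLE_PASSWORD_POLICY = {"PasswordPolicy": {
    "MinimumPasswordLength": 6, "RequireNumbers": True,            # 8.2.3 wants >= 7
    "RequireUppercaseCharacters": False, "RequireLowercaseCharacters": True,
    "ExpirePasswords": False,                                      # 8.2.4: MaxPasswordAge key is absent when off
    "PasswordReusePrevention": 2,                                  # 8.2.5 wants >= 4
}}


def check_security_groups(resp):
    """Req 1: flag rules that expose anything but ALLOWED_PUBLIC_PORTS to 0.0.0.0/0 or ::/0."""
    findings = []
    for sg in resp["SecurityGroups"]:
        for perm in sg["IpPermissions"]:
            cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
            cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
            public = [c for c in cidrs if c in ("0.0.0.0/0", "::/0")]
            if not public:
                continue
            if perm["IpProtocol"] == "-1":          # "-1" means every protocol and port
                ports, ok = "all traffic", False
            else:
                span = range(perm["FromPort"], perm["ToPort"] + 1)
                ports = f'{perm["IpProtocol"]} {span.start}-{span.stop - 1}'
                ok = set(span) <= ALLOWED_PUBLIC_PORTS
            if not ok:
                findings.append(f'{sg["GroupId"]} ({sg["GroupName"]}): {ports} open to {", ".join(public)}')
    return findings


def check_elb_policies(resp):
    """Req 4.1: flag SSL negotiation policies that still enable SSL or early TLS."""
    findings = []
    for pol in resp["PolicyDescriptions"]:
        if pol["PolicyTypeName"] != "SSLNegotiationPolicyType":
            continue
        for attr in pol["PolicyAttributeDescriptions"]:
            if attr["AttributeName"] in WEAK_PROTOCOL_ATTRS and attr["AttributeValue"].lower() == "true":
                findings.append(f'{pol["PolicyName"]}: {attr["AttributeName"]} enabled')
    return findings


def check_password_policy(resp):
    """Req 8.2.3-8.2.5: compare the IAM account password policy with the PCI minimums."""
    pp = resp.get("PasswordPolicy")
    if pp is None:  # live boto3 raises NoSuchEntityException when none is set; pass {} here
        return ["no account password policy set (8.2)"]
    findings = []
    if pp.get("MinimumPasswordLength", 0) < 7:
        findings.append("8.2.3: minimum length below 7")
    alpha = pp.get("RequireUppercaseCharacters") or pp.get("RequireLowercaseCharacters")
    if not (pp.get("RequireNumbers") and alpha):
        findings.append("8.2.3: must require both numeric and alphabetic characters")
    age = pp.get("MaxPasswordAge")
    if age is None or age > 90:
        findings.append("8.2.4: passwords must expire within 90 days")
    if pp.get("PasswordReusePrevention", 0) < 4:
        findings.append("8.2.5: must prevent reuse of at least the last 4 passwords")
    return findings


def audit(sgs=SAMPLE_SECURITY_GROUPS, elb=SAMPLE_ELB_POLICIES, pw=SAMPLE_PASSWORD_POLICY):
    """Findings keyed by requirement; an empty dict means every check passed."""
    results = {"Req 1": check_security_groups(sgs), "Req 4": check_elb_policies(elb),
               "Req 8": check_password_policy(pw)}
    return {req: items for req, items in results.items() if items}


if __name__ == "__main__":
    print(audit())
```

Against the constructed sample the audit reports the world-open SSH rule and the all-traffic rule (Req 1), the two weak protocols on `legacy-ssl-policy` (Req 4), and three password-policy gaps (Req 8). The checks are deliberately conservative: any port range that reaches past the allowed set is flagged, and a missing `MaxPasswordAge` (which boto3 omits when expiry is off) counts as a failure rather than a pass.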