SlideShare a Scribd company logo

Building Highly Sophisticated Environments for Security and Compliance on AWS

Download as PPTX, PDF
Boyan Dimitrov, profile picture
Boyan Dimitrov

The document outlines the implementation of a highly secure and compliant omnichannel payment platform on AWS, achieved through strategic decision-making and adherence to PCI-DSS standards. Key learnings emphasize the importance of collaboration, continuous adaptation, incremental project management, and team care. The successful integration enhances security through various AWS services while improving compliance metrics significantly.

Technology
Related topics:
Amazon Web ServicesPCI DSS Training
1 of 26
Downloaded 10 times
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
© 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Building Highly Sophisticated Environments for Security and Compliance on AWS September 2018 Boyan Dimitrov Director Platform Engineering Sixt @nathariel
Building Highly Sophisticated Environments for Security and Compliance on AWS
Q1 2018: Brand New Omnichannel Payment Platform
Early 2017 Redesign our payment channels Adapt business processes Communicate to partners and third parties Plan & Coordinate Teams Early 2017 Payment Environment
Early 2017Requirements In Production in 8 months Integrated to our business Highly Secure Scalable Modular PCI-DSS Compliant
What is PCI-DSS Compliance • Standard for cardholder data environments composed of security best practices and controls. • It’s all about maintaining a secure environment • If you are handling credit card data – this applies to you too!
Build and Maintain a Secure Network 1. Install and maintain a firewall configuration to protect cardholder data 2. Do not use vendor-supplied defaults for system passwords and other security parameters Protect Cardholder Data 3. Protect stored cardholder data 4. Encrypt transmission of cardholder data across open, public networks Maintain a Vulnerability Management Program 5. Use and regularly update anti-virus software or programs 6. Develop and maintain secure systems and applications Implement Strong Access Control Measures 7. Restrict access to cardholder data by business need to know 8. Assign a unique ID to each person with computer access 9. Restrict physical access to cardholder data Regularly Monitor and Test Networks 10. Track and monitor all access to network resources and cardholder data 11. Regularly test security systems and processes Maintain an Information Security Policy 12. Maintain a policy that addresses information security for all personnel PCI Goals and Requirements
Early 2017Decision to be made Build On The Cloud Build in our DCs Outsource to third party
Security in the Cloud is a Shared Responsibility https://aws.amazon.com/compliance/shared-responsibility-model/
Build and Maintain a Secure Network Protect Cardholder Data Maintain a Vulnerability Management Program Implement Strong Access Control Measures Regularly Monitor and Test Networks Maintain an Information Security Policy PCI Requirements mapped to AWS Services VPC Security Group Amazon EC2 Cloudformation S3 EBS CloudHSM KMSRDS Security Group ELB VPN WAF CloudFront Cognito Directory ServiceIAM S3Cloudtrail Inspector Config Lambda Lambda Lambda Lambda
AWS services in scope by PCI-DSS compliance of all services are PCI- Compliant > 55% 47,6% Increase from prev. year 26 In 2016 62 In 2018 42 In 2017
Early 2017Our Decision Build On The Cloud Build in our DCs Outsource to third party
Outcome Learning 1: Bring the right people together early on
Execution Strategy: Learnings from the past https://en.wikipedia.org/wiki/OODA_loop#/media/File:OODA.Boyd.svg Patrick Edwin Moran
OODA in an AWS security context Observe Orient Decide ACT VPC Flow Logs Inspector Agent CloudWatch Insights CloudTrail Config More CloudWatch Inspector Lambda Shield ShieldShieldWAF Machine Learning Config Policies Config Policies CloudWatchWAF WAF SNS Lambda Lambda More MoreMore Guard Duty
VPC Flow Logs CloudWatch Insights CloudTrail Config CloudWatch Config Policies Protected Accounts Security Account Trails Logs Observe…
Orient, Decide, Act! CloudWatch Logs / Events S3 SIEM Config Policies Protectedaccounts Lambda Trails Logs SNS Security Team Security Account OPS Active Scans Corrective Actions
The Controlling Core CloudWatch Logs / Events S3 SIEM Config Policies Protectedaccounts Active Scans Lambda SNS Security Team Security Account Corrective Actions OPS Trails Logs
Learning 2: Have a strategy
Changes had to be made on the way ECSLambda
Learning 3: Break down large projects into small iterations
End to end automation Engineers CodePipeline CodeBuild ECR ECS Deployment Approval Code Review Code Minutes
Learning 4: Know and leverage the ecosystem
Learning 5: Take care of your team
Summary 1. Bring the right people together early on 2. Have a strategy 3. Break down large projects into small iterations 4. Know and leverage the ecosystem 5. Take care of your team
Thank You

More Related Content

PPTX
Complex architectures for authentication and authorization on AWS
Boyan Dimitrov
 
PDF
Complex architectures for authentication and authorization on AWS
Boyan Dimitrov
 
PDF
Microservice architecture-api-gateway-considerations
Imam Uddin Ahamed - PRINCE2 ® , ITIL ®
 
PDF
Gravitee.io
Knoldus Inc.
 
PPTX
AzureConf 2014 - Azure hybrid connections (Sam Vanhoutte)
Sam Vanhoutte
 
PDF
Demystifying Service Mesh
Mitchell Pronschinske
 
PDF
Service mesh in Microservice World to Manage end to end service communications
Satya Syam
 
PDF
Layer 7 Observability and Centralized Configuration with Consul Service Mesh
Mitchell Pronschinske
 
Complex architectures for authentication and authorization on AWS
Boyan Dimitrov
 
Complex architectures for authentication and authorization on AWS
Boyan Dimitrov
 
Microservice architecture-api-gateway-considerations
Imam Uddin Ahamed - PRINCE2 ® , ITIL ®
 
Gravitee.io
Knoldus Inc.
 
AzureConf 2014 - Azure hybrid connections (Sam Vanhoutte)
Sam Vanhoutte
 
Demystifying Service Mesh
Mitchell Pronschinske
 
Service mesh in Microservice World to Manage end to end service communications
Satya Syam
 
Layer 7 Observability and Centralized Configuration with Consul Service Mesh
Mitchell Pronschinske
 

What's hot (20)

PDF
Microservice Architecture
Rich Lee
 
PDF
An overview of the Eventuate Platform
Chris Richardson
 
PPTX
OAuth and OpenID Connect for PSD2 and Third-Party Access
Nordic APIs
 
PPTX
Microservices and the Cloud-Based Future of Integration
BizTalk360
 
PPTX
Introduction to Hybrid Connections
Daniel Toomey
 
PPTX
The Internet of things for integration people - UKCSUG - public version
Sam Vanhoutte
 
PDF
Microservices - Hitchhiker's guide to cloud native applications
Stijn Van Den Enden
 
PPTX
Building a Reliable Cloud Bank in Java | Starling Bank | QCon 2018
Starling Bank
 
PPTX
Architecting Microservices in .Net
Richard Banks
 
PPTX
Service mesh in action with onap
Huabing Zhao
 
PDF
[WSO2Con EU 2018] Identity APIs is the New Black
WSO2
 
PPTX
API World: The service-mesh landscape
Christian Posta
 
PDF
AWS Api Gateway by Łukasz Marchewka Scalacc
Scalac
 
PDF
Microservices
ACCESS Health Digital
 
PDF
Api Management with Service Mesh
Lakmal Warusawithana
 
PDF
Overview of the Eventuate Tram Customers and Orders application
Chris Richardson
 
PDF
Developing applications with a microservice architecture (svcc)
Chris Richardson
 
PDF
The Role of IAM in Microservices
WSO2
 
PPTX
apidays LIVE Jakarta - REST the events: REST APIs for Event-Driven Architectu...
apidays
 
PPTX
Istio a service mesh
Chandresh Pancholi
 
Microservice Architecture
Rich Lee
 
An overview of the Eventuate Platform
Chris Richardson
 
OAuth and OpenID Connect for PSD2 and Third-Party Access
Nordic APIs
 
Microservices and the Cloud-Based Future of Integration
BizTalk360
 
Introduction to Hybrid Connections
Daniel Toomey
 
The Internet of things for integration people - UKCSUG - public version
Sam Vanhoutte
 
Microservices - Hitchhiker's guide to cloud native applications
Stijn Van Den Enden
 
Building a Reliable Cloud Bank in Java | Starling Bank | QCon 2018
Starling Bank
 
Architecting Microservices in .Net
Richard Banks
 
Service mesh in action with onap
Huabing Zhao
 
[WSO2Con EU 2018] Identity APIs is the New Black
WSO2
 
API World: The service-mesh landscape
Christian Posta
 
AWS Api Gateway by Łukasz Marchewka Scalacc
Scalac
 
Microservices
ACCESS Health Digital
 
Api Management with Service Mesh
Lakmal Warusawithana
 
Overview of the Eventuate Tram Customers and Orders application
Chris Richardson
 
Developing applications with a microservice architecture (svcc)
Chris Richardson
 
The Role of IAM in Microservices
WSO2
 
apidays LIVE Jakarta - REST the events: REST APIs for Event-Driven Architectu...
apidays
 
Istio a service mesh
Chandresh Pancholi
 
Ad

Similar to Building Highly Sophisticated Environments for Security and Compliance on AWS (20)

PPTX
Security: Enabling the Journey to the Cloud
Capgemini
 
PDF
AWS Summit Singapore 2019 | Banking in the Cloud: 10 Lessons Learned
AWS Summits
 
PDF
Get ahead of cloud network security trends and practices in 2020
Cynthia Hsieh
 
PDF
AWS - Security & Compliance
Amazon Web Services LATAM
 
PPTX
ShareResponsibilityModel.pptx
BabatundeAbioye2
 
PPTX
Running GxP Compliant SAP Workloads on AWS
Capgemini
 
PDF
Ensuring PCI DSS Compliance in the Cloud
Cognizant
 
PPTX
2018 re:Invent - Safeguard the Integrity of Your Code for Fast and Secure Dep...
Martin Klie
 
PPTX
Unlock Innovation with AWS Generative AI: Transform Your Business with Scalab...
Akhil Khandelwal
 
PDF
Security for Cloud Computing: 10 Steps to Ensure Success V3.0
Cloud Standards Customer Council
 
DOCX
Securing SaaS: Your Roadmap to PCI DSS v4.0 Compliance
rajverma416485
 
PDF
Biznet GIO National Seminar on Digital Forensics
Yusuf Hadiwinata Sutandar
 
PDF
GEN AI EDM -Generative AI: Beyond Chatbots, Shaping the Future
akhilkhandelwal30
 
PPTX
Accelerated Saa S Exec Briefing V2
jeffirby
 
PDF
AWS User Group November
PolarSeven Pty Ltd
 
PDF
AWS November meetup Slides
JacksonMorgan9
 
PPTX
Welcome to the Multi-cloud world
Lew Tucker
 
PDF
Cloud services and it security
East Midlands Cyber Security Forum
 
PDF
Richard Knight: Real world stories from the frontline of enterprise Cloud
De Novo
 
PPTX
Key Capibilities.pptx
MuhammadNaumanAkram1
 
Security: Enabling the Journey to the Cloud
Capgemini
 
AWS Summit Singapore 2019 | Banking in the Cloud: 10 Lessons Learned
AWS Summits
 
Get ahead of cloud network security trends and practices in 2020
Cynthia Hsieh
 
AWS - Security & Compliance
Amazon Web Services LATAM
 
ShareResponsibilityModel.pptx
BabatundeAbioye2
 
Running GxP Compliant SAP Workloads on AWS
Capgemini
 
Ensuring PCI DSS Compliance in the Cloud
Cognizant
 
2018 re:Invent - Safeguard the Integrity of Your Code for Fast and Secure Dep...
Martin Klie
 
Unlock Innovation with AWS Generative AI: Transform Your Business with Scalab...
Akhil Khandelwal
 
Security for Cloud Computing: 10 Steps to Ensure Success V3.0
Cloud Standards Customer Council
 
Securing SaaS: Your Roadmap to PCI DSS v4.0 Compliance
rajverma416485
 
Biznet GIO National Seminar on Digital Forensics
Yusuf Hadiwinata Sutandar
 
GEN AI EDM -Generative AI: Beyond Chatbots, Shaping the Future
akhilkhandelwal30
 
Accelerated Saa S Exec Briefing V2
jeffirby
 
AWS User Group November
PolarSeven Pty Ltd
 
AWS November meetup Slides
JacksonMorgan9
 
Welcome to the Multi-cloud world
Lew Tucker
 
Cloud services and it security
East Midlands Cyber Security Forum
 
Richard Knight: Real world stories from the frontline of enterprise Cloud
De Novo
 
Key Capibilities.pptx
MuhammadNaumanAkram1
 
Ad

More from Boyan Dimitrov (9)

PDF
Observability foundations in dynamically evolving architectures
Boyan Dimitrov
 
PDF
Anatomy of the modern application stack
Boyan Dimitrov
 
PPTX
Microservices: next-steps
Boyan Dimitrov
 
PPTX
Moving to microservices – a technology and organisation transformational journey
Boyan Dimitrov
 
PPTX
Patterns for building resilient and scalable microservices platform on AWS
Boyan Dimitrov
 
PDF
Microservices and elastic resource pools with Amazon EC2 Container Service
Boyan Dimitrov
 
PDF
Monitoring microservices platform
Boyan Dimitrov
 
PPTX
Scaling micro-services Architecture on AWS
Boyan Dimitrov
 
PPTX
Scaling from 1 to 10 million users - Hailo
Boyan Dimitrov
 
Observability foundations in dynamically evolving architectures
Boyan Dimitrov
 
Anatomy of the modern application stack
Boyan Dimitrov
 
Microservices: next-steps
Boyan Dimitrov
 
Moving to microservices – a technology and organisation transformational journey
Boyan Dimitrov
 
Patterns for building resilient and scalable microservices platform on AWS
Boyan Dimitrov
 
Microservices and elastic resource pools with Amazon EC2 Container Service
Boyan Dimitrov
 
Monitoring microservices platform
Boyan Dimitrov
 
Scaling micro-services Architecture on AWS
Boyan Dimitrov
 
Scaling from 1 to 10 million users - Hailo
Boyan Dimitrov
 

Recently uploaded (20)

PDF
Shreyas Phanse Resume: Experienced Backend Engineer | Java • Spring Boot • Ka...
SHREYAS PHANSE
 
PPTX
A Presentation on Artificial Intelligence
memembruh336
 
PDF
Encapsulation theory and applications.pdf
gurumoop
 
PDF
Architecting across the Boundaries of two Complex Domains - Healthcare & Tech...
Peter Tan
 
PDF
Bridging biosciences and deep learning for revolutionary discoveries: a compr...
IAESIJAI
 
PPT
Teaching material agriculture food technology
LiaRayya
 
PDF
Peak of Data & AI Encore- AI for Metadata and Smarter Workflows
Safe Software
 
PDF
The Rise and Fall of 3GPP – Time for a Sabbatical?
3G4G
 
PDF
Agricultural_Statistics_at_a_Glance_2022_0.pdf
SandeepSingh286037
 
PPTX
Big Data Technologies - Introduction.pptx
kuthubussaman1
 
PDF
Spectral efficient network and resource selection model in 5G networks
IAESIJAI
 
PDF
Dropbox Q2 2025 Financial Results & Investor Presentation
Dropbox
 
PDF
Advanced methodologies resolving dimensionality complications for autism neur...
IAESIJAI
 
PDF
Build a system with the filesystem maintained by OSTree @ COSCUP 2025
Jian-Hong Pan
 
PDF
Modernizing your data center with Dell and AMD
Principled Technologies
 
PPTX
20250228 LYD VKU AI Blended-Learning.pptx
DatVoNgoc
 
PPT
“AI and Expert System Decision Support & Business Intelligence Systems”
ZubinRadhakrishnan
 
PDF
Mobile App Security Testing_ A Comprehensive Guide.pdf
flufftailshop
 
PDF
cuic standard and advanced reporting.pdf
SimoneTitaniumTomase
 
PPTX
Cloud computing and distributed systems.
kkkkkhan
 
Shreyas Phanse Resume: Experienced Backend Engineer | Java • Spring Boot • Ka...
SHREYAS PHANSE
 
A Presentation on Artificial Intelligence
memembruh336
 
Encapsulation theory and applications.pdf
gurumoop
 
Architecting across the Boundaries of two Complex Domains - Healthcare & Tech...
Peter Tan
 
Bridging biosciences and deep learning for revolutionary discoveries: a compr...
IAESIJAI
 
Teaching material agriculture food technology
LiaRayya
 
Peak of Data & AI Encore- AI for Metadata and Smarter Workflows
Safe Software
 
The Rise and Fall of 3GPP – Time for a Sabbatical?
3G4G
 
Agricultural_Statistics_at_a_Glance_2022_0.pdf
SandeepSingh286037
 
Big Data Technologies - Introduction.pptx
kuthubussaman1
 
Spectral efficient network and resource selection model in 5G networks
IAESIJAI
 
Dropbox Q2 2025 Financial Results & Investor Presentation
Dropbox
 
Advanced methodologies resolving dimensionality complications for autism neur...
IAESIJAI
 
Build a system with the filesystem maintained by OSTree @ COSCUP 2025
Jian-Hong Pan
 
Modernizing your data center with Dell and AMD
Principled Technologies
 
20250228 LYD VKU AI Blended-Learning.pptx
DatVoNgoc
 
“AI and Expert System Decision Support & Business Intelligence Systems”
ZubinRadhakrishnan
 
Mobile App Security Testing_ A Comprehensive Guide.pdf
flufftailshop
 
cuic standard and advanced reporting.pdf
SimoneTitaniumTomase
 
Cloud computing and distributed systems.
kkkkkhan
 

Building Highly Sophisticated Environments for Security and Compliance on AWS

  • 1. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Building Highly Sophisticated Environments for Security and Compliance on AWS September 2018 Boyan Dimitrov Director Platform Engineering Sixt @nathariel
  • 3. Q1 2018: Brand New Omnichannel Payment Platform
  • 4. Early 2017 Redesign our payment channels Adapt business processes Communicate to partners and third parties Plan & Coordinate Teams Early 2017 Payment Environment
  • 5. Early 2017Requirements In Production in 8 months Integrated to our business Highly Secure Scalable Modular PCI-DSS Compliant
  • 6. What is PCI-DSS Compliance • Standard for cardholder data environments composed of security best practices and controls. • It’s all about maintaining a secure environment • If you are handling credit card data – this applies to you too!
  • 7. Build and Maintain a Secure Network 1. Install and maintain a firewall configuration to protect cardholder data 2. Do not use vendor-supplied defaults for system passwords and other security parameters Protect Cardholder Data 3. Protect stored cardholder data 4. Encrypt transmission of cardholder data across open, public networks Maintain a Vulnerability Management Program 5. Use and regularly update anti-virus software or programs 6. Develop and maintain secure systems and applications Implement Strong Access Control Measures 7. Restrict access to cardholder data by business need to know 8. Assign a unique ID to each person with computer access 9. Restrict physical access to cardholder data Regularly Monitor and Test Networks 10. Track and monitor all access to network resources and cardholder data 11. Regularly test security systems and processes Maintain an Information Security Policy 12. Maintain a policy that addresses information security for all personnel PCI Goals and Requirements
  • 8. Early 2017Decision to be made Build On The Cloud Build in our DCs Outsource to third party
  • 9. Security in the Cloud is a Shared Responsibility https://aws.amazon.com/compliance/shared-responsibility-model/
  • 10. Build and Maintain a Secure Network Protect Cardholder Data Maintain a Vulnerability Management Program Implement Strong Access Control Measures Regularly Monitor and Test Networks Maintain an Information Security Policy PCI Requirements mapped to AWS Services VPC Security Group Amazon EC2 Cloudformation S3 EBS CloudHSM KMSRDS Security Group ELB VPN WAF CloudFront Cognito Directory ServiceIAM S3Cloudtrail Inspector Config Lambda Lambda Lambda Lambda
  • 11. AWS services in scope by PCI-DSS compliance of all services are PCI- Compliant > 55% 47,6% Increase from prev. year 26 In 2016 62 In 2018 42 In 2017
  • 12. Early 2017Our Decision Build On The Cloud Build in our DCs Outsource to third party
  • 13. Outcome Learning 1: Bring the right people together early on
  • 14. Execution Strategy: Learnings from the past https://en.wikipedia.org/wiki/OODA_loop#/media/File:OODA.Boyd.svg Patrick Edwin Moran
  • 15. OODA in an AWS security context Observe Orient Decide ACT VPC Flow Logs Inspector Agent CloudWatch Insights CloudTrail Config More CloudWatch Inspector Lambda Shield ShieldShieldWAF Machine Learning Config Policies Config Policies CloudWatchWAF WAF SNS Lambda Lambda More MoreMore Guard Duty
  • 17. Orient, Decide, Act! CloudWatch Logs / Events S3 SIEM Config Policies Protectedaccounts Lambda Trails Logs SNS Security Team Security Account OPS Active Scans Corrective Actions
  • 18. The Controlling Core CloudWatch Logs / Events S3 SIEM Config Policies Protectedaccounts Active Scans Lambda SNS Security Team Security Account Corrective Actions OPS Trails Logs
  • 19. Learning 2: Have a strategy
  • 20. Changes had to be made on the way ECSLambda
  • 21. Learning 3: Break down large projects into small iterations
  • 22. End to end automation Engineers CodePipeline CodeBuild ECR ECS Deployment Approval Code Review Code Minutes
  • 23. Learning 4: Know and leverage the ecosystem
  • 24. Learning 5: Take care of your team
  • 25. Summary 1. Bring the right people together early on 2. Have a strategy 3. Break down large projects into small iterations 4. Know and leverage the ecosystem 5. Take care of your team

Editor's Notes

  • #7: Payment Card Industry Data Security Standard