[EXPERTS TALK] Enhancing AWS Security with the PCI DSS Security Standard

Cybersecurity 13 December 2021

The Payment Card Industry Data Security Standard, better known as PCI DSS, is a security standard implemented by the biggest players in the electronic payment chain. Its purpose is to increase both the security of, and the control over, cardholders' information when they make purchases, and in doing so to reduce the possibility of fraudulent use of a card as a means of payment.

You might think that the implementation of this enhanced security protocol is now a standard practice for all companies relying on electronic means of payment to rent or sell their goods and services. Think again! As Linkbynet has witnessed from participating in the audit or security testing of numerous IT systems, this is unfortunately not always the case. 

By Benoit Vernochet


Enhanced log management

As it stands, the PCI DSS standard is particularly demanding. It comprises 12 structured requirements that companies processing payment transactions must strictly adhere to in order to obtain a certificate of compliance recognized by the PCI Security Standards Council. Note that this is not a legal obligation but a contractual one, common to all payment card companies.

The following examines, in a comprehensive and instructional manner, a method of enhancing the security controls associated with one of these 12 requirements: the one concerning the monitoring of access to network resources and to cardholder information.

For this exercise, we will focus on the collection of all logs associated with an inbound process, their classification, and their storage for future analysis and audit. This is basically log management at its finest and it is particularly crucial when financial transactions are involved.


Customizing excellence

Many software platform implementations and integrations dating back to the mid-2010s no longer meet the security requirements to safeguard against the very real risks of cyber intrusions that businesses face today. Cloud technologies have actually evolved considerably and, as such, it is wise to seek support in the form of an audit on security practices, especially if a company does not have all the necessary in-house skills to perform such assessments on its own.

Initially, relying on a platform such as the one offered by Amazon Web Services (AWS) is obviously a smart choice, given that its standards in terms of security, agility, adaptability, safety and so forth are all in line with the company’s commitment to excellence.

While AWS also offers customers a best practice guide for PCI DSS compliance, Linkbynet has often found that these best practices are not always followed. It can be difficult for businesses to gauge the effort needed to implement, or to reinforce, their systems through the custom developments that the platform's open architecture makes possible.

That being said, in the event of a breach, businesses are always liable. Our advice to companies is therefore to reinforce their systems upstream in order to offer their customers the guarantee that their practices comply with today’s strictest security standards.


Going beyond simple logging

(Our example is based on an AWS infrastructure but the logic can be applied to any type of cloud provider).

[Figure 1: Strengthening AWS security with PCI DSS]

The AWS platform gives access to its management console through a web interface or a command-line interface (CLI). Whatever the access method, every activity on the console is recorded in AWS CloudTrail and, in line with the PCI DSS standard, the data generated automatically at this stage cannot be deleted or modified, and any access to them is strictly regulated.

The data collected in this way are then sent to a CloudWatch Logs log group, where they are stored online for 90 days, i.e. the retention period imposed by the PCI DSS standard. They must also remain available for at least one year (offline if need be) for fraud investigations that require deeper historical records.

At this point, if no deliberate security measures are taken, the log data are overwritten and can no longer be processed; the risk of losing information vital to an audit is very real. That is why Linkbynet opted to install an agent on the AWS EC2 instances, dedicated to saving the logs so that events are fully documented and can be analysed.

An automated export then copies these records to an Amazon S3 storage solution every 4 hours. Finally, the data, locked with the S3 Object Lock feature to guarantee their integrity, are duplicated. At each stage of the automation, the data are encrypted end to end using KMS keys.
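As an added example, not code from the article or from Linkbynet, the checks below evaluate the three controls just described: 90-day online retention and KMS encryption on the log groups, and Object Lock in COMPLIANCE mode plus SSE-KMS default encryption on the S3 archive. It works on the JSON shapes returned by the AWS APIs describe_log_groups(), get_object_lock_configuration() and get_bucket_encryption(), with constructed sample data (log group names and the key ARN are assumptions), so it runs offline; the same check applies to VPC flow log and Session Manager log groups.

```python
"""Constructed example (not the article's code): offline checks for the log pipeline
above, fed with the response shapes of the CloudWatch Logs and S3 APIs."""

PCI_ONLINE_DAYS = 90    # online retention period stated in the article
PCI_ARCHIVE_DAYS = 365  # minimum availability (offline allowed) stated above

def check_log_group(group):
    """Findings for one entry of describe_log_groups()['logGroups']."""
    findings = []
    days = group.get("retentionInDays")  # key absent means 'never expire'
    if days is not None and days < PCI_ONLINE_DAYS:
        findings.append(f"retention {days}d is below the {PCI_ONLINE_DAYS}d online minimum")
    if not group.get("kmsKeyId"):
        findings.append("log group is not encrypted with a customer-managed KMS key")
    return findings

def check_archive_bucket(lock, enc):
    """Findings for the S3 archive: Object Lock (COMPLIANCE, >= 1 year) and SSE-KMS."""
    findings = []
    cfg = lock.get("ObjectLockConfiguration", {})
    rule = cfg.get("Rule", {}).get("DefaultRetention", {})
    locked_days = rule.get("Days", 0) + 365 * rule.get("Years", 0)
    if cfg.get("ObjectLockEnabled") != "Enabled":
        findings.append("Object Lock is disabled: exported logs can be altered or deleted")
    elif rule.get("Mode") != "COMPLIANCE":
        findings.append("Object Lock is not in COMPLIANCE mode (GOVERNANCE can be bypassed)")
    elif locked_days < PCI_ARCHIVE_DAYS:
        findings.append(f"default retention {locked_days}d is below {PCI_ARCHIVE_DAYS}d")
    rules = enc.get("ServerSideEncryptionConfiguration", {}).get("Rules", [])
    algos = {r.get("ApplyServerSideEncryptionByDefault", {}).get("SSEAlgorithm") for r in rules}
    if "aws:kms" not in algos:
        findings.append("bucket default encryption is not SSE-KMS")
    return findings

# Constructed sample: CloudTrail group set up as described; VPC flow log group left at 7 days, no KMS key.
SAMPLE_GROUPS = [
    {"logGroupName": "/pci/cloudtrail", "retentionInDays": 90, "kmsKeyId": "arn:aws:kms:eu-west-1:111122223333:key/EXAMPLE"},
    {"logGroupName": "/pci/vpc-flow-logs", "retentionInDays": 7},
]
SAMPLE_LOCK = {"ObjectLockConfiguration": {"ObjectLockEnabled": "Enabled",
               "Rule": {"DefaultRetention": {"Mode": "GOVERNANCE", "Days": 365}}}}
SAMPLE_ENC = {"ServerSideEncryptionConfiguration": {"Rules": [
    {"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "aws:kms"}}]}}

def run_checks(groups=SAMPLE_GROUPS, lock=SAMPLE_LOCK, enc=SAMPLE_ENC):
    """Map each resource to its findings; an empty list means compliant."""
    report = {g["logGroupName"]: check_log_group(g) for g in groups}
    report["s3:archive"] = check_archive_bucket(lock, enc)
    return report
```

To audit a real account, replace the sample dicts with the responses of the boto3 `logs` and `s3` clients; note that get_object_lock_configuration raises an error when no lock is configured, which should be treated as "disabled".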

[Figure 2: Strengthening AWS security with PCI DSS]

As you can see from the illustration below, we have not limited ourselves to instance logs, i.e., the records generated by all applications running on UNIX systems that are centralized on AWS by default.

We have extended this best practice to Virtual Private Cloud (VPC) flow logs (which capture information about IP traffic) and to EC2 instance Session Manager logs. A log group can be created from any data source.

[Figure 3: Strengthening AWS security with PCI DSS]

A security-oriented corporate culture

The main advantage of securing and duplicating logs is the speed and ease of access to analysis data. This makes it possible to trace possible intrusions and to identify potential bugs and fraud attempts.

It also promotes the implementation of company-specific practices and policies, such as alerts, to anticipate situations that could prove catastrophic, both for a company’s finances and its brand’s reputation.

We see it every day: identity theft, data theft, ransomware… basically all forms of fraud attempts for financial gain are on the rise. It is not enough to simply notice this trend: it must be acted upon. That is why Linkbynet is committed to working with its customers on a daily basis to help them enhance their security protocols. To that end, we rely on the recommendations of reference organizations and the most advanced technology players to encourage companies to establish a genuine security culture.
