The Inner Circle

Expand all | Collapse all

Remote access to PCI DSS cloud environment

Jump to Best Answer
  • 1.  Remote access to PCI DSS cloud environment

    Posted 11 days ago
    Hi everyone who is interested in a discussion about the topic above. The use cases for remote access are maintenance of the infrastructure (the service is build on AWS VPC, IAM) and application management via Linux on EC2.  Does somebody know a reference implementation? There are possibly multiple options to control access e.g. VPN gateway, federated authentication, bastion host, etc. How to achieve an environment which allows the operators and application admins to securely work from home instead from behind a on-prem firewall? PCI requires endpoints which are connected to the environment must be hardened and controlled.

    ------------------------------
    Michael Nolte
    CISO
    AEVI International GmbH
    ------------------------------


  • 2.  RE: Remote access to PCI DSS cloud environment

    Posted 10 days ago
    If the recent hi visibility ransomeware attacks have proven anything, it's that the notion that a headquarters office network is somehow more secure that remote is dubious at best, arguably naively laughable.  Assume your HQ office is insecure, then work your policy from there.  So the remote case is the same as the office desktop - secure your endpoints.  If BYOD is the case, then you may have to offer budgets to upgrade hardware to minimal baseline.

    that said, finding a good cross platform endpoint solution is challenging. I have reviewed over a dozen of the leaders and a dozen newcomers, and all have issues. No silver bullet sadly.

    ------------------------------
    Robert Ficcaglia
    CTO
    SunStone Secure, LLC
    ------------------------------



  • 3.  RE: Remote access to PCI DSS cloud environment
    Best Answer

    Posted 9 days ago
      |   view attached
    Hi Michael ... I certainly want. AWS VPC (Virtual Private Cloud) and ZafePass VPC (Virtual Private Connectivity) is a match in heaven. The IAM is only needed if yoy have a large installation. Dump the VPN gateways .. you dont need these either ... and there is full support for mobility on steroids .... ALL SECURE and ALL ADMINISTERED from the back-end side. One single pane of glass ... a PDF is enclosed.

    ------------------------------
    Niels E. Anqvist
    CEO/President
    ZAFEHOUZE USA / ZAFEHOUZE EMEA
    +4593631300
    ------------------------------

    Attachment(s)



  • 4.  RE: Remote access to PCI DSS cloud environment

    Posted 9 days ago
    Edited by Niels E. Anqvist 9 days ago
    @Robert Ficcaglia .... hmm, maybe not a silver bullet - you wrote:
    If the recent hi visibility ransomeware attacks have proven anything, it's that the notion that a headquarters office network is somehow more secure that remote is dubious at best, arguably naively laughable.
    NEA: if you stick to defending the castle thinking - you're correct. If you go perimeterless and your HQ users use the same access methods that the ones outside .. you will have a range of advantages - resistency to DDoS, immune to MitM, Brute force attacks, Code injection attacks, portscanning, infrastructure vulnerabilities and lateral movement.
    Assume your HQ office is insecure, then work your policy from there. So the remote case is the same as the office desktop - secure your endpoints. If BYOD is the case, then you may have to offer budgets to upgrade hardware to minimal baseline.
    NEA: Correct ... just the fact that using for instance ZafePass on the BOYD will have the same effect as in my first answer and still support full mobility.

    that said, finding a good cross platform endpoint solution is challenging. I have reviewed over a dozen of the leaders and a dozen newcomers, and all have issues. No silver bullet sadly.
    NEA: ... hmm, check us out ... you might like what you see. What are the issues you refer to. I'm keen to know as we have spend a few years take all the ones we know of, out ... so we for instance have NO dependencies to any 3rd party point security i.e. no VPN, no PKI (x509), no IPsec, no TLS, no PIMPAM, no CASB, no DLP ... we can discuss if you need IAM being a larger organisation. The rest is baked in and secure end-to-end. If you think you can breach it - we will gladly give you a go for it. Many have tried - but it doesn't mean we are flawless, but help us find what we don't know - and we'll fix it.

    ------------------------------
    Niels E. Anqvist
    CEO/President
    ZAFEHOUZE USA / ZAFEHOUZE EMEA
    +4593631300
    ------------------------------



  • 5.  RE: Remote access to PCI DSS cloud environment

    Posted 9 days ago
    Edited by Niels E. Anqvist 9 days ago
    @Michael Nolte - will gladly provide a demo of ZafePAss for you .. it is simple and does exactly what you need - and you have FULL CONTROL from the admin side. I can give you my login and password - you can get my ZafePass client (or you can download a new one) ... and you will NEVER be able to get access to any of the IT-resource entitled for me.   ​

    ------------------------------
    Niels E. Anqvist
    CEO/President
    ZAFEHOUZE USA / ZAFEHOUZE EMEA
    +4593631300
    ------------------------------



  • 6.  RE: Remote access to PCI DSS cloud environment

    Posted 6 days ago
    @Niels E. Anqvist, thank you for pointing to your solution which I will forward to our tech team. Is it correct understanding that the agent is independent from OS? Our endpoints are iOS, macOS, Windows, Android and Linux. Another question, do you have reference customers who operate the solution in their PCI DSS environment? @Rostom Zouaghi what are your thoughts about this? Kind regards, Michael​​

    ------------------------------
    Michael Nolte
    CISO
    AEVI International GmbH
    ------------------------------



  • 7.  RE: Remote access to PCI DSS cloud environment

    Posted 8 days ago
    Hello Michael,
    Just to make sure you considered this deployment guide at your evaluation:
    https://aws.amazon.com/quickstart/architecture/compliance-pci/?nc1=h_ls

    ------------------------------
    Uilson Souza
    Cloud Business Senior Analyst
    MARS Global Services
    ------------------------------



  • 8.  RE: Remote access to PCI DSS cloud environment

    Posted 4 days ago
    Michael,
    Admin workstations are generally always in-scope for PCI compliance, regardless if they go through a jump server, etc.
    Take a look a the PCI scoping guidance that the council published 3-4 years ago.  https://www.pcisecuritystandards.org/documents/Guidance-PCI-DSS-Scoping-and-Segmentation_v1_1.pdf


    ------------------------------
    Stewart Fey
    Partner
    LBMC
    ------------------------------



  • 9.  RE: Remote access to PCI DSS cloud environment

    Posted 4 days ago
    Hi Stewart ... not here to judge if traditional network based access and the management of tools and the security solutions needed for support, are appropriate or not - just saying that the easy access, simplicity and control the security model SDP / ZT solutions have, provide superior advantages over traditional access - and is on top deliver very user- & mobility-friendly microsegmented session based connectivity to any IT-resource, service, application and/or data. Skip VPN, and even x.509 based 3rd party point security solutions, PIM/PAM, CASB, DLP and in some cases even IAM. Less complexity equals more security - as Einstein said - make things as simple as possible, but not simpler!

    Cheers,


    ------------------------------
    Niels E. Anqvist
    CEO/President
    ZAFEHOUZE USA / ZAFEHOUZE EMEA
    +4593631300
    ------------------------------



  • 10.  RE: Remote access to PCI DSS cloud environment

    Posted 4 days ago
    Hi Michael. We actually just finished the deployment of a PCI DSS project for a client, based in its entirety in AWS.
    We deployed AWS Workspaces for users' day-to-day work. We have a full Active Directory environment based on EC2 instances (not AWS AD Services) and all Workspaces are joined to that domain. For resources that need to be accessible by external users (mainly a web server frontend), we use a VPN SaaS solution called Perimeter81 that allows us to spin up a dedicated gateway in the cloud and whitelist its IP in our AWS firewall. Users download a small utility and hit the connect button when they need access to the webserver.

    Let me know if you would like to hear more.


    ------------------------------
    Sagy Langer
    Philadelphia PA
    ------------------------------