The Payment Card Industry Data Security Standard (PCI DSS) provides a checklist of controls that every organization handling online credit card payments must comply with. Companies follow it to establish security practices that prevent breaches; merchants that fail to comply face substantial financial penalties.
One of the essential items on this list is encrypting data in transit. Amazon Virtual Private Cloud (Amazon VPC) lets organizations keep their data in the cloud without managing the underlying physical infrastructure, and PCI DSS recognizes Amazon VPC as a qualified private network.
In this article I lay out, in a few clear points, how to handle data moving into, out of and within Amazon VPC so as to meet the PCI DSS requirements for data encryption.
Understand the security of Amazon VPC
The first step is to understand the isolation that Amazon VPC provides. Several restrictions apply to an Amazon VPC:
- Hosts outside the Amazon VPC cannot communicate with Amazon Elastic Compute Cloud (EC2) instances inside it unless an internet gateway or a virtual private gateway is attached.
- The mapping service in Amazon Web Services (AWS) layer 2 networking prevents any guest from entering the Amazon VPC address space.
- Data inside an Amazon VPC is strictly isolated from all other VPCs, so even within the private cloud each VPC's data is isolated from every other VPC's.
- Security groups and network access control lists (NACLs) monitor and control inbound and outbound traffic to and from the Amazon VPC, which makes it straightforward to follow the recommendations of a PCI Qualified Security Assessor (QSA).
Understand what PCI DSS says about encryption
PCI DSS requirements state clearly that card details and other sensitive data must be encrypted when transmitted across open, public networks.
- Over public networks, wide area network (WAN) links connect an organization's networks to the internet or to partner networks.
- Inbound and outbound traffic on such public networks passes through physical, identifiable gateways on customer-premises equipment (CPE).
- This is not the case for Amazon VPC, which is essentially a software-defined cloud.
- Such a private cloud abstracts the underlying physical hardware and still keeps the data in the cloud isolated.
- PCI DSS does not require encryption of data transmitted over a private network with the characteristics of Amazon VPC.
- Therefore, given the isolation and controls described above, encrypting data inside Amazon VPC is not strictly necessary.
Encrypt the data, but
- Be aware that encrypting data as it moves into or out of the cloud requires Transport Layer Security (TLS) between the originating host and Amazon VPC.
- Such end-to-end encryption carries a performance cost, because every transmission now has to be encrypted and decrypted. Organizations that intend to apply it must weigh that overhead.
- The following example illustrates the slowdown. Consider a standard web application fronted by Elastic Load Balancing (ELB) that already includes up to 5 encryption/decryption points.
- Now add two more points for the proposed end-to-end encryption, the exact number depending on whether a web application firewall (WAF) is used. This brings the total to seven encryption/decryption points.
- Every new connection to an AWS service or another application adds further encryption/decryption points; the overhead compounds and performance suffers accordingly.
- Be sure to balance this overhead against the performance the application actually needs on Amazon VPC.
Increase the Amazon VPC isolation further
Despite the strong isolation described above, there are several ways to strengthen it further.
- Configure security groups and NACLs throughout; this also supports the PCI DSS checks.
- Keep a PCI QSA or other PCI consultant available within the organization for emergencies and security precautions; when an incident occurs, they need to provide a solution on the spot.
- Keep the number of public subnets, which correspond to what PCI DSS calls the demilitarized zone (DMZ), to a minimum.
- Configure Network Address Translation (NAT) in the public subnet to carry outbound traffic, and place all other hosts in private subnets.
- Enabling source/destination checks on all instances further improves the isolation of their network traffic.
- Terminate TLS connections in the public subnet, at either the WAF layer or the front-end ELB layer; traffic within the private subnets can then flow without TLS.
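As an added example (not code from the original article), a small audit that checks a VPC snapshot against the points above: security groups open to the world only on the TLS port, non-NAT hosts kept out of the public subnet, and source/destination checks enabled. The snapshot is constructed and shaped like trimmed boto3 `describe_*` responses; the `Role=nat` tag, subnet ids and instance ids are assumptions. It also encodes one caveat from AWS practice: the NAT instance itself must run with source/destination checking disabled, so it is exempted from that check.

```python
# Constructed snapshot shaped like trimmed boto3 EC2 describe_* responses:
# the field names are the real EC2 API ones, every value here is made up.
SNAPSHOT = {
    "RouteTables": [
        {"Associations": [{"SubnetId": "subnet-dmz"}],
         "Routes": [{"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0a1b2c"}]},
        {"Associations": [{"SubnetId": "subnet-app"}],
         "Routes": [{"DestinationCidrBlock": "0.0.0.0/0", "InstanceId": "i-nat"}]},
    ],
    "SecurityGroups": [
        {"GroupName": "elb-sg", "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
            {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
    ],
    "Instances": [
        {"InstanceId": "i-nat", "SubnetId": "subnet-dmz", "SourceDestCheck": False,
         "Tags": [{"Key": "Role", "Value": "nat"}]},
        {"InstanceId": "i-app1", "SubnetId": "subnet-app", "SourceDestCheck": True},
        {"InstanceId": "i-app2", "SubnetId": "subnet-dmz", "SourceDestCheck": False},
    ],
}

def public_subnets(snap):
    """A subnet is public when its route table sends 0.0.0.0/0 to an internet gateway."""
    public = set()
    for rt in snap["RouteTables"]:
        if any(r.get("DestinationCidrBlock") == "0.0.0.0/0"
               and r.get("GatewayId", "").startswith("igw-") for r in rt["Routes"]):
            public.update(a["SubnetId"] for a in rt["Associations"] if "SubnetId" in a)
    return public

def audit(snap, tls_ports=(443,)):
    """Return findings; an empty list means the snapshot follows the points above."""
    findings, dmz = [], public_subnets(snap)
    for sg in snap["SecurityGroups"]:
        for p in sg["IpPermissions"]:
            port = p.get("FromPort", "all")
            world = any(r["CidrIp"] == "0.0.0.0/0" for r in p.get("IpRanges", []))
            if world and not (port in tls_ports and port == p.get("ToPort")):
                findings.append(f"{sg['GroupName']}: port {port} open to 0.0.0.0/0")
    for inst in snap["Instances"]:
        tags = {t["Key"]: t["Value"] for t in inst.get("Tags", [])}
        if tags.get("Role") == "nat":
            continue  # the NAT instance must sit in the DMZ with source/dest check off
        if inst["SubnetId"] in dmz:
            findings.append(f"{inst['InstanceId']}: non-NAT host in public subnet")
        if not inst["SourceDestCheck"]:
            findings.append(f"{inst['InstanceId']}: source/destination check disabled")
    return findings
```

Against the constructed snapshot, `audit(SNAPSHOT)` reports the SSH rule open to the world and the misplaced `i-app2` host twice, while the NAT instance passes.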
Use code to encrypt sensitive data (Optional)
This is not a mainstream approach, since it requires some custom coding, but some organizations do adopt it to protect their most sensitive data.
- Give only specific application servers access to the encryption keys; those servers perform the decryption.
- A stricter variant encrypts the data with a public key at the web server before transmission; only certain application servers hold the private key, so the data stays encrypted along its entire journey.
- The advantage of this method lies mainly on the performance side: it adds no extra encryption/decryption points.
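As an added example (not code from the article), the stricter variant above in Python with the `cryptography` library: the web tier seals a field under the application server's public key the moment it arrives, and only the server holding the private key can open it, so the field is encrypted once and decrypted once regardless of how many hops lie in between. The function names, record id and sample value are assumptions; RSA-OAEP wraps a one-time AES-256-GCM data key because RSA alone cannot encrypt data of arbitrary length.

```python
import os
from cryptography.exceptions import InvalidTag
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.hazmat.primitives.ciphers.aead import AESGCM

# RSA-OAEP wraps a one-time AES-256-GCM data key (hybrid encryption), so the
# payload can be any size while only the private-key holder can unwrap it.
OAEP = padding.OAEP(mgf=padding.MGF1(algorithm=hashes.SHA256()),
                    algorithm=hashes.SHA256(), label=None)

def generate_app_server_keypair():
    """Private key stays on the designated application server; only the public key goes to the web tier."""
    private_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    return private_key, private_key.public_key()

def web_tier_encrypt(public_key, plaintext: bytes, record_id: bytes) -> dict:
    """Runs on the web server as soon as the sensitive field is received."""
    data_key = AESGCM.generate_key(bit_length=256)
    nonce = os.urandom(12)  # fresh nonce per data key; never reuse with the same key
    # record_id is authenticated but not encrypted: it binds the envelope to one record.
    ciphertext = AESGCM(data_key).encrypt(nonce, plaintext, record_id)
    return {"wrapped_key": public_key.encrypt(data_key, OAEP),
            "nonce": nonce, "ciphertext": ciphertext, "record_id": record_id}

def app_server_decrypt(private_key, envelope: dict) -> bytes:
    """Runs only on an application server that holds the private key."""
    data_key = private_key.decrypt(envelope["wrapped_key"], OAEP)
    return AESGCM(data_key).decrypt(envelope["nonce"], envelope["ciphertext"],
                                    envelope["record_id"])

def tamper_detected(private_key, envelope: dict) -> bool:
    """True when GCM rejects the envelope (modified ciphertext or record_id)."""
    try:
        app_server_decrypt(private_key, envelope)
        return False
    except InvalidTag:
        return True

def demo():
    """Round trip plus a swapped record id; returns (decrypted_ok, tamper_caught)."""
    priv, pub = generate_app_server_keypair()
    pan = b"4111111111111111"  # constructed test value, not a real card number
    env = web_tier_encrypt(pub, pan, b"order-1001")
    swapped = dict(env, record_id=b"order-1002")  # envelope moved onto another order
    return app_server_decrypt(priv, env) == pan, tamper_detected(priv, swapped)

if __name__ == "__main__":
    print(demo())  # (True, True)
```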
In a nutshell, Amazon VPC is arguably one of the most isolated private cloud offerings from AWS. It not only provides a secure place to keep sensitive data but also fulfills PCI DSS requirements. Adding encryption/decryption points can add security, but the application's performance must be balanced against it. Alternative approaches such as encrypting in code are needed to achieve a high level of data encryption.