DockerCon EU 2015: Docker and PCI-DSS - Lessons learned in a security sensitive environment
12 likes7,439 views
This document summarizes Udo Seidel's presentation on Docker and PCI compliance at Amadeus. It discusses how Amadeus implemented Docker while meeting PCI requirements for security, access controls, logging, and more. Some key lessons included reusing existing security tools, having a dedicated security architect role, and emphasizing communication between security, operations and development teams. Docker provided benefits like abstraction, ease of use and mobility while allowing Amadeus to port more applications over time in compliance with PCI standards.
DockerCon EU 2015: Docker and PCI-DSS - Lessons learned in a security sensitive environment
- 1. Docker and PCI-DSS – Lessons learned in a security sensitive environment Dr. Udo Seidel Chief Architect & Digital Evangelist
- 2. Agenda PCI-DSS 2.2.2 5.2 8.1.3 10.2.2 Lessons Learned SecOps Security Architekt KISS ... Introduction About Udo About Amadeus Behind the scenes The overall trigger Here comes docker Framework details
- 3. Introduction About Udo and Amadeus
- 4. About me :-) ● Teacher of mathematics and physics ● PhD in experimental physics ● Started with Linux in 1996 ● With Amadeus since 2006 ● Before: – Linux/UNIX trainer – Solution Engineer in HPC and CAx environment ● Now: Architecture & Technical Governance aka CTO
- 6. Behind the scenes More details about our Docker journey
- 7. The overall trigger ● Customer project – New customer – New requirements – New chances and challenges ● Changes on Amadeus side – Personnel changes – Digitalization – Externally driven
- 8. Here comes docker ● Huge topic at Red Hat Summit: April 2014 ● Internal discussions – 'Native' joint interest of OPS and DEV – DEV & OPS Architects: April 2014 – Introduction to project architecture: Summer 2014 ● Why? – The 'usual suspects' – Solution of traditional OPS-DEV challenge ● Application patch management ● Administrative access
- 9. Framework details ● Technical – Openstack as IaaS ● 3 installations ● Vmware based – Management ● Orchestration via Openshift ● Teaming up with Red Hat ● Security – Internal ● Corporate Office ● Global Operations Office ● SOC ● Community – External ● PCI-DSS ● SSAE-16 ● ISO 27001
- 10. PCI-DSS ● Payment Card Industry – Data Security Standard ● VISA, MasterCard, American Express, … ● Administration via Council ● 6 Control objectives – Build and maintain secure network – Protect cardholder data – Maintain a vulnerability management program – Implement strong access control measures – Regularly monitor and test networks – Maintain an information security policy ● Current version: 3.1 (115 pages)
- 11. Some of the hick-ups The hypervisor is insecure! Physical separation rules! Who is responsible for firewall policies? Who is responsible for network topology?
- 13. Before you start Don't overcomplicate things. Re-use what is already there. It might be easier than you think.
- 14. Requirement 2.2.2 Enable only necessary services, protocols, daemons, etc., as required for the function of the system. ● Outside Docker – Business as usual – Re-use existing ● Inside Docker – Similar to outside – Review of Docker file and software source ● Overall – Even better due to separation of software, processes, ..
- 15. Requirement 2.2.2 - Amadeus Enable only necessary services, protocols, daemons, etc., as required for the function of the system. ● See previous slide :-) ● Grouping of Containers – Openshift Pods – Smalles Deployable Unit – Application Unit (Component)
- 16. Requirement 5.2 Ensure that all anti-virus mechanisms are maintained as follows: Are kept current, Perform periodic scans, Generate audit logs which are retained per PCI DSS Requirement 10.7. ● Outside Docker – Business as usual – Re-use existing ● Inside Docker – Similar to outside – Review of Docker file and software source ● Overall – No real change to world without Docker
- 17. Requirement 5.2 - Amadeus Ensure that all anti-virus mechanisms are maintained as follows: Are kept current, Perform periodic scans, Generate audit logs which are retained per PCI DSS Requirement 10.7. ● See previous slide :-) ● Scanning discussion – Scan engine towards Container - internal – Container towards Scan engine - external
- 18. Requirement 8.1.3 Immediately revoke access for any terminated users. ● Outside Docker – Business as usual – Re-use existing ● Inside Docker – Avoid personal users – Review of Docker file and software source ● Overall – Even better due separation of software, processes, .. – Big Plus: 'Hands-off'
- 19. Requirement 8.1.3 - Amadeus Immediately revoke access for any terminated users. ● See previous slides :-) ● Jump server for access – Personal users via directory service – Only place with personal users ● Application users – Container and Host level – Special treatment ..anyway – Shell to be removed (soon)
- 20. Requirement 10.2.2 Implement automated audit trails for all system components to reconstruct all actions taken by any individual with root or administrative privileges. ● Outside Docker – Business as usual – Re-use existing ● Inside Docker – Similar to outside – Review of Docker file and software source ● Overall – Even better due separation of software, processes, .. – Big Plus: 'Hands-off'
- 21. Requirement 10.2.2 - Amadeus Implement automated audit trails for all system components to reconstruct all actions taken by any individual with root or administrative privileges. ● See … (you should be able to complete it yourself) ● Jumpserver only for these activities – Questions similar to scanning – Access secured via SSH keys
- 25. Additional Amadeus inside ● Patching via re-creation ● Self-build Docker registry ● Definitive Media Library – Source of truth – Connection to Software Factory ● Different security/network zones – External separation via Loadbalancer – Internal via Openshift placement rules ● Encryption for data at – Flight (SSH, TSL) – Rest (HSM)
- 26. Lessons learned The information you were coming here
- 27. General advice Don't overcomplicate things. Re-use what is already there. People before technology!
- 28. Security Architect ● Dedicated role/responsibility ● Technical and soft skills ● Sufficient standing ● Internally ● Externally Early involvement ● Business goal ● Win-win situation ● Give and take Common language ● Internal education ● External consultancy ● Vendors ● Customers ● Re-use existing dictionaries
- 29. SecOps ● Member of DevOps team ● Remember: Security Champions for OPS ● Communication link to security organization KISS ● Helicopter view for solution finding ● Always different solutions available Team up ● Internally ● DevOps and security organisation ● DevOps and line organisation ● Externally ● Vendors ● Community ● Partners
- 31. Summary 30+ slides condensed in one … or two
- 32. Take-Away ● Don't underestimate non-technical side ● Don't forget what you already have ● 'Walk&talk' a lot
- 33. Outlook ● Journey to be continued ● 'Porting' of other Amadeus applications ● Domino effect
- 34. —Louis Pasteur “Fortune favors the prepared mind.” 3 4
- 35. Thank you! Dr. Udo Seidel @useidel [email protected]