AWS Control Tower, AWS Security Hub, AWS Shield Advanced, AWS Web Application Firewall
Amazon Web Services
The group company offers national cash handling and international valuables logistics. The national service consists of cash in transit, cash management and complete solutions, while the international service consists of cross-border transportation, management and storage of foreign currencies, precious metals and other valuables for different business lines, such as financial companies, retail, education, government and jewelry. The group company operates through an international network in more than 20 countries.
As part of its digitalization effort, the group wanted to create a new digital payment gateway solution to provide electronic payment services to its customers as well. The group founded a new company that offers a complete end-to-end payment solution to help merchants, restaurants and shops run and grow their business. The online payment solution is the first comprehensive service that allows merchants to handle cash, card and mobile payments through a single provider.
The new online payment gateway solution must be fully compliant with Payment Card Industry (PCI) standards. As a startup, the company needed to achieve PCI compliance in the simplest, fastest and most cost-effective way possible. It needed to ensure that all systems are physically secure, and that all consumer credit card and personal information acquired at the point of sale is encrypted both in transit and at rest. All system and process modifications must also be meticulously documented and periodically inspected for yearly audits. Sufle designed a new well-architected and secure infrastructure on AWS for the customer, so that they were able to achieve PCI-DSS Level 1 certification without any hassle.
Sufle used AWS Control Tower to build a standardized organizational structure for the new organization. Using isolated accounts, the PCI-DSS scoped environment is limited to the payment gateway application only. Workloads are separated from one another in different accounts, and non-production environments are created for development and testing. By automating account creation with the Control Tower Account Factory, and applying data residency guardrails and region deny controls, the security posture is maintained across the whole organization.
By leveraging the AWS shared responsibility model and AWS managed security services, compliance required much less effort than any alternative. It relieves part of the operational burden because AWS operates, manages and controls the components from the host operating system and virtualization layer down to the physical security of the facilities in which the services run.
Using AWS Security Hub, Sufle created a single view of the whole customer organization and benchmarked it against standards and frameworks such as the CIS AWS Foundations Benchmark, the PCI-DSS requirements and the AWS Foundational Security Best Practices.
AWS Shield Advanced is enabled to provide enhanced protection for applications running on AWS resources against larger and more sophisticated attacks. With AWS Shield Advanced, endpoint protection is always on; flow-based monitoring of network traffic and active application monitoring provide near real-time notifications of suspected DDoS incidents to the company's security monitoring teams.
Sufle leveraged AWS Web Application Firewall (WAF) to protect web applications against malicious attacks by filtering, monitoring and automatically blocking unwanted or unauthorized requests. AWS WAF protects applications against web attacks by attaching to Application Load Balancers and Amazon CloudFront distributions. Alongside the AWS Managed Rule sets, Sufle developed custom rule sets for the applications to limit and restrict traffic, such as management endpoint protections and geographic restrictions.
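As an added illustration of the kind of rule set described above (not Sufle's or the customer's actual configuration): two rules in the JSON format accepted by `aws wafv2 create-web-acl --rules`, one attaching an AWS managed rule group and one blocking requests to a management path unless they originate from an allow-listed country. The `/admin` path prefix and the country codes `TR` and `DE` are placeholders chosen for the example.

```json
[
  {
    "Name": "AWSManagedRulesCommonRuleSet",
    "Priority": 0,
    "OverrideAction": { "None": {} },
    "Statement": {
      "ManagedRuleGroupStatement": {
        "VendorName": "AWS",
        "Name": "AWSManagedRulesCommonRuleSet"
      }
    },
    "VisibilityConfig": {
      "SampledRequestsEnabled": true,
      "CloudWatchMetricsEnabled": true,
      "MetricName": "AWSManagedRulesCommonRuleSet"
    }
  },
  {
    "Name": "BlockManagementPathOutsideAllowedCountries",
    "Priority": 1,
    "Action": { "Block": {} },
    "Statement": {
      "AndStatement": {
        "Statements": [
          {
            "ByteMatchStatement": {
              "FieldToMatch": { "UriPath": {} },
              "PositionalConstraint": "STARTS_WITH",
              "SearchString": "/admin",
              "TextTransformations": [ { "Priority": 0, "Type": "LOWERCASE" } ]
            }
          },
          {
            "NotStatement": {
              "Statement": {
                "GeoMatchStatement": { "CountryCodes": [ "TR", "DE" ] }
              }
            }
          }
        ]
      }
    },
    "VisibilityConfig": {
      "SampledRequestsEnabled": true,
      "CloudWatchMetricsEnabled": true,
      "MetricName": "BlockManagementPathOutsideAllowedCountries"
    }
  }
]
```

With `SampledRequestsEnabled` and CloudWatch metrics on, blocked requests to the management path are visible to the security monitoring team without any further configuration, which also gives the audit trail PCI-DSS reviews ask for.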
Amazon Image Builder and the CIS Benchmarks are used together to ensure continuous system hardening. Using the scheduled image creation and distribution features of Amazon Image Builder, new hardened images are created, tested and distributed to the whole organization to ensure sustainable security measures. Amazon Inspector is used for continuous scanning of container images and Amazon EC2 instances deployed on the company infrastructure, and Kernel Live Patching for Amazon Linux 2 allows security vulnerability and critical bug patches to be applied to a running Linux kernel without reboots or disruption to running applications.