How to Address the PCI DSS Requirements for Data Encryption in Transit Using Amazon VPC
The PCI DSS requirements for encrypting data in transit differ between private networks and public networks. When correctly designed, Amazon Virtual Private Cloud (Amazon VPC), a logically isolated portion of the AWS infrastructure that lets you extend your existing data center network to the cloud, can be considered a private network as defined by the Payment Card Industry Data Security Standard (PCI DSS).
In this blog post, I will review the importance of understanding the logical isolation provided by Amazon VPC and then review some of the key points to consider when designing for PCI workloads that need to transmit sensitive data within or outside the AWS infrastructure. I will also demonstrate how you can use the native isolation provided by Amazon VPC for additional security.
Amazon VPC is the architectural construct of choice for AWS customers deploying workloads that are in scope for a PCI DSS assessment. Within Amazon VPC, Amazon EC2 instances must have an Internet gateway or a virtual private gateway in order to communicate with hosts outside Amazon VPC. Additionally, AWS-designed Layer 2 networking features include the mapping service, which performs checks to ensure that even packets with malformed or modified addresses cannot hop across Amazon VPC boundaries. Network access control lists (NACLs) and security groups may be used to filter inbound and outbound traffic to hosts within Amazon VPC. These controls make it difficult for data to be intercepted or diverted while in transit, and demonstrate the private nature of Amazon VPC.
Encryption of sensitive data in motion is addressed in PCI DSS version 3.1 via Requirement 4 and its corresponding subrequirements. The DSS is clear that the requirements apply to the transmission of payment card data across “open, public networks” that are susceptible to unauthorized access. The PCI DSS and the PCI Glossary describe public networks as network transport providers that connect an organization’s networks to each other over a wide area network (WAN), to the Internet, or to partner networks—and not software-defined cloud constructs such as Amazon VPC.
Typically, such public networks have managed ingress and egress points that act as gateways to a shared network, with the provider managing the routing within that shared network. The ingress and egress points may also be dedicated physical hardware, the customer-premises equipment (CPE). The software-defined Amazon VPC, on the other hand, abstracts any underlying hardware and provides logical isolation. Additionally, PCI DSS testing procedures such as 4.1.c require the PCI Qualified Security Assessor (QSA) to “observe a sample of inbound and outbound transmissions as they occur.” Understandably, such procedures can increase the complexity of the assessment and consequently the cost and time required to complete it.
Encryption of data during transmission is typically achieved using Transport Layer Security (TLS) between two endpoints. However, there are scenarios where end-to-end encryption during transmission may affect application performance or increase management overhead. For instance, a standard web application designed with Elastic Load Balancing (ELB) and configured to encrypt all data transmission between tiers can have up to five encryption/decryption points, as shown in the following image.
With the addition of a web application firewall (WAF), the number of encryption/decryption points increases to seven.
Once additional connections, such as those to other applications and other AWS services, are taken into account, this number can grow even larger. Each additional encryption and decryption point adds key and certificate management overhead. Though the number of encryption and decryption points is not by itself a limiting factor, organizations have to balance that number against application performance requirements and the amount of SSL certificate/key management overhead they are willing to undertake.
AWS recommends that organizations implement encryption of sensitive information in motion wherever possible. Organizations should also leverage the fact that the design of Amazon VPC inherently isolates the components within Amazon VPC from all other VPCs, to help address the PCI requirements. The isolation provided by Amazon VPC can be further enhanced by the following design elements:
- Limit the number of public subnets. Public subnets within Amazon VPC are similar to the demilitarized zone (DMZ) referred to in the PCI DSS.
- Route egress traffic to the Internet through a network address translation (NAT) device located in the public subnet, and deploy all other hosts in private subnets.
- Enable source/destination checks at the instance level to provide additional safeguards around isolation of network traffic (leave them disabled only on a host that must forward traffic it did not originate, such as a NAT instance).
- Ensure that security groups and NACLs are configured to address the requirements of the PCI DSS.
- Consider terminating the TLS connections at the front-end ELB layer or the WAF layer in the public subnet of Amazon VPC, and configuring non-TLS connections for traffic between private subnets.
- Engage your PCI QSA and other parties within the organization with a focus on risk or security management early in the process to help educate and drive risk-based decision making.
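The checklist above is something a practitioner will want to verify repeatedly, not just at design time. The following is an added example (not code from the AWS post) that audits a VPC layout against those points: it derives the public subnets from route tables, flags hosts other than the NAT device that sit in a public subnet, flags instances with source/destination checks disabled, and flags security group rules open to the whole Internet unless they are TLS (443) on a public-subnet host. The input object is constructed for the example and only shaped like the JSON returned by the EC2 DescribeRouteTables, DescribeInstances and DescribeSecurityGroups calls; the `Role` tag used to identify the NAT instance is an assumed convention.

```javascript
// Added example: offline audit of a VPC design against the checklist in the post.
// The design below is CONSTRUCTED and merely mirrors the shape of EC2 describe-* output.
const ANYWHERE = '0.0.0.0/0';
const TLS_PORT = 443;

const vpcDesign = {
  RouteTables: [
    { RouteTableId: 'rtb-public', Associations: [{ SubnetId: 'subnet-public' }],
      Routes: [{ DestinationCidrBlock: ANYWHERE, GatewayId: 'igw-example' }] },
    { RouteTableId: 'rtb-private', Associations: [{ SubnetId: 'subnet-app' }, { SubnetId: 'subnet-db' }],
      Routes: [{ DestinationCidrBlock: ANYWHERE, InstanceId: 'i-nat' }] },        // egress via the NAT instance
    { RouteTableId: 'rtb-leaky', Associations: [{ SubnetId: 'subnet-db-leaky' }],
      Routes: [{ DestinationCidrBlock: ANYWHERE, GatewayId: 'igw-example' }] },    // a "private" subnet that is really public
  ],
  Instances: [
    { InstanceId: 'i-nat', SubnetId: 'subnet-public', SourceDestCheck: false,      // NAT must forward, so the check is off
      Tags: [{ Key: 'Role', Value: 'nat' }], SecurityGroups: [{ GroupId: 'sg-nat' }] },
    { InstanceId: 'i-web1', SubnetId: 'subnet-app', SourceDestCheck: true,
      Tags: [{ Key: 'Role', Value: 'web' }], SecurityGroups: [{ GroupId: 'sg-web' }] },
    { InstanceId: 'i-db1', SubnetId: 'subnet-db-leaky', SourceDestCheck: false,
      Tags: [{ Key: 'Role', Value: 'db' }], SecurityGroups: [{ GroupId: 'sg-db' }] },
  ],
  SecurityGroups: [
    { GroupId: 'sg-nat', IpPermissions: [{ IpProtocol: 'tcp', FromPort: 0, ToPort: 65535, IpRanges: [{ CidrIp: '10.0.0.0/16' }] }] },
    { GroupId: 'sg-web', IpPermissions: [{ IpProtocol: 'tcp', FromPort: 80, ToPort: 80, IpRanges: [{ CidrIp: '10.0.0.0/16' }] }] },
    { GroupId: 'sg-db', IpPermissions: [{ IpProtocol: 'tcp', FromPort: 3306, ToPort: 3306, IpRanges: [{ CidrIp: ANYWHERE }] }] },
  ],
};

// A subnet is public when its route table sends default traffic to an Internet gateway (igw-*).
function publicSubnets(design) {
  const ids = new Set();
  for (const rt of design.RouteTables) {
    const viaIgw = rt.Routes.some(r => r.DestinationCidrBlock === ANYWHERE &&
                                       typeof r.GatewayId === 'string' && r.GatewayId.startsWith('igw-'));
    if (!viaIgw) continue;
    for (const assoc of rt.Associations) if (assoc.SubnetId) ids.add(assoc.SubnetId);
  }
  return ids;
}

// Assumed convention: a Role tag identifies the NAT instance.
function roleOf(instance) {
  const tag = (instance.Tags || []).find(t => t.Key === 'Role');
  return tag ? tag.Value : 'unknown';
}

// Returns a list of { code, instance, detail } findings; an empty list means the design passes.
function auditVpcDesign(design) {
  const findings = [];
  const pub = publicSubnets(design);
  const sgById = new Map(design.SecurityGroups.map(sg => [sg.GroupId, sg]));

  for (const inst of design.Instances) {
    const isNat = roleOf(inst) === 'nat';
    const inPublic = pub.has(inst.SubnetId);

    // Only the NAT device (plus load balancers / WAF, which are not EC2 instances) belongs in a public subnet.
    if (inPublic && !isNat) {
      findings.push({ code: 'HOST_IN_PUBLIC_SUBNET', instance: inst.InstanceId, detail: inst.SubnetId });
    }
    // Source/destination checks stay enabled except on the host that must forward traffic.
    if (inst.SourceDestCheck === false && !isNat) {
      findings.push({ code: 'SRC_DST_CHECK_DISABLED', instance: inst.InstanceId, detail: '' });
    }
    // An Internet-wide inbound rule is acceptable only for TLS on a public-subnet host.
    for (const ref of inst.SecurityGroups) {
      const sg = sgById.get(ref.GroupId);
      if (!sg) continue;
      for (const perm of sg.IpPermissions) {
        const fromInternet = (perm.IpRanges || []).some(r => r.CidrIp === ANYWHERE);
        const tlsOnly = perm.IpProtocol === 'tcp' && perm.FromPort === TLS_PORT && perm.ToPort === TLS_PORT;
        if (fromInternet && !(inPublic && tlsOnly)) {
          findings.push({ code: 'SG_OPEN_TO_INTERNET', instance: inst.InstanceId,
                          detail: `${sg.GroupId} ${perm.IpProtocol}/${perm.FromPort}-${perm.ToPort}` });
        }
      }
    }
  }
  return findings;
}

console.log(`public subnets: ${[...publicSubnets(vpcDesign)].join(', ')}`);
for (const f of auditVpcDesign(vpcDesign)) console.log(`${f.code} ${f.instance} ${f.detail}`.trim());
```

Run against the constructed design, the audit reports nothing for the NAT instance or the web tier and three findings for `i-db1`: it sits in a subnet whose route table points at the Internet gateway, its source/destination check is off, and its security group admits port 3306 from anywhere. Correcting the route, re-enabling the check and restricting the rule to the VPC CIDR brings the design to zero findings, which is the state a QSA would expect for the private subnets.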
As an outside-the-box approach, some organizations choose to encrypt sensitive data in application code, processing the data while it is on the web servers and before transmitting it to the next tier. Access to the decryption keys is granted only to the specific application servers that handle decryption requests. This scheme can be extended further, to the user side, by encrypting the sensitive data field with a public key in the client-side code before transmitting it to the web server. The organization then controls access to the private key and thereby ensures that the data stays encrypted during transmission all the way to the application component that is authorized to decrypt it. These methods retain the secrecy of the data while reducing the number of encryption and decryption operations in the overall data flow.
Amazon VPC is designed to provide logical isolation for a set of AWS resources, and customers frequently rely on Amazon VPC as a key design element to address PCI DSS requirements around segmentation and network control. The PCI DSS appropriately calls for greater controls on transmission of sensitive data over public networks versus private networks. Organizations may leverage the logical isolation provided by Amazon VPC and the techniques described here to benefit from designs that reduce the number of encryption/decryption operations and balance compliance requirements with application performance. For more information about AWS PCI DSS compliance, see the AWS PCI DSS Level 1 FAQs.
For more information about the PCI DSS, go to the Official PCI Security Standards Council site.