AWS Security Blog
How to Address the PCI DSS Requirements for Data Encryption in Transit Using HAQM VPC
The PCI requirements for encryption of data in transit differ between private networks and public networks. When correctly designed, HAQM Virtual Private Cloud (HAQM VPC), a logically isolated portion of the AWS infrastructure that allows you to extend your existing data center network to the cloud, can be considered a private network as defined by the Payment Card Industry Data Security Standard (PCI DSS).
In this blog post, I will review the importance of understanding the logical isolation provided by HAQM VPC and then review some of the key points to consider when designing for PCI workloads that need to transmit sensitive data within or outside the AWS infrastructure. I will also demonstrate how you can use the native isolation provided by HAQM VPC for additional security.
HAQM VPC is the architectural construct of choice for AWS customers deploying workloads that are in scope for a PCI DSS assessment. Within HAQM VPC, HAQM EC2 instances must have an Internet gateway or a virtual private gateway in order to communicate with hosts outside HAQM VPC. Additionally, AWS-designed Layer 2 networking features include the mapping service, which performs checks to ensure that even packets with malformed or modified addresses cannot hop across HAQM VPC boundaries. Network access control lists (NACLs) and security groups may be used to filter inbound and outbound traffic to hosts within HAQM VPC. These controls make it difficult for data to be intercepted or diverted while in transit, and demonstrate the private nature of HAQM VPC.
Encryption of sensitive data in motion is addressed in PCI DSS version 3.1 via Requirement 4 and its corresponding subrequirements. The DSS is clear that the requirements apply to the transmission of payment card data across “open, public networks” that are susceptible to unauthorized access. The PCI DSS and the PCI Glossary describe public networks as network transport providers that connect an organization’s networks to each other over a wide area network (WAN), to the Internet, or to partner networks—and not software-defined cloud constructs such as HAQM VPC.
Typically, such public networks exhibit managed ingress and egress points that act as gateways to a shared network, with the provider managing the routing within the shared network. The ingress and egress points may also be represented by dedicated physical hardware called customer-premises equipment (CPE). The software-defined HAQM VPC, on the other hand, abstracts any underlying hardware and allows for logical isolation. Additionally, PCI DSS testing procedures such as 4.1.c require the PCI Qualified Security Assessor (QSA) to “observe a sample of inbound and outbound transmissions as they occur.” Understandably, such procedures can increase the complexity of the assessment and, consequently, the cost and time required to complete it.
Encryption of data during transmission is typically achieved using Transport Layer Security (TLS) between two endpoints. However, there are scenarios where end-to-end encryption during transmission may affect application performance or increase management overhead. For instance, a standard web application designed with Elastic Load Balancing (ELB) and configured to encrypt all data transmission between tiers can have up to five encryption/decryption points, as shown in the following image.
With the addition of a web application firewall (WAF), the number of encryption/decryption points increases to seven.
When additional connections are considered, such as to other applications and other AWS services, this number can grow even larger. Each additional encryption and decryption point adds key and certificate management overhead. Although the number of encryption and decryption points is not by itself a limiting factor, organizations have to balance that number against application performance requirements and the amount of SSL certificate/key management overhead they are willing to undertake.
AWS recommends that organizations implement encryption of sensitive information in motion wherever possible. Organizations should also leverage the fact that the design of HAQM VPC inherently isolates the components within HAQM VPC from all other VPCs, to help address the PCI requirements. The isolation provided by HAQM VPC can be further enhanced by the following design elements:
- Limit the number of public subnets. Public subnets within HAQM VPC are similar to the demilitarized zone (DMZ) referred to in the PCI DSS.
- Route egress traffic to the Internet through a network address translation (NAT) located in the public subnet and deploy all other hosts in private subnets.
- Enable source/destination checks at the instance level to provide additional safeguards around isolation of network traffic.
- Ensure that security groups and NACLs are configured to address the requirements of the PCI DSS.
- Consider terminating the TLS connections at the front-end ELB layer or the WAF layer in the public subnet of HAQM VPC, and configuring non-TLS connections for traffic between private subnets.
- Engage your PCI QSA and other parties within the organization with a focus on risk or security management early in the process to help educate and drive risk-based decision making.
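As an added illustration of the first four design elements (this is example code, not code from the post or from AWS), the following Node.js check applies them to constructed data shaped like EC2 DescribeRouteTables and DescribeInstances output: it derives the public subnets from the route tables, then flags hosts that sit in a public subnet without being the NAT or WAF, and hosts other than the NAT whose source/destination check is disabled. The Role tag convention and the subnet, instance, and gateway IDs are assumptions of the example.

```javascript
// Added example, not from the AWS post. Constructed sample data in the shape
// of EC2 DescribeRouteTables / DescribeInstances output; the Role tag and
// all IDs are assumptions made for the example.
const routeTables = [
  { Associations: [{ SubnetId: 'subnet-pub' }],
    Routes: [{ DestinationCidrBlock: '0.0.0.0/0', GatewayId: 'igw-0000' }] },
  { Associations: [{ SubnetId: 'subnet-app' }, { SubnetId: 'subnet-db' }],
    Routes: [{ DestinationCidrBlock: '0.0.0.0/0', InstanceId: 'i-nat' }] },
];
const instances = [
  { InstanceId: 'i-nat', SubnetId: 'subnet-pub', SourceDestCheck: false, Tags: [{ Key: 'Role', Value: 'nat' }] },
  { InstanceId: 'i-web', SubnetId: 'subnet-pub', SourceDestCheck: true,  Tags: [{ Key: 'Role', Value: 'web' }] },
  { InstanceId: 'i-app', SubnetId: 'subnet-app', SourceDestCheck: false, Tags: [{ Key: 'Role', Value: 'app' }] },
  { InstanceId: 'i-db',  SubnetId: 'subnet-db',  SourceDestCheck: true,  Tags: [{ Key: 'Role', Value: 'db' }] },
];
// Roles that belong in the DMZ-like public subnet (NAT egress, WAF/TLS termination).
const PUBLIC_ROLES = new Set(['nat', 'waf']);

// A subnet is public when its route table has a default route to an Internet gateway.
function publicSubnets(tables) {
  const pub = new Set();
  for (const t of tables) {
    const viaIgw = (t.Routes || []).some(r =>
      r.DestinationCidrBlock === '0.0.0.0/0' && /^igw-/.test(r.GatewayId || ''));
    if (viaIgw) for (const a of t.Associations || []) if (a.SubnetId) pub.add(a.SubnetId);
  }
  return pub;
}

function roleOf(inst) {
  const t = (inst.Tags || []).find(x => x.Key === 'Role');
  return t ? t.Value : '';
}

// Findings: hosts in a public subnet that are not NAT/WAF, and hosts other
// than the NAT whose source/destination check is disabled.
function auditVpc(tables, insts) {
  const pub = publicSubnets(tables);
  const findings = [];
  for (const i of insts) {
    const role = roleOf(i);
    if (pub.has(i.SubnetId) && !PUBLIC_ROLES.has(role))
      findings.push(`${i.InstanceId}: non-DMZ host in public subnet ${i.SubnetId}`);
    if (i.SourceDestCheck === false && role !== 'nat')
      findings.push(`${i.InstanceId}: source/destination check disabled`);
  }
  return findings;
}

console.log(auditVpc(routeTables, instances).join('\n'));
```

On the sample data the check reports i-web (a web host placed in the public subnet) and i-app (source/destination check disabled on a non-NAT host); the same functions can be fed real SDK output.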
As an outside-the-box approach, some organizations choose to encrypt sensitive data via code, processing the data while it is in the web servers and before transmitting it to the next tier. Access to the decryption keys is granted to specific application servers that handle decryption requests. This scheme can be extended further, to the user side, by encrypting the sensitive data field using a public key in the client-side code before transmitting it to the web server. The organization can then control access to the private key and thereby ensure that the data is encrypted during transmission all the way through to the application component that is authorized to decrypt the data. These methods help retain the secrecy of the data while reducing the number of decryption and encryption operations in the overall data flow.
HAQM VPC is designed to provide logical isolation for a set of AWS resources, and customers frequently rely on HAQM VPC as a key design element to address PCI DSS requirements around segmentation and network control. The PCI DSS appropriately calls for greater controls on transmission of sensitive data over public networks versus private networks. Organizations may leverage the logical isolation provided by HAQM VPC and the techniques described here to benefit from designs that reduce the number of encryption/decryption operations and balance compliance requirements with application performance. For more information about AWS PCI DSS compliance, see the AWS PCI DSS Level 1 FAQs.
For more information about the PCI DSS, go to the Official PCI Security Standards Council site.
– Balaji