Compliance in the Cloud
Requirements from standards such as PCI DSS can be tricky to meet in the Cloud. Chaser’s discrimiNAT firewall enables organisations to address targeted sections of such standards in a Cloud-friendly manner.
PCI DSS v3.2, requirement 1.3.4 …
… states: “Do not allow unauthorized outbound traffic from the cardholder data environment to the Internet.” In the age of Elastic Load Balancers and Multi-Availability-Zone and Multi-Region deployments, the addresses behind a service change over time, so obtaining static IP addresses to feed into AWS Security Groups or Google Cloud Firewall Rules becomes challenging for consumer and supplier alike.
With discrimiNAT, users simply supply a list of destination hostnames that are allowed out of their VPC networks. Each connection is validated efficiently on the wire via Deep Packet Inspection, with additional checks against spoofing. An attacker who gains a foothold inside the VPC is therefore prevented from exfiltrating data to any destination outside the allowed list.
The PCI SSC has also been explicit that SSL and early TLS have not been an acceptable level of encryption since 30 June 2018.
A strong preference for TLS 1.2 …
… has been indicated by the council in several of its notices. Chaser’s discrimiNAT firewall automatically checks that the TLS version is at least 1.2, in both directions of the connection. Any connection negotiated at a lower version is simply denied and logged.
discrimiNAT enforces contemporary encryption standards such as TLS 1.2+ and SSH v2 with bidirectional in-band checks. It also performs out-of-band checks, such as DNS, for robust defence against sophisticated malware and insider threats, thereby preparing your VPCs for a proper pentest.
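As an added illustration of the in-band checks this page describes (the hostname allow-list and the TLS 1.2 floor enforced in both directions), the Python below is not discrimiNAT’s code and does not claim to reproduce how it works. It parses the outbound TLS ClientHello for the SNI hostname and the highest version the client offers, parses the returning ServerHello for the version the server actually selected, and allows or denies accordingly. The allow-list hostnames, the handshake builders and the decision strings are all constructed for this example; the out-of-band DNS checks are not shown.

```python
import struct

TLS12 = 0x0303
ALLOWED_HOSTS = {"api.payments.example", "sts.amazonaws.com"}  # constructed allow-list; hostnames are assumptions

def _u16(b, off):
    return struct.unpack_from("!H", b, off)[0]

def _handshake_body(record, expected_type):
    """Unwrap one TLS record holding one handshake message; refuse anything truncated."""
    if len(record) < 9 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    hs = record[5:5 + _u16(record, 3)]
    hs_len = int.from_bytes(hs[1:4], "big") if len(hs) >= 4 else -1
    if hs_len < 0 or hs[0] != expected_type or len(hs) < 4 + hs_len:
        raise ValueError("unexpected or truncated handshake")
    return hs[4:4 + hs_len]

def _extensions(body, off):
    """Yield (type, data) for each extension in the block starting at off (nothing if absent)."""
    if off + 2 > len(body):
        return
    end = off + 2 + _u16(body, off)
    off += 2
    while off + 4 <= end:
        ext_type, ext_len = _u16(body, off), _u16(body, off + 2)
        yield ext_type, body[off + 4:off + 4 + ext_len]
        off += 4 + ext_len

def parse_client_hello(record):
    """Return (SNI hostname or None, highest TLS version offered).
    TLS 1.3 clients state their real maximum in supported_versions, older clients in client_version."""
    body = _handshake_body(record, 0x01)
    legacy_version = _u16(body, 0)
    off = 2 + 32                                # client_version + random
    off += 1 + body[off]                        # session_id
    off += 2 + _u16(body, off)                  # cipher_suites
    off += 1 + body[off]                        # compression_methods
    sni, offered = None, []
    for ext_type, data in _extensions(body, off):
        if ext_type == 0x0000 and len(data) >= 5 and data[2] == 0:       # server_name, host_name entry
            sni = data[5:5 + _u16(data, 3)].decode("ascii")
        elif ext_type == 0x002b and data:                                # supported_versions
            offered = [_u16(data, 1 + i) for i in range(0, data[0], 2)]
            offered = [v for v in offered if v >> 8 == 0x03]             # ignore GREASE placeholders
    return sni, (max(offered) if offered else legacy_version)

def parse_server_hello(record):
    """Return the version the server selected (TLS 1.3 carries it in supported_versions)."""
    body = _handshake_body(record, 0x02)
    off = 2 + 32                                # server_version + random
    off += 1 + body[off]                        # session_id
    off += 2 + 1                                # cipher_suite + compression_method
    for ext_type, data in _extensions(body, off):
        if ext_type == 0x002b and len(data) == 2:
            return _u16(data, 0)
    return _u16(body, 0)

def egress_decision(client_hello, allowed_hosts=ALLOWED_HOSTS):
    """Outbound leg: destination must be on the allow-list and the client must offer TLS 1.2+."""
    try:
        sni, version = parse_client_hello(client_hello)
    except (ValueError, IndexError, struct.error) as e:
        return "DENY", "unparseable ClientHello: %s" % e
    if sni is None:
        return "DENY", "no SNI, destination cannot be validated"
    if sni not in allowed_hosts:
        return "DENY", "destination %s not on allow-list" % sni
    if version < TLS12:
        return "DENY", "client offers at most TLS 0x%04x" % version
    return "ALLOW", sni

def ingress_decision(server_hello):
    """Return leg: the version the server actually negotiated must also be TLS 1.2+."""
    try:
        version = parse_server_hello(server_hello)
    except (ValueError, IndexError, struct.error) as e:
        return "DENY", "unparseable ServerHello: %s" % e
    return ("ALLOW" if version >= TLS12 else "DENY"), "server selected TLS 0x%04x" % version

# Constructed handshakes for exercising the checks offline (minimal, not captured from real peers).
def build_client_hello(hostname, supported_versions=(), client_version=TLS12):
    host = hostname.encode()
    sni = struct.pack("!HBH", len(host) + 3, 0, len(host)) + host
    exts = struct.pack("!HH", 0x0000, len(sni)) + sni
    if supported_versions:
        sv = bytes([2 * len(supported_versions)]) + b"".join(struct.pack("!H", v) for v in supported_versions)
        exts += struct.pack("!HH", 0x002b, len(sv)) + sv
    body = (struct.pack("!H", client_version) + bytes(32) + b"\x00"   # version, random, empty session_id
            + b"\x00\x02\x13\x01" + b"\x01\x00"                         # one cipher suite, null compression
            + struct.pack("!H", len(exts)) + exts)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs

def build_server_hello(selected_version):
    tls13 = selected_version >= 0x0304
    exts = struct.pack("!HHH", 0x002b, 2, selected_version) if tls13 else b""
    body = (struct.pack("!H", TLS12 if tls13 else selected_version) + bytes(32)
            + b"\x00\x13\x01\x00" + struct.pack("!H", len(exts)) + exts)   # no session_id, one suite, null compression
    hs = b"\x02" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x03" + struct.pack("!H", len(hs)) + hs
```

Two design points worth noting. A ClientHello without SNI is denied rather than allowed, because the destination cannot be validated from the wire; and the version check is applied twice on purpose: the client’s offer alone is not enough, since a server may still select an older version, so the ServerHello on the return path is inspected as well.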