Compliance in Cloud

Requirements from standards such as the PCI DSS can be tricky to meet in the Cloud. Chaser’s discrimiNAT firewall enables organisations to address targeted sections of such standards in a cloud-friendly manner.

PCI DSS v3.2, requirement 1.3.4 states “Do not allow unauthorized outbound traffic from the cardholder data environment to the Internet.” In the age of Elastic Load Balancers, Multi-Availability Zone and Multi-Region Deployments, obtaining static IP addresses to feed into AWS Security Groups or GCP Firewall Rules becomes challenging for both the consumer and the supplier.

discrimiNAT enables consumers to simply provide a list of destination hostnames to be allowed from their VPC networks. Not only is an extremely efficient validation carried out over the wire via Deep Packet Inspection, but additional checks for spoofing are carried out too. Any malicious actor within the system would find it impossible to exfiltrate data outside the subscriber’s VPC network, beyond the list of allowed destinations.

The PCI SSC has also been explicit that SSL/early TLS has not been an acceptable level of encryption since 30 June 2018. A strong preference for TLS 1.2 has been indicated by the council in several of their notices. Chaser’s discrimiNAT firewall automatically checks that the TLS version is at least 1.2 (both ways). Any connection at a lower version will simply be denied and logged.
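The hostname allowlist and the TLS 1.2 floor described above can be pictured as one decision made on the first packet of an outbound connection. The following is an added example, not Chaser's code: it assumes the hostname is read from the SNI extension of the TLS ClientHello (the page only says Deep Packet Inspection), covers the client direction only, and uses a constructed allowlist, constructed sample packets and hypothetical function names.

```python
import struct
ALLOWED_HOSTS = {"api.payments.example"}        # constructed allowlist (assumption)
TLS_1_2 = 0x0303

def build_client_hello(host, legacy_version, supported=None):  # constructed sample input
    name = host.encode()
    sni = struct.pack("!HBH", len(name) + 3, 0, len(name)) + name
    exts = struct.pack("!HH", 0, len(sni)) + sni
    if supported:                               # optional supported_versions extension
        sv = bytes([2 * len(supported)]) + b"".join(struct.pack("!H", v) for v in supported)
        exts += struct.pack("!HH", 43, len(sv)) + sv
    body = (struct.pack("!H", legacy_version) + bytes(32) + b"\x00" + struct.pack("!HH", 2, 0x002F)
            + b"\x01\x00" + struct.pack("!H", len(exts)) + exts)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs

def parse_client_hello(record):                 # -> (SNI host or None, highest version offered)
    if len(record) < 9 or record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a TLS ClientHello")
    pos = 9                                     # skip record (5) and handshake (4) headers
    version = struct.unpack_from("!H", record, pos)[0]
    pos += 2 + 32                               # legacy_version + random
    pos += 1 + record[pos]                      # session_id
    pos += 2 + struct.unpack_from("!H", record, pos)[0]   # cipher_suites
    pos += 1 + record[pos]                      # compression_methods
    end = pos + 2 + struct.unpack_from("!H", record, pos)[0]
    pos += 2
    host = None
    while pos + 4 <= end:
        etype, elen = struct.unpack_from("!HH", record, pos)
        data = record[pos + 4: pos + 4 + elen]
        pos += 4 + elen
        if etype == 0:                          # server_name: list_len(2) type(1) len(2) name
            nlen = struct.unpack_from("!H", data, 3)[0]
            host = data[5:5 + nlen].decode("ascii").lower()
        elif etype == 43:                       # supported_versions; GREASE values are ignored
            version = max(v for (v,) in struct.iter_unpack("!H", data[1:1 + data[0]]) if v >> 8 == 3)
    return host, version

def egress_decision(record):
    try:
        host, version = parse_client_hello(record)
    except (ValueError, struct.error, IndexError, UnicodeDecodeError):
        return "deny: unparseable"              # fail closed on anything malformed
    if version < TLS_1_2:
        return "deny: TLS below 1.2"
    if host not in ALLOWED_HOSTS:               # also covers a missing SNI (host is None)
        return "deny: host not allowed"
    return "allow"
```

A check in the other direction would apply the same version floor to the ServerHello, since the server picks the version that is actually negotiated.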