compliance in cloud
Requirements from standards such as the PCI DSS can be tricky to meet in the Cloud. Chaser's DiscrimiNAT Firewall enables organisations to address targeted sections of such standards in a Cloud-friendly manner.
PCI DSS v4.0, REQUIREMENT 1.3.2
The requirement states “Outbound traffic from the CDE is restricted as follows: (i) To only traffic that is necessary. (ii) All other traffic is specifically denied.”
In the age of Elastic Load Balancers, Multi-Availability Zone and Multi-Region Deployments, obtaining static IP addresses to feed into AWS Security Groups or Google Cloud Firewall Rules becomes challenging for both the consumer and the supplier.
DiscrimiNAT enables users to simply provide a list of destination hostnames to be allowed from individual applications in the Cloud. An extremely efficient validation is carried out over the wire via Deep Packet Inspection, and additional checks for spoofing are carried out too. Any malicious actor within the system would find it impossible to exfiltrate data to destinations outside their service's VPC network beyond the list of allowed destinations.
The PCI SSC has also been explicit that SSL/early TLS has not been an acceptable level of encryption since 30 June 2018.
STRONG PREFERENCE FOR TLS 1.2
Use of at least TLS 1.2 has been indicated by the PCI council in several of their notices. Chaser's DiscrimiNAT Firewall automatically checks that the TLS version is at least 1.2 (both ways). Any connection at a lower version will simply be denied and logged.
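The two checks described above, a destination-hostname allow list enforced by inspecting the connection on the wire and a minimum TLS version of 1.2, can be illustrated on a TLS ClientHello. The following is an added example written for this page; it is not DiscrimiNAT's code, and the product's internals are not described here. It assumes the hostname is read from the TLS Server Name Indication (SNI) extension and the offered version from the supported_versions extension (falling back to the legacy client_version field), which is the standard way such checks are done. The allow list and the ClientHello bytes are constructed for the example; a complete implementation would also inspect the ServerHello to confirm the version the server actually selected.

```python
"""Egress policy on a TLS ClientHello: hostname allow list plus minimum TLS version.

Added example, not DiscrimiNAT's code. Assumes SNI carries the destination
hostname and supported_versions (or legacy client_version) carries the offer.
"""
import struct

TLS12 = 0x0303
# Constructed allow list for the example.
ALLOWED_HOSTS = {"api.example.com", "payments.example.net"}


def build_client_hello(sni, versions, legacy_version=TLS12):
    """Construct a minimal ClientHello record (test input, not a real capture)."""
    name = sni.encode()
    entry = b"\x00" + struct.pack("!H", len(name)) + name          # host_name type 0
    sni_list = struct.pack("!H", len(entry)) + entry
    exts = struct.pack("!HH", 0x0000, len(sni_list)) + sni_list      # server_name
    if versions:
        vers = b"".join(struct.pack("!H", v) for v in versions)
        body = bytes([len(vers)]) + vers
        exts += struct.pack("!HH", 0x002B, len(body)) + body         # supported_versions
    hello = (struct.pack("!H", legacy_version) + b"\x00" * 32        # version, random
             + b"\x00"                                               # empty session id
             + struct.pack("!H", 2) + b"\x13\x01"                    # one cipher suite
             + b"\x01\x00"                                           # null compression
             + struct.pack("!H", len(exts)) + exts)
    handshake = b"\x01" + len(hello).to_bytes(3, "big") + hello     # ClientHello
    return b"\x16" + struct.pack("!HH", 0x0301, len(handshake)) + handshake


def parse_client_hello(record):
    """Return (sni, highest_offered_version); raise ValueError if not a ClientHello."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    if len(body) != hs_len:
        raise ValueError("truncated ClientHello")
    pos = 0
    legacy_version = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2 + 32                                   # skip legacy_version and random
    pos += 1 + body[pos]                            # session id
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]   # cipher suites
    pos += 1 + body[pos]                            # compression methods
    sni, versions = None, []
    if pos + 2 <= len(body):
        end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", body[pos:pos + 4])
            data = body[pos + 4:pos + 4 + elen]
            pos += 4 + elen
            if etype == 0x0000 and len(data) >= 5 and data[2] == 0:
                n = struct.unpack("!H", data[3:5])[0]
                sni = data[5:5 + n].decode("ascii", errors="replace").lower().rstrip(".")
            elif etype == 0x002B and data:
                raw = [struct.unpack("!H", data[1 + i:3 + i])[0] for i in range(0, data[0], 2)]
                # Ignore GREASE placeholders (e.g. 0x0a0a); only real TLS versions count.
                versions = [v for v in raw if 0x0300 <= v <= 0x0304]
    # TLS 1.3 clients put 1.2 in legacy_version and the true list in supported_versions.
    return sni, (max(versions) if versions else legacy_version)


def egress_decision(record, allowed_hosts=ALLOWED_HOSTS, min_version=TLS12):
    """Deny unless the SNI is on the allow list and the client offers >= TLS 1.2."""
    try:
        sni, offered = parse_client_hello(record)
    except ValueError as exc:
        return ("DENY", f"unparseable: {exc}")
    if sni is None:
        return ("DENY", "no SNI, destination hostname cannot be verified")
    if sni not in allowed_hosts:
        return ("DENY", f"{sni} not in allow list")
    if offered < min_version:
        return ("DENY", f"{sni} offers TLS version {offered:#06x} below 1.2")
    return ("ALLOW", f"{sni} at TLS >= 1.2")


if __name__ == "__main__":
    samples = {
        "allowed, TLS 1.3": build_client_hello("api.example.com", [0x0304, 0x0303]),
        "allowed, TLS 1.0": build_client_hello("api.example.com", [], legacy_version=0x0301),
        "unlisted host":    build_client_hello("evil.example.org", [0x0303]),
        "not TLS":          b"\x00" * 16,
    }
    for label, rec in samples.items():
        print(f"{label:18} -> {egress_decision(rec)}")
```

The decision function returns a verdict and a reason string so that denials can be logged with the hostname and version, which is what a reviewer will ask for when reconciling the allow list against Requirement 1.3.2.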
NIST SP 800-53, AC-4, SC-7 and SC-8
AC-4 INFORMATION FLOW ENFORCEMENT
SC-7 BOUNDARY PROTECTION
SC-8 TRANSMISSION CONFIDENTIALITY AND INTEGRITY
DiscrimiNAT helps organisations achieve compliance specifically with the above three controls of NIST SP 800-53. With features such as the see-thru mode, administrators can not only build a map of the information flows very quickly, but also record and automate the expiry date of any exceptions in the egress firewall itself.
PENTEST READY
DiscrimiNAT enforces the use of contemporary encryption standards such as TLS 1.2+ and SSH v2 with bidirectional in-band checks. It also conducts out-of-band checks, such as DNS, for robust defence against sophisticated malware and insider threats, thereby preparing your VPCs for a proper pentest.