
compliance in cloud

Requirements from standards such as PCI DSS can be tricky to meet in the cloud. Chaser's discrimiNAT firewall lets organisations address targeted sections of such standards in a cloud-friendly manner.

PCI DSS v3.2, REQUIREMENT 1.3.4

The requirement states: "Do not allow unauthorized outbound traffic from the cardholder data environment to the Internet." In the age of Elastic Load Balancers and multi-availability-zone, multi-region deployments, the IP addresses behind a service endpoint change without notice, so obtaining static IP addresses to feed into AWS Security Groups or Google Cloud firewall rules is hard for both the consumer and the supplier of the service.

discrimiNAT lets users instead provide a list of destination hostnames that each application in the cloud is allowed to reach. Validation is carried out on the wire via Deep Packet Inspection, and additional checks guard against a hostname being spoofed in the connection. A malicious actor inside the VPC network is therefore blocked from exfiltrating data to any destination outside the allowed list.

The PCI SSC has also been explicit that SSL and early TLS have not been an acceptable level of encryption since 30 June 2018.

STRONG PREFERENCE FOR TLS 1.2

Use of at least TLS 1.2 has been indicated by the PCI council in several of its notices. Chaser's discrimiNAT firewall automatically checks that the TLS version is at least 1.2 in both directions, i.e. what the client offers and what the server negotiates. Any connection at a lower version is simply denied and logged.
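The two checks described above, a per-application hostname allowlist enforced by inspecting the connection itself and a minimum TLS version of 1.2, can be illustrated with a small decision function. The block below is an added example written for this page; it is not discrimiNAT's code and says nothing about how discrimiNAT implements its checks. It parses a TLS ClientHello, reads the server_name (SNI) and supported_versions extensions, and applies a constructed policy table; the policy entries, the source/destination addresses and the `RESOLVED` map standing in for an out-of-band DNS lookup are all assumptions made for the illustration. The DNS cross-check is what catches a client that presents an allowed hostname in SNI while actually connecting to an unrelated address.

```python
"""Toy egress policy check: hostname allowlist plus minimum TLS version,
decided from a raw TLS ClientHello. Added illustration, not discrimiNAT code.
The policy table and the resolver map are constructed sample data."""
import ipaddress
import struct

TLS12 = 0x0303

# Constructed policy: which hostnames each source application (by CIDR) may reach.
ALLOWED_DESTINATIONS = {
    "10.0.1.0/24": {"api.payments.example", "updates.example.net"},
}
# Constructed stand-in for an out-of-band DNS lookup (hostname -> addresses).
RESOLVED = {
    "api.payments.example": {"203.0.113.10"},
    "updates.example.net": {"198.51.100.7"},
}


def parse_client_hello(data: bytes):
    """Return (legacy_version, sni, offered_versions) from a raw TLS record."""
    if len(data) < 5 or data[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", data[3:5])[0]
    body = data[5:5 + rec_len]
    if len(body) < 4 or body[0] != 0x01:
        raise ValueError("not a ClientHello")
    pos = 4  # skip handshake type (1) and length (3)
    legacy_version = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2 + 32  # client_version + random
    pos += 1 + body[pos]  # session id
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]  # cipher suites
    pos += 1 + body[pos]  # compression methods
    sni, versions = None, [legacy_version]
    if pos + 2 <= len(body):
        end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", body[pos:pos + 4])
            edata = body[pos + 4:pos + 4 + elen]
            pos += 4 + elen
            if etype == 0 and len(edata) >= 5 and edata[2] == 0:  # server_name / host_name
                name_len = struct.unpack("!H", edata[3:5])[0]
                sni = edata[5:5 + name_len].decode("ascii")
            elif etype == 43 and elen >= 1:  # supported_versions (TLS 1.3 clients)
                versions = [struct.unpack("!H", edata[i:i + 2])[0]
                            for i in range(1, 1 + edata[0], 2)]
    return legacy_version, sni, versions


def egress_decision(src_ip: str, dst_ip: str, client_hello: bytes):
    """Return ("ALLOW"|"DENY", reason) for one outbound connection attempt."""
    try:
        _, sni, versions = parse_client_hello(client_hello)
    except ValueError as exc:
        return "DENY", f"unparseable handshake: {exc}"
    if max(versions) < TLS12:
        return "DENY", f"TLS below 1.2: highest offered version 0x{max(versions):04x}"
    if sni is None:
        return "DENY", "no SNI, destination hostname cannot be validated"
    src = ipaddress.ip_address(src_ip)
    allowed = set().union(*(hosts for cidr, hosts in ALLOWED_DESTINATIONS.items()
                            if src in ipaddress.ip_network(cidr)))
    if sni not in allowed:
        return "DENY", f"{sni} is not an allowed destination for {src_ip}"
    if dst_ip not in RESOLVED.get(sni, set()):  # spoofing check: SNI must match the real target
        return "DENY", f"SNI {sni} does not resolve to {dst_ip}"
    return "ALLOW", sni


def build_client_hello(hostname, legacy_version=TLS12, supported=None) -> bytes:
    """Construct a minimal ClientHello record for testing (sample data, not captured traffic)."""
    exts = b""
    if hostname:
        name = hostname.encode("ascii")
        sni_list = b"\x00" + struct.pack("!H", len(name)) + name
        sni_ext = struct.pack("!H", len(sni_list)) + sni_list
        exts += struct.pack("!HH", 0, len(sni_ext)) + sni_ext
    if supported:
        vs = b"".join(struct.pack("!H", v) for v in supported)
        exts += struct.pack("!HH", 43, 1 + len(vs)) + bytes([len(vs)]) + vs
    body = struct.pack("!H", legacy_version) + b"\x00" * 32 + b"\x00"  # version, random, no session id
    body += struct.pack("!H", 2) + b"\x13\x01"  # one cipher suite
    body += b"\x01\x00"  # null compression only
    body += struct.pack("!H", len(exts)) + exts
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


if __name__ == "__main__":
    hello = build_client_hello("api.payments.example", supported=[0x0304, 0x0303])
    print(egress_decision("10.0.1.5", "203.0.113.10", hello))
    print(egress_decision("10.0.1.5", "203.0.113.10", build_client_hello("api.payments.example", 0x0301)))
```

Two caveats a practitioner should keep in mind: a hostname taken from SNI is only as trustworthy as the DNS cross-check that follows it, which is why the example denies when the destination address does not belong to the named host, and a client that does not send SNI at all (or encrypts it) leaves nothing to validate in-band, so such connections are denied rather than allowed by default.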

NIST SP 800-53, AC-4 and SC-7

AC-4 INFORMATION FLOW ENFORCEMENT

SC-7 BOUNDARY PROTECTION

discrimiNAT helps organisations achieve compliance specifically with the above two controls from NIST SP 800-53. With features such as see-thru mode, administrators can quickly build a map of the information flows, and can record the expiry date of any exception in the egress firewall itself so that it is removed automatically.

PENTEST READY

discrimiNAT enforces the use of contemporary encryption standards such as TLS 1.2+ and SSH v2 with bidirectional in-band checks. It also performs out-of-band checks, such as DNS lookups of the allowed hostnames, for a robust defence against sophisticated malware and insider threats, preparing your VPCs for a proper pentest.