Overview

Skill Level: Advanced

Infrastructure Architects, Application Architects

This article focuses on application infrastructure architecture design on IBM Cloud, involving various components to meet PCI compliance requirements for financial industry applications.

Ingredients

Skills on IBM Cloud architecture.

Step-by-step

  1. Introduction

    IBM Cloud is based on open standards and allows all kinds of vendor-neutral application workloads to be hosted on it, be it a .NET-based workload, Java, or any other. Security and compliance requirements are a necessity for all. IBM Cloud provides multiple solutions to meet such requirements. This article discusses an architecture pattern to implement PCI-compliant application infrastructure on IBM Cloud with one such solution. The Payment Card Industry Data Security Standard (PCI DSS) was developed to encourage and enhance cardholder data security and facilitate the broad adoption of consistent data security measures globally. PCI DSS provides a baseline of technical and operational requirements designed to protect account data. The PCI Data Security Standard Requirements and Security Assessment Procedures define 12 PCI DSS requirements that must be met for a system to be confirmed compliant.

    Image1

     

    PCI DSS certification is ultimately an agreement that a specified level of security is required and certification that it exists. The application infrastructure comprises multiple tiers such as DNS, load balancer, web server, app server, DB, etc. These tiers could be in one or another security zone (DMZ, etc.). The application security could be distributed across these tiers to meet security and compliance needs. Compliance provided by the cloud service provider also plays an important role in meeting these security and compliance needs. Used either individually or in conjunction with one another, various IBM Cloud components provide organizations with an extensive array of capabilities to help ensure the security, accessibility, and usability of their business-critical web applications.

    From an infrastructure layer perspective, IBM Cloud provides PCI compliance in addition to several other compliances.

    Image2

    Source:  https://www.ibm.com/cloud/compliance

     

    For application infrastructure on IBM Cloud IaaS or PaaS, PCI compliance at the application level is the customer's responsibility. To meet these security requirements, the customer needs to select appropriate components from the cloud catalog.

  2. Application Infrastructure Security

    Web applications are vulnerable to attack, and they are attractive targets for hackers because they often have direct connectivity with one or more databases containing sensitive customer and company information. Threats against web applications are often devised specifically for a target application, making threat identification by network-level security devices (e.g., intrusion protection systems and network firewalls) impossible. A solution is therefore required that comprehensively addresses the challenge of delivering centralized application-layer security for all web applications and web services.

    IBM Cloud offers the Citrix NetScaler load balancer, which not only helps meet the application infrastructure's load balancing needs but also helps relieve several downstream components of application security implementation. This helps meet security requirements at the first level of the infrastructure and also helps accelerate application performance through, for example, SSL offloading. NetScaler is available in two modes: VPX and MPX. VPX is available in virtual mode and can be installed on VMware ESXi or any other virtual images available in IBM Cloud.

    NetScaler features:

    1. Comprehensive and centralized policy management.
    2. Layer 4 (TCP and UDP) through Layer 7 (FTP, HTTP, and HTTPS) traffic management and load balancing.
    3. Performance and optimization features (e.g., keep-alive, compression, caching, buffering) that reduce transaction times and increase application responsiveness.
    4. Security features (e.g., firewall; authentication/authorization/accounting (AAA); filtering; and denial of service (DoS) protection).
    5. Availability features (e.g., detecting unavailable servers and directing application requests to the remaining servers).
    6. Visibility. NetScaler allows centralized and efficient system configuration and management of traffic, events, and performance. NetScaler uses an intuitive policy builder to create application delivery policies without a need for writing complex programs or scripts.
    7. Citrix NetScaler is the only product that can load balance traffic on both the public and private networks.

     

    Citrix® NetScaler AppFirewall™ is a comprehensive, full-function, ICSA, Common Criteria, FIPS-certified web application firewall that analyzes all bi-directional traffic, including SSL-encrypted communication, to protect against a broad range of security threats. It provides the ability to perform deep-packet inspection of HTTP, HTTPS and XML as well as protection against the OWASP Top 10. NetScaler AppFirewall threat protection includes, but is not limited to, SQL injection attacks, cross-site scripting attacks, cookie tampering, form validation and protection, HTTP and XML reply and request format validation, JSON payload inspection, signature and behavior based protections, data loss prevention (DLP) support including the monitoring of traffic for intended and unintended data exposure, DoS protection, authentication, authorization and auditing support and reporting, and policy tools that provide for easier PCI DSS compliance verification.

    NetScaler AppFirewall aids corporate IT security teams in conforming to governmental privacy regulations and industry mandates. For example, organizations subject to Payment Card Industry Data Security Standard (PCI DSS) requirements can now fully meet the requirements detailed in PCI DSS Section 6.6, which mandates the installation of a web application firewall in front of public-facing applications as one method of maintaining a proper security posture. In support of PCI security audits, NetScaler AppFirewall can generate dedicated reports detailing all security protections defined in the application firewall policy that pertain to PCI requirements. In addition, NetScaler AppFirewall prevents the inadvertent leakage or theft of sensitive information, such as credit card numbers or custom-defined data objects, by either removing or masking content from application responses before it is publicly disclosed.

    NetScaler AppFirewall permits flexible, stepwise deployment of web application protection. The default web application protection profile defends against the most common dangerous threats and adds full protection against both data theft and layer 4-7 denial of service (DoS) attacks.

    The advanced web application protection profile adds session-aware protections to protect dynamic elements, such as cookies, form fields and session-specific URLs. Attacks that target the trust between the client and server, including cross-site request forgery, are stopped; requests are validated by checking for a unique ID inserted by NetScaler. Such protection is imperative for any application that processes user-specific content, such as an e-commerce site. For more details, one can refer to the link below:

    In the use cases below, the load balancer relieves the application infrastructure of:

    1. Application firewall requirements.
    2. Overheads of SSL processing through SSL offloads.
    3. Application's AAA requirements.
    4. Masking the content from application responses wherever required.
    5. Accelerating application performance through compression, caching, etc.

    A firewall is not depicted in the architectures below, but it is assumed that the necessary firewall options offered by IBM Cloud are in place in front of the application infrastructure. In the architectures below, Vyatta is the gateway device that helps with NAT and could also be used for IP whitelisting if required.

     

    Hardware Security

    Intel's TXT is a trust mechanism that is part of the Xeon processor, enabling administrators to place workloads on trusted pools of hardware. Intel TXT is available on IBM Cloud bare metal servers with Intel Xeon E5-2600 v2, Xeon E3-1200 v3 and Xeon E5-4600 powered servers. Intel TXT analyzes and measures the components of a computing system from the operating system or hypervisor to the computing system's boot firmware and hardware. The analysis includes the system's basic input/output system (BIOS), master boot record (MBR), and boot loader. The measurements are compared to a standard baseline to determine if the system is trusted or untrusted. System software and local or remote management software can use the trust decision to permit or deny a workload from running on that particular computing system. Since Intel TXT performs the analysis and measuring during boot up, the added security doesn't add any performance overhead to applications. Intel TXT is especially advantageous for large enterprises subject to compliance and audit regulations, such as healthcare, financial services, and government organizations. It helps assure that tracking of all trusted resources can be integrated, managed, and reported on with the relevant compliance organizations (HIPAA, PCI, FedRAMP, ISO, FISMA, and SSAE 16). For the first time, these organizations will be able to certify a cloud computing system is appropriately secured for workloads such as:

    1. Governance and enterprise risk
    2. Information and life-cycle management
    3. Compliance and audit
    4. Application security
    5. Identity and access management
    6. Incident response
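
    The measure-and-compare step described in the Intel TXT paragraph above can be modelled with the TPM v1.2 extend operation, in which each boot component is hashed into a running register and the final value is checked against a known-good baseline. This is an added, simplified example, not Intel, VMware or HyTrust code; the component blobs are constructed stand-ins and the function names are assumptions.

```python
import hashlib
import hmac
from typing import List, Optional, Tuple

Chain = List[Tuple[str, bytes]]  # ordered (component name, measured bytes)
PCR_SIZE = 20                    # a TPM v1.2 PCR holds one SHA-1 digest


def extend(pcr: bytes, blob: bytes) -> bytes:
    """TPM v1.2 extend: new PCR = SHA1(old PCR || SHA1(blob))."""
    return hashlib.sha1(pcr + hashlib.sha1(blob).digest()).digest()


def measure_chain(chain: Chain) -> bytes:
    """Fold an ordered boot chain into one register value, starting at zero."""
    pcr = bytes(PCR_SIZE)
    for _name, blob in chain:
        pcr = extend(pcr, blob)
    return pcr


def is_trusted(baseline_pcr: bytes, chain: Chain) -> bool:
    """Trust decision: the observed chain must reproduce the baseline value."""
    return hmac.compare_digest(baseline_pcr, measure_chain(chain))


def first_mismatch(baseline: Chain, observed: Chain) -> Optional[str]:
    """Replay both logs and name the first component where they diverge."""
    b = o = bytes(PCR_SIZE)
    for (name, b_blob), (_n, o_blob) in zip(baseline, observed):
        b, o = extend(b, b_blob), extend(o, o_blob)
        if b != o:
            return name
    return None if len(baseline) == len(observed) else "chain length"


# Constructed stand-ins for the measured components named in the text.
KNOWN_GOOD: Chain = [("BIOS", b"bios-image-v1"), ("MBR", b"mbr-v1"),
                     ("boot loader", b"loader-v1"),
                     ("hypervisor", b"hypervisor-build-a")]
TAMPERED: Chain = [c if c[0] != "boot loader"
                   else ("boot loader", b"loader-v1-patched")
                   for c in KNOWN_GOOD]
BASELINE_PCR = measure_chain(KNOWN_GOOD)

if __name__ == "__main__":
    print(is_trusted(BASELINE_PCR, KNOWN_GOOD))     # unchanged host
    print(is_trusted(BASELINE_PCR, TAMPERED))       # modified boot loader
    print(first_mismatch(KNOWN_GOOD, TAMPERED))
```

    Because every extend folds in the previous register value, a change to any one component, or to the order of components, changes the final value that the baseline comparison sees.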

     

    Image8

     

    IBM Cloud leveraging VMware and HyTrust
    ————————————————————————
    This solution helps integrate various architectural elements to create a chain of trust from hardware through the hypervisor and management applications. The components of the solution include:

    Intel® Trusted Execution Technology (Intel® TXT)
    Trusted Platform Module (TPM), v1.2
    IBM Cloud bare-metal servers
    VMware vCenter* management server
    VMware ESXi* hypervisor (the bare-metal OS and virtual machine monitor)
    HyTrust CloudControl (HTCC)*
    HyTrust DataControl (HTDC)*

    When coupled with VMware vCenter, HyTrust CloudControl (HTCC) and HyTrust DataControl (HTDC), Intel TXT helps verify whether hosts launch into a trusted state, identify the physical location of hosts, and help these systems resist attack in the centralized infrastructure of a cloud. These capabilities can help increase confidentiality and integrity of data in the face of increasingly hostile environments.

     

  3. Use Case 1: Application Infrastructure in Private Network on IBM Cloud

     

    Image3a-1

  4. Use Case 2: Load Balancer in Public Network and Application Infrastructure in Private Network on IBM Cloud

    Image4-1

  5. Use Case 3: Load Balancer in Public Network and Application Infrastructure in Customer Data Center

     

    Image5

  6. Use Case 3: Load Balancer in Public Network and PaaS

    Image6

  7. Use Case 4: Public DNS resolution through Load Balancer

    Global server load balancing is a method to split traffic across multiple servers using DNS and geographical locations as the means to determine to which server traffic will be sent. Generally, a global load balancer will send a client request to a server that is closer to the client, decreasing latency and for the most part improving performance. One might not require a full implementation of a global load balancing solution, however. GSLB requires multiple instances of a suitable device that can perform this function, and depending on your needs, other solutions might be more attractive to you.

    The NetScaler is the only customer-configurable device that does true global load balancing. NetScaler is a multifunction appliance that can perform DNS-based global load balancing lookups. One can delegate a hostname via DNS to resolve to the NetScaler as a DNS server, and the device will look over the servers it is configured to load balance, perform a distance calculation, and return an A record with the IP of the server closest to the client request.

     

    Image7_GSLB

  8. References

    a) https://www.citrix.com/content/dam/citrix/en_us/documents/products-solutions/citrix-netscaler-application-firewall-datasheet.pdf

    b) https://docs.citrix.com/zh-tw/netscaler/11/getting-started-with-netscaler/features/security-and-firewall-features.html

    c) https://www.pcisecuritystandards.org/documents/PCI_DSS_v3.pdf

    d) https://knowledgelayer.softlayer.com

    e) https://knowledgelayer.softlayer.com/faqs/572

    f) https://knowledgelayer.softlayer.com/topic/citrix-netscaler

    g) https://knowledgelayer.softlayer.com/learning/intel-trusted-execution-technology-txt

    h) https://www.intel.com/content/dam/www/public/us/en/documents/guides/trusted-cloud-deployment-guide.pdf

     

     
