This document summarizes Udo Seidel's presentation on Docker and PCI compliance at Amadeus. It discusses how Amadeus implemented Docker while meeting PCI requirements for security, access controls, logging, and more. Some key lessons included reusing existing security tools, having a dedicated security architect role, and emphasizing communication between security, operations and development teams. Docker provided benefits like abstraction, ease of use and mobility while allowing Amadeus to port more applications over time in compliance with PCI standards.
4. About me :-)
● Teacher of mathematics and physics
● PhD in experimental physics
● Started with Linux in 1996
● With Amadeus since 2006
● Before:
– Linux/UNIX trainer
– Solution Engineer in HPC and CAx environment
● Now: Architecture & Technical Governance aka CTO
7. The overall trigger
● Customer project
– New customer
– New requirements
– New chances and challenges
● Changes on Amadeus side
– Personnel changes
– Digitalization
– Externally driven
8. Here comes docker
● Huge topic at Red Hat Summit: April 2014
● Internal discussions
– 'Native' joint interest of OPS and DEV
– DEV & OPS Architects: April 2014
– Introduction to project architecture: Summer 2014
● Why?
– The 'usual suspects'
– Solution of traditional OPS-DEV challenge
● Application patch management
● Administrative access
9. Framework details
● Technical
– OpenStack as IaaS
● 3 installations
● VMware based
– Management
● Orchestration via OpenShift
● Teaming up with Red Hat
● Security
– Internal
● Corporate Office
● Global Operations Office
● SOC
● Community
– External
● PCI-DSS
● SSAE-16
● ISO 27001
10. PCI-DSS
● Payment Card Industry – Data Security Standard
● VISA, MasterCard, American Express, …
● Administration via Council
● 6 Control objectives
– Build and maintain secure network
– Protect cardholder data
– Maintain a vulnerability management program
– Implement strong access control measures
– Regularly monitor and test networks
– Maintain an information security policy
● Current version: 3.1 (115 pages)
11. Some of the hiccups
The hypervisor is insecure!
Physical separation rules!
Who is responsible for firewall policies?
Who is responsible for network topology?
13. Before you start
Don't overcomplicate things.
Re-use what is already there.
It might be easier than you think.
14. Requirement 2.2.2
Enable only necessary services, protocols, daemons, etc., as required for
the function of the system.
● Outside Docker
– Business as usual
– Re-use existing
● Inside Docker
– Similar to outside
– Review of Docker file and software source
● Overall
– Even better due to separation of software, processes, ..
15. Requirement 2.2.2 - Amadeus
Enable only necessary services, protocols, daemons, etc., as required for
the function of the system.
● See previous slide :-)
● Grouping of Containers
– OpenShift Pods
– Smallest Deployable Unit
– Application Unit (Component)
16. Requirement 5.2
Ensure that all anti-virus mechanisms are maintained as follows: Are kept
current, Perform periodic scans, Generate audit logs which are retained per
PCI DSS Requirement 10.7.
● Outside Docker
– Business as usual
– Re-use existing
● Inside Docker
– Similar to outside
– Review of Docker file and software source
● Overall
– No real change to world without Docker
17. Requirement 5.2 - Amadeus
Ensure that all anti-virus mechanisms are maintained as follows: Are kept
current, Perform periodic scans, Generate audit logs which are retained per
PCI DSS Requirement 10.7.
● See previous slide :-)
● Scanning discussion
– Scan engine towards Container - internal
– Container towards Scan engine - external
18. Requirement 8.1.3
Immediately revoke access for any terminated users.
● Outside Docker
– Business as usual
– Re-use existing
● Inside Docker
– Avoid personal users
– Review of Docker file and software source
● Overall
– Even better due to separation of software, processes, ..
– Big Plus: 'Hands-off'
19. Requirement 8.1.3 - Amadeus
Immediately revoke access for any terminated users.
● See previous slides :-)
● Jump server for access
– Personal users via directory service
– Only place with personal users
● Application users
– Container and Host level
– Special treatment .. anyway
– Shell to be removed (soon)
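Two of the points above, "Avoid personal users" inside containers and "Shell to be removed" for application users, can be checked against an image's /etc/passwd. The script below is an added example, not Amadeus code; SAMPLE_PASSWD and EXPECTED_APP_ACCOUNTS are constructed, and the UID boundary follows the RHEL-family convention.

```python
"""Account review for PCI-DSS requirement 8.1.3 on a container image or host.

Added example, not Amadeus code. It inspects /etc/passwd content and reports
personal (human) accounts, which should only exist on the jump server, and
application accounts that still carry an interactive shell.
SAMPLE_PASSWD and EXPECTED_APP_ACCOUNTS are constructed.
"""

# Shells that deny an interactive login.
NOLOGIN_SHELLS = {"/sbin/nologin", "/usr/sbin/nologin", "/bin/false", "/usr/bin/false"}
# Conventional upper bound of system (non-human) UIDs on RHEL-family systems.
SYSTEM_UID_MAX = 999
# Constructed: non-system accounts the component legitimately needs.
EXPECTED_APP_ACCOUNTS = {"app"}

# Constructed /etc/passwd as it might be found in an image under review.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
nobody:x:65534:65534:Kernel Overflow User:/:/sbin/nologin
app:x:1000:1000:application runtime:/opt/app:/bin/bash
jdoe:x:1001:1001:John Doe:/home/jdoe:/bin/bash
"""


def parse_passwd(text):
    """Parse passwd(5) lines into dicts; raises on a malformed line so a
    truncated or tampered file is not silently accepted."""
    entries = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError(f"malformed passwd line: {line!r}")
        name, _pw, uid, gid, gecos, home, shell = fields
        entries.append({"name": name, "uid": int(uid), "gid": int(gid),
                        "gecos": gecos, "home": home, "shell": shell})
    return entries


def review_accounts(text, expected_apps=EXPECTED_APP_ACCOUNTS):
    """Return {'personal': [...], 'interactive_shell': [...]}.

    personal: non-system UIDs that are neither an expected application
    account nor 'nobody'; inside a container these should not exist.
    interactive_shell: every account other than root whose shell permits a
    login; for application users the slides plan to remove it.
    """
    personal, interactive = [], []
    for e in parse_passwd(text):
        if e["uid"] > SYSTEM_UID_MAX and e["name"] not in expected_apps and e["name"] != "nobody":
            personal.append(e["name"])
        if e["name"] != "root" and e["shell"] not in NOLOGIN_SHELLS:
            interactive.append(e["name"])
    return {"personal": personal, "interactive_shell": interactive}


if __name__ == "__main__":
    result = review_accounts(SAMPLE_PASSWD)
    print("personal accounts found:", result["personal"])
    print("accounts with an interactive shell:", result["interactive_shell"])
```

Run against an image, the same check can be fed with the output of `docker run --rm IMAGE cat /etc/passwd`; the point is that personal accounts live on the jump server only, so any hit in the "personal" list is a deviation to explain, not a false positive to tune away.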
20. Requirement 10.2.2
Implement automated audit trails for all system components to reconstruct
all actions taken by any individual with root or administrative privileges.
● Outside Docker
– Business as usual
– Re-use existing
● Inside Docker
– Similar to outside
– Review of Docker file and software source
● Overall
– Even better due to separation of software, processes, ..
– Big Plus: 'Hands-off'
21. Requirement 10.2.2 - Amadeus
Implement automated audit trails for all system components to reconstruct
all actions taken by any individual with root or administrative privileges.
● See … (you should be able to complete it yourself)
● Jumpserver only for these activities
– Questions similar to scanning
– Access secured via SSH keys
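For requirement 10.2.2 the jump server is the one place where root activity has to be reconstructable per person. The following is an added example, not code from the talk: it parses the syslog lines that sshd and sudo write, joins them into a per-user trail (login, source address, key, commands run as root) and flags accepted logins that did not use a public key, which is the check behind "Access secured via SSH keys". SAMPLE_LOG is constructed; the fingerprints, host name and addresses are placeholders.

```python
"""Reconstruct privileged activity on a jump server for PCI-DSS requirement 10.2.2.

Added example, not Amadeus code. SAMPLE_LOG is constructed; fingerprints,
host name and addresses are placeholders.
"""
import re
from collections import defaultdict

SAMPLE_LOG = """\
Jan 12 09:59:55 jump1 sshd[1201]: Accepted publickey for alice from 10.20.30.40 port 51234 ssh2: ED25519 SHA256:CONSTRUCTED-FINGERPRINT-1
Jan 12 10:00:07 jump1 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/docker ps
Jan 12 10:00:31 jump1 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/docker logs pay-api-1
Jan 12 10:02:10 jump1 sshd[1240]: Accepted publickey for bob from 10.20.30.41 port 51300 ssh2: RSA SHA256:CONSTRUCTED-FINGERPRINT-2
Jan 12 10:03:00 jump1 sudo:      bob : TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/usr/bin/systemctl restart docker
Jan 12 10:05:44 jump1 sshd[1260]: Failed password for invalid user admin from 192.0.2.9 port 40000 ssh2
Jan 12 10:07:12 jump1 sshd[1280]: Accepted password for carol from 10.20.30.42 port 51400 ssh2
"""

# syslog timestamp: month, day, time
TS = r"(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d)"
# sshd: "Accepted <method> for <user> from <ip> port <n> ssh2[: <keytype> <fingerprint>]"
SSH_RE = re.compile(
    TS + r" (?P<host>\S+) sshd\[\d+\]: Accepted (?P<method>\w+) for (?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+ ssh2(?:: (?P<key>.*))?$"
)
# sudo: "<user> : TTY=... ; PWD=... ; USER=<target> ; COMMAND=<cmd>"
SUDO_RE = re.compile(
    TS + r" (?P<host>\S+) sudo:\s+(?P<user>\S+) : TTY=(?P<tty>\S+) ; PWD=(?P<pwd>\S+) ; "
    r"USER=(?P<target>\S+) ; COMMAND=(?P<cmd>.*)$"
)


def reconstruct(log_text):
    """Return ({user: [(timestamp, event), ...]}, unmatched_lines).

    Events stay in log order per user. Lines that are neither an accepted
    login nor a sudo command are handed back unmatched, so failed or
    unknown-user attempts are not silently dropped from the review.
    """
    trails = defaultdict(list)
    unmatched = []
    for line in log_text.splitlines():
        m = SSH_RE.match(line)
        if m:
            trails[m["user"]].append(
                (m["ts"], f"login via {m['method']} from {m['ip']} key={m['key']}"))
            continue
        m = SUDO_RE.match(line)
        if m:
            trails[m["user"]].append((m["ts"], f"as {m['target']}: {m['cmd']}"))
            continue
        unmatched.append(line)
    return dict(trails), unmatched


def non_key_logins(log_text):
    """Accepted logins that did not use a public key. On a key-only jump
    server this list should be empty; anything in it is a policy deviation."""
    return [(m["ts"], m["user"], m["method"])
            for m in map(SSH_RE.match, log_text.splitlines())
            if m and m["method"] != "publickey"]


if __name__ == "__main__":
    trails, unmatched = reconstruct(SAMPLE_LOG)
    for user, events in trails.items():
        print(user)
        for ts, event in events:
            print(f"  {ts}  {event}")
    print("unmatched:", unmatched)
    print("non-key logins:", non_key_logins(SAMPLE_LOG))
```

Because personal users exist only on the jump server, the sudo user field is a real person and the key fingerprint ties the session to an issued key; together they give the per-individual trail the requirement asks for, which an application user inside a container could not provide.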
25. Additional Amadeus inside
● Patching via re-creation
● Self-build Docker registry
● Definitive Media Library
– Source of truth
– Connection to Software Factory
● Different security/network zones
– External separation via Loadbalancer
– Internal via OpenShift placement rules
● Encryption for data at
– Flight (SSH, TLS)
– Rest (HSM)
28. Security Architect
● Dedicated role/responsibility
● Technical and soft skills
● Sufficient standing
– Internally
– Externally
Early involvement
● Business goal
● Win-win situation
● Give and take
Common language
● Internal education
● External consultancy
● Vendors
● Customers
● Re-use existing dictionaries
29. SecOps
● Member of DevOps team
● Remember: Security Champions for OPS
● Communication link to security organization
KISS
● Helicopter view for solution finding
● Always different solutions available
Team up
● Internally
– DevOps and security organisation
– DevOps and line organisation
● Externally
– Vendors
– Community
– Partners