DevSecOps Achieves PCI Compliance

bluesentrycloud / May 20, 2021

CASE STUDY: Institutional Crypto Asset Data & Software – DevSecOps for PCI compliance

The Challenge

This company offers tax and accounting services to firms and individuals in the blockchain currency market. Through their Software as a Service (SaaS) platform, they host tools that help their customers stay on top of an ever-changing and volatile regulatory tax environment. Because this company hosts and is responsible for some of their customers' most sensitive data, they need to ensure that their environment, from the infrastructure all the way up to the caching layers, operates in the most secure manner possible. They also need to move quickly and react to market changes, and to push new features to their customer base as seamlessly as possible while maintaining strict compliance standards for Personally Identifiable Information. As such, this institutional crypto asset data & software company is subject to the same standards that a banking entity is responsible for meeting.

The Solution

Blue Sentry approaches every cloud build-out with an Infrastructure as Code (IaC) approach, maintaining its own repository of proven and secure infrastructure components written in Terraform that can be adjusted for individual clients. Using this repository of Terraform templates, Blue Sentry was able to quickly build a multi-stage set of environments for Development, QA, and Production, utilizing a master payer account with sub-organizations for the accounts that contain the actual code. Engineers were able to quickly spin up landing zones for this company to start launching code into the cloud while ensuring that all security standards were met and that all changes to the environment were tracked through the Git history of the repository where these templates are stored.

This model allows the customer's development team to concentrate on their code and on building new features, while Blue Sentry engineers handle the heavy lifting of breaking apart application components to enable flexibility and scalability in the cloud. To provide this company with the most secure and performant application stack possible, the decision was made to host the application on Kubernetes, utilizing the Elastic Kubernetes Service on AWS. Using Blue Sentry's pre-configured Terraform modules allowed them to push ahead with making their product the best it can be for their customer base, while Blue Sentry engineers were tasked with ensuring security, reliability, and scalability, all while keeping an eye on cost optimization. Each Terraform module has the proper rules and restrictions built in, limiting traffic to only the needed resources on the required ports, with all traffic flows logged and tracked, so Blue Sentry is able to provide a framework our customers can start building on immediately. Minor tweaks and optimizations are added as needed from there.

Using this approach allows for maximum speed to a working environment while ensuring that all application components and tiers will pass the required PCI audit with minimal issues to be addressed.

Additionally, Blue Sentry engineers worked with their development team to build out automated CI/CD pipelines that quickly launch new features to the new environments, with built-in quality gates and QA testing to ensure that changes are rolled out through the lower environments for testing before they make their way to the Production environment. This model allows developers to focus on new features for their customer base without the stress of worrying about whether they are introducing possible security vulnerabilities into the application. To ensure that vulnerabilities are addressed and corrected should they occur, the Blue Sentry Site Reliability Engineering team configured the AWS native security services CloudTrail, AWS Config, GuardDuty, and Security Hub to give their staff a clear picture of their PCI compliance status and the overall security health of their environment. These services are combined with Blue Sentry's 24/7 NOC/SOC, which responds to any incident within a defined SLA, takes steps to address it, and alerts their staff to what has been done or what still needs to be done to rectify a given alert.
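As an added illustration of the two controls described above (least-privilege traffic rules with every flow logged, and the AWS native services used for PCI compliance visibility), here is a minimal Terraform fragment. It is an example written for this page, not code from Blue Sentry's module repository, and it assumes an existing VPC (`var.vpc_id`), the CIDR of the application tier (`var.app_cidr`), and an existing S3 bucket for flow logs (`var.flow_log_bucket_arn`).

```hcl
# Assumed inputs (hypothetical names, not from the case study).
variable "vpc_id"              { type = string }
variable "app_cidr"            { type = string }
variable "flow_log_bucket_arn" { type = string }

# Least-privilege security group for the database tier: only the application
# tier may reach the database port, and nothing is open to 0.0.0.0/0.
resource "aws_security_group" "db" {
  name        = "db-tier"
  description = "Database port reachable from the app tier only"
  vpc_id      = var.vpc_id

  ingress {
    description = "Postgres from app tier"
    from_port   = 5432
    to_port     = 5432
    protocol    = "tcp"
    cidr_blocks = [var.app_cidr]
  }

  egress {
    description = "Responses back to the app tier only"
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = [var.app_cidr]
  }
}

# Log every flow (accepted and rejected) so traffic is tracked as audit evidence.
resource "aws_flow_log" "vpc" {
  vpc_id               = var.vpc_id
  traffic_type         = "ALL"
  log_destination_type = "s3"
  log_destination      = var.flow_log_bucket_arn
}

# Threat detection and the PCI DSS compliance view in Security Hub.
resource "aws_guardduty_detector" "main" {
  enable = true
}

resource "aws_securityhub_account" "main" {}

data "aws_region" "current" {}

resource "aws_securityhub_standards_subscription" "pci" {
  depends_on    = [aws_securityhub_account.main]
  standards_arn = "arn:aws:securityhub:${data.aws_region.current.name}::standards/pci-dss/v/3.2.1"
}
```

Once applied, Security Hub reports a pass/fail status for each PCI DSS control in the account, which is the "clear picture of their PCI compliance status" the case study refers to.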

The Benefit

This institutional crypto asset data & software company now enjoys a fully scalable and fault-tolerant backend application stack to serve its customer base. All changes are tracked via Git history at both the application and infrastructure levels. Additionally, Blue Sentry engineers worked with one of our attestation partners to shepherd their new architecture through the initial PCI compliance audit in record time.

The proven Terraform templates for the architecture and its security mechanisms allow the auditing team to assess compliance quickly and efficiently, and to have confidence that PCI compliance standards are met or exceeded, without slowing down the development of new features for our client's customers.

With this new environment in place, their developers are free to concentrate on what matters to their customer base, with the assurance that security is never compromised along the way.