PCI Compliant Environment

bluesentrycloud / May 21, 2021

Case Study: SaaS Company PCI Compliant Environment

The Challenge

A B2B Software-as-a-Service company provides tools that make completing consumer finance applications quick and easy. Using the company's web-based software, employees of the businesses it serves can automate customer finance applications and submit them to several financial institutions at once, streamlining what had been a very labor-intensive process.

The company initially built its product on Digital Ocean, but it was clear that the software stack had to become a robust, scalable and secure PCI-compliant environment before going live for customers. Growth during the development stage quickly exceeded the company's expectations, and to prepare for commercial availability it needed expertise in PCI compliance requirements to give customers confidence in the new solution. Blue Sentry also takes full advantage of cloud-native services on the AWS platform to set up comprehensive monitoring and alerting around governance and security incidents.

Building the new environment on AWS, in order to take advantage of the tools and services available to any AWS customer, was a logical next step, but the team at this SaaS company needed help doing so in a best-practice fashion and wanted to avoid pitfalls later on.

The Solution

This SaaS company began talking with Blue Sentry about the challenges and opportunities it was facing. After an initial consultation, Blue Sentry's engineering team quickly assessed its needs and designed a secure, best-practice architecture that offered not only the required performance and scalability but also the security controls needed to pass a PCI audit. With its specialty in helping financial services firms, Blue Sentry draws on past experience to build, maintain and document high-compliance environments for any regulatory regime with which a customer may be required to comply, including PCI, SOC 2, FedRAMP and others.

At this SaaS company, we used CloudTrail, AWS Config, GuardDuty and Security Hub to give its staff clear insight into its security posture. Additionally, the Blue Sentry SRE team configured Trend Micro's Cloud Conformity tool to continuously monitor host configurations and network infrastructure against best practices and PCI requirements. The SRE team not only alerts staff in real time if a configuration change would breach compliance, but also holds a monthly review with our clients in which we present an overall picture of risk and compliance, compare it with previous reports, and document the security improvements made to systems and architecture.

Blue Sentry's transformation team engineers build every customer environment using Infrastructure as Code methods. This means the entire stack — from AWS infrastructure to the applications running on the EC2 instances — is controlled and managed by Terraform code stored in a source-controlled repository. This approach allows faster and more efficient PCI audits, since Git history can be used to summarize and document every change made to the environment. It also gives auditors a clear picture of the total stack and of any changes made since the original audit.
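To make the Infrastructure as Code point concrete, the following is an added illustration (not Blue Sentry's or the customer's actual Terraform) of how the security services named above can be declared in code so that their configuration is versioned and auditable from Git history. It enables a multi-region CloudTrail trail with log file validation, a GuardDuty detector, and Security Hub with the PCI DSS standard subscribed. The bucket name and region are placeholders; AWS Config (a prerequisite for Security Hub standards checks) is not included here.

```hcl
# Added example, not the case study's own code. Region, bucket name and
# provider version are assumptions; adjust to the target account.

terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 4.0"
    }
  }
}

provider "aws" {
  region = "us-east-1" # placeholder region
}

data "aws_caller_identity" "current" {}

# S3 bucket that receives CloudTrail logs. Versioning preserves earlier
# object versions, so overwritten or deleted log files remain recoverable.
resource "aws_s3_bucket" "trail" {
  bucket = "example-pci-cloudtrail-logs" # placeholder, must be globally unique
}

resource "aws_s3_bucket_versioning" "trail" {
  bucket = aws_s3_bucket.trail.id
  versioning_configuration {
    status = "Enabled"
  }
}

# Bucket policy granting the CloudTrail service the minimum it needs:
# read the bucket ACL and write objects under this account's AWSLogs prefix.
data "aws_iam_policy_document" "trail" {
  statement {
    sid       = "AWSCloudTrailAclCheck"
    effect    = "Allow"
    actions   = ["s3:GetBucketAcl"]
    resources = [aws_s3_bucket.trail.arn]
    principals {
      type        = "Service"
      identifiers = ["cloudtrail.amazonaws.com"]
    }
  }

  statement {
    sid       = "AWSCloudTrailWrite"
    effect    = "Allow"
    actions   = ["s3:PutObject"]
    resources = ["${aws_s3_bucket.trail.arn}/AWSLogs/${data.aws_caller_identity.current.account_id}/*"]
    principals {
      type        = "Service"
      identifiers = ["cloudtrail.amazonaws.com"]
    }
    condition {
      test     = "StringEquals"
      variable = "s3:x-amz-acl"
      values   = ["bucket-owner-full-control"]
    }
  }
}

resource "aws_s3_bucket_policy" "trail" {
  bucket = aws_s3_bucket.trail.id
  policy = data.aws_iam_policy_document.trail.json
}

# Account-wide API audit trail. Log file validation produces signed digest
# files that let an auditor verify the delivered logs were not altered.
resource "aws_cloudtrail" "main" {
  name                          = "pci-audit-trail"
  s3_bucket_name                = aws_s3_bucket.trail.id
  is_multi_region_trail         = true
  include_global_service_events = true
  enable_log_file_validation    = true

  depends_on = [aws_s3_bucket_policy.trail]
}

# Threat detection over CloudTrail, VPC flow and DNS logs.
resource "aws_guardduty_detector" "main" {
  enable = true
}

# Security Hub aggregates findings; subscribing the PCI DSS standard turns
# on its automated control checks for this account and region.
resource "aws_securityhub_account" "main" {}

resource "aws_securityhub_standards_subscription" "pci" {
  standards_arn = "arn:aws:securityhub:us-east-1::standards/pci-dss/v/3.2.1"
  depends_on    = [aws_securityhub_account.main]
}
```

Because each of these settings lives in a Terraform file under version control, a change such as disabling log file validation shows up as a reviewable diff with an author and timestamp, which is the audit evidence the paragraph above describes.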

This SaaS company drew on the experience and know-how of the Blue Sentry team to meet its launch goals. Using its Agile methodology and strict adherence to sprint schedules, Blue Sentry stood up the new environment, migrated the application into it, and helped the company pass its PCI audit in a very compressed time frame.

“The work Blue Sentry did with the Infrastructure as Code approach gave us what we needed to get through our audits more quickly and easily, without resorting to taking endless screenshots and documenting security controls by hand. We found it gave our auditors more confidence in us and the way we were doing things,” remembers Alex Flores, the lead developer at this SaaS company.

The Benefit

Going forward, FromPiper is able to move quickly to deliver value to its customers as it grows and iterates. Its team has higher confidence in the platform and in its long-term ability to manage resilience, cost, and compliance.

Blue Sentry continues to provide Site Reliability Engineering services to help manage the new AWS-based environment, including regular security scans, backups, and change management processes. Using Blue Sentry as a trusted partner allowed the company to achieve all of its objectives under budget and earlier than expected.

Case Study Author: Todd Bernson – Senior Enterprise Architect