Leveraging AWS to Simplify IT Security Compliance

CASE STUDY


Vesta Corporation
Vesta Corporation, a leading fraud detection provider, wanted to refactor its industry-leading FinTech platform and deploy the solution in AWS. To do so, Vesta needed to ensure it remained compliant with IT security regulations.

The architectural design for the new environment included various DevOps and serverless AWS services; these services needed to remain compliant with prescriptive regulatory standards such as the PCI DSS.

The Solution

Online is Vesta's preferred PCI assessment provider and has become a trusted advisor for security compliance. Aware of Online's partnership with AWS, Vesta engaged Online to complete a security compliance assessment of its new cloud design to ensure best practices were being adopted, with the goal of reducing overall operational overhead.


Using a multi-step approach, Online evaluated the proposed AWS architecture for compliance, considering people, processes and technology. This included:


  • Reviewing the design for compliance with the latest PCI standard. This started by ensuring that the AWS services in use were included in the latest AWS Attestation of Compliance (AOC).

Note: It's critical to ensure that all services are in the AOC. AWS undergoes a PCI assessment every 6 months, so most services are included in its assessment scope as a Service Provider, but any new services need to be identified and checked against the current AOC.


  • Reviewing the AWS Shared Responsibility Model to make sure that Vesta was complying with the requirements set out by AWS for all of the selected AWS services. Failure to comply with the AWS Shared Responsibility Model would mean that Vesta's platform would not meet AWS security standards.

  • Validating that Vesta's AWS architecture would help reduce operational overhead and total cost of ownership, specifically as it relates to regulatory compliance. This was achieved primarily by leveraging serverless technologies in AWS.

Results

Vesta was able to migrate its FinTech platform to AWS and immediately started realizing benefits.

By using a serverless model, Vesta no longer needs to manage the numerous host-based controls (host hardening, patch and vulnerability management, etc.) that were part of the underlying infrastructure hosting its various application components (web services, databases, etc.). This has freed up its DevOps teams to focus on service delivery and optimization rather than acting as IT administrators.

As a result of effectively outsourcing its hosting environment to AWS as a PCI DSS compliant service provider, Vesta has saved time and money. Even more, it has effectively minimized its attack surface, resulting in reduced organizational risk, which is always the end goal of any compliance program.

Would you like more information?

Online is proud to be an Advanced Consulting Partner with AWS.


We'd love to talk to you about how to secure your AWS environment and achieve compliance.