The Azure blueprint solution is intended to simplify azure adoption, showcase commonly used reference architecture, and teach how to deploy a secure and compliant PaaS solution for customer considering the complexities of storing sensitive payment card related data. The solution joint developed with Avyan consulting (Microsoft MVP partner) was designed to illustrate an end to end solution that can satisfy the needs in organizations that maybe looking for a cloud solution to reduce the burden, or cost of deployment. This solution enables the ability to:
- Collect, store, and retrieve payment card data while complying with stringent Payment Card Industry, Data Security Standards (PCI DSS 3.2) requirements.
This solution illustrates the management of credit card data including card number, expiration, CVC (Card Verification Check) numbers securely in a four-tier secure and compliant solution could be deployed as an end-to-end Azure solution.
- Reference architecture. The reference architecture provides the design that was used for the Contoso webstore solution.
- Azure Resource Manager templates. In this deployment, JavaScript Object Notation (.JSON) files provide Microsoft Azure the ability to automatically deploy the components of the reference architecture after the configuration parameters are provided during setup.
- PowerShell scripts. The scripts created by Avyan Consulting Corp solution help set up the end-to-end solution. The scripts consist of:
- Module installation, and Global administrator setup script script will install and verify that required PowerShell modules, and Global adminisitrator are configured correctly.
- A installation PowerSHell script that deploys the end to end solution. that includes the components built (https://github.com/Microsoft/azure-sql-security-sample) built by the Microsoft SQL team.
The deployment of this sample requires few steps that all can be run using Microsoft PowerShell v5. To be able to connect to the website, it is required that you provide a custom domain name, such as contoso.com. This is enabled by using the '-customHostName' switch on step2. Details to purchase, and enable a custom domain. A custom domain name is not required to successfully deploy the solution for it to run, however you will not be able to connect to the website for demonstration purposes.
It is also highly advised that a clean installation of PowerShell be used to deploy the solution, or an understanding how to verify that your are running the latest modules required for the scripts to run correctly. For our example we use a Windows 10 VM that we log into, and run the following commands (note we are enabling the custom domain command)
- Install the required modules, and set up the administrator roles correctly.
A - Module installation.
.\0-Setup-AdministrativeAccountAndPermission.ps1
-installModulesB - Global Administrator account setup.
.\0-Setup-AdministrativeAccountAndPermission.ps1
-azureADDomainName contosowebstore.onmicrosoft.com
-tenantId XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX
-subscriptionId XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX
-configureGlobalAdminreview the 0-Setup-AdministrativeAccountAndPermission for detailed usage instructions
- Install the solution-update-management
.\1-DeployAndConfigureAzureResources.ps1
-resourceGroupName contosowebstore
-globalAdminUserName adminXX@contosowebstore.onmicrosoft.com
-globalAdminPassword **************
-azureADDomainName contosowebstore.onmicrosoft.com
-subscriptionID XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX
-suffix PCIcontosowebstore
-customHostName contosowebstore.com
-sqlTDAlertEmailAddress edna@contosowebstore.com
-enableADDomainPasswordPolicy review the 1-DeployAndConfigureAzureResources for detailed usage instructions
- Deploy OMS logging and resources
.\2-EnableOMSLoggingOnResources.ps1
-resourceGroupName contosowebstore
-globalAdminUserName adminXX@contosowebstore.onmicrosoft.com
-globalAdminPassword **************
-subscriptionID XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXXThe Payment processing solution for PCI DSS 3.2 enablement will address the following use case -
This scenario illustrates how a fictitious webstore moved their payment card processing to a cloud based payment processing using Azure services, the solution addresses the collection of basic user information, and their payment information. The solution does not process, or resolve the purchase of the card holder data (CHD)
A small webstore called, 'Contoso webstore' is ready to move their payment system to the cloud. They have selected Microsoft Azure to host the process for purchasing and to allow a clerk to collect credit card payments from their customer.
The administrator is looking for a solution that can be quickly deployable to achieve his goals in illustrating a cloud born solution. He will use this proof-of-concept (POC) to discuss with his stakeholders how Azure can be used to accomplish:
- Collect, store, and retrieve payment card data while complying with stringent Payment Card Industry, Data Security Standards (PCI DSS) requirements
You will be responsible for conducting appropriate security and compliance reviews of any solution built with the architecture used by this POC, as requirements may vary based on the specifics of your implementation and geography. PCI DSS requires that you work directly with an accredited Qualified Security Assessor to certify your production ready solution.
The POC solution is designed with the following fictitious elements
Domain site contosowebstore.com
User roles used to illustrate the use case, and provide insight into the user interface.
| Item | Example |
|---|---|
| Username: | [email protected] |
| Name: | Global Admin Azure PCI Samples |
| User type: | Subscription Administrator and Azure Active Directory Global Administrator |
- admin cannot read credit card information unmasked. In addition, all actions are logged.
- admin cannot manage or log into SQL database.
- admin can manage active directory, and subscription
| Item | Example |
|---|---|
| Username: | [email protected] |
| Name: | SQLADAdministrator PCI Samples |
| First name: | SQL AD Administrator |
| Last name: | PCI Samples |
| User type: | Administrator |
- sqladmin cannot view unfiltered credit card information. In addition, all actions are logged.
- sqladmin can manage SQL database.
| Item | Example |
|---|---|
| Username: | [email protected] |
| Name: | Edna Benson |
| First name: | Edna |
| Last name: | Benson |
| User type: | Member |
Edna Benson is the receptonist, and business manager. She is responsible to ensure that customer information is accurate, and billing is completed. Edna is the user loged in for all interactions of the POC DEMO website. Edna's rightsare as followes:
- Edna can Create, read customer information *
- Edna will be able to modify customer information.
- Edna can overwrite (or replace) credit card number, expiration, and CVC verification information.
In the
Contoso webstoreDemo User Application, you will be logged in to is configured to use Edna and able to test the capabilities of the deployed environment.
The solution cost sample has a monthly fee structure and a use per hr. to consider when sizing the solution. This example deployment estimate cost using the Azure costing calculator. The solution consist of the following items:
| Service type | Custom name | Region | Description | Estimated Cost |
|---|---|---|---|---|
| Virtual Machines | Virtual Machines | South Central US | 1 Standard virtual machine(s), 1 Standard virtual machine(s), A2 v2 (2 cores, 4 GB RAM, 20 GB disk) size: 744 hours | $101.18 |
| App Service | App Service | South Central US | 1 instance(s), 744 hours, size: P1, premium tier, 0 SNI connection(s), 0 IP connection(s) | $223.20 |
| IP Addresses | IP Addresses | East US | arm type, 2 public IP Address(es) x 744 hours | $5.95 |
| SQL Database | SQL Database | East US | 1 standard database(s) x 1 months, size: s0 | $15.03 |
| Storage | Storage | East US | 5/GB storage: Block blob type, Basic tier, LRS redundancy | $0.10 |
| Storage | Storage | East US | 1 GB storage Table and Queue type. Basic tier, LRS redundancy, 1 x100,000 transactions | $0.07 |
| Storage | Storage | East US | standard-s4 Disk type with 1 Managed disks | $0.77 |
| Application Insights | Application Insights | East US | basic tier in us-east region with 2 GBs and 0 multi-step web test(s). | $2.30 |
| Log Analytics | Log Analytics | East US | 1 GB(s), standalone tier | $2.30 |
| Security Center | Security Center | East US | $15.00 | |
| Key Vault | Key Vault | East US | 1000 operations, 0 certificate renewals, 0 HSM keys in the us-east region | $0.03 |
| Azure Active Directory | Azure Active Directory | East US | free tier, per-user MFA billing model, 10 MFA user(s), 25001-100000 directory objects, 0 hours | $14.00 |
| Application Gateway | Application Gateway | East US | 1 instance(s) x 1 months, 1 GB data processed, outbound transfers:: 5 GB | $93.74 |
| Monthly Total $473.67 | ||||
| Annual Total $5,684.04 |
Disclaimer All prices shown are in US Dollar ($). This estimate was created in April 2017
This solution used the following Azure services (details to the deployment architecture are located in DEPLOYMENT ARCHITECTURE):
- Application Gateway
- Azure Active Directory
- App Service Environment
- OMS Log Analytics
- Azure Key Vault
- Network Security Groups
- Azure SQL DB
- Azure Load Balancer
- Application Insights
- Azure Security Center
- Azure Web App
- Azure Automation
- Azure Automation Runbooks
- Azure DNS
- Azure Virtual Network
- Azure Virtual Machine
- Azure Resource Group and Policies
- Azure Blob Storage
- Azure Active Directory access control (RBAC)
The following section provides insight into the development, and implementation elements. The descriptions in this document’s deployment strategies apply to the following diagram:
- [End-to-End-SSL] (https://docs.microsoft.com/en-us/azure/application-gateway/application-gateway-end-to-end-ssl-powershell)
- [SSL Offload]DEPRECATED
- Disable TLS v1.0 and v1.1
- Web application firewall(WAF mode)
- Prevention mode with OWASP 3.0 ruleset
- Diagnostics logging
- Custom health probes
- A private virtual network with address spacing 10.0.0.0/16
Each of the network tiers have a dedicated NSG
- A DMZ network security group for firewall and Application Gateway WAF
- An NSG for management jumpbox (bastion host)
- An NSG for the app service environment
Each of the NSGs have specific ports and protocols opened for the secure and correct working of the solution.
In addition, the following configurations are enabled for each NSG
- Enabled diagnostics logs and events are stored in storage account
- Connected OMS Log Analytics to the NSGs diagnostics
- Ensure each subnet is associated with its corresponding NSG
- HTTPS traffic enabled using custom domain SSL certificate
To meet encrypted data-at-rest requirements, all Azure Storage uses the following:
A PaaS SQL Database instance was used to showcase security measures.
- AD Authentication and Authorization
- Enabled Auditing logging
- Enabled Transparent Data Encryption
- Enabled SQL DB Firewall rules(allowing for ASE worker pools and client IP management)
- Enabled Threat Detection
- Enabled Always Encrypted columns
- Enabled Dynamic Data masking(using the post-deployment PowerShell script)
Logging using OMS, and Runbook to collect logs.
- Activity Logs: Configure Azure Activity Logs to provide insight into the operations that were performed on resources in your subscription.
- Diagnostic Logs: Diagnostic Logs are all logs emitted by every resource. These logs could include Windows event system logs, Azure Blob storage, tables, and queue logs.
- Firewall Logs: The Application Gateway provides full diagnostics and access logs. Firewall logs are available for Application Gateway resources that have WAF enabled.
- Log Archiving: All diagnostics logs are configured to write to a centralized and encrypted Azure storage account for archival and a defined retention period (2 days). Logs are then connected to Azure Log Analytics (OMS) for processing, storing, and dashboarding.
Azure Key Vault helps safeguard cryptographic keys and secrets used by cloud applications and services. Stores
- Keys - SQL DB Column Encryption keys (customer managed keys)
- Secrets - Bitlocker keys for Azure Disk Encryption
-
Azure Active Directory (Azure AD) is the multi-tenant cloud-based directory and identity management service from Microsoft.
-
All users for the solution were created in Azure Active Directory, including users accessing the SQL Database.
-
Authentication to the app is done through the Azure AD application and associated service principals.
-
Also, the SQL DB Column Encryption is conducted using the AD app. Refer to this sample from the Azure SQL DB team for more details.
-
Azure [Identity Protection] (https://docs.microsoft.com/en-us/azure/active-directory/active-directory-identityprotection) provides additional safeguards that can be implemented. such as detect potential vulnerabilities affecting your organization’s identities , configure automated responses to detected suspicious actions that are related to your organization’s identities, and investigate suspicious incidents and take appropriate action to resolve them.
-Azure Role-based Access Control(RBAC) enables precisely focused access management for Azure. Specific configurations exist for:
-
Subscription access
-
Azure Key Vault access
The Web Appsfeature in Azure App Service lets developers rapidly build, deploy, and manage powerful websites and web apps. Build standards-based web apps and APIs using .NET, Node.js, PHP, Python, and Java. Deliver both web and mobile apps for employees or customers using a single back end. Securely deliver APIs that enable additional apps and devices.
With App Service, develop powerful applications for any platform or device, faster than ever before. Meet rigorous performance, scalability, security, and compliance requirements using a single back end. Additional reading about deploying ASE.
As the App Service Environment is secured and locked down, there needs to be a mechanism to allow for any DevOps releases/changes that might be necessary, such as the ability to monitor WebApp using Kudu. Virtual machine is secured behind NAT Load Balancer which allows you to connect VM on port other than tcp 3389.
A virtual machine was stood up as a Jumpbox / Bastion host with the following configurations:
-
Bitlocker Encrypted Disk using Azure Key Vault (respects Azure Government, PCI DSS, HIPAA and other requirements)
-
An AutoShutDown Policy to reduce consumption of virtual machine resources when not in use.
An App Service Environment is a Premium service plan is used for compliance reasons. Use of this plan allowed for the following controls/configurations:
- Host inside a secured Virtual Network and Network security rules
- ASE configured with Self-signed ILB certificate for HTTPS communication
- Internal Load Balancing mode (mode 3)
- Disable TLS 1.0 – a deprecated TLS protocol from PCI DSS standpoint
- Change TLS Cipher
- Control inbound traffic N/W ports
- WAF – Restrict Data
- Allow SQL DB traffic
With Azure Security Center, you get a central view of the security state of all of your Azure resources. At a glance, you can verify that the appropriate security controls are in place and configured correctly and be able to quickly identify any resources that require attention.
- Advisor is a personalized cloud consultant that helps you follow best practices to optimize your Azure deployments. It analyzes your resource configuration and usage telemetry and then recommends solutions that can help you improve the cost effectiveness, performance, high availability, and security of your Azure resources.
Microsoft Antimalware for Azure Cloud Services and Virtual Machines is real-time protection capability that helps identify and remove viruses, spyware, and other malicious software, with configurable alerts when known malicious or unwanted software attempts to install itself or run on your Azure systems.
Gain actionable insights through application performance management and instant analytics.
Log Analytics is a service in Operations Management Suite (OMS) that helps you collect and analyze data generated by resources in your cloud and on-premises environments.
The following OMS Solutions are pre-installed with this reference solution:
- Activity Log Analytics
- Azure Networking Analytics
- Azure SQL Analytics
- Change Tracking
- Key Vault Analytics
- Service Map
- Security and Audit
- Antimalware
- Update Management
Default deployment is intended to provide for a clean chit of security center recommendations, indicating a healthy and secure configuration state of the solution. You can review additional information about Azure Security Center in the getting started guidance. Complete the instructions at this link https://docs.microsoft.com/en-us/azure/security-center/security-center-get-started to enable data collections from Azure Security Center.
Data Flow Diagram and sample threat model for Contoso webstore provided in the documents folder ./documents
June 2017
This document is for informational purposes only. MICROSOFT AND AVYAN MAKE NO WARRANTIES, EXPRESS, IMPLIED, OR STATUTORY, AS TO THE INFORMATION IN THIS DOCUMENT. This document is provided “as-is.” Information and views expressed in this document, including URL and other Internet website references, may change without notice. Customers reading this document bear the risk of using it. This document does not provide customers with any legal rights to any intellectual property in any Microsoft or Avyan product or solutions. Customers may copy and use this document for their internal, reference purposes. NOTE: Certain recommendations in this paper may result in increased data, network, or compute resource usage in Azure, and may increase a customer’s Azure license or subscription costs. The solution in this document is intended as a reference architecture pilot and should not be used as-is for production purposes. Achieving PCI compliance requires that customers consult with their Qualified Security Assessor.
This solution was developed cooperatively by Microsoft and Avyan consulting.
- Frank Simorjay (Microsoft)
- Gururaj Pandurangi (Avyan Consulting)