
S.N. | Application/Microservice Name | Interface | STRIDE Threat
1 | CenPos connector, CyberSource connector and NextGen PCI Proxy | 1. CenPos and Cybersource connector to CyberSource TMS via NextGen PCI Proxy 2. CenPos and Cybersource connector to Payment Processor (Payment gateway) via NextGen PCI Proxy | Spoofing, Tampering, Repudiation, Denial of Service, Elevation of Privilege
2 | Payment Compatibility layer, CBTS existing applications (MAUI, OREx2.0, Order Service, Classic Payment Interface, Transit Service) | 1. Interface between Payment Compatibility layer and CBTS Environment applications (MAUI, OREx2.0, Order Service, Classic Payment Interface, Transit Service) | Spoofing, Tampering, Repudiation, Denial of Service, Elevation of Privilege
3 | Payment Microservice, Cart, Payment Configuration Service | 1. Interface between Payment Microservice with Cart, 2. Interface between PCL Payment Microservice and 3. Payment Microservice to connectors 4. Payment Microservice to Payment Configuration service | Tampering, Repudiation, Denial of Service, Elevation of Privilege
4 | PubSub and Data API | 1. Payment Microservice to Utilities (Data API, Pub Sub) | Tampering, Elevation of Privilege, Information Disclosure
5 | Data Sync Listener and ODATA Service | 1. Pub Sub to Data Sync Listener 2. Data Sync Listener to ODATA Service 3. ODATA Service to Existing Data Base | Spoofing, Tampering, Elevation of Privilege, Information Disclosure
6 | Data Lake Listener | 1. Pub Sub to Data Lake Listener 2. Data Lake Listener to Payment Transaction data reporting | Information Disclosure, Tampering
Required Security Controls | Severity
Network Access control required like firewall, WAF, IDS/IPS as connecting to external system | High
Required Service to service authentication and authorization for API call between Cenpos/Cybersource connectors to CyberSource TMS | High
SAST Code Testing and closure of any Vulnerabilities (Ankit to report if any critical vulnerabilities) | High
Data in transit should be encrypted with HTTPS TLS1.2 (Chaitali and Santanu will help on SSL Certificate and Sameer will confirm on TLS1.2) | High
Hashing/Digital signature or message authentication codes in transit to ensure data Integrity and HMAC Hashing for payment data transaction as additional controls (Santanu to confirm on free or paid hashing) | High
Required logging and auditing control by ensuring all logs are captured at CenPos and CyberSource Connector | High
Required Service to service authentication and authorization for API call between Cenpos/Cybersource connectors to CyberSource TMS | High
HMAC Hashing for payment data transaction as additional controls | High
High Availability design of CenPos and CyberSource connector | High
Data in transit should be encrypted with TLS1.2 to avoid an external agent interrupting the data flow | High
Network Access and Authorization Control | High
Network Access Control and Role based access with least privilege principles | High
SAST Code Testing and closure of any Vulnerabilities | High
Input data validation at Cenpos and CyberSource connector side | High
Hardening of Cloud Infrastructure | High
Connection between CBTS environment and AWS should be private VPN or IPSec tunnel with WAF | High
Authentication and Authorization required between AWS and CBTS services call | Medium
Required all new AWS Microservices SAST Code Testing and closure of Vulnerabilities | High
Data in transit should be encrypted with TLS1.2 | Medium
Hashing/Digital signature or message authentication codes in transit to ensure data Integrity | Medium
Required logging and auditing control by ensuring all logs are captured of Payment Compatibility layer | Medium
Required Service to service authentication and authorization for API call between payment compatibility layer and CBTS Applications | Medium
High Availability design for payment compatibility layer | High
Network Access and Authorization Control | High
Network Access Control and Role based access with least privilege principles | High
SAST Code Testing and closure of Vulnerabilities | High
Input data validation | High
Hardening of Cloud Infrastructure | High
Data in transit should be encrypted with TLS1.2 | Low
Hashing/Digital signature or message authentication codes in transit to ensure data Integrity | Low
Required logging and auditing control by ensuring all logs are captured of Cart, Payment Microservice and Payment Configuration service | Medium
Required Service to service authentication and authorization for API call between microservices | Medium
High Availability design for Cart, Payment Microservice and Payment Configuration service | High
Network Access and Authorization Control | High
Network Access Control and Role based access with least privilege principles | Medium
SAST Code Testing and closure of Vulnerabilities | High
Input data validation | Medium
Data in transit should be encrypted with TLS1.2 | High
Hashing/Digital signature or message authentication codes in transit to ensure data Integrity | Medium
Network Access Control and Role based access with least privilege principles | Medium
Data in transit should be encrypted with TLS1.2 and data should be stored with Client BYOK encryption/AWS KMS encryption | High
Role based access for PubSUB and Data API based on least privilege Principles | High
Connection between CBTS environment (Odata Service) and AWS (Data Sync Listener) should be private VPN or IPSec tunnel | High
Authentication and authorization of API calls | High
Data in transit should be encrypted with TLS1.2 | High
Hashing/Digital signature or message authentication codes in transit to ensure data Integrity | High
Network Access Control and Role based access with least privilege principles | Medium
Data in transit should be encrypted with TLS1.2 and data should be stored with Client BYOK encryption/AWS KMS encryption | High
Role based access for Data Sync Listener and Odata Service | Medium
PII data and Card data should be masked while storing and reporting | High
Role based access for Data Lake based on least privilege Principles | Medium
Data in transit should be encrypted with TLS1.2 and data should be stored with Client BYOK encryption | High
Data in transit should be encrypted with TLS1.2 | High
Data stored at Data lake should be encrypted with Client BYOK encryption/AWS KMS encryption | High
Action owner ETA Status Evidence/Remarks
