Who provides security to security providers?

Our kreuzwerker experts designed and implemented the AWS infrastructure for secure, Internet payment processing for and together with Deutsche Payment.

Deutsche Payment offers a wide range of experience in payment processing and uses the most modern and secure technology for business payment solutions. The company is primarily involved in the development of industry and provider solutions, with additional services included in its diverse solution portfolio.

The Project

Our team of cloud experts had already been involved in the design and implementation of the Deutsche Payment infrastructure in AWS. Using Terraform (Infrastructure as Code) was set as our baseline. Our mission was to prepare the AWS cloud environment for further automation and for the PCI DSS re-certification of the customer's service landscape. To do so, it became necessary to create hardened Amazon Machine Images (AMIs) and to provide a mechanism for verified code check-ins.

The Problem

By using AWS auto-scaling and self-healing infrastructure to host applications, the foundations are in place for golden AMI usage. The target machines must follow Center for Internet Security (CIS) guidelines and must already contain the verified software, so that instances start up quickly.

The Solution

A multi-stage build process was implemented using AWS CodeCommit, CodeBuild and CodePipeline. The first stages check that commits are signed by a permitted author; only then does the build continue. Using HashiCorp's Packer and modern Amazon Linux 2, CIS rules are applied to the AMI before the actual software is baked in and the volume is encrypted. As an additional management tool, AWS Inspector is added to permanently monitor running instances for compliance.
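One way to implement the signature gate of the first pipeline stage, as an added example that is not kreuzwerker's or Deutsche Payment's code: the script reads git's per-commit signature status and fails the build unless every commit in the pushed range carries a good signature from an allow-listed key. The fingerprints and the revision range are constructed placeholders, and the stage is assumed to have the permitted public keys imported into its gpg keyring.

```python
"""Commit-verification gate: every commit in the range under review must
carry a valid signature from a key on the allow-list, otherwise exit 1."""
import subprocess

# Constructed allow-list of permitted signing-key fingerprints (placeholders).
PERMITTED_FINGERPRINTS = {
    "0123456789ABCDEF0123456789ABCDEF01234567",
    "FEDCBA9876543210FEDCBA9876543210FEDCBA98",
}

# git's %G? codes: G = good, U = good but key has no trust in gpg's web of
# trust (acceptable, since we pin fingerprints explicitly). Everything else
# (B bad, X/Y expired, R revoked, E unverifiable, N unsigned) is rejected.
ACCEPTABLE_STATUS = {"G", "U"}

# hash <TAB> signature status <TAB> fingerprint of the signing key
GIT_FORMAT = "%H%x09%G?%x09%GF"


def git_log_lines(rev_range):
    """Collect one line per commit in rev_range (e.g. 'origin/main..HEAD')."""
    out = subprocess.run(
        ["git", "log", f"--format={GIT_FORMAT}", rev_range],
        check=True, capture_output=True, text=True,
    ).stdout
    return [ln for ln in out.splitlines() if ln]


def evaluate(lines, permitted=PERMITTED_FINGERPRINTS):
    """Return (ok, rejected); rejected is a list of (commit, reason)."""
    rejected = []
    for ln in lines:
        parts = ln.split("\t")
        if len(parts) != 3:
            rejected.append((ln, "unparseable git log line"))
            continue
        sha, status, fpr = parts
        if status not in ACCEPTABLE_STATUS:
            rejected.append((sha, f"signature status {status!r}"))
        elif fpr.upper() not in permitted:
            rejected.append((sha, f"key {fpr or '<none>'} not on allow-list"))
    return (not rejected, rejected)


def main(rev_range="origin/main..HEAD"):
    ok, rejected = evaluate(git_log_lines(rev_range))
    for sha, reason in rejected:
        print(f"REJECT {sha}: {reason}")
    return 0 if ok else 1


if __name__ == "__main__":
    raise SystemExit(main())
```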

Our Contribution

kreuzwerker designed the process together with Deutsche Payment and described the infrastructure in Terraform. We also provided tools to update running applications in place with new AMIs, as well as housekeeping functionality.

The Benefit

By setting up an automated build process, the resulting environment always benefits from updated, AWS-managed security patches and threat knowledge, while the applications are placed under full compliance monitoring using AWS Inspector.

The Upshot

Hardening the infrastructure from the very beginning and permanently monitoring it for compliance using the full AWS feature set enables Deutsche Payment to further develop its offerings, while running them fully scalable and secure on fully managed AWS IaaS.