Creating PCI-Compliant SaaS Applications for the Cloud

Executive Summary

NetBrain NetBrain is the market leader for network automation. Its adaptive network automation platform provides engineers with dynamic visibility across their hybrid networks and automation for key tasks across their IT workflows.

Today, more than 2,000 of the world’s largest enterprises and managed service providers use NetBrain to automate network documentation, accelerate troubleshooting, and strengthen network security — while integrating with a rich ecosystem of partners. NetBrain is headquartered near Boston, Massachusetts with offices worldwide.

The Challenge

NetBrain was building a multi-region Payment Card Industry (PCI) DSS and HIPAA-compliant application, consisting of multiple services across Windows and Linux. The company wanted to offer a Software-as-a-Services (SaaS) version of this application for their software stack and host it in the cloud.

Their plan was to create two separate architecture designs for the two compliance groups: one for PCI DSS/HIPAA, the other for GDPR/Cyber Essentials Plus. Then, they needed to review and develop the automation necessary to deploy a production environment for the first compliance group.

For help in building its SaaS offering, NetBrain turned to ClearScale, an AWS Premier Consulting Partner.

The ClearScale Solution

The ClearScale team conducted a thorough review of NetBrain’s current architecture, gathering requirements for all of NetBrain's use cases and application capabilities. Then, they chose to build NetBrain’s SaaS offering by using Kubernetes, an open-source system that automates the deployment, scaling, and management of containerized applications. The Rancher management tool was used to deliver Kubernetes-as-a-Service. With Kubernetes and Rancher, NetBrain gained the ability to run multiple services and tenants on the same machine.

The highly available Kubernetes cluster was deployed across the different Availability Zones. Terraform, an open-source tool for creating, changing, and improving infrastructure, provided infrastructure as code. After reviewing the current automation, ClearScale used Jenkins, the leading open-source automation tool, to develop automation for the infrastructure and containers, as well as for deploying each individual application.

All hosts, pods, and connectivity within the Kubernetes cluster were managed with the Rancher orchestration tool, which also connected the Windows and Linux hosts on Amazon Virtual Machines. All Kubernetes images were managed by using HELM charts, collections of files that describe a related set of Kubernetes resources, enabling ClearScale to dynamically configure each pod.

To support logging, an ELK stack was deployed with the help of a managed Amazon Elasticsearch/Kibana stack. Elasticsearch is a popular analytics and search engine that’s tightly integrated with Kibana, making it an easy choice for visualizing data stored in Elasticsearch. Prometheus, an open-source monitoring solution for Kubernetes, was used for collecting and exporting container logs to Logstash, which would then be stored in Elasticsearch. ClearScale collected tags from each individual tenant and service running within each tenant to gain full coverage of the application.

Throughout the designing and building of this system, ClearScale gave security top priority. All connections are made over TLS/SSL authentication and data encryption protocols configured on all individual services. Additionally, all access is controlled and restricted using Kubernetes namespaces plus Role-Based Access Control (RBAC), providing separation between tenants. Additional security is achieved through a host-based intrusion detection OSSEC, with agents installed on all individual Docker images.

Finally, ClearScale loaded the test production environment to identify areas for cost optimization, then made the necessary updates to reduce costs.

Architecture Overview Diagram

The Benefits

Thanks to ClearScale, NetBrain now has the foundation which will lead to a SaaS offering that will provide the advantages of containers, while keeping all tenants separate using Kubernetes.