PCI Compliance for Containerized Environments


By Contributing Writer Gilad David Maayan | October 17, 2023



What is PCI DSS Compliance?

Payment Card Industry Data Security Standard (PCI DSS) compliance means following a set of policies and procedures designed to protect credit and debit card transactions and prevent misuse of cardholders' personal information. Any organization that processes or stores credit card information must comply with PCI DSS.

The Payment Card Industry Security Standards Council (PCI SSC) develops and administers PCI standards and related educational resources. PCI SSC is an open global forum run by the five founding credit card companies: American Express, Discover Financial Services, JCB International, MasterCard Worldwide and Visa Inc.

Why is PCI Compliance Different in Containerized Environments?

As applications move to the cloud, three key characteristics of containerized environments make PCI container compliance difficult. Containers are constantly started and stopped, and IP addresses constantly change, making any kind of PCI audit very difficult.

Meeting PCI DSS requirements can be complicated in a fast-paced container environment. If a compliance violation occurs, you'll want to know which processes were created, which connections were created, which files were modified, and so on. You also need to be able to relate this system activity to user activity in order to understand who accessed what. Access to this detailed data can provide an effective audit trail for third-party auditors.

Today's software is assembled mainly from open source components, not built from scratch. Developers pull open source base images and leverage third-party libraries to build and extend containerized applications. However, open source requires companies to update their open source dependencies as diligently as they update their own code.

If there are vulnerabilities inherited from base images or libraries (e.g. Java JARs, Python pip packages), the risk affects the entire organization. It is difficult to prevent bugs from reaching production when there are possibly thousands of containers supporting numerous microservices. Flagging vulnerabilities is not only a step in reducing risk, but also a step in passing PCI audits.

Another risk is container configuration errors such as exposed ports, embedded access keys, or insecure tokens. All of these can lead to PCI compliance violations.

PCI DSS Compliance in Containerized Environments

Restrict Cardholder Data Access on a Need-To-Know Basis

Within your organization, access to cardholder data should be limited to those who need it to do their job. PCI DSS compliance requires organizations to have access control systems in place to enforce these restrictions. To do this, enterprises should leverage enterprise directory services such as LDAP and Active Directory (AD), integrated with the role-based access control (RBAC) provided by container platforms like Kubernetes or OpenShift. Cardholder data should never be exposed to the security and DevOps teams monitoring the environment.

Firewall Configuration

You can add a firewall to applications deployed on Kubernetes by using container network interface (CNI) providers that support Kubernetes network policies. Combined with a formal process governing who can update rules and how, they provide adequate protection.

According to the PCI standard, payment card data must be behind a firewall, in the demilitarized zone (DMZ). Enterprises can connect their internal networks with public networks, but they should establish a DMZ with strict rules regarding traffic flow. Container network policies can help, as they can selectively expose services based on IP ranges.

Avoiding Default Passwords and Security Parameters

Kubernetes itself is completely unaware of which applications are being deployed. Therefore, it does not protect against configuration errors such as using default passwords or other default security parameters. However, the Open Policy Agent (OPA) lets you define a policy that rejects any configuration that uses a default password. If an administrator makes a mistake, OPA catches it before the resource is admitted to the Kubernetes platform.

PCI also requires that services with different security levels not coexist on the same server. To ensure this, you need to annotate your Kubernetes worker nodes with security levels. All pod specifications must reference the required security level. OPA policies are needed to make sure these annotations are present on all pods, to prevent human error.
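
The two admission checks described in this section, written as an OPA Rego policy. This is an added example, not code from the article: it assumes OPA runs as a validating admission webhook (so `input` is the AdmissionReview request) and that nodes carry the security level as a label that a pod's `nodeSelector` can match. The key `pci.example.com/security-level`, the level names and the password list are hypothetical.

```rego
package kubernetes.admission

import rego.v1

# Constructed sample of default credentials; replace with your own list.
default_passwords := {"admin", "password", "changeme", "root", "123456"}

# Assumed security levels and the hypothetical key that carries them,
# as an annotation on pods and as a label on worker nodes.
security_levels := {"cde", "non-cde"}
level_key := "pci.example.com/security-level"

# The pod under review; undefined for every other resource kind.
pod := input.request.object if input.request.kind.kind == "Pod"

containers contains c if {
    some c in pod.spec.containers
}

containers contains c if {
    some c in pod.spec.initContainers
}

pod_level := pod.metadata.annotations[level_key]

valid_level if pod_level in security_levels

# Reject literal env values that are well-known default passwords.
# Values injected with valueFrom (Secrets) have no env.value and pass.
deny contains msg if {
    some c in containers
    some env in c.env
    regex.match(`(?i)pass(word|wd)?|secret`, env.name)
    lower(env.value) in default_passwords
    msg := sprintf("container %s: %s uses a default password", [c.name, env.name])
}

# Every pod must declare a recognised security level.
deny contains msg if {
    pod
    not valid_level
    msg := sprintf("pod needs annotation %s, one of %v", [level_key, security_levels])
}

# The pod must be pinned to worker nodes of the same level.
deny contains msg if {
    valid_level
    not pod.spec.nodeSelector[level_key] == pod_level
    msg := sprintf("pod needs nodeSelector %s=%s", [level_key, pod_level])
}
```

The webhook rejects the request whenever `deny` is non-empty. Pods created indirectly by Deployments or Jobs still reach the API server as Pod objects, so they pass through the same rules.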

Protect All Systems Against Malware and Regularly Update Antivirus Solutions

According to PCI, antivirus solutions should be deployed on all systems, including PCs, servers, and mobile devices. These solutions must be properly maintained, kept active, and cannot be disabled or changed without administrative rights (and only in specific and limited cases). In containerized environments, organizations can run a container firewall designed to keep systems virtually patched and up-to-date, while detecting suspicious file system activity.

Modern cloud-native environments are moving towards a zero trust, declarative approach to security, where the behavior of each application is characterized in code. This can help ensure that every containerized application is deployed with some form of antivirus protection.

Track and Monitor All Access to Network Resources and Cardholder Data

PCI requires that access to all system components be linked to individual users. There must be an audit trail that makes it possible to reconstruct accurate details of each event. Additionally, these audit trails must be protected from modification, and all logs and security events must be reviewed to identify unusual or suspicious activity. Organizations should implement a container security system that maintains event logs of all user activity and actions, tracks all communication between containers, and provides compatibility with SIEM systems.

Regularly Test Security Systems and Processes

PCI compliance requires network vulnerability scans to be performed, at least quarterly, and after major network changes. Network intrusion detection and prevention technologies should be used in conjunction with traffic monitoring at cardholder data environment (CDE) perimeters and critical points. There is also a need for change detection mechanisms to notify when important files have been tampered with.

From a container environment perspective, firewalls are used to actively scan running containers for vulnerabilities and threats in and out of the environment, automatically detecting and mitigating any suspicious behaviors and intrusions.

Conclusion

In conclusion, achieving and maintaining PCI DSS compliance in containerized environments presents unique challenges and complexities.

To address these challenges, organizations need to implement effective security controls and measures, such as encryption, access controls, and network segregation. It is also important to conduct regular security assessments and testing, and to have effective incident response procedures in place.

By following these best practices, organizations can ensure that their containerized environments are secure and compliant with the PCI DSS.

Author Bio: Gilad David Maayan

Gilad David Maayan is a technology writer who has worked with over 150 technology companies including SAP, Imperva, Samsung NEXT, NetApp and Check Point, producing technical and thought leadership content that elucidates technical solutions for developers and IT leadership. Today he heads Agile SEO, the leading marketing agency in the technology industry.

LinkedIn: https://www.linkedin.com/in/giladdavidmaayan/


