
PCI Compliance for DevOps and SecOps Teams

February 19, 2020




The Payment Card Industry (PCI) Security Standards Council administers the Payment Card Industry Data Security Standard (PCI DSS). It’s a standard that any organization that stores, processes or transmits cardholder data must comply with. It’s not new, it’s well understood, and a multitude of companies have sought and achieved compliance over the many years since its introduction.

But, the changing landscape of technology frequently throws up new obstacles that require us to revisit our carefully planned strategies for maintaining compliance with standards like PCI DSS. Cloud Native computing is just such a technology. In this article we’ll take a look at PCI DSS compliance in a Cloud Native world, but first let’s briefly explain what Cloud Native is.


Achieving PCI DSS Compliance in a Cloud Native World

If you’re a software developer, it’s highly likely that you’re already au fait with the concepts of microservices and the Cloud Native approach. It’s an architectural approach to developing software applications that promises many benefits, all of which ultimately serve the business. Done correctly, it allows teams of software engineers to develop discrete application components in isolation, giving them autonomy and independence. These benefits help organizations release new software features more frequently and more reliably, making them more competitive in the markets in which they operate.

Developing software in the microservices pattern, however, has consequences for the delivery of those services in a production setting. For DevOps teams responsible for running these applications in production, the explosion of ephemeral, containerized services that arises from scaling applications developed in this way increases the complexity of delivery. Fortunately, Kubernetes was developed for exactly this purpose. It provides DevOps teams with an orchestration capability for managing the multitude of deployed services, with built-in automation, resilience, load balancing, and much more. It’s perfect for the reliable delivery of Cloud Native applications.

When it comes to security, both DevOps and SecOps teams can benefit from the inherent security features that Kubernetes provides, including a strong model for authentication and authorization, the ability to harden application workloads, and Role-Based Access Control (RBAC) for Kubernetes API objects. But the security features that Kubernetes provides are general purpose in nature and aren’t ‘domain aware’. In this sense, Kubernetes is just a (very good) hosting platform for Cloud Native applications. When it comes to achieving PCI DSS compliance for these hosted workloads, it’s necessary to augment the platform with additional security features. These features must speak to the issues that PCI DSS seeks to address, and be relevant and useful in Cloud Native environments.



The Challenge

Software tools that provide security features to help achieve PCI DSS compliance have existed for as long as the standard itself. They’ve served merchants and service providers well over the years.

But these security tools were built for an era in which Cardholder Data Environments (CDE) were implemented in data centers and on private networks. The Cloud Native era has turned this on its head, with workloads running on public cloud infrastructure, and data being sent (hopefully encrypted) across public networks, including the Internet.

When we add in the ephemeral, transient nature of Cloud Native workloads, the problem of using traditional tools to firewall a CDE from unsolicited traffic, for example, gets significantly more difficult. How is it possible to dynamically secure an asset, or monitor its behavior, when you don’t even know where it’s running? How can you get a holistic view of a CDE when there are so many different layers in the stack, which are provided by different infrastructure components?

In spite of these difficult challenges, the PCI DSS remains undiminished in its requirements. Just because a new paradigm introduces some additional complexity, it doesn’t mean the PCI Security Standards Council ought to lower the bar to compliance. Instead, it’s incumbent upon security software vendors to meet the new challenge that Cloud Native presents, and to innovate accordingly.

Here at Alcide, we’re proud of the security capabilities that we’ve engineered to secure Cloud Native applications running on Kubernetes platforms in hybrid and multi-cloud settings. Configured appropriately, our technologies are a considerable aid to DevOps and SecOps teams in those organizations seeking PCI DSS compliance.


Alcide to the Rescue!

To help organizations understand how to meet the requirements imposed by the PCI DSS, we’ve published a useful eBook. It describes the general nature and specific purpose of each PCI DSS requirement, as well as outlining how Alcide’s Kubernetes Security Platform can be configured to meet the requirement. Whether it’s the detection of anomalous activities, unauthorized access attempts to the CDE, or scanning for known vulnerabilities in workloads, Alcide has a solution.

Alcide’s SaaS platform was built with the knowledge that security needs to be configured in from development, through continuous integration and delivery, and ultimately to workload deployment. But it also factors in the need to address the security of every layer in the stack, and to segment workloads by firewalling microservices. If you’re curious to find out how, download our eBook for free.
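To make the segmentation point concrete, here is an added example that is not Alcide’s code and is not taken from the eBook: a small audit over Kubernetes NetworkPolicy objects (the platform’s native mechanism for firewalling microservices) that checks whether each namespace designated as part of the CDE actually has a default-deny ingress policy, and flags allow rules that admit traffic from anywhere. The namespaces, policy names and labels are constructed for the example, and the policy dictionaries mimic only the fields that `kubectl get networkpolicy -A -o json` would return.

```python
"""Audit Kubernetes NetworkPolicy objects for CDE ingress segmentation.

Added example, not part of the original article. Everything below is
constructed: namespace names, policy names and labels are invented, and the
policy dictionaries carry only the fields the audit needs.
"""
from typing import Dict, List

# Constructed sample: one namespace fenced correctly, one with a policy that
# only looks like default-deny, and one with no policies at all.
SAMPLE_POLICIES: List[dict] = [
    {   # Default-deny for every pod in the namespace: both directions.
        "metadata": {"name": "default-deny-all", "namespace": "cde-payments"},
        "spec": {"podSelector": {}, "policyTypes": ["Ingress", "Egress"]},
    },
    {   # Explicit allow: only pods in namespaces labelled zone=dmz may reach
        # the payment service, and only on TCP/8443.
        "metadata": {"name": "allow-gateway-to-payment", "namespace": "cde-payments"},
        "spec": {
            "podSelector": {"matchLabels": {"app": "payment-service"}},
            "policyTypes": ["Ingress"],
            "ingress": [{
                "from": [{"namespaceSelector": {"matchLabels": {"zone": "dmz"}}}],
                "ports": [{"protocol": "TCP", "port": 8443}],
            }],
        },
    },
    {   # Selects all pods but restricts Egress only, so ingress stays wide open.
        "metadata": {"name": "deny-egress-only", "namespace": "cde-tokenizer"},
        "spec": {"podSelector": {}, "policyTypes": ["Egress"]},
    },
    {   # An ingress rule with no "from" clause admits traffic from everywhere.
        "metadata": {"name": "allow-metrics", "namespace": "cde-tokenizer"},
        "spec": {
            "podSelector": {"matchLabels": {"app": "tokenizer"}},
            "ingress": [{"ports": [{"protocol": "TCP", "port": 9090}]}],
        },
    },
]
# Constructed list of namespaces the organisation considers part of the CDE.
SAMPLE_CDE_NAMESPACES = ["cde-payments", "cde-tokenizer", "cde-vault"]


def effective_policy_types(spec: dict) -> List[str]:
    """Apply the Kubernetes default: when policyTypes is omitted, the policy
    covers Ingress, plus Egress only if an egress section is present."""
    types = spec.get("policyTypes")
    if types is None:
        types = ["Ingress"] + (["Egress"] if "egress" in spec else [])
    return types


def selects_all_pods(spec: dict) -> bool:
    """An empty podSelector (or one with no labels/expressions) matches every pod."""
    selector = spec.get("podSelector") or {}
    return not selector.get("matchLabels") and not selector.get("matchExpressions")


def is_default_deny_ingress(policy: dict) -> bool:
    """True when the policy isolates every pod in its namespace for ingress
    without allowing any peers, i.e. it is a default-deny ingress policy."""
    spec = policy.get("spec", {})
    return (selects_all_pods(spec)
            and "Ingress" in effective_policy_types(spec)
            and not spec.get("ingress"))


def wide_open_ingress_rules(policy: dict) -> int:
    """Count ingress rules that name no 'from' peers: such a rule admits
    traffic from any source on the listed ports."""
    rules = policy.get("spec", {}).get("ingress") or []
    return sum(1 for rule in rules if not rule.get("from"))


def audit_cde_segmentation(policies: List[dict], cde_namespaces: List[str]) -> Dict[str, dict]:
    """Return, per CDE namespace, whether ingress is default-denied, which
    policies provide the deny, and which allow rules are open to any source."""
    report: Dict[str, dict] = {}
    for ns in cde_namespaces:
        ns_policies = [p for p in policies if p["metadata"]["namespace"] == ns]
        deny = [p["metadata"]["name"] for p in ns_policies if is_default_deny_ingress(p)]
        open_allows = [p["metadata"]["name"] for p in ns_policies if wide_open_ingress_rules(p)]
        report[ns] = {
            "policy_count": len(ns_policies),
            "default_deny_ingress": bool(deny),
            "deny_policies": deny,
            "wide_open_allow_policies": open_allows,
        }
    return report


def failing_namespaces(report: Dict[str, dict]) -> List[str]:
    """Namespaces that either lack default-deny ingress or carry an allow-from-anywhere rule."""
    return sorted(ns for ns, r in report.items()
                  if not r["default_deny_ingress"] or r["wide_open_allow_policies"])


if __name__ == "__main__":
    result = audit_cde_segmentation(SAMPLE_POLICIES, SAMPLE_CDE_NAMESPACES)
    for ns, row in result.items():
        print(ns, row)
    print("namespaces needing attention:", failing_namespaces(result))
```

In a real cluster the `SAMPLE_POLICIES` list would be replaced by the items array of the API response; the checks themselves need nothing else. The audit deliberately treats a namespace with zero policies as failing, because without any NetworkPolicy selecting a pod, Kubernetes allows all ingress to it.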


