Alcide PCI DSS Compliance in Kubernetes Deployments
As FinTech companies revolutionize the way we deal with our finances, the cloud native architectures used to deliver these innovative services, make adherence to PCI DSS harder to achieve. PCI DSS necessitates securing access to payment cardholder data, which becomes a non-trivial problem when applications are transient in nature, and distributed across multiple infrastructure platforms and networks.
The adaptation of PCI DSS requirements and controls to Kubernetes based applications is challenging, specifically, establishing network based isolation boundaries for cardholder data (CHD). Achieving PCI DSS compliance is directly affected by the application architecture and where the CHD is stored, as well as where CHD processing workloads are running.
The Payment Card Industry Data Security Standard (PCI DSS) is concerned with protecting the data associated with payment cardholders. It provides a set of guidelines for securing cardholder data when it’s processed, stored or transmitted in and across data networks. For organizations needing to comply with PCI DSS, the distributed, ephemeral nature of cloud native application architectures presents a problem. How do you know what to secure when it’s not clear what constitutes the application environment, or which component communicates with which?
Alcide Kubernetes Advisor enables PCI DSS application owners to automate and ensure continuously that PCI DSS requirements and controls are maintained at all times, across production, stage and test environments.With Alcide Application-Aware Microservices Firewall, and Alcide’s patent pending Behavioral based anomaly detection AI engine, companies can achieve PCI DSS compliance for every architecture of their choice.
Applying policy using Alcide’s unified dashboard, segmentation of traffic (to the microservice level) can be applied to the deployed services under the platform’s control. This allows PCI DSS compliant services to be firewalled from those that have no warranted purpose for accessing payment card data or processes.
Using its in-built detection engine, Alcide protects against threats and anomalous behavior that ordinarily circumvents the protection provided by infrastructure providers. From layer 2 through 7 of the network stack, Alcide uses machine learning to detect threats like data exfiltration through DNS tunnelling, or network reconnaissance through port scanning, amongst others. Quarantine response actions can be automated to isolate compromised components from other PCI DSS compliant components in the environment.
Through its discovery mechanism, Alcide can abstract and present the complex relationships that exist between infrastructure and application service components. It allows security administrators to observe the interactions that components involved in handling payment card data, have with other components in the network, and beyond.
All access to Card Holder Data including internal controls to make sure the incident response plan takes into account system breach by internal compromised or malicious users.