![Credit Card Payment-pana.png](https://static.wixstatic.com/media/df4ab1_3c57d217a75840a78266008f4714f9d0~mv2.png/v1/fill/w_560,h_560,al_c,q_85,usm_0.66_1.00_0.01,enc_avif,quality_auto/df4ab1_3c57d217a75840a78266008f4714f9d0~mv2.png)
LEVERAGING CLOUD SHARED RESPONSIBILITY MODEL TO BUILD A PCI-DSS COMPLIANT INFRASTRUCTURE
April 2021
The Payment Card Industry Data Security Standard (PCI-DSS) v3.2.1 comprises over 390 individual requirements and tests intended to secure sensitive data in your environment. To achieve compliance (PCI-DSS or SOC) you need to provide evidence for three core security pillars: Technology, People and Process.
Compliance is not just satisfying those 300+ requirements once. It is validating that your technology, the people in charge of your environment, and your processes to manage, investigate, and respond to incidents are organized in such a way that your environment is safe and well-managed 24 x 7, 365 days a year. This is where things tend to get complicated. Not only do you need to be the architect, but you are now responsible for your solution through the project and delivery lifecycle and beyond.
Now let's jump to the reason you are reading this article. After going through this exercise I listed 12 recommendations that will help you achieve compliance. We do this by bringing the number of PCI-DSS requirements that apply to you down to the minimum possible. We reduce your responsibility, your management, and your process and people engagement throughout the year. Cloud security is a shared responsibility. You can't dismiss your own responsibility and your own people and process, but you can take advantage of the cloud provider's responsibility too. This post will show you how to achieve PCI-DSS compliance on AWS in the most optimal way, by taking advantage of this shared responsibility model. When done well you can reduce the level of effort to implement and maintain a compliant environment, and deliver the business payment capability so critical for your organizational growth, in no time.
![Servers](https://static.wixstatic.com/media/11062b_02f3dbceab3f4181a0ea4767efbf280d~mv2.jpg/v1/fill/w_805,h_480,al_c,q_85,usm_0.66_1.00_0.01,enc_avif,quality_auto/11062b_02f3dbceab3f4181a0ea4767efbf280d~mv2.jpg)
HOW TO?
How to achieve a PCI-DSS compliant infrastructure by leveraging the Cloud Shared Responsibility Model
SELECT CLOUD PROVIDER
Not all cloud providers are equal. Choose one that meets your requirements and offers the flexibility you need. I have found that in AWS.
The AWS Shared Responsibility Model can remove much of your security and compliance burden. For starters, it removes the need for all the physical-infrastructure-related PCI-DSS requirements. This includes things like physical access and CCTV cameras, and physical server and network infrastructure. Use of managed and serverless services can remove most or all of the requirements that come with traditional servers: patching, vulnerability management, even logging. The Software Defined Network (SDN) nature of the cloud also reduces the number of physical ports and devices to be configured and tested.
It is estimated that, when using serverless and managed cloud services, more than 50% of your compliance requirements could be considered not applicable to you, and instead be the responsibility of the cloud provider. The cloud provider must possess a current PCI Attestation of Compliance (AOC) for the latest PCI-DSS version covering every service you wish to use.
AWS Services in Scope by Compliance Program
Note: Don't forget to pick a region that offers all the services you need.
ADOPT SERVERLESS ARCHITECTURE
Addressing the Requirement 6: Develop and maintain secure systems and applications
Using serverless cloud services offers the best solution for PCI-DSS compliance. All requirements regarding OS patching, antivirus scanning and remote access restrictions are no longer applicable. Serverless architecture offers the highest return on investment: using the shared responsibility model you are able to shift responsibility for most of the security controls to the cloud provider.
This allows for a much smaller application stack, since only the specific application code and its specific dependencies are needed. This greatly accelerates development and deployment cycles, and brings business value into your production environment faster.
USE ONLY PCI-DSS COMPLIANT COMPONENTS
Addressing Requirement 1: Install and maintain a firewall configuration to protect cardholder data
Choose PCI-DSS certified components in your architecture and have it reviewed by a cloud-savvy Qualified Security Assessor. This means the underlying cloud platform has already been assessed and can be trusted by your assessor. Save time and money on penetration testing and evidence gathering for cloud components by using the cloud provider's PCI-DSS certified components. The cloud provider's AOC will cover those selected components from an evidence, testability, and security standpoint. Your architecture will use cloud components such as load balancers, computing services and others. Make sure not to use any component that is not PCI-DSS certified. See AWS Services in Scope by Compliance Program.
AVOID SHARED SERVICES
Addressing the Requirement 8: Identify and authenticate access to system components
Avoid using shared services such as monitoring tools, anti-virus and patch management, and directory services (LDAP/AD). AWS Landing Zone offers the proper architecture to build several cloud accounts dedicated to monitoring and security (access and permissions, WAF, firewall, GuardDuty, etc.) that are self-contained and not connected to your data center.
Use cloud-native services and leverage cloud root-account segregation for connected-to systems.
DON'T STORE PAYMENT INFORMATION
Addressing Requirement 3: Protect stored cardholder data
Storing credit card data defeats the purpose of a minimal PCI architecture and responsibility. Protect stored cardholder data by using third-party tokenization services, so that clear-text credit card information is never stored. This is a highly important decision.
USE API GATEWAY
Addressing Requirement 1: Install and maintain a firewall configuration to protect cardholder data
Cloud services are all API based; what better component to ensure segregation between incoming flows and environments than an API Gateway? With built-in firewall-type segregation, granular permissions and flow authentication, it offers the best segmentation between your CDE and connected-to environments. Data is encrypted using built-in encryption services.
AUTOMATION
Addressing the Requirement 6: Develop and maintain secure systems and applications
Automation is a key security control to protect web content from being altered by script injection. For instance, you don't want your payment form to be sniffing and capturing payment information and sending it to a third party. Thus, no manual deployment is accepted: every deployment must run through automation with specific permissions and pass the security vulnerability scan.
CONNECTED-TO & SCOPING
Addressing the Requirement 4: Encrypt transmission of cardholder data across open, public networks
Use PCI-DSS compliant proxies and components to ensure complete segregation between connected-to and out-of-scope environments. The cloud leverages software-defined networking, which replaces the traditional network boundary with virtual access and application permissions. Apply security segmentation at each layer (network, application, session): security groups, load balancers, gateways, etc.
CODE PIPELINE & SCANNING
Addressing the Requirement 6: Develop and maintain secure systems and applications
Implementing a code pipeline with CI/CD (continuous integration/continuous deployment) is mandatory for passing PCI-DSS; scanning the code for vulnerabilities will ensure robust and secure code releases.
CHANGE & DRIFT DETECTION
Addressing Requirement 11.5: Deploy a change-detection mechanism (for example, file-integrity monitoring tools)
Use built-in cloud drift detection services to continuously monitor for any unplanned or unscheduled change to your PCI-DSS compliant infrastructure.
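An added illustration (not code from the original post) of the change-detection idea in this section and the deployment-automation point above: the pipeline records a fingerprint manifest of what it approved and deployed, and a later observation of the same resources is compared against it, so that anything added, removed or altered outside the pipeline is flagged. All artifact names, file contents and security-group rules are constructed sample values; in practice the baseline would come from the deployment pipeline and the observed state from the cloud provider's APIs or drift-detection service.

```python
import hashlib
import json


def fingerprint(value) -> str:
    """SHA-256 of an artifact. Files are hashed as bytes; configuration
    resources (dicts/lists) are serialised to canonical JSON first, so a
    mere change in key order does not produce a false positive."""
    if isinstance(value, (bytes, bytearray)):
        data = bytes(value)
    else:
        data = json.dumps(value, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(data).hexdigest()


def build_manifest(artifacts: dict) -> dict:
    """Map each artifact name to its fingerprint (the pipeline's baseline)."""
    return {name: fingerprint(value) for name, value in artifacts.items()}


def detect_drift(baseline: dict, observed: dict) -> dict:
    """Report every unplanned change between two manifests."""
    base, cur = set(baseline), set(observed)
    return {
        "added": sorted(cur - base),
        "removed": sorted(base - cur),
        "modified": sorted(n for n in base & cur if baseline[n] != observed[n]),
    }


# Constructed sample: what the pipeline approved and deployed ...
APPROVED = {
    "web/checkout.html": b"<form id='pay' action='/tokenize'></form>",
    "web/payment-form.js": b"export function submitCard(f) { return tokenize(f); }",
    "sg/cde-web": {"ingress": [{"port": 443, "cidr": "0.0.0.0/0"}]},
    "sg/cde-db": {"ingress": [{"port": 5432, "source": "sg-cde-app"}]},
}
# ... and what is observed later: one script altered, one file and one
# ingress rule that the pipeline never produced, and one resource that only
# differs in key order (not a real change).
OBSERVED = {
    "web/checkout.html": APPROVED["web/checkout.html"],
    "web/payment-form.js": APPROVED["web/payment-form.js"] + b"\n/* unreviewed change */",
    "web/tracker.js": b"/* not produced by the pipeline */",
    "sg/cde-web": {"ingress": [{"cidr": "0.0.0.0/0", "port": 443}, {"port": 22, "cidr": "0.0.0.0/0"}]},
    "sg/cde-db": {"ingress": [{"source": "sg-cde-app", "port": 5432}]},
}


def run_check() -> dict:
    return detect_drift(build_manifest(APPROVED), build_manifest(OBSERVED))


if __name__ == "__main__":
    print(json.dumps(run_check(), indent=2))
```

Any non-empty entry in the result is an unplanned change that should raise an alert and be reconciled against the change-management record.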
LOGS & MONITORING
Addressing the Requirement 10: Track and monitor all access to network resources and cardholder data
Externalize the logs to a secure, log-only account following the AWS Landing Zone architecture.
DOCUMENTATION & AUDIT REPORT
Gathering evidence and documentation for your third-party auditor. Note: your cloud provider is not qualified to issue an AOC for you. Engage a third-party auditor company.
Use the cloud provider's PCI-DSS security controls checklist; this will speed up your audit documentation and evidence gathering, since a good portion of the requirements will be pre-populated using the cloud shared responsibility model and covered by your cloud provider's AOC. Out of 399 requirements, you will benefit from rapid audit documentation preparation.
DRIVERS FOR PCI-DSS COMPLIANCE
Business Drivers For Achieving Compliance
![Business Partners at Work](https://static.wixstatic.com/media/3c6ada28ceb647b9942b2a23290d3184.jpg/v1/fill/w_490,h_327,al_c,q_80,usm_0.66_1.00_0.01,enc_avif,quality_auto/3c6ada28ceb647b9942b2a23290d3184.jpg)
NEW PARTNERSHIPS & GROWTH
When your organization seeks new partnerships and clients it needs to provide proof of trustworthiness and reliability. Passing the PCI-DSS compliance process is your passport to expanding your list of partners and customers.
![Office Building](https://static.wixstatic.com/media/a4dc102389e14b338563ee9c1b9c8c5f.jpg/v1/fill/w_490,h_327,al_c,q_80,usm_0.66_1.00_0.01,enc_avif,quality_auto/a4dc102389e14b338563ee9c1b9c8c5f.jpg)
BUILDING A BRAND
Nothing is more damaging to your brand than a data breach causing harm to your customers and partners. The financial penalties are substantial, and your brand may never recover from it. Thus, it is important to implement all security measures provided to you by the card industry standards or other security standards like SOC.
![Wall Street Sign](https://static.wixstatic.com/media/4d2ad5a6300843d1bb5952efa6729423.jpg/v1/fill/w_490,h_326,al_c,q_80,usm_0.66_1.00_0.01,enc_avif,quality_auto/4d2ad5a6300843d1bb5952efa6729423.jpg)
FROM START-UP TO A CORPORATION
Startups thrive on technology and innovation but may experience challenges in establishing the rigorous processes imposed by different standards and regulations (SOC, PCI-DSS). When previously granted access starts to be taken away from employees and even founders of the startup due to compliance with the new security standards, things get bumpy at the office. The security compliance process brings maturity and awareness and drives the change needed for growth.
![Meeting](https://static.wixstatic.com/media/11062b_d501f436970747e0a9dec680ac7b5b81~mv2.jpg/v1/fill/w_720,h_480,al_c,q_80,usm_0.66_1.00_0.01,enc_avif,quality_auto/11062b_d501f436970747e0a9dec680ac7b5b81~mv2.jpg)
BUDGET FOR CLOUD PCI EXPERT
Must Include in your budget
Hire a cloud PCI expert to help you review your solution, avoid damaging assumptions, and work within the limits of your cloud environment and services. Never make an assumption without validating it with an expert.
The budget spent on a PCI cloud expert might seem high at first, but it is indispensable if you want to deliver on time and avoid bad surprises. This investment will allow your third-party QSA (Qualified Security Assessor) auditor to find ready-to-consume documentation instead of billing you extra hours to document everything from scratch. Think about it: deliver a robust and solid foundation from the get-go :) instead of damage control and bolt-on fixes after the fact.
Hire a Cloud QSA
Budget
PITFALLS
What to watch for