PCI Compliance for Kubernetes

What is PCI Compliance?

Payment Card Industry (PCI) compliance is a standard enforced by credit card companies to ensure the security of credit card transactions in the payment industry. It is a set of technical and operational standards companies follow to secure credit card data, whether provided by cardholders or transmitted through card processing transactions. The PCI Security Standards Council (SSC) develops and maintains PCI compliance standards.

The Federal Trade Commission (FTC) oversees credit card processing due to consumer protection and oversight needs. PCI compliance is not necessarily a regulatory requirement but might be taken into account by regulators through legal precedent.

PCI compliance is typically a key component of credit card company security protocols. It is usually required by the credit card company and is a part of credit card provider agreements.

The PCI Standards Committee is responsible for developing standards that comply with PCI standards. These standards apply to merchant processing and outline requirements such as methods for encrypting Internet transactions. Other important organizations involved in developing standards for the credit card industry include the Network of Card Associations and the National Automated Clearing House (NACHA).

Why is PCI Compliance Different in Containers and Kubernetes?

As applications move to the cloud, several key characteristics of containerized environments make PCI container compliance difficult:

• In the past, virtual machine (VM) sprawl was considered a challenge in PCI compliance. Today’s containerized environments worsen things, with thousands or even millions of containers in large-scale environments.
• Containers are ephemeral, with IP addresses constantly changing, making them difficult to track and monitor.
• Developers extract open-source base images and leverage third-party libraries to build and extend containerized applications. These third-party components create a range of security risks.
• Containers raise software quality concerns because of the difficulty of managing software development pipelines in a containerized environment.
• PCI requires addressing known and newly discovered vulnerabilities, which can be challenging in a containerized environment, given the sheer number of components and moving parts.

PCI DSS Compliance in Kubernetes-Based Platforms: 7 Best Practices

Firewall Configuration

You can add a firewall to applications deployed on Kubernetes by using container network interface (CNI) providers that support Kubernetes network policies. Combined with a formal process for who can update rules and how they provide adequate protection.

Payment card data must be on the internal network. Enterprises can connect their internal networks with public networks, but a demilitarized zone (DMZ) must be established between them, with strict traffic flow rules. Network policies can help as they can selectively expose services based on IP ranges.

Restrict Cardholder Data Access on a Need-To-Know Basis

Within your organization, access to cardholder data should be limited to those who need it to do their job. PCI DSS compliance requires access control systems in place to enforce these restrictions. Organizations should use the following:

• Secure application protocols such as LDAP and Active Directory (AD).
• Security systems integrated with role-based access control (RBAC) provided by Kubernetes, OpenShift, and others.
• Avoid exposing real cardholder data to security and DevOps teams monitoring the environment.

Avoiding Default Passwords and Security Parameters

Kubernetes is completely unaware of which applications are being deployed. Therefore, it does not protect against configuration errors such as using default passwords or other security parameters. However, the Open Policy Agent (OPA) allows you to set a policy in a configuration file that can, for example, not allow the use of a default password. If an administrator makes a mistake, OPA catches it before the resource is created in the Kubernetes platform. The bug does not find its way to production, and the reason is documented.

This requirement also states that services with different security levels must not coexist on the same server. To ensure this, you need to annotate your Kubernetes worker nodes with security levels. All pod specifications must reference required security levels. This should be specified automatically via OPAs to prevent human error.

Protect All Systems Against Malware and Regularly Update Antivirus Solutions

PCI requires that antivirus solutions are deployed on all systems commonly affected by malware, such as PCs and servers. These solutions must be properly maintained and kept active and not be disabled or modified without administrative authority (and if so, only on a specific and limited basis).

Organizations can use orchestration tools to ensure secure containers are always running antivirus software. This can also be achieved by running a container firewall, which keeps systems virtually patched and up-to-date while still detecting suspicious file systems or network activity.

Develop/Maintain Secure Systems and Applications

PCI DSS requires organizations to pay close attention to systems and applications from development to production. This means proactively addressing security updates and newly discovered vulnerabilities, and following established rules for change control processes and procedures.

If you have a container environment, this means adopting a container security strategy that secures your application throughout its build, ship, and run cycle. Integrating container security into your CI/CD environment is ideal for meeting these requirements.

Track and Monitor All Access to Network Resources and Cardholder Data

PCI DSS requires managing individual user access to all system components (without shared accounts), and the implementation of an audit trail to reconstruct accurate details of each event. These audit trails must be protected from modification, and all logs and security events must be reviewed to identify unusual or suspicious activity.

Organizations that use containers must implement a security system that maintains event logs of all user activity and actions, tracks all communication between containers for event reconstruction, and is compatible with SIEM systems.

Regularly Test Security Systems and Processes

PCI DSS compliance requires network vulnerability scans, at least on a quarterly basis, and after major network changes. Network intrusion detection and/or prevention technologies should be used in conjunction with traffic monitoring at CDE perimeters and critical points.

You also need a change detection mechanism to alert you if sensitive files have been tampered with. From a container environment perspective, it is important to have a firewall that actively scans running containers for vulnerabilities and threats inside and outside the environment, and automatically detects and mitigates suspicious behavior.

Conclusion

In this article, I explained the basics of PCI DSS and how to comply with it in Kubernetes:

• Firewall configuration—You can add a firewall to applications deployed on Kubernetes by using CNI providers that support Kubernetes network policies.
• Restrict cardholder data access on a need-to-know basis—Organizations should use the following LDAP and RBAC to enforce access control.
• Avoiding default passwords and security parameters—The OPA allows you to set a policy in a configuration file that can, for example, not allow the use of a default password.
• Protect all systems against malware and regularly update antivirus solutions—Organizations can use orchestration tools to ensure secure containers are always running antivirus software.
• Develop/Maintain secure systems and applications—Adopt a container security strategy that secures your application throughout its build, ship, and run cycle.
• Track and monitor all access to network resources and cardholder data—Implement a security system that maintains event logs of all user activity and actions, tracks all communication between containers for event reconstruction, and is compatible with SIEM systems.
• Regularly test security systems and processes—Network intrusion detection and/or prevention technologies should be used in conjunction with traffic monitoring at CDE perimeters and critical points.

I hope this will be useful as you make Kubernetes comply with the PCI DSS. To learn more about PCI-compliant hosting with Atlantic.Net, contact the sales team at [email protected] today.