PCI DSS on Cloud? The ultimate responsibility lies with you!
Updated: May 9, 2019
Many cloud providers, such as Amazon Web Services (AWS) and Google Cloud Platform (GCP), are committed to maintaining a PCI DSS compliant environment for customers who use their services to host a Cardholder Data Environment (CDE). Organizations often misinterpret this and forget that the ultimate responsibility for maintaining a PCI DSS compliant environment lies with them, not with the cloud provider.
You, as the data owner, need to take steps to maintain security in the cloud, which includes strengthening policies, conducting regular security assessments, closing gaps, hardening access controls, etc. The following are some initial steps you can take to secure your environment.
1. Remove vendor defaults
The first step is to replace default settings such as usernames, passwords, packages, etc. The environment may contain packages that are not needed for the CDE to function and that may pose a risk to the security of cardholder data. We recommend removing everything that is not needed and stripping the environment down to the required packages only. You may also need to strip down functionality to make the cloud environment easier to secure, and separate it into tiers such as a web server, a database server and an application server.
2. Strengthen the access controls
You may need to validate the access policies and controls configured in the cloud infrastructure so that access to data is granted on a need-to-know basis. Modern cloud providers allow you to configure network access controls and security groups, which can be used to limit unauthorized access to resources deployed in the cloud, adding an extra security layer for the CDE.
While using Identity and Access Management (IAM) to access the environment, you should remove all test accounts from the production environment. You should also limit the use of SSH and instead use the tools provided by the cloud provider, such as CloudFormation (AWS), Deployment Manager (GCP) or Puppet, for management and patching. Command-line utilities can also be used to access the environment. IAM policies should be strictly defined for accessing the resources in the CDE.
3. Protect data at rest and in transit
Cloud providers such as AWS provide a transparent encryption feature to encrypt Elastic Block Store volumes. You can also employ a commercial tool or take advantage of OS-level technologies to encrypt data at rest. Also make sure to store only the minimum data required to operate, including card details and cardholder details.
Rotate the IAM keys of users at regular intervals and store them securely in a separate environment from the CDE.
Make sure to use a strong encryption mechanism while transmitting cardholder data.
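The security-group and key-rotation advice above, as an added example that is not part of the original post: a small Python audit that walks security-group ingress rules and IAM access-key ages in the shape of the AWS EC2 DescribeSecurityGroups and IAM ListAccessKeys responses, flagging SSH or database ports open to the whole internet and keys past their rotation interval. The sample data is constructed, and the 90-day interval is an assumption, since the post only says "regular intervals".

```python
from datetime import datetime, timezone

# Ports a CDE should never expose to the whole internet: SSH (the article says to
# limit its use) plus common database listener ports.
RESTRICTED_PORTS = {22: "SSH", 3306: "MySQL", 5432: "PostgreSQL", 1433: "MSSQL"}
WORLD_CIDRS = {"0.0.0.0/0", "::/0"}
MAX_KEY_AGE_DAYS = 90  # assumed rotation interval; the article says only "regular intervals"


def audit_security_groups(groups):
    """Return (group_id, port, service) for ingress rules that open a restricted
    port to the world. `groups` follows the EC2 DescribeSecurityGroups shape."""
    findings = []
    for sg in groups:
        for perm in sg.get("IpPermissions", []):
            sources = [r["CidrIp"] for r in perm.get("IpRanges", [])]
            sources += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
            if not WORLD_CIDRS.intersection(sources):
                continue
            lo, hi = perm.get("FromPort"), perm.get("ToPort")
            if lo is None:  # IpProtocol "-1": every port and protocol is open
                findings.append((sg["GroupId"], "all", "all traffic"))
                continue
            for port, service in RESTRICTED_PORTS.items():
                if lo <= port <= hi:
                    findings.append((sg["GroupId"], port, service))
    return findings


def audit_access_keys(keys, now):
    """Return (user, key_id, age_days) for IAM access keys past the rotation
    interval. `keys` mirrors IAM ListAccessKeys metadata."""
    return [(k["UserName"], k["AccessKeyId"], (now - k["CreateDate"]).days)
            for k in keys if (now - k["CreateDate"]).days > MAX_KEY_AGE_DAYS]


# Constructed sample input (not from a real account): a web group with SSH open to
# the world and a database group whose IPv6 rule allows all traffic from anywhere.
SAMPLE_GROUPS = [
    {"GroupId": "sg-web", "IpPermissions": [
        {"FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        {"FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
    {"GroupId": "sg-db", "IpPermissions": [
        {"FromPort": 3306, "ToPort": 3306, "IpRanges": [{"CidrIp": "10.0.1.0/24"}]},
        {"IpProtocol": "-1", "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]}]
NOW = datetime(2019, 5, 9, tzinfo=timezone.utc)  # constructed "today"
SAMPLE_KEYS = [
    {"UserName": "deploy", "AccessKeyId": "AKIAEXAMPLE0000001", "CreateDate": datetime(2019, 1, 2, tzinfo=timezone.utc)},
    {"UserName": "ops", "AccessKeyId": "AKIAEXAMPLE0000002", "CreateDate": datetime(2019, 4, 20, tzinfo=timezone.utc)}]
```

Against live data the same functions can be fed the output of the corresponding AWS API calls; the 443 rule is left alone because only the listed ports are treated as restricted.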
4. Security Assessment
PCI DSS requires organizations that handle payment card data to maintain a healthy security posture by conducting security assessments at regular intervals.
Organizations may follow OWASP secure coding methodologies while developing applications, and hire a team of security experts, such as Security Spoc ™, to conduct vulnerability assessments and penetration testing to identify threats and vulnerabilities.
5. Enable Logging & Monitoring
Make sure that event logging for your CDE is enabled and that the logs are sent to a centralized logging server for review. You should also consider deploying a SIEM solution for reviewing events and incidents so that they can be acted upon.
The practices above set you on the path to becoming compliant and staying focused on maintaining the security of the CDE. The Security Spoc ™ team has helped many clients stay compliant with PCI DSS by offering guidance on establishing strong processes and policies and by conducting technical security assessments of cloud environments.