PCI Compliance for Cloud Environments: Tackle FIM and Other Requirements with a Host-Based Approach
By Patrick Flanders, Director of Marketing, Lacework
Compliance frameworks and security standards are necessary, but they can be a burden on IT and security teams. They provide structure, process, and management guidelines that enable businesses to serve customers and interoperate with other organizations, all according to accepted guidelines that facilitate a better experience for end users.
Yet, when their IT environment is the cloud there is the additional challenge of trying to maintain the fairly static state of compliance in an environment where change is continuous. Every configuration change, addition of a new users, or transaction between data sources, even seemingly minor changes, can have hidden implications that when discovered, can render the organization non-compliant.
Payment Card Industry Data Security Standard (PCI DSS) is an industry standard intended to protect credit, debit, and cash card owners against theft of their personally identifiable information (PII), and to equip companies with best practices guidelines to secure payment processes and supporting IT systems. Originally established as a collaborative effort by American Express, Discover, MasterCard, Visa, and JCB, the original intent was to promote credit card activity for e-commerce.
Play it safe with PCI
PCI is intended to keep all those transactions safe, but with more money exchanging digital hands, there are more endpoints that PII and financial data touch. At the same time, more financial organizations are moving critical workloads to the cloud, which means they’re managing more change in the name of agility.
Many turn to open source tools to give them PCI monitoring. These tools are intended to provide high level file integrity monitoring, but they are only a surface layer. Data transacting inside the cloud environment, and activity moving outside of it can be targeted by hackers because these tools don’t target inconsistencies with configurations, and they’re not able to scale the demands of cloud workloads. Their focus is the network and they aren’t equipped to look at anything else in the cloud stack. Yet, without insight at a level where one can identify and evaluate every cloud action, there really can be no true understanding of what is at risk, to what degree the organization is out of compliance, and there’s not ability to pinpoint where the problem is so it can be fixed.
Many IT groups piece together open source FIM tools along with legacy security tools like SIEMs and network-based detection systems. In an earlier era when there were fewer endpoints and control governance could be extended to the firewall, this was adequate. But financial organizations are now extending payment options through mobile apps and even IoT devices; the number of endpoints and potential holes in the system can grow exponentially.
This concept of monitoring and analyzing activity at every layer of the cloud stack maps to what’s necessary for today’s workloads and IT environments. Intrusion detection monitoring certainly is still necessary at the network layer, but it’s what’s happening with cardholder data as it travels through to different apps and repositories that can be complicated and hard to identify. Using a host-based system for monitoring network traffic throughout the infrastructure of the organization is mandatory because it’s functioning at the depth of configuration, access, and asset change levels.
Out of compliance, out of business
Being PCI-compliant is a necessity for any organization that facilitates ecommerce transactions with credit or debit cards. If ever there was a growth industry, it is online shopping. In 2017, ecommerce represented just 13% of all total retail sales, but 49% of all retail growth. Consumers made $454 billion worth of online purchases last year, and online sales grew 16% from the previous year. The consequences, therefore, of being out of compliance are huge – at best, fines and remediation will get you back in business. But if you really don’t have control over the activity within your cloud, you are liable to attacks and compliance issues that could eradicate customer trust, or altogether put you out of business.
To be effective at validating PCI compliance, it’s best to use an approach that analyzes cloud activity against normalized behavior to identify status of all PCI controls. Awareness of every event, every endpoint, and automatic identification of anomalies is critical to ensuring you are prepared with an effective PCI compliance framework.