PCI Compliance in the Public Cloud

Compliance frameworks provide a structure for how enterprises organize and secure their content and resources. Because they are created and governed for the purposes of protection and interoperability, they provide necessary safeguards that help organizations structure their security posture. They can also be onerous and burdensome which can lead to security and compliance teams falling behind in their compliance management. Once that happens, these teams wind up in a never-ending game of catch-up just to ensure their configurations are compliant. Yet while they pursue that chase, their environments exist in a vulnerable state, and that increases their exposure to threats.

For security and compliance teams, the issue is a mathematical one. Every configuration change, added user, API call, file download, and any of millions of potential actions can have hidden implications. Users must be added and removed from ACLs, exceptions must be managed for sensitive data repositories, and security tools must be updated and maintained. Even a minor oversight can render an organization non-compliant. That can get them into hot water with auditors, but more importantly, it can leave holes in their infrastructure.

Payment Card Industry Data Security Standard (PCI DSS) is an important industry standard developed for the protection of credit, debit, and cash card owners against theft of their personally identifiable information (PII). It has been designed to equip companies with security and best practice guidelines to ensure the security of credit card and cardholder data in their payment processes and supporting IT systems. Originally established as a collaborative effort by American Express, Discover, MasterCard, Visa, and JCB, the original intent was to promote credit card activity for e-commerce.

The right tools to ensure PCI compliance

For users, PCI is supposed to protect the information they provide in order to enact a transaction – personal information, credit card number, bank routing info, and a host of other items that enable their purchasing power. But buying things and obtaining credit becomes easier (think of one-click purchases), and with apps that promise easy-to-use money transfer (Venmo, PayPal, Apple Wallet, etc), there are more endpoints that PII and financial data touch. At the same time, more financial organizations are moving critical workloads to the cloud, which means they’re housing much of that data in very agile environments.

At issue for financial institutions is the safety and security of that data. Many turn to open source tools to give them PCI monitoring. These tools are intended to provide high-level file integrity monitoring (FIM), but they are only a surface layer. Data transacting inside the cloud environment, and activity moving outside of it can be targeted by hackers because these tools don’t target inconsistencies with configurations, and they’re not able to scale the demands of cloud workloads. Their focus is the network and they aren’t equipped to look at anything else in the cloud stack. Yet, without insight at a level where one can identify and evaluate every cloud action, there really can be no true understanding of what is at risk, to what degree the organization is out of compliance, and there’s no ability to pinpoint where the problem is so it can be fixed.

Security teams are often eager to use a pieced-together set of FIM tools along with legacy security tools like SIEMs and network-based detection systems. The problem with that approach is that these tools aren’t integrated and they’re managed as separate pieces. Without a unifying platform that can detect threats at a deep level, vulnerabilities will be missed. And as we know, a hacker doesn’t need much of a hole to get in and start wreaking havoc.

The evolution of all aspects of data and infrastructures includes an important set of contrasts; while our ability to utilize more data and use it more efficiently, it comes at the cost of more endpoints, and more endpoints create more potential vulnerabilities. Back to our mathematical problem, it’s easy to see how the growth of these endpoints starts to go in an exponential direction. No manual system can ensure compliance for systems that never stop, and that grow almost organically.

Monitoring and analyzing activity at every layer of the cloud stack, and identifying threats deep within the infrastructure is necessary for today’s workloads and IT environments. Intrusion detection monitoring certainly is still necessary at the network layer, but it’s what’s happening with cardholder data as it travels through to different apps and repositories that can be complicated and hard to identify. Using a host-based system for monitoring network traffic throughout the infrastructure of the organization is mandatory because it is functioning at the depth of configuration, access, and asset change levels.

The impact of non-compliance

Being PCI-compliant is a necessity for any organization that facilitates ecommerce transactions with credit or debit cards. If ever there was a growth industry, it is online shopping. In 2017, ecommerce represented just 13% of all total retail sales, but 49% of all retail growth. Consumers made $454 billion worth of online purchases last year, and online sales grew 16% from the previous year. The consequences, therefore, of being out of compliance are huge – at best, fines and remediation will get you back in business. But if you really don’t have control over the activity within your cloud, you are liable to attacks and compliance issues that could eradicate customer trust, or altogether put you out of business.

To be effective at validating PCI compliance, it’s best to use an approach that analyzes cloud activity against normalized behavior to identify the status of all PCI controls. Awareness of every event, every endpoint, and automatic identification of anomalies is critical to ensuring you are prepared with an effective PCI compliance framework.