Why Container Security Matters for PCI Compliant Organizations
The PCI Data Security Standard is nothing new. Any entity that collects, stores or processes credit card information is bound by this standard. What is new is the adoption of containers for production applications, which can directly impact PCI compliance. With a 40% increase in Docker adoption in one year, containers introduce a new way of developing and delivering applications that affects organizations that need to be PCI compliant.
In this post we will go through some of the PCI requirements and show how container technology can affect compliance with the PCI-DSS standard. We will end by showing how the Aqua Container Security Platform helps organizations meet the PCI requirements.
How Do Containers Impact PCI-DSS?
PCI-DSS specifies key requirements that should be used as security guidelines for any environment. The standard does not yet specifically address container environments (the technology is too new), but containers do impact several areas, from development to production, that may affect PCI compliance. Here are a few key areas to look at:
- Maintain a vulnerability management program - containers built from open-source images may contain vulnerabilities. These images should be monitored for newly disclosed vulnerabilities, and those vulnerabilities mitigated before the images are used in production.
- Keep your network secured - one of the benefits of containers is their performance at massive scale, which in turn introduces challenges in tracking where containers are running and which network interactions they have. Therefore, all network connections between the different containers should be identifiable at any given time, to prevent lateral movement and intrusion.
- Maintain an information security policy - one of the pillars of any containerized environment is its policy-based security rules, which enable automated checks for ongoing monitoring and prevention of malicious activity.
- Storage of sensitive data - all the information inside a container should be accessible to specific users only, preventing unauthorized users from accessing data they are not allowed to view.
- Implement access control and separation of duties - each container should be accessible only to specific individuals with specific job-related needs.
- Audit trail - all access to PCI-sensitive data and systems must be logged and audited. In addition, access to these log files must be restricted, and the files must be backed up on a regular basis. Existing collection methods may not have sufficient granularity to track this data in containers.
How Aqua Helps Address PCI-DSS Requirements
- Vulnerability Scanning - Aqua provides in-depth vulnerability assessment for container images, preventing vulnerabilities from getting into applications before they’re deployed. By default, Aqua scans images daily to find CVEs. Each image is scanned for vulnerabilities both in its OS packages and in its development language files. With image assurance policies, admins can determine which images are allowed or disallowed, meaning that only approved images will be allowed to run.
- Network nano-segmentation - in order to monitor and secure all network connections, Aqua provides a network firewall that prevents unauthorized network connections and nano-segments the network so that the relationships between groups of containers can be observed.
- Policy-based security - Aqua admins can also assign labels to images and create a security policy that specifies which of the images are allowed to enter production. Any activity that does not comply with the policy will be stopped.
- Secrets Management - Aqua provides central management and secure distribution of secrets and cryptographic keys into running containers. When a secret is used, its value is automatically injected into the container and disappears once the container stops running. The secret is never visible outside the container.
- Separation of Duties and Access Control - in a containerized environment, the development team should have limited access to production. Aqua’s access control model ensures that only specific users are allowed to view or access specific containers along the pipeline.
- Full Event Logging - Aqua provides a granular audit trail for container events such as start/stop, access and attempted access events, and activities that contravene the security policy. Integration with third-party tools such as Splunk and a variety of SIEM tools allows events to be centrally collected and analyzed, as well as protected from deletion.
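To make the image assurance idea from the vulnerability scanning and policy-based security points concrete, here is an added example (not Aqua's code) of an admission gate that decides whether a scanned image may enter production based on its registry, its labels and the severity of its OS and language-package CVEs. The scan results, registry names, label keys and CVE identifiers are constructed placeholders, and the denial reasons are returned so they can be written to an audit trail.

```python
from dataclasses import dataclass, field

@dataclass
class Finding:
    cve_id: str          # constructed placeholder ids, not real CVEs
    severity: str        # CRITICAL / HIGH / MEDIUM / LOW
    source: str          # "os" for OS packages, "lang" for language dependencies
    fix_available: bool  # whether the scanner reports a fixed version

@dataclass
class ScanResult:
    image: str           # registry/repository:tag
    labels: dict         # labels assigned to the image by admins
    findings: list       # list[Finding]

@dataclass
class Policy:
    approved_registries: frozenset = frozenset({"registry.internal.example"})
    required_labels: dict = field(
        default_factory=lambda: {"pci-scope": "cde", "approved": "true"})
    block_severities: frozenset = frozenset({"CRITICAL", "HIGH"})
    block_unfixable: bool = False  # if False, blocking CVEs with no fix are reported but do not deny

def evaluate(scan: ScanResult, policy: Policy) -> tuple:
    """Return (allowed, reasons); every denial reason is kept for the audit log."""
    reasons = []
    registry = scan.image.split("/", 1)[0]
    if registry not in policy.approved_registries:
        reasons.append(f"image pulled from unapproved registry {registry}")
    for key, value in policy.required_labels.items():
        if scan.labels.get(key) != value:
            reasons.append(f"missing or wrong label {key}={value!r}")
    for f in scan.findings:
        if f.severity in policy.block_severities and (f.fix_available or policy.block_unfixable):
            reasons.append(f"{f.severity} {f.cve_id} in {f.source} packages")
    return (not reasons, reasons)

# Constructed sample scans: one compliant image, one that must be denied.
CLEAN = ScanResult("registry.internal.example/payments/api:1.4.2",
                   {"pci-scope": "cde", "approved": "true"},
                   [Finding("CVE-EXAMPLE-0001", "LOW", "os", True),
                    Finding("CVE-EXAMPLE-0002", "HIGH", "lang", False)])  # no fix yet: reported, not blocked
RISKY = ScanResult("public.example/app:latest", {"approved": "true"},
                   [Finding("CVE-EXAMPLE-0003", "CRITICAL", "os", True)])

if __name__ == "__main__":
    for scan in (CLEAN, RISKY):
        allowed, reasons = evaluate(scan, Policy())
        print(scan.image, "ALLOW" if allowed else "DENY", reasons)
```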