Google has recently added Payment Card Industry Data Security Standard (PCI DSS) Policy bundle to Anthos Config Management (ACM). In its version 3.2.1, security administrators can now understand compliance with PCI DSS requirements using the Policy Controller Dashboard.
Poonam Lamba, Product Manager, and Andrew Peabody, Technical Solutions Consultant at Google Cloud wrote a blog post explaining the policy bundle and controller. A policy bundle is a pre-configured collection of constraints that are developed and maintained by Google. With Policy Controller, it is possible to apply customizable policies to your clusters and enforce them effectively.
The PCI DSS Bundle has the PCI DSS Control Number associated with each constraint, which can be cross-referenced to track compliance with PCI DSS Standards. The policies included in the policy bundle center around areas like secure networks, systems, applications, and robust access control and monitoring. As an example, in the context of robust access control and monitoring — to ensure uniform and accurate time across nodes, policies are in place that mandate the utilization of Container-Optimized OS as the OS image.
For auditing and sharing any policy violations on the cluster, the security administrators can utilize the Policy Controller Dashboard. It provides a UI, including policy usage metrics and an ability to set up log-based alerts.
To install PCI DSS Bundle v3.2.1, the target environment requires Anthos Cluster(s) with Policy Controller v1.14.0 or higher. Further guidelines to install the policy bundle are described in this blog post.
Whenever there is a policy violation, Cloud Logging automatically logs it, and security administrators can utilize filters like the ones mentioned below in the Logs explorer:
resource.type="k8s_container"
resource.labels.namespace_name="gatekeeper-system"
resource.labels.pod_name:"gatekeeper-audit-"
jsonPayload.process: "audit"
jsonPayload.event_type: "violation_audited"
jsonPayload.constraint_name:*
jsonPayload.constraint_namespace:*
Several new controls have been introduced by PCI DSS in its latest version 4.0, which organizations must implement right away to fortify the security of their payment systems.
As a side, to meet PCI’s most stringent security, audit compliance, low latency, and high-performance requirements Microsoft recently introduced Azure Payment Hardware Security Modules (HSM). Currently available only in the Azure Cloud, the service is currently available in East US and North Europe regions.
In addition to enforcement of policy bundles and custom policies for the Kubernetes cluster, Policy Controller can also be used to analyze the cluster configuration before deployment. Interested users can get started with the policy controller here or check out the best practices with policy bundles here.
