Cloud-Native Applications and PCI-DSS Compliance
Securing access to payment cardholder data, as required by PCI-DSS, can pose a significant challenge when organizations deploy applications across multiple environments, with no permanence of location or traditional network segmentation.
As such, compliance must meet requirements from the infrastructure to the operating system and then to the network level. Cloud architectures add complexity. They require changes in how organizations govern, monitor, and audit access, privileges, and networking.
Traditional security tools cannot track changes and provide context in such environments. They will not ensure the same levels of compliance as they have in those infrastructures.
Cloud-native technology introduces dramatic changes to application development. It sometimes involves open-source components, potentially introducing new vulnerabilities, and evading security processes based on existing version and configuration management. It also accelerates the software development timeline, which puts pressure on established security practices.
Cloud-native environments impact PCI compliance in a few key areas:
Containerized and serverless applications introduce challenges in tracking where your workloads are running. The network connections between the different workloads should be identified to prevent intrusion.
Cloud-native applications that use open-source components may contain vulnerabilities. These applications should be monitored for security vulnerability information, and mitigated before being used in production.
Workloads should be accessible only to individuals with specific job-related needs.
Threat Analysis and Mitigation
One of the pillars of any given cloud-native environment is its policy-based security rules that can maintain an automated check for ongoing monitoring and prevention of malicious activity.
Data Protection, Real-time Visibility, and Event Auditing
Access to PCI-sensitive data and systems must be logged and audited. Access to these files must be restricted and backed up regularly. When working with containers, existing audit methods may not have sufficient functionality to track this kind of data in a cloud-native environment.
Stronger Authentication Requirements
Identity and access management (IAM) plays a crucial role in safeguarding cardholder data, and the new version of the standard recognizes that.
As the payments industry has gradually moved towards cloud infrastructures, stronger authentication standards for payment and control access logins are necessary. PCI-DSS 4.0 considers the following key points:
- Multifactor authentication (MFA) usage for all accounts that have access to the cardholder data, not just administrators accessing the cardholder data environment
- Passwords for accounts used by applications and systems must be changed at least every twelve months and upon suspicion of compromise
- Strong passwords for accounts used by applications and systems, must contain at least fifteen alpha-numeric characters. PCI-DSS requires that the prospective passwords be compared against the list of known bad passwords
- Access privileges must be reviewed at least once every six months
- Vendor or third-party accounts may be enabled only as needed and monitored when in use
The PCI-DSS 4.0 standard is built with a zero-trust mindset, permitting organizations to build their own unique, pluggable authentication solutions to meet the data security regulatory requirements. At the same time, authentication methods can scale to fit the company’s transaction objectives and risk environment.
Ensure Compliance with Multi-Factor Authentication
Multi-factor authentication has become vital in ensuring secure access to systems and other valuable resources. It provides superior safety measures when attempting to access systems and financial applications, and is also an important requirement to comply with regulations such as PCI-DSS 4.0 and GDPR. MFA prevents access to phishing websites or spoofing applications, the added security layers provided by MFA help to keep you from falling for these types of traps.
Modern authentication methods represent a more robust security structure than simple passwords. They also provide a better user experience when logging into applications. MFA makes it easier for auditors to get answers to critical compliance questions.
MFA provides valuable information, such as which users are granted access to which system and how the access policy is enforced. Additionally, some of the modern MFA applications available today also include reporting capabilities. That ensures that compliance standards, such as PCI-DSS, are met.
CSP Authenticator+® provides multi-factor authentication for NonStop servers and supports various authentication methods. It can be used as a Safeguard SEEP or with Pathway and non-Pathway applications. Almost any application, including TACL, can now easily support multi-factor authentication.
The new CSP Authenticator + cloud-native application was developed using a modern cloud-based framework. This redesign focuses on providing security, flexibility, and scalability.
Multiple authentication methods such as RADIUS, Active Directory, RSA, and Open LDAP are supported. Additional authentication methods include Email, Text Messages, and Google Authenticator.
- New cloud-based framework – A new cloud-native application built using modern technologies
- Support for Kubernetes Helm deployments – easy to deploy in cloud environments using Kubernetes framework
- Support for High Availability environments – Create highly available Kubernetes clusters for resiliency
- No differentiation between Primary and Secondary authentication – users can choose any mix of available authentication methods, and even choose more than 2 authentication methods
- Application-based authentication methods are now supported, and more authentication methods are being added. Authentication methods currently supported include RSA, LDAP, Active Directory, RADIUS, Google and Microsoft authenticator, OTP via Email, and OTP via SMS
- Set different authentication methods for different user groups and privileged groups
- Redesigned user interface makes it more intuitive and user friendly
- Maintain a matrix of authentication profiles, policies (authentication methods), and users
- Support for various databases, including Amazon S3, Atlas Cloud service, MongoDB, etc.
- Protect valuable resources and data
- Add layers of authentication for secure access to systems and critical applications
- Address PCI compliance requirement 8.3 which requires multi-factor authentication for all personnel with remote access, and non-console administrative access to the cardholder data environment
- Integrate with centralized ID management systems to effectively manage users
CSP Authenticator+ Key Features:
- Support for multiple authentication factors including RSA, RADIUS, Active Directory, and LDAP, Microsoft, Google, OTP
- Create various profiles and policies for different set of users, and applications
- Ability to use more than two authentication methods
- Provides standardized authentication across platforms
- Configure for all or only selected/privileged users
- Fully encrypted communications with cloud native application
- Supports various databases
- Support for new authentications methods
- Supports TACL, Pathway and Non-Pathway applications
For complimentary access to CSP-Wiki®, an extensive repository of NonStop security knowledge and best practices, please visit wiki.cspsecurity.com
We Built the Wiki for NonStop Security ®
+1(905) 568 –8900