Google Cloud Adds New PCI DSS Policy Bundle to Anthos Config Management

Google has recently added a Payment Card Industry Data Security Standard (PCI DSS) policy bundle to Anthos Config Management (ACM). With version 3.2.1 of the bundle, security administrators can now assess compliance with PCI DSS requirements from the Policy Controller Dashboard.

Poonam Lamba, product manager, and Andrew Peabody, technical solutions consultant at Google Cloud, wrote a blog post explaining the policy bundle and controller. A policy bundle is a pre-configured collection of constraints developed and maintained by Google. With Policy Controller, it is possible to apply customizable policies to your clusters and enforce them effectively.

Each constraint in the PCI DSS bundle carries the PCI DSS control number it implements, so violations can be cross-referenced against the standard when tracking compliance. The policies in the bundle center on secure networks, systems and applications, and on robust access control and monitoring. For example, under robust access control and monitoring, a policy mandates Container-Optimized OS as the node OS image, which ensures uniform and accurate time across nodes.

Security administrators can utilize the Policy Controller Dashboard to audit and share any policy violations on the cluster. It provides a UI, including policy usage metrics and an ability to set up log-based alerts.

Source: Harden your Kubernetes clusters and monitor workload compliance with PCI DSS policy bundle | Google Cloud Blog

To install PCI DSS Bundle v3.2.1, the target environment requires Anthos Cluster(s) with Policy Controller v1.14.0 or higher. Further guidelines to install the policy bundle are described in this blog post.

Whenever there is a policy violation, Cloud Logging automatically logs it, and security administrators can utilize filters like the ones mentioned below in the Logs explorer:

resource.type="k8s_container"
resource.labels.namespace_name="gatekeeper-system"
resource.labels.pod_name:"gatekeeper-audit-"
jsonPayload.process: "audit"
jsonPayload.event_type: "violation_audited"
jsonPayload.constraint_name:*
jsonPayload.constraint_namespace:*
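To show what this filter selects, here is an added Python example (not code from the article or from Google) that applies the same field tests to constructed log entries and counts audited violations per constraint, the series a log-based alert would key on. The sample values, the pod names and the resource_name field are assumptions.

```python
from collections import Counter

# Constructed sample Cloud Logging entries (not captured data). Field names follow the
# article's filter; resource_name is an assumed Gatekeeper audit field.
def _entry(constraint, resource, ns="gatekeeper-system",
           pod="gatekeeper-audit-7c9d-x1", process="audit", event="violation_audited"):
    return {"resource": {"type": "k8s_container",
                         "labels": {"namespace_name": ns, "pod_name": pod}},
            "jsonPayload": {"process": process, "event_type": event,
                            "constraint_name": constraint, "constraint_namespace": "",
                            "resource_name": resource}}

SAMPLE_ENTRIES = [
    _entry("example-require-cos-image", "node-1"),
    _entry("example-require-cos-image", "node-2"),
    _entry("example-block-privileged", "payments-api"),
    # admission-webhook line: same namespace but wrong pod and process, must be excluded
    _entry("example-block-privileged", "payments-api", pod="gatekeeper-controller-x",
           process="webhook", event="request_evaluated"),
    # audit-looking line from another namespace, must be excluded
    _entry("example-require-cos-image", "node-3", ns="kube-system"),
]

# The article's Logs Explorer filter as (field, operator, value); ":*" means "present".
FILTER = [
    ("resource.type", "=", "k8s_container"),
    ("resource.labels.namespace_name", "=", "gatekeeper-system"),
    ("resource.labels.pod_name", ":", "gatekeeper-audit-"),
    ("jsonPayload.process", ":", "audit"),
    ("jsonPayload.event_type", ":", "violation_audited"),
    ("jsonPayload.constraint_name", ":*", None),
    ("jsonPayload.constraint_namespace", ":*", None),
]

def _lookup(entry, dotted):
    for part in dotted.split("."):
        entry = entry.get(part) if isinstance(entry, dict) else None
    return entry

def matches_filter(entry):
    """'=' is exact, ':' a case-insensitive substring match, ':*' field present."""
    for field, op, value in FILTER:
        actual = _lookup(entry, field)
        if actual is None or (op == "=" and actual != value) or (
                op == ":" and value.lower() not in str(actual).lower()):
            return False
    return True

def violations_by_constraint(entries):
    return Counter(e["jsonPayload"]["constraint_name"] for e in entries if matches_filter(e))
```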

PCI DSS version 4.0, the latest release of the standard, introduces several new controls that organizations must implement right away to fortify the security of their payment systems.

As an aside, to meet PCI's most stringent security, audit compliance, low-latency and high-performance requirements, Microsoft recently introduced Azure Payment Hardware Security Modules (HSM). Available only in the Azure cloud, the service is currently offered in the East US and North Europe regions.

In addition to enforcing policy bundles and custom policies for the Kubernetes cluster, Policy Controller can also analyze the cluster configuration before deployment. Interested users can start with the policy controller or check out the best practices with policy bundles in the Google Cloud documentation.
