Creating a healthy security posture is one of the key factors in achieving PCI DSS certification, especially for enterprises. When it comes to security, even the smallest details matter and can cause serious trouble. In this post we'll talk about how to achieve better security outcomes with the help of version control and automation, and how this can help you with your PCI DSS certification.
The PCI Environment
As you most likely already know, PCI DSS is a set of security standards, and anyone handling credit card data and transactions must satisfy PCI requirements. Depending on your merchant level, requirements can be quite strict. For example, while Level 4 merchants can conduct a self-assessment in order to achieve certification, Level 1 merchants must hire and have on site an independent auditor to thoroughly assess the merchant’s security.
Regardless of where your organization sits in the merchant level spectrum, the key takeaway I’d like to emphasize here is that you are ultimately responsible for securing the environment where credit card data traffic flows and/or is stored. This can be everything from servers at your datacenter, to computers at the office and even the people who use those systems. Service providers like AWS have offerings that are validated PCI DSS compliant by independent assessors. However, as AWS is only a service provider, it is not directly responsible for your security, nor your PCI certification. Said another way, while AWS provides a secure environment, your organization is responsible for securing what it runs there and for achieving PCI certification.
To give you an example, AWS is responsible for securing its data center buildings against unauthorized access or for patching database server software; they are not responsible for your database password or how you choose to store it.
Working from a secure foundation, and knowing that ultimate ownership for PCI certification belongs to your organization, our DevOps consultants have found that it is extremely helpful to take a DevOps approach to creating a PCI-ready infrastructure. DevOps best practices provide great mechanisms for ensuring and auditing actions. Two aspects that stand out for us in particular are automation and the ability to effectively manage version control for automation.
Version Control
Let’s start with version control as it is one of the base components of any DevOps operation. Most organizations already keep their code, builds, configs etc. under version control. So, why not your security?
Imagine that you have dozens of teams and developers and you'd like to control their access to your environment. Security best practices dictate that you set permissions as granularly as possible to avoid incidents. Yet the overhead of following all those rules without any control mechanism could very well end in disaster. The simplest way to improve the visibility of your rules is to put them under a version control system such as git (except for sensitive information, of course).
This way you can easily follow up on, modify and/or remove rules while gaining better collaborative input. Permissions are not the only thing that matters for security; your configurations do as well. In our experience using DevOps best practices for enhanced and sustained security, we have found that version control will help you immensely by adding greater visibility and flexibility.
Automation
The second important DevOps element is automation. When you provision a resource in your environment, you must be sure that it will have the correct permissions and security patches. In our experience, doing this manually is a really large headache -- especially when your organization has lots of resources. Instead, you can prevent many problems ahead of time with automation and version control. For instance, when you add a new server to your fleet or when you want to remove a user's access to certain components, with automation and version control you can be confident no security holes are overlooked.
Specifically, with automation you can easily control nearly every component of your environment -- such as operating system patches, firewall rules, user permissions, and more. While at first it may seem like a burden to automate all these components, once you're done, your security and security management will level up. In the end, when your assessor warns you about a weakness, you can fix it easily and have confidence that the same issue won’t re-appear. In addition to easing management, automation is your best friend when it comes to human errors. Security should have a zero tolerance policy for omitting even a single component, as any omission opens the organization to risk. We all forget things from time to time and make fat-finger and other innocent mistakes; with proper automation in place, you only need to remember to start your automated process and the rest executes error-free.
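To make the combination of version control and automation concrete, here is an added example (not from the original post or from Flux7's tooling) of a check that could run automatically on every change to a rules file kept in git. The file format, rule names and the "only HTTPS may be public" policy are assumptions made for illustration; the sample data is constructed.

```python
import ipaddress
import json
import re

# Constructed sample of a rules file kept in git (hypothetical format).
SAMPLE_RULES = json.loads("""
{
  "firewall": [
    {"name": "web-https", "port": 443, "source": "0.0.0.0/0"},
    {"name": "db-admin", "port": 5432, "source": "0.0.0.0/0"},
    {"name": "db-app", "port": 5432, "source": "10.0.2.0/24"}
  ],
  "permissions": [
    {"team": "payments", "action": "db:read", "resource": "cardholder-db"},
    {"team": "web", "action": "*", "resource": "*"}
  ],
  "database": {"host": "db.internal.example", "password": "hunter2"}
}
""")

PUBLIC_PORTS = {443}  # assumption: only HTTPS may be open to any source
SECRET_KEY = re.compile(r"pass(word)?|secret|token|api[_-]?key", re.I)

def find_secrets(node, path=""):
    """Walk the document and report keys that look like stored credentials."""
    if isinstance(node, dict):
        for key, value in node.items():
            here = f"{path}/{key}"
            if SECRET_KEY.search(key) and isinstance(value, str) and value:
                yield f"secret in version control: {here}"
            yield from find_secrets(value, here)
    elif isinstance(node, list):
        for i, item in enumerate(node):
            yield from find_secrets(item, f"{path}/{i}")

def audit_rules(rules):
    """Return a list of findings; an empty list means the change may merge."""
    findings = []
    for fw in rules.get("firewall", []):
        net = ipaddress.ip_network(fw["source"], strict=False)
        if net.prefixlen == 0 and fw["port"] not in PUBLIC_PORTS:
            findings.append(f"firewall {fw['name']}: port {fw['port']} open to any source")
    for perm in rules.get("permissions", []):
        if "*" in (perm["action"], perm["resource"]):
            findings.append(f"permission for {perm['team']}: wildcard is not granular")
    findings.extend(find_secrets(rules))
    return findings

if __name__ == "__main__":
    for finding in audit_rules(SAMPLE_RULES):
        print("FAIL:", finding)
```

Run as a required step before merge, a non-empty result blocks the change, so a weakness an assessor flagged once cannot quietly return in a later commit.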
While there are many applications of DevOps concepts in security, automation and version control are two great places to start. Importantly, DevOps best practices can help build a secure environment from the ground up, a more fruitful approach than bolting security on as an afterthought. I’ll leave you with this analogy: would you rather drive a race car whose roll cage was included in the initial design and built in during construction or one whose roll cage was added after the car was built?
To learn how Flux7 helped RentACenter implement PCI controls in AWS, please check out their presentation at AWS Summit. And in the meantime, if you’d like to talk about building security in using DevOps best practices, please reach out to us today.