Updated guidance to customer for PCI compliance on Oracle Cloud Infrastructure

Sanjay Basu

Note: My original blog series was published in ORACLE CLOUD INFRASTRUCTURE blog site. I have republished it here with permission.

Official Disclaimer: The views and opinions expressed in this blog are those of the author and do not necessarily reflect the official policy or position of Oracle Corporation.

This blog is an update and continuation of the blog published on August 20, 2018, explaining how to use underlying security controls for achieving PCI compliance for customer environments on Oracle Cloud Infrastructure (OCI). Over the past two years, we’ve added scores of security and security-focused services that customers can use to achieve PCI and other industry-specific regulatory compliance.

Recap

The high-level guidance from PCI Security Standards Council has 12 detailed requirements across the following sections:

  • Build and maintain a secure network and system.

  • Protect cardholder data.

  • Maintain a vulnerability management program.

  • Implement strong access control measures.

  • Regularly monitor and test networks.

  • Maintain an information security policy.

Through our attestation, we’ve already met other requirements for shared hosting providers. The following OCI services have the PCI DSS attestation of compliance:

  • Compute

  • Networking

  • Load Balancing

  • Block Volumes

  • Object Storage

  • Archive Storage

  • File Storage

  • Data Transfer service

  • Database

  • Exadata

  • Container Engine for Kubernetes

  • Container Registry

  • FastConnect

  • Governance

For more information, view and download compliance documents from the Oracle Cloud Console. I’ve provided a list of new services that we’ve added across all six sections, along with the services mentioned in the original blog.

Build and maintain a secure network and system

Requirement 1A: Install and maintain a firewall configuration to protect cardholder data.

You can get more protection with firewall appliance images available from Oracle Cloud Marketplace.

Requirement 1B: Don’t use vendor-supplied defaults for system passwords and other security parameters.

Protect cardholder data

Requirement 2A: Protect stored cardholder data.

  • Existing solution: Protects data at rest. By default, Oracle Cloud Infrastructure Block, File, and Object Storage are encrypted.

  • New solution: When you create an instance, you can encrypt data in transit from the instance to the storage enclave using TLS 1.2.

Oracle Cloud Infrastructure Security Zones enforces more than 30 security protections.

Requirement 2B: Encrypt and protect transmission of cardholder data across open, public networks.

  • Existing solution: All our control and management plane communications are protected with TLS, which is necessary for the PCI DSS attestation. We also recommend using TLS (not SSL) and front-ending the application with our load balancers, as required. We recommend using SSH, IPSec VPN, and FastConnect.

  • New solution: Oracle Cloud Infrastructure Web Application Firewall.

Maintain a vulnerability management program

Requirement 3A: Protect all systems against malware and regularly update antivirus software or programs.

  • Existing solution: Ensure that anti-virus software is deployed at the OS level using Oracle Cloud Infrastructure Native Web Application Firewall.

  • New solution: Platinum Partner solutions from McAfee and Cybereason from Oracle Cloud Marketplace

Oracle and McAfee partner on first cloud native security operation center.

Requirement 3B: Develop and maintain secure systems and applications.

  • Existing solution: To develop and maintain secure systems, have a patch management policy in place and use a managed cloud service provider.

  • New solution: Oracle and McAfee partner on first cloud native security operation center.

Implement strong access control measures

Requirement 4A: Restrict access to cardholder data by business need-to-know. Identify and authenticate access to system components.

  • Existing solution: Review documentation on Identity and Access Management (IAM) controls for compartments and policies. We also suggest using Oracle IDCS for further security controls around access policies. For Oracle Container Engine for Kubernetes, our solution is to use Kubernetes role-based access control with IAM.

  • New solution: IAM Policy Templates, Compartment Explorer, federation with Microsoft Active Directory and Azure Directory, and SSO Integration with IdPs like Ping and Okta.

Requirement 4B: Restrict physical access to cardholder data.

  • Existing solution: Covered under our physical security controls for the data center at the availability domain and region level. We have ISO 27001 certification and SOC 1, SOC 2, and SOC 3 attestations, which provide the basis for control testing relevant to our PCI DSS Attestation of Compliance.

  • New solution: On-going certifications and access to all regulatory attestation and certification documents for viewing and downloading through the Cloud Console access.

Regularly monitor and test networks

Requirement 5A: Track and monitor all access to network resources and cardholder data. Regularly test security systems and processes.

  • Existing solution: Use Oracle CASB and Audit services for monitoring. Integrate CASB and audit logs with existing SIEM solutions. Schedule regular penetration testing of environments based on OCI, using Pen Testing on OCI and Schedule Pen Test through UI.

  • New solution: Oracle Cloud VCN flow logs, enhanced Logging service, and Cloud Guard Automatic Detection and Remediation service.

“This service constantly monitors a company’s cloud configurations and activities to spot threats and security risks, such as a suspicious IP address or a login from an unusual location. IT teams can set up Oracle Cloud Guard, so that it either automatically remediates the risk—by quarantining or shutting down such activity—or alerts a person who can authorize the remediation.” Forbes.com

Maintain an information security policy

Requirement 6A: Maintain a policy that addresses information security for all personnel.

  • Existing solution: While customers are responsible for their security policies, we’re happy to help in any way we can. Most customers have existing security policies, and our team can help with cloud (IaaS, PaaS, or SaaS) specific perspectives and security policy.

  • New solution: Both included and paid services with consulting available from Oracle North America Cloud Engineering. Contact your Oracle Cloud sales representative or Oracle account manager.

Conclusion

I hope these steps simplify the road to PCI compliance for your environments on Oracle Cloud Infrastructure. Look out for more blogs, white papers and technical briefs, and infrastructure security as code (ISaC) for security and compliance on the cloud to ease your migration to Oracle Cloud.


Comments

Post a Comment

Popular posts from this blog

OCI Object Storage: Copy Objects Across Tenancies Within a Region

Image
Note : My original blog was published in ORACLE CLOUD INFRASTRUCTURE blog site on April 15th, 2019. I have republished it here with permission. Official Disclaimer : The views and opinions expressed in this blog are those of the author and do not necessarily reflect the official policy or position of Oracle Corporation. This post was developed jointly with Mohamad Charaf, Oracle Enterprise Cloud Architect. If you have two tenancies in the same region, and you want to copy data that is stored in Object Storage from one tenancy to the other without making the buckets public, this action requires some additional types of identity and access management (IAM) policies. This blog post walks you through how to create these policies. For this example, the source tenancy is named ACMEBMCS and the destination tenancy is named ACMEOCISA. In ACMEBMCS, the Object Storage buckets are in the benchmark compartment. In ACMEOCISA, the target compartment is oracleexa . The follow
Read more

The Legal Rights of an Algorithm

Image
  At first glance, you might think how it’s possible for something that doesn’t have a mind, body, or soul to have any legal entitlement. After all, algorithms don’t have physical attributes, and their existence can’t be easily tracked unless you’re a tech specialist responsible for creating them.  However, while algorithms don’t have any physical attributes, they have become smarter over time, mimicking human behaviors and traits to produce actionable results. Initially, algorithms started as simple data sets combined in several valuable ways to create patterns. They generate suggestions and solutions that help guide you, whether you’re on social media or search engines, while also providing insights within several fields, including the legal, medical, and marketing fields. Algorithms also consistently correct their mistakes without requiring human intervention.  Believe it or not, algorithms have legal rights too. While many users are skeptical about algorithms because of security an
Read more

Religious Perspectives on Artificial Intelligence: My views

Image
  I am an Atheist. Born in a Hindu family, I have experimented with Christianity and Buddhism. Jokingly, I describe my journey from Many Gods to One and then None. I followed Hinayana Buddhism for a long time. Lately, I have been studying Lokayata/Carvaka school of the Hindu Darsana (philosophy). I like to be identified as a Hindu Atheist. Why Hindu? Because my birthplace is on the east side of the River Indus.
Read more