Security State: The Invisible Condition That Impacts Your PCI

Posted on November 19, 2019 by Mike Shinn

This is part 2 of a 7-part series on PCI compliance in the cloud.

Most businesses have assets in their environments that they aren’t aware exist. For instance, if a virtual machine is de-provisioned in the cloud environment, its file system may still live on − unprotected, unaudited, and but still inside the scope of PCI.

Anything that touches anything else that touches cardholder data is part of your state, and it must be included in your security program. If you don’t know your state, you can’t ensure PCI compliance.

What is State?

Your state is the condition of your cloud computing environment. That includes things like:

What is your digital footprint in the cloud?
What systems and resources do you have in the cloud?
What data is stored and processed by your cloud systems and where is it?
What security controls do you have in place?
Are those controls working, and are they effective?

The 3 Most Common Misconceptions about State & PCI Compliance

All systems are built and deployed exactly as they were designed.
This never happens in the real world. Priorities, budgets, and technical debt will change your environment.
Only your application is in scope for PCI.
All connected systems that touch PAN are in scope.
When an autoscaled environment is torn down, all associated data is also destroyed.
Storage and other data repositories can persist, and volumes may exist with old PAN data. P.S: You’re being charged for them, too.

Your Top 2 Priorities Right Now

Use OpenSCAP to know your state

OpenSCAP is the secure content automation protocol, a PCI-validated ecosystem that provides tools that help businesses assess, measure, and enforce security baselines.

OpenSCAP will capture misconfigurations of the workload that can create vulnerabilities. It also generates reports and artifacts to demonstrate compliance with technical controls within PCI.

The PCI Security Standards Council requires that covered organizations only use tools validated by the Council. One reason we like OpenSCAP is that it’s defensible. From a hands-on perspective, OpenSCAP helps businesses verify they’ve taken the actions required by PCI DSS to remain in compliance. It is approved and recognized by other standards bodies, as well.

Test for design vulnerabilities using a tool like OpenVAS or Arachni

OpenVAS and Arachni are free software frameworks that perform vulnerability scanning and management. Use one of them to capture known vulnerabilities in the software used in the workload.

The Takeaway

If you’re not already performing continuous monitoring, start working on it now — especially if you’re in the cloud. OpenVAS and Arachni are software options that are accessible to any organization.

Relevant PCI Requirements

2.1 Change vendor-supplied defaults and remove/disable unnecessary default accounts

9.5 Store media back-ups in a secure location, preferably off-site

9.8 Ensure that management approves any and all media moved from a secured area, especially when media is distributed to individuals

9.9 Maintain strict control over the storage and accessibility of media

9.10 Destroy media when it is no longer needed for business or legal reasons.

Atomic Products For Workload Security and Compliance

Built on the open source foundation of OSSEC, Atomicorp offers comprehensive host intrusion detection, attack protection and compliance all in a single unified platform that runs anywhere.

Atomicorp protects critical workloads in the cloud, the data center and in hybrid environments.

Learn More