PCI Compliance in the Cloud: File Integrity Monitoring and Workload Auditing - Atomicorp - Unified Security Built on OSSEC


This is part 3 of a 7-part series about PCI DSS compliance in the cloud.

How to Support Continuous PCI Compliance with Workload Auditing and SIM/FIM

PCI DSS requires organizations to maintain “continuous compliance” on all systems touching cardholder data, rather than relying solely on annual PCI audits.

SIM and FIM technologies detect changes to workloads, servers, files and their associated attributes. A FIM in particular monitors more than just the data stores and files containing sensitive data: it also monitors files, configuration information and software native to the operating system, such as registries, binaries and libraries, as well as infrastructure components such as the configuration of network and cloud devices, web servers and firewalls. The output is an easily read report that reveals current vulnerabilities.

Why SIM and FIM Matter to PCI Compliance

A common tactic employed by malicious actors is the fileless attack, in which changes are made to the operating system or within critical applications rather than by dropping new files. SIM and FIM technologies expose unauthorized changes to the workload, to files and to the configuration of the environment, so attackers can be prevented from turning the system against itself to hijack cardholder data. This was one of the methods used to steal at least 45 million payment cards from TJ Maxx. That number may actually be as high as 94 million, but no one knows for sure because the company lacked the log data needed to perform a complete forensic analysis. More on logging later…

Top File Integrity Monitoring (FIM) Don’ts and Do’s

Don’ts

1. Only Scan Periodically — Periodic scanning for file changes is insufficient. FIM must be performed in real time to ensure both security and continuous compliance.

2. Tolerate Poor Visibility Into Change — Knowing that something changed is not enough. You must know in real time what the change was, who made it, and when it happened.

3. Implement an On-Prem Solution in the Cloud — SIM/FIM designed for on-premises deployments will not work optimally in a cloud environment. The software must be optimized for dynamic scaling, and it must also be small enough not to increase cloud consumption costs.
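The attribute coverage described above (content, permissions, ownership, timestamps) and the second Don’t (knowing exactly what changed, not merely that something changed) can be made concrete with a small snapshot-and-compare tool. The following is an added illustration written in Python for this article; it is not Atomicorp’s or OSSEC’s code. It records a SHA-256 digest plus size, permission bits, owner, group and mtime for every file under a directory and reports, per file, which attribute changed between two snapshots. The directory layout and file contents in `demo()` are constructed for the example.

```python
"""Snapshot-and-compare file integrity check (added illustration, not
Atomicorp's or OSSEC's code). Tracks the attributes a FIM is expected to
watch and reports which of them changed, per file, between two snapshots."""
import hashlib
import os
import stat
import tempfile
from pathlib import Path

# Attributes recorded per file; a difference in any one of them is an event.
TRACKED = ("sha256", "size", "mode", "uid", "gid", "mtime")


def sha256_of(path: Path) -> str:
    """Stream the file through SHA-256 so large binaries are not read into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root) -> dict:
    """Map each regular file under `root` (path relative to root) to its tracked attributes."""
    root = Path(root)
    result = {}
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        st = path.lstat()
        result[path.relative_to(root).as_posix()] = {
            "sha256": sha256_of(path),
            "size": st.st_size,
            "mode": stat.S_IMODE(st.st_mode),  # permission, setuid/setgid and sticky bits only
            "uid": st.st_uid,
            "gid": st.st_gid,
            "mtime": int(st.st_mtime),
        }
    return result


def compare(before: dict, after: dict) -> list:
    """Return (relpath, event, detail) tuples; for 'modified', detail maps
    each changed attribute to its (old, new) values."""
    events = []
    for rel in sorted(set(before) | set(after)):
        if rel not in before:
            events.append((rel, "added", after[rel]))
        elif rel not in after:
            events.append((rel, "deleted", before[rel]))
        else:
            diff = {k: (before[rel][k], after[rel][k])
                    for k in TRACKED if before[rel][k] != after[rel][k]}
            if diff:
                events.append((rel, "modified", diff))
    return events


def demo() -> list:
    """Constructed scenario: a config edit, a permission change on a binary,
    one file removed and one added, all between two snapshots."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "bin").mkdir()
        (root / "app.conf").write_text("debug=false\n")
        (root / "bin" / "tool").write_bytes(b"constructed-binary")
        (root / "old.txt").write_text("x")
        before = snapshot(root)

        (root / "app.conf").write_text("debug=true\n")   # content changed
        os.chmod(root / "bin" / "tool", 0o4755)          # setuid bit added, content intact
        (root / "old.txt").unlink()
        (root / "new.txt").write_text("y")
        after = snapshot(root)
        return compare(before, after)


if __name__ == "__main__":
    for rel, event, detail in demo():
        print(f"{event:9} {rel}: {detail}")
```

Two caveats a practitioner would want here. First, a snapshot comparison is exactly the periodic scan the first Don’t warns against; a production FIM replaces the loop with filesystem change notifications (OSSEC’s syscheck, for example, offers a real-time mode) so that the event is raised when the write happens. Second, “who made the change” cannot be recovered from file metadata at all: it requires the kernel audit trail (auditd on Linux, or a FIM’s who-data feature where one is offered) correlated with the change event.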

Do’s

1. Implement Comprehensive Cloud Coverage — You must have SIM and FIM for all existing cloud systems.

2. Deploy Strategically for Scale — You must set up your deployment process to ensure SIM and FIM technologies are always deployed and will scale out as needed.

3. Demand Real-Time Reporting — You must have real-time reports from your SIM/FIM with sufficient detail about each change. Otherwise, you may miss critical file changes or attacks.

The Takeaway

A SIM/FIM is required to satisfy PCI requirements. Be sure you have a FIM on all cloud workloads that you expect to ever process or store PAN data.

A FIM is also a key tool from an incident response perspective.

But be aware that a FIM does not protect you from attacks. It’s a rearview mirror. Look for comprehensive cloud workload protection technologies to ensure your workloads are protected and continuously compliant.

Relevant PCI DSS Requirements

10.2 Implement automated audit trails for all system components to reconstruct events.

10.5 Secure audit trails so they cannot be altered.

10.5.3 Promptly back up audit trail files to a centralized log server or media that is difficult to alter.

10.5.5 Use file-integrity monitoring or change-detection software on logs to ensure that existing log data cannot be changed without generating alerts (although new data being added should not cause an alert).
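Requirement 10.5.5 has an edge case that a naive whole-file hash gets wrong: a log that is written to continuously changes legitimately all day, so hashing the entire file would alert on every append. The following is an added illustration in Python, not Atomicorp’s or OSSEC’s code, of one way to alert only on changes to existing log data. The baseline stores the file length and the SHA-256 of the bytes seen so far; each check rehashes only that prefix. If the file is at least as long as before and the prefix digest still matches, the change is an append and the baseline rolls forward; truncation, an in-place edit or a full rewrite alters the prefix and raises an alert. The log lines and the tampering sequence in `demo()` are constructed for the example.

```python
"""Append-only change detection for log files (added illustration of
PCI DSS 10.5.5; not Atomicorp's or OSSEC's code)."""
import hashlib
import tempfile
from pathlib import Path

CHUNK = 65536


def prefix_digest(path, length):
    """SHA-256 of the first `length` bytes of `path`, plus the byte count actually read."""
    h = hashlib.sha256()
    remaining = length
    with open(path, "rb") as f:
        while remaining > 0:
            chunk = f.read(min(CHUNK, remaining))
            if not chunk:          # file shorter than expected
                break
            h.update(chunk)
            remaining -= len(chunk)
    return h.hexdigest(), length - remaining


def baseline(path):
    """Record the current length and the digest of everything written so far."""
    size = Path(path).stat().st_size
    digest, _ = prefix_digest(path, size)
    return {"size": size, "sha256": digest}


def check(path, base):
    """Return (alert, reason, new_base).

    Appends are not alerts; anything that changes bytes already covered by
    the baseline is. The baseline only rolls forward on a clean append, so a
    tampered file keeps tripping the alert until an operator re-baselines."""
    p = Path(path)
    if not p.exists():
        return True, "missing", base
    size = p.stat().st_size
    if size < base["size"]:
        return True, "truncated", base
    digest, read = prefix_digest(path, base["size"])
    if read != base["size"] or digest != base["sha256"]:
        return True, "modified", base
    if size == base["size"]:
        return False, "unchanged", base
    return False, "appended", baseline(path)


def demo():
    """Constructed scenario: one legitimate append, then three kinds of tampering."""
    with tempfile.TemporaryDirectory() as d:
        log = Path(d) / "auth.log"
        line1 = "Jan 1 00:00:01 host sshd[101]: Accepted publickey for alice\n"
        line2 = "Jan 1 00:00:05 host sshd[102]: Failed password for root\n"
        log.write_text(line1)
        base = baseline(log)
        outcomes = []

        with open(log, "a") as f:       # normal logging: append only
            f.write(line2)
        _, why, base = check(log, base)
        outcomes.append(why)

        _, why, base = check(log, base)  # nothing new since last check
        outcomes.append(why)

        # Same-length edit of an existing line: size is unchanged, prefix is not.
        log.write_text((line1 + line2).replace("for root", "for user"))
        _, why, base = check(log, base)
        outcomes.append(why)

        log.write_text(line1)            # the failed-login line removed
        _, why, base = check(log, base)
        outcomes.append(why)

        log.write_text("x" * (base["size"] + 10))   # longer, but rewritten from scratch
        _, why, base = check(log, base)
        outcomes.append(why)
        return outcomes


if __name__ == "__main__":
    print(demo())
```

One operational note: log rotation legitimately shrinks or replaces the file, so a deployment of this idea keys the baseline to the inode (or to the rotation event reported by the logging stack) rather than treating every shrink as tampering, and it still forwards the logs to the centralized server called for by 10.5.3, which is the copy an attacker on the host cannot reach.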

Learn more about how to achieve PCI compliance in the cloud. Download the Atomicorp Guide to PCI Compliance to understand state, shared responsibility, web-application firewalls, log aggregation, vulnerability management programs, and storage.