Application containers impacting the PCI compliance status

The Payment Card Industry (PCI) Security Standards Council (SSC) kept us waiting for five years before releasing version 3 of its Cloud Computing Guidelines. The result is an enhanced and even more interesting document which will be widely cited in articles about PCI.

With an improved content structure, 31 additional pages, 22 more referenced documents and a whole new section on cloud technologies (Appendix E), the PCI SSC Cloud Computing Guidelines expand and clarify how cloud technologies influence PCI Data Security Standard (PCI DSS) compliance status.

Scoping, segmentation, service level agreements, data storage, breach notification, incident response, disaster recovery planning and audit trails are all covered, and that is only a partial list of the topics.

While there is broad consensus that cloud solutions for PCI services are on the rise, fewer people know that service providers and merchants are now turning their attention towards containerization. Several resources available online explain what containers are and how they differ from virtual machines (VMs).

An acceptable one-line definition describes “application containers” as isolated application instances running on the same host computer, all sharing the same operating system, which is what enforces the isolation between them.

Why not opt for VMs then? As a general rule, VMs and containers have opposite sets of pros and cons, and the choice of one solution over the other depends mainly on the type of service the company provides. The operating system shared by containers can raise concerns about security and isolation, whereas VMs often lack the application portability that containers offer.

How application containers can be PCI compliant

Before April 2018, when version 3 of the Cloud Computing Guidelines was released, PCI SSC had published no document that dealt with containers. VMs, by contrast, were already contemplated in several PCI DSS requirements, and their presence in the cardholder data environment (CDE) had been explicitly taken into consideration from both security and audit perspectives.

However, containers can deliver better performance than a comparable virtual-machine deployment when multiple instances of the same application need to run. It is easy to see why service providers look at container technologies with great interest as they mature month after month; it is even easier to see why PCI SSC needed to provide recommendations for the adoption of application container solutions, given that the security that can be applied to them is still debatable, even alongside a standardized configuration set-up.

Because containers are lightweight and dynamic by nature, the Security Standards Council focuses its attention on image templates and container orchestration platforms. Recommendations are given on access control and on network, administration and kernel isolation.
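Image templates are where most of these recommendations are decided before a container ever runs. The following lint is an added example, not code from the PCI SSC guidelines or from any vendor: it reads a Dockerfile and flags the settings an assessor would question (unpinned base image, build-time downloads, secrets baked into the image, a final stage that runs as root). The two Dockerfiles at the bottom are constructed for illustration, and the digest in the hardened one is a placeholder.

```python
# Added example (not from the PCI SSC guidelines): a small lint over a Dockerfile
# ("image template") that flags settings at odds with isolation and change control.
import re

SECRET_PATTERN = re.compile(r"(PASSWORD|SECRET|TOKEN|API_KEY)", re.IGNORECASE)


def _base_image_finding(ref, n):
    """Base image references should be pinned by digest so rebuilds are reproducible."""
    if "@sha256:" in ref:
        return None
    # Strip registry/namespace first so a registry port (host:5000/...) is not read as a tag.
    last = ref.rsplit("/", 1)[-1]
    if ":" not in last or last.endswith(":latest"):
        return f"line {n}: base image '{ref}' uses a floating tag; pin a tag and digest"
    return f"line {n}: base image '{ref}' pinned by tag only; add the digest so rebuilds are reproducible"


def lint_dockerfile(text):
    """Return a list of findings (empty means the template passed these checks)."""
    findings = []
    user = None
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        instr, _, args = line.partition(" ")
        instr, args = instr.upper(), args.strip()
        if instr == "FROM":
            user = None  # each stage starts from its base image; assume that defaults to root
            finding = _base_image_finding(args.split()[0], n)
            if finding:
                findings.append(finding)
        elif instr == "USER":
            user = args.split(":")[0]  # "USER app:app" -> "app"
        elif instr == "ADD" and re.match(r"https?://", args, re.IGNORECASE):
            findings.append(f"line {n}: ADD fetches from a URL at build time; copy a verified artifact instead")
        elif instr == "ENV" and SECRET_PATTERN.search(args):
            findings.append(f"line {n}: ENV looks like a secret baked into the image")
    if user is None or user in ("root", "0"):
        findings.append("final stage runs as root: add a non-root USER")
    return findings


# Constructed sample templates (not real project files).
RISKY_DOCKERFILE = "\n".join([
    "FROM python:latest",
    "ADD https://example.invalid/app.tar.gz /app/",
    "ENV DB_PASSWORD=changeme",
    "RUN pip install -r /app/requirements.txt",
    'CMD ["python", "/app/server.py"]',
])

HARDENED_DOCKERFILE = "\n".join([
    "FROM python:3.12-slim@sha256:<digest-from-approved-build>",  # placeholder digest
    "COPY app/ /app/",
    "RUN pip install -r /app/requirements.txt && useradd -r app",
    "USER app",
    'CMD ["python", "/app/server.py"]',
])

if __name__ == "__main__":
    for name, text in (("risky", RISKY_DOCKERFILE), ("hardened", HARDENED_DOCKERFILE)):
        print(name, lint_dockerfile(text) or ["ok"])
```

The checks are deliberately conservative: a tag-only pin is reported separately from a floating tag, because the former is usually acceptable evidence for change control while the latter makes the image that was assessed impossible to identify later.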

Companies validating the isolation strength of their container solution, for instance, can find the task very challenging when the container technology is built in-house, unlike a trusted off-the-shelf solution with a strong security track record over time.

“Process isolation” plays a key role in reaching compliance. Any container orchestration technology in use in a PCI environment must include kernel permission checks on privileged processes, and should also be able to produce audit logs of access management information (e.g. approvals) so that it is possible to demonstrate that access is limited to the minimum number of personnel.

As for firewall systems, a container-specific system-call firewall with a default deny rule provides a solid method for meeting the related PCI requirements. Alternatively, kernel security features such as AppArmor, SELinux, RSEC and Seccomp can be used to enable and filter only known, safe system calls at the OS level.
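The two preceding points, permission checks on privileged processes and a default-deny system-call filter, can both be verified from a container's runtime configuration. The code below is an added example, not code from the PCI SSC guidelines or from any vendor: it builds a Seccomp profile in the JSON layout Docker accepts through `--security-opt seccomp=<file>`, and checks the `HostConfig` section of a `docker inspect` record for privileged mode, added capabilities and a missing `no-new-privileges` option. The syscall allowlist and the two inspect records are constructed for illustration.

```python
# Added example, not code from the PCI SSC guidelines or from any vendor: a defender-side
# check that a container's runtime configuration enforces process isolation and that its
# system-call filter is default deny. The syscall list and inspect records are constructed.
import json

# Constructed allowlist for a small network service; real profiles come from observing the workload.
BASELINE_ALLOWED_SYSCALLS = [
    "read", "write", "close", "fstat", "mmap", "munmap", "brk", "futex",
    "rt_sigaction", "rt_sigprocmask", "exit_group", "getpid", "nanosleep",
    "socket", "bind", "listen", "accept4", "recvfrom", "sendto",
    "epoll_create1", "epoll_ctl", "epoll_wait",
]

# Syscalls a payment workload should never be allowed to make from inside its container.
DANGEROUS_SYSCALLS = {"mount", "umount2", "ptrace", "init_module", "finit_module",
                      "kexec_load", "reboot", "bpf", "unshare", "setns"}

# Seccomp actions that refuse a syscall; anything else as defaultAction means "default allow".
DENY_ACTIONS = {"SCMP_ACT_ERRNO", "SCMP_ACT_KILL", "SCMP_ACT_KILL_PROCESS"}


def build_default_deny_profile(allowed):
    """Seccomp profile in the JSON layout Docker loads with --security-opt seccomp=<file>:
    every syscall not listed is refused with EPERM."""
    return {
        "defaultAction": "SCMP_ACT_ERRNO",
        "architectures": ["SCMP_ARCH_X86_64"],
        "syscalls": [{"names": sorted(allowed), "action": "SCMP_ACT_ALLOW"}],
    }


def check_seccomp_profile(profile):
    """Findings for a profile that is not default deny or that allows known-dangerous syscalls."""
    findings = []
    if profile.get("defaultAction") not in DENY_ACTIONS:
        findings.append("seccomp: defaultAction is not a deny action")
    allowed = set()
    for rule in profile.get("syscalls", []):
        if rule.get("action") == "SCMP_ACT_ALLOW":
            allowed.update(rule.get("names", []))
    for name in sorted(allowed & DANGEROUS_SYSCALLS):
        findings.append(f"seccomp: dangerous syscall allowed: {name}")
    return findings


def check_host_config(host_config):
    """Findings for the HostConfig section of a `docker inspect` record."""
    findings = []
    if host_config.get("Privileged"):
        findings.append("privileged mode: kernel permission checks are bypassed")
    for cap in host_config.get("CapAdd") or []:
        findings.append(f"extra capability granted: {cap}")
    opts = host_config.get("SecurityOpt") or []
    # Docker records the flag as "no-new-privileges" or "no-new-privileges:true".
    if not any(o.startswith("no-new-privileges") for o in opts):
        findings.append("no-new-privileges not set: setuid binaries can regain privileges")
    if "seccomp=unconfined" in opts:
        findings.append("seccomp filter disabled (unconfined)")
    return findings


def assess_container(inspect_record, profile):
    """Combine runtime findings with findings on the profile the container is meant to run under.
    An empty list means every check passed."""
    return check_host_config(inspect_record.get("HostConfig", {})) + check_seccomp_profile(profile)


# Constructed `docker inspect`-style records, trimmed to the fields the checks read.
COMPLIANT_RECORD = {"Id": "c0ffee01", "HostConfig": {"Privileged": False, "CapAdd": None,
                    "SecurityOpt": ["no-new-privileges:true", "seccomp=/etc/docker/payments.json"]}}
RISKY_RECORD = {"Id": "deadbeef", "HostConfig": {"Privileged": True, "CapAdd": ["SYS_ADMIN"],
                "SecurityOpt": ["seccomp=unconfined"]}}

if __name__ == "__main__":
    profile = build_default_deny_profile(BASELINE_ALLOWED_SYSCALLS)
    print(json.dumps(profile, indent=2))
    for record in (COMPLIANT_RECORD, RISKY_RECORD):
        print(record["Id"], assess_container(record, profile) or ["ok"])
```

Each finding line is written so it can be dropped into the audit trail the guidelines ask for: who approved the exception to a default-deny profile is then a question of access management, not of guesswork over what the container could do.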

When containers are created, executed and retired within days or even hours, their lifecycle is reasonably short and it becomes difficult to address change-management requirements such as 6.4.5 or 11.5. The recommendation for such cases is to sample running instances across all in-scope container images.
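The sampling recommendation above is straightforward to turn into a repeatable procedure. The code below is an added example, not code from the PCI SSC guidelines or from any vendor: it groups running containers by image, draws a reproducible sample per image (ordered by a hash of an assessment seed and the container id, so the assessor can re-derive the same selection), and compares each sampled container's image digest with the one recorded in change management. The inventory and the approved-digest table are constructed for illustration.

```python
# Added example, not from the PCI SSC guidelines: a reproducible sample of running containers
# per in-scope image, checked against the image digests recorded in change management.
import hashlib
from collections import defaultdict

# Constructed inventory, as it might be collected from the orchestrator or `docker ps --no-trunc`.
RUNNING_CONTAINERS = [
    {"id": "api-1", "image": "registry.example/payments/api", "digest": "sha256:a1"},
    {"id": "api-2", "image": "registry.example/payments/api", "digest": "sha256:a1"},
    {"id": "api-3", "image": "registry.example/payments/api", "digest": "sha256:a9"},  # drifted
    {"id": "gw-1", "image": "registry.example/payments/gateway", "digest": "sha256:b1"},
    {"id": "tmp-1", "image": "registry.example/ops/debug", "digest": "sha256:c1"},  # no record
]

# Constructed change-management record: image -> approved digest.
APPROVED_DIGESTS = {
    "registry.example/payments/api": "sha256:a1",
    "registry.example/payments/gateway": "sha256:b1",
}


def group_by_image(containers):
    groups = defaultdict(list)
    for container in containers:
        groups[container["image"]].append(container)
    return dict(groups)


def sample_per_image(containers, per_image, seed):
    """Pick up to `per_image` containers for every image. Ranking by a hash of seed and id
    keeps the selection reproducible without favouring the oldest or newest instances."""
    sample = []
    for image, members in sorted(group_by_image(containers).items()):
        ranked = sorted(members,
                        key=lambda c: hashlib.sha256(f"{seed}:{c['id']}".encode()).hexdigest())
        sample.extend(ranked[:per_image])
    return sample


def verify_sample(sample, approved):
    """One finding per sampled container whose image is outside change control or has drifted."""
    findings = []
    for container in sample:
        expected = approved.get(container["image"])
        if expected is None:
            findings.append(f"{container['id']}: image {container['image']} has no approved digest")
        elif container["digest"] != expected:
            findings.append(f"{container['id']}: running {container['digest']}, approved {expected}")
    return findings


def coverage(containers, sample):
    """image -> (running, sampled): evidence that every in-scope image was covered."""
    running = {image: len(members) for image, members in group_by_image(containers).items()}
    sampled = defaultdict(int)
    for container in sample:
        sampled[container["image"]] += 1
    return {image: (count, sampled[image]) for image, count in running.items()}


if __name__ == "__main__":
    chosen = sample_per_image(RUNNING_CONTAINERS, per_image=2, seed="assessment-seed")
    print(coverage(RUNNING_CONTAINERS, chosen))
    print(verify_sample(chosen, APPROVED_DIGESTS) or ["no drift in sample"])
```

The coverage table is the part worth keeping as evidence: it shows that every in-scope image contributed to the sample, which is the question a requirement like 11.5 raises when no single container lives long enough to be checked twice.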

Luckily, the major container security vendors Twistlock and Aqua have published step-by-step guides to help their customers maintain their PCI DSS compliance status, definitely the way to go for keeping customers happy.