The following is a guest post by Tony Bradley, Senior Manager of Content Marketing for Alert Logic.
In a traditional network environment, retail organizations can find that achieving and maintaining compliance with the Payment Card Industry Data Security Standard (PCI-DSS) is challenging enough. However, retailers that have adopted cloud computing and use Microsoft Azure or a hybrid cloud environment face more complexity and a dramatically more dynamic environment. You need the right skills, tools and processes to keep up with the pace of PCI compliance in a modern IT cloud infrastructure.
PCI compliance is crucial for most retailers. If you process, transmit, or store payment card data, you fall under PCI-DSS. Failure to maintain compliance with the PCI-DSS requirements could result in fines and penalties, or possibly having your merchant status revoked entirely. Yet, according to the 2017 Payment Security Report from Verizon, 45 percent of the companies they examined were not fully compliant.
Sustaining PCI-DSS Compliance
To be clear, PCI compliance is not one-and-done for any retailer. Achieving compliance for a moment in time – long enough to pass a quarterly audit – is relatively simple. The goal of compliance, however, is not passing an audit. The goal of compliance is to sustain continuous protection and avoid costly data breaches at the hands of motivated cyber criminals and skilled adversaries. That takes significantly more effort and vigilance than just passing an audit.
Microsoft Azure has multiple attestations for compliance frameworks including the Attestation of Compliance and Report on Compliance for PCI-DSS. Along with other resources from Microsoft, this checklist can help you understand how using Microsoft Azure can help you meet your requirements and scope your regulated workload to the cloud. Additionally, you may want to view this informative round table discussion about the key considerations for staying compliant and secure in the Microsoft Azure cloud and hybrid environments. Experts on this Azure compliance webinar from Microsoft and Microsoft partners Avyan Consulting and Alert Logic comment on and discuss the benefits of using the Azure cloud for regulated workloads.
Dealing with PCI compliance in an Azure cloud or hybrid environment expands the scope and complexity of the compliance effort. Microsoft Azure addresses some PCI-DSS requirements on your behalf, such as restricting physical access to the hardware and keeping the underlying infrastructure patched and up to date, but under the shared responsibility model you remain responsible for achieving and sustaining PCI compliance for your own workloads and for protecting the cardholder data you've been entrusted with.
Effective PCI Compliance in the Azure Cloud
There are a number of things retailers need to do in order to effectively attain and sustain PCI-DSS compliance in an Azure cloud environment:
- Perform vulnerability scans of new web applications and workloads as they're deployed
- Monitor and investigate configuration changes to assess risk
- Ensure web applications are automatically protected as they scale to meet demand
- Centralize and aggregate data for efficient log analysis and archiving
Automation is a key element of keeping up with PCI compliance in the Azure environment. Virtual servers and containers can be spawned or removed in the blink of an eye to meet demand in a scalable cloud environment. For all practical purposes, there is simply no way for human security analysts to execute fast enough to perform all of the tasks and functions necessary to maintain compliance in such a dynamic environment.
Alert Logic is a Microsoft Azure partner that provides cloud security and PCI compliance solutions for the Azure cloud. To learn more about meeting the pace of PCI compliance, download our PCI DSS eBook.