Meeting PCI DSS Compliance with Styra DAS + Kubernetes

DevOps and platform teams are more strained than ever, and as a result, need better tools than ever. These teams are required to develop, provide access to, and secure a number of resources — while remaining good stewards to application developers. Beyond that, they are often tasked with overseeing their organization’s shift to the cloud. And as that shift takes place, DevOps teams will need to shift their compliance standards to the cloud.

While compliance is a critical requirement, it can also be a barrier to successful operations. With legacy stacks and systems, updates happened when they needed to, and in unison. Now, thousands of microservices are routinely updated on a tight schedule. If the wrong service brakes, it can be all-hands-on-deck to find a solution. A system falling out of compliance can be a primary reason for stoppages. And, for enterprises in highly regulated industries like finance, compliance is core to operations. Therefore, every DevOps and platform team needs a way to ensure compliance at scale.

DevOps and platform teams can leverage policy as code to automatically solve for a number of key compliance challenges, such as the Payment Card Industry Data Security Standard (PCI DSS) v3.2. The 12 high-level requirements are delegated into individual testing procedures, along with a few appendices, which can help organizations implement the proper policies for handling internal and user data.

Styra maps to requirements 1, 2, 3, 4, 5, 6, 7, and 10, along with 40 sub-requirements, and is supported by over 150 pre-built policies to help organizations establish and maintain compliance regarding access control and authorization. It is important to note that the requirements that Styra Declarative Authorization Service (DAS) does not map to, such as 8 and 9, are still critical to organizations and can be found in solutions that span different areas of focus.

Styra enables organizations to accelerate their business processes by ensuring that teams can quickly and efficiently validate compliance, maintain clear logs for audit, test policies before production and provide a unified control plane for cross-team collaboration.

As organizations scale with cloud technologies, DevOps and platform teams don’t have the time to read 130+ pages of compliance standards, distill that information into real measures their organization can take, and then also do the mapping exercise so they can prove compliance to auditors. Styra has set out to make the process easier and more efficient for organizations overburdened by other responsibilities. With Styra DAS, you can dynamically run your policies through a mapped library of PCI requirements, and make sure you’re ready for the day an auditor walks through your door.

For example, according to PCI DSS requirement 2.2.1, an organization must implement only one primary function per virtual system component. As a result, Styra DAS requires labels for function with respect to system components that are in scope for PCI DSS, such as ClusterRole, Service and Ingress. You can check your Kubernetes infrastructure, and have Styra DAS do the heavy lifting, creating actionable audit reports.

Auditing is a critical task for any organization and it does help to have a non-biased set of eyes on your infrastructure, but it really does throw a wrench in an organization’s day-to-day operations. As any developer will tell you, spending hours allocating resources to assist in the collection, understanding and assessment of the policies that impact credit card data is no fun at all. Styra DAS drastically reduces the amount of resources needed to assist the auditor via automated compliance reporting for running clusters. It also provides an ongoing audit log of compliance decisions, so you don’t have to walk auditors through policy as code line by line.

With the addition of compliance to most development lifecycles, the number of team members that are contributing to an application or applications is rapidly increasing. Organizations can’t be losing time trying to organize all of the moving pieces. They need to maintain continuity of desired outcome and establish comprehensive functions for success. We saw this as a great way to help organizations, so we designed out-of-the-box, easy to configure policies that some of the largest Kubernetes deployments use today.

While Kubernetes is one of the biggest game-changers of the last few years, it has also introduced the need for multiple teams to be a part of the build process. And with that comes non-coders and coders that need to be able to understand and collaborate in making policies and their outcomes. We have made a way for them to collaborate and communicate about the state of security and compliance in Kubernetes.If you’d like to try out Styra DAS, click here! It’s free, and is available alongside several other resources like the Styra Academy, where you can learn all about making sure your policy is up to scratch.