This blog is an update and continuation of the blog published on August 20, 2018, explaining how to use underlying security controls for achieving PCI compliance for customer environments on Oracle Cloud Infrastructure (OCI). Over the past two years, we’ve added scores of security and security-focused services that customers can use to achieve PCI and other industry-specific regulatory compliance.
The high-level guidance from PCI Security Standards Council has 12 detailed requirements across the following sections:
Build and maintain a secure network and systems.
Protect cardholder data.
Maintain a vulnerability management program.
Implement strong access control measures.
Regularly monitor and test networks.
Maintain an information security policy.
Through our attestation, we’ve already met other requirements for shared hosting providers. The following OCI services have the PCI DSS attestation of compliance:
Data Transfer service
Container Engine for Kubernetes
For more information, view and download compliance documents from the Oracle Cloud Console. I’ve provided a list of new services that we’ve added across all six sections, along with the services mentioned in the original blog.
Requirement 1A: Install and maintain a firewall configuration to protect cardholder data.
Existing solution: Use OCI security lists.
New solution: Use network security groups for instance-level protection.
You can get more protection with firewall appliance images available from Oracle Cloud Marketplace.
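As an added example (not from the original post and not Oracle's own code), the instance-level protection described above expressed in Terraform with the OCI provider: an application-tier NSG that admits HTTPS only from the load-balancer subnet and SSH only from members of a bastion NSG. The compartment and VCN OCIDs and the subnet CIDR are placeholders.

```hcl
# Added example, not from the original post. The OCIDs and CIDR below are
# placeholders; an existing compartment and VCN are assumed.
locals {
  compartment_ocid = "ocid1.compartment.oc1..PLACEHOLDER"
  vcn_ocid         = "ocid1.vcn.oc1..PLACEHOLDER"
  lb_subnet_cidr   = "10.0.1.0/24" # constructed sample: load-balancer subnet
}

# NSGs attach to individual VNICs, so each instance gets only the rules
# below plus whatever its subnet security list allows; keep that list minimal.
resource "oci_core_network_security_group" "app_tier" {
  compartment_id = local.compartment_ocid
  vcn_id         = local.vcn_ocid
  display_name   = "pci-app-tier"
}
resource "oci_core_network_security_group" "bastion" {
  compartment_id = local.compartment_ocid
  vcn_id         = local.vcn_ocid
  display_name   = "pci-bastion"
}

# HTTPS into the app tier only from the load-balancer subnet (TCP/443).
resource "oci_core_network_security_group_security_rule" "https_from_lb" {
  network_security_group_id = oci_core_network_security_group.app_tier.id
  direction   = "INGRESS"
  protocol    = "6" # TCP
  source_type = "CIDR_BLOCK"
  source      = local.lb_subnet_cidr
  tcp_options {
    destination_port_range {
      min = 443
      max = 443
    }
  }
}

# SSH into the app tier only from VNICs that are members of the bastion NSG;
# referencing the NSG rather than a CIDR means the rule follows membership.
resource "oci_core_network_security_group_security_rule" "ssh_from_bastion" {
  network_security_group_id = oci_core_network_security_group.app_tier.id
  direction   = "INGRESS"
  protocol    = "6"
  source_type = "NETWORK_SECURITY_GROUP"
  source      = oci_core_network_security_group.bastion.id
  tcp_options {
    destination_port_range {
      min = 22
      max = 22
    }
  }
}
```

No egress rule is defined, so any outbound flow the instances need (for example to a database subnet) must be added explicitly; that is the intended least-privilege default.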
Requirement 1B: Don’t use vendor-supplied defaults for system passwords and other security parameters.
Existing solution: Review the guidance in the PCI document.
New solution: We’ve updated the documentation on how to manage user credentials on Oracle Cloud Infrastructure.
Requirement 2A: Protect stored cardholder data.
New solution: When you create an instance, you can encrypt data in transit from the instance to the storage enclave using TLS 1.2.
Oracle Cloud Infrastructure Security Zones enforces more than 30 security protections.
Requirement 2B: Encrypt and protect transmission of cardholder data across open, public networks.
Existing solution: All our control and management plane communications are protected with TLS, which is necessary for the PCI DSS attestation. We also recommend using TLS (not SSL) and front-ending the application with our load balancers, as required. We recommend using SSH, IPSec VPN, and FastConnect.
New solution: Oracle Cloud Infrastructure Web Application Firewall.
Requirement 3A: Protect all systems against malware and regularly update antivirus software or programs.
Existing solution: Ensure that anti-virus software is deployed at the OS level using Oracle Cloud Infrastructure Native Web Application Firewall.
New solution: Platinum Partner solutions from McAfee and Cybereason, available from Oracle Cloud Marketplace.
Oracle and McAfee partner on first cloud native security operation center.
Requirement 3B: Develop and maintain secure systems and applications.
Existing solution: To develop and maintain secure systems, have a patch management policy in place and use a managed cloud service provider.
New solution: Oracle and McAfee partner on first cloud native security operation center.
Requirement 4A: Restrict access to cardholder data by business need-to-know. Identify and authenticate access to system components.
Existing solution: Review documentation on Identity and Access Management (IAM) controls for compartments and policies. We also suggest using Oracle IDCS for further security controls around access policies. For Oracle Container Engine for Kubernetes, our solution is to use Kubernetes role-based access control with IAM.
Requirement 4B: Restrict physical access to cardholder data.
Existing solution: Covered under our physical security controls for the data center at the availability domain and region level. We have ISO 27001 certification and SOC 1, SOC 2, and SOC 3 attestations, which provide the basis for control testing relevant to our PCI DSS Attestation of Compliance.
New solution: Ongoing certifications, with all regulatory attestation and certification documents available for viewing and downloading through the Cloud Console.
Requirement 5A: Track and monitor all access to network resources and cardholder data. Regularly test security systems and processes.
Existing solution: Use Oracle CASB and the Audit service for monitoring. Integrate CASB and audit logs with existing SIEM solutions. Schedule regular penetration testing of environments based on OCI; see Pen Testing on OCI, and schedule a pen test through the UI.
New solution: Oracle Cloud VCN flow logs, enhanced Logging service, and Cloud Guard Automatic Detection and Remediation service.
“This service constantly monitors a company’s cloud configurations and activities to spot threats and security risks, such as a suspicious IP address or a login from an unusual location. IT teams can set up Oracle Cloud Guard, so that it either automatically remediates the risk—by quarantining or shutting down such activity—or alerts a person who can authorize the remediation.” Forbes.com
Requirement 6A: Maintain a policy that addresses information security for all personnel.
Existing solution: While customers are responsible for their own security policies, we’re happy to help in any way we can. Most customers have existing security policies, and our team can help with cloud-specific (IaaS, PaaS, or SaaS) perspectives on security policy.
New solution: Both included and paid services with consulting available from Oracle North America Cloud Engineering. Contact your Oracle Cloud sales representative or Oracle account manager.
I hope these steps simplify the road to PCI compliance for your environments on Oracle Cloud Infrastructure. Look out for more blogs, white papers and technical briefs, and infrastructure security as code (ISaC) for security and compliance on the cloud to ease your migration to Oracle Cloud.