While PCI DSS isn’t new, how its requirements are applied in serverless deployments is. For instance, if you have an application that handles payment card details and runs on AWS Lambda, how you secure that application needs to be re-evaluated. Whether it is how you think about application firewalls and how they are configured in accordance with Requirement 1, restricting access to data under Requirement 7, or IAM policies under Requirement 2, all need to be reassessed, because with serverless the function’s code is everything. So how does one know whether their application adheres to PCI DSS, and how can they ensure that it is secure?
If it has been said once, it has been said a thousand times if not more: serverless, by its very nature and when configured properly, can leave organizations more secure than their other cloud counterparts. That is simply because of the micro nature of the application, split into potentially hundreds of thousands of small pieces of code. But again, the right restrictions and approaches need to be applied at the code level, which takes time if there is no automation. When done right, developers not only have a highly secure application but one that does not jeopardize their organization’s compliance posture.
Here are a few helpful pointers for those within the scope of PCI DSS with serverless deployments, regarding several requirements:
- IAM Policies: Requirement 2.2.2 is all about restricting and limiting access to applications and, more importantly, the sensitive cardholder data within them. Applied to serverless, policies should be defined per role around the actual functions to ensure least privilege. This can be time-consuming if done manually and often results in over-permissioned functions, so an automated solution that applies policies based on rules and exceptions has saved DevSecOps teams a lot of time and frustration.
- Data Encryption: Requirement 3’s rules around data encryption are the holy grail of PCI compliance, as encryption is the last line of defense if someone, whether a malicious outsider or insider, does find a way to access the system. In serverless deployments, organizations can add a further layer of security through very granular protection around the function itself, keeping that malicious insider or outsider at bay and supporting the encryption policies already in place in SQL tables or elsewhere. For instance, access to the PII is granted only at the function level, encapsulated with additional controls and policies. This ensures that sensitive information cannot be accessed by unauthorized parties and systems.
- Logging and Auditing: Leveraging the tools cloud providers offer, such as Amazon CloudTrail, CloudWatch, and S3, or third-party vendors, provides additional file-integrity assurance that everything accessing the serverless environment, its applications, and its functions is documented. This means companies can more easily audit and monitor what is accessing their serverless applications, as well as create alerts and block anomalies. These granular policies further restrict access to serverless applications, whether the restriction applies to the entire system, to certain functions, or even to a time of day.
- High Availability and Disaster Recovery: Cloud has always been a great solution for disaster recovery and high availability in case of sudden downtime or a spike in demand (without all of the clunky and costly data centers). But those are 10-year-old value propositions; what about serverless? The value of serverless is that companies pay only for the services they need, when they need them. With a pay-as-you-go model, companies can leverage serverless for high availability and DR to meet compliance needs while paying only for what they use. This sounds like a true win-win, especially for applications not needing.
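To make the IAM Policies pointer above concrete, here is an added example (not code from the original post) of the kind of automated check a DevSecOps team can run in CI before a function ships: it reads a Lambda execution-role policy document and reports every way the policy grants more than least privilege. The two sample policies, the account id, and the table and log-group names are constructed for illustration.

```python
"""Added example (not from the original post): a pre-deployment check that
flags Lambda execution-role policies violating least privilege.

Assumptions (hypothetical, not from the post): policies are IAM policy
documents held as Python dicts; the two sample policies are constructed."""

# Constructed sample: the "make it work" policy that over-permissions a function.
OVER_PERMISSIONED = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
}

# Constructed sample: the same function scoped to the one table and log group it uses.
LEAST_PRIVILEGE = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["dynamodb:GetItem", "dynamodb:PutItem"],
            "Resource": "arn:aws:dynamodb:us-east-1:123456789012:table/payments",
        },
        {
            "Effect": "Allow",
            "Action": ["logs:CreateLogStream", "logs:PutLogEvents"],
            "Resource": "arn:aws:logs:us-east-1:123456789012:log-group:/aws/lambda/charge:*",
        },
    ],
}


def _as_list(value):
    """IAM accepts a string or a list in Action/Resource; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def find_violations(policy, allowed_service_prefixes=None):
    """Return findings for every Allow statement that grants more than a
    function should hold: wildcard actions or resources, NotAction/NotResource
    (which allow everything except the listed items), or actions on services
    outside an optional allow-list such as ["dynamodb:", "logs:"]."""
    findings = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        if "NotAction" in stmt or "NotResource" in stmt:
            findings.append(f"statement {i}: NotAction/NotResource grants by exclusion")
        for action in _as_list(stmt.get("Action")):
            if "*" in action:
                findings.append(f"statement {i}: wildcard action {action!r}")
            elif allowed_service_prefixes and not action.startswith(tuple(allowed_service_prefixes)):
                findings.append(f"statement {i}: action {action!r} outside allowed services")
        for resource in _as_list(stmt.get("Resource")):
            if resource == "*":
                findings.append(f"statement {i}: wildcard resource {resource!r}")
    return findings


def is_least_privilege(policy, allowed_service_prefixes=None):
    """True when the policy has no findings; usable as a CI gate."""
    return not find_violations(policy, allowed_service_prefixes)


if __name__ == "__main__":
    for name, policy in [("over-permissioned", OVER_PERMISSIONED), ("least-privilege", LEAST_PRIVILEGE)]:
        print(name, find_violations(policy, ["dynamodb:", "logs:"]) or "OK")
```

The service allow-list is the "rules and exceptions" part: a payments function is told which services it may touch, and anything else is a finding even when the action itself is specific. A log-stream wildcard inside a resource ARN is left alone on purpose, since only a bare `*` resource opens the whole account.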
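For the Data Encryption pointer, the following is an added example (not from the original post) of function-level handling of cardholder data using the Requirement 3 methods of truncation/masking and keyed one-way hashing: the function never returns or logs a clear PAN, and a scrubber catches any PAN that strays into free text before it reaches CloudWatch. The environment variable name PAN_TOKEN_KEY, the handler, and the test card numbers are assumptions constructed for this example.

```python
"""Added example (not from the original post): keep a Lambda function from
ever emitting a clear-text PAN, using masking and keyed one-way hashing.

Assumptions (hypothetical): the HMAC key reaches the function through an
environment variable named PAN_TOKEN_KEY; the sample PANs are constructed
test numbers, not real cards."""
import hashlib
import hmac
import os
import re

# Runs of 13-19 digits are candidate PANs; the Luhn check filters out
# order ids and similar numbers that happen to be the same length.
_CANDIDATE_PAN = re.compile(r"\b\d{13,19}\b")


def luhn_valid(digits):
    """Standard Luhn check; every card PAN passes it, most other numbers do not."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan):
    """Truncate to first six and last four, the usual PCI DSS masking pattern."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def tokenize_pan(pan, key):
    """Keyed one-way hash usable as a lookup token; without the key the PAN
    cannot be recovered by enumerating card numbers, as it could from a plain SHA-256."""
    return hmac.new(key, pan.encode(), hashlib.sha256).hexdigest()


def scrub(text):
    """Replace any Luhn-valid PAN in free text (log lines, error messages)
    with its masked form before it reaches CloudWatch or S3."""
    return _CANDIDATE_PAN.sub(
        lambda m: mask_pan(m.group()) if luhn_valid(m.group()) else m.group(), text
    )


def handler(event, context=None, key=None):
    """Lambda-style entry point (hypothetical): returns only token and mask,
    so nothing downstream of this function ever holds the clear PAN."""
    key = key or os.environ.get("PAN_TOKEN_KEY", "").encode()
    if not key:
        raise RuntimeError("PAN_TOKEN_KEY not configured")
    pan = event["pan"]
    if not luhn_valid(pan):
        return {"status": "rejected"}
    return {"status": "ok", "token": tokenize_pan(pan, key), "masked": mask_pan(pan)}


if __name__ == "__main__":
    print(handler({"pan": "4111111111111111"}, key=b"demo-key-only"))
    print(scrub("charge pan=4111111111111111 order=1234567890123"))
```

The key is deliberately not a constant in the code: the function reads it from its environment (or, in a real deployment, a secrets store), which is exactly the function-level encapsulation the pointer describes, and the function fails closed when the key is absent rather than falling back to an unkeyed hash.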
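For the Logging and Auditing pointer, here is an added example (not from the original post) of the alerting half of that story: it triages CloudTrail records for Lambda against a baseline of which principals may change functions, during which hours, and from which networks. The record field names follow CloudTrail's schema, but the events, account id, principal names, and address ranges are constructed for this example.

```python
"""Added example (not from the original post): triage CloudTrail records for
Lambda against a baseline of who may change functions, when, and from where.

Assumptions (hypothetical): field names follow CloudTrail's record schema;
the events, account id, principals, and network ranges are constructed."""
import ipaddress
from datetime import datetime

# Constructed CloudTrail-style records.
SAMPLE_EVENTS = [
    {"eventTime": "2024-05-01T14:02:11Z", "eventSource": "lambda.amazonaws.com",
     "eventName": "Invoke",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:role/payments-api"},
     "sourceIPAddress": "10.0.1.25"},
    {"eventTime": "2024-05-01T03:17:40Z", "eventSource": "lambda.amazonaws.com",
     "eventName": "UpdateFunctionCode20150331v2",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/contractor"},
     "sourceIPAddress": "203.0.113.9"},
    {"eventTime": "2024-05-01T15:30:00Z", "eventSource": "lambda.amazonaws.com",
     "eventName": "GetFunction20150331v2",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:role/deploy-pipeline"},
     "sourceIPAddress": "10.0.2.7"},
    {"eventTime": "2024-05-01T16:00:00Z", "eventSource": "lambda.amazonaws.com",
     "eventName": "UpdateFunctionConfiguration20150331v2",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:role/deploy-pipeline"},
     "sourceIPAddress": "cloudformation.amazonaws.com"},
]

# Event names that alter a function's code, configuration, or resource policy.
CHANGE_EVENTS = {
    "CreateFunction20150331",
    "UpdateFunctionCode20150331v2",
    "UpdateFunctionConfiguration20150331v2",
    "AddPermission20150331v2",
    "DeleteFunction20150331",
}

# Hypothetical baseline for the cardholder-data environment.
BASELINE = {
    "change_principals": {"arn:aws:iam::123456789012:role/deploy-pipeline"},
    "change_window_utc": (9, 18),  # changes allowed 09:00-17:59 UTC
    "trusted_networks": [ipaddress.ip_network("10.0.0.0/8")],
}


def triage_event(event, baseline=BASELINE):
    """Return the list of alerts one record raises (empty when it is benign)."""
    alerts = []
    if event.get("eventSource") != "lambda.amazonaws.com":
        return alerts
    name = event["eventName"]
    principal = event.get("userIdentity", {}).get("arn", "<unknown>")
    when = datetime.strptime(event["eventTime"], "%Y-%m-%dT%H:%M:%SZ")
    if name in CHANGE_EVENTS:
        if principal not in baseline["change_principals"]:
            alerts.append(f"{name} by unapproved principal {principal}")
        start, end = baseline["change_window_utc"]
        if not start <= when.hour < end:
            alerts.append(f"{name} outside change window at {event['eventTime']}")
    # An AWS service acting on a caller's behalf shows a DNS name here, not an IP.
    try:
        source = ipaddress.ip_address(event["sourceIPAddress"])
    except ValueError:
        return alerts
    if not any(source in net for net in baseline["trusted_networks"]):
        alerts.append(f"{name} from untrusted address {source}")
    return alerts


def triage(events, baseline=BASELINE):
    """Map the index of each alerting record to its alerts."""
    out = {}
    for i, ev in enumerate(events):
        alerts = triage_event(ev, baseline)
        if alerts:
            out[i] = alerts
    return out


if __name__ == "__main__":
    for idx, alerts in triage(SAMPLE_EVENTS).items():
        print(idx, *alerts, sep="\n  ")
```

Two details matter in practice. CloudTrail records Lambda management events (the code and configuration changes) by default, but `Invoke` records are data events that must be switched on explicitly, so a trail that was never configured for them will not show who called the function. And `sourceIPAddress` is a DNS name rather than an address when another AWS service made the call, which is why the network check is skipped rather than crashing on those records.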
The point is, organizations can take full advantage of all the benefits serverless provides without impacting their PCI DSS compliance posture; they just need to evaluate their approach.
For more information on PCI Compliance as it pertains to serverless applications, download a free copy of the compliance ebook here.