Lola.com initially became PCI compliant about a year ago, and this fall completed a successful PCI audit. Recently Katie Paugh, Lola’s Senior DevOps Engineer, took part in a webinar with Threat Stack to discuss their experiences and share key lessons they’ve learned in how to adapt and implement PCI.
Lola is a travel company that offers a comprehensive corporate travel platform. While they don’t do any direct credit card processing, they are Level 1 PCI DSS Compliant. Considering the fact that planning, implementing, and maintaining PCI compliance can be time consuming and resource intensive, it’s interesting to delve into Lola’s experiences in translating the PCI framework into a standard that’s highly supportive of the operational, security, and business goals of their cloud-native, containerized environment.
Many organizations follow PCI DSS compliance standards. If you deal with any kind of credit card payment — or support a company that does — you need to maintain a secure environment, and be able to prove it, by adhering to this standard.
But modern cloud-native, container-focused architectures (like Lola’s) present interesting challenges since PCI was introduced before DevOps and before containers, Kubes, and microservices were created. Given this fact, there are added complexities to leveraging containers in the cloud in a cardholder data environment (CDE), and inevitably, there are going to be gaps between PCI requirements as they are written and the way an organization is actually going to implement them in a way that enables and supports its operations. As a result, implementation — and real-time demonstration to an auditor — need to be part of a rigorous, well-thought-out process. But as Lola demonstrates, when PCI is well planned and implemented, it becomes a valuable framework and gives companies an opportunity to work with the PCI auditors to develop and improve security in a way that’s closely tailored to an organization’s infrastructure, operational procedures, risk profile, and business priorities.
5 Key Lessons Learned
Establishing and demonstrating PCI compliance in a container-centric public cloud environment therefore requires much more than a checklist approach, but the payback is likely to be significant, so it is worth doing right.
Lola definitely champions this view, and based on their experiences, Katie Paugh has identified five key ways that organizations can achieve their security and compliance goals and make the challenges of working with auditors more rewarding — starting with a reminder that you’re in a partnership with the auditors, not an adversarial relationship.
1. Talk to your auditors before they arrive onsite.
You and the auditors are both working toward the same goals, so have a candid conversation about what they want to see, and make sure you’re in alignment by asking for clarification on objectives before they arrive. If you’re already compliant and are up for your annual audit, bring the auditors up to date on any changes you have made. You will probably continue to work with the same auditing firm year after year (although individual auditors may change), so use this as an opportunity to incrementally build on what you have already accomplished in order to strengthen your organization’s security and operations.
2. Proactively talk to key business stakeholders within your organization.
Just as you did with the auditors, aim for alignment with stakeholders within your organization. In particular, make sure you’ve got agreement on priorities, especially as these relate to what constitutes “business crippling” issues (Sev 1 alerts) versus issues that should be identified via Sev 2 and Sev 3 alerts. Achieving this shared understanding is essential so you can define and implement effective workflows that distinguish and separate business critical issues from everything else.
3. Make sure you are logging everything, but only alerting when you need to.
To be compliant, you need to maintain a complete record of what is happening in your system. Operationally, you need the ability to surface and deal with critical issues (Sev 1 alerts) in a timely manner, without subjecting your team to alert fatigue and information overload. And remember, you need to make sure your system is behaving the way you want the auditor to see it so you can actually demonstrate that you are logging all events and have also implemented a well-defined workflow for triaging, triggering, and responding to alerts.
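One way to wire up the workflow this lesson describes, written as an added example rather than anything from Lola’s or Threat Stack’s own tooling: every event goes to the audit log before any filtering, only Sev 1 events page someone, repeats of the same Sev 1 rule on the same host are suppressed for a window so on-call is not flooded, and Sev 2/3 events land in a triage queue. The severity tiers, the suppression window, and the sample events are assumptions constructed for the example.

```python
import json
from datetime import datetime, timedelta

# Sev 1 = business crippling, pages on-call; Sev 2/3 go to the triage queue.
# The set and the window are assumptions chosen for this example.
PAGE_SEVERITIES = {1}
SUPPRESS_WINDOW = timedelta(minutes=10)

class EventRouter:
    """Records every event in an append-only audit log, but pages only for Sev 1,
    suppressing repeats of the same rule+host inside SUPPRESS_WINDOW."""
    def __init__(self):
        self.audit_log = []      # every event, in order (stands in for a durable log sink)
        self.pages = []          # events that actually woke someone up
        self.triage_queue = []   # Sev 2/3 events reviewed during business hours
        self._last_paged = {}    # (rule, host) -> time of the last page sent

    def handle(self, event):
        # 1. Log everything first, before any filtering, so the audit trail is complete
        #    and an auditor can see the full record regardless of alerting decisions.
        self.audit_log.append(json.dumps(event, sort_keys=True))
        sev = event["severity"]
        if sev not in PAGE_SEVERITIES:
            self.triage_queue.append(event)
            return "triage"
        # 2. Page only for Sev 1, and only once per rule+host per window.
        key = (event["rule"], event["host"])
        ts = datetime.fromisoformat(event["ts"])
        last = self._last_paged.get(key)
        if last is not None and ts - last < SUPPRESS_WINDOW:
            return "suppressed"   # already paged for this; the event is still in the log
        self._last_paged[key] = ts
        self.pages.append(event)
        return "paged"

# Constructed sample events, not real telemetry.
SAMPLE_EVENTS = [
    {"ts": "2019-11-05T10:00:00", "severity": 3, "rule": "new_user_created", "host": "api-1"},
    {"ts": "2019-11-05T10:01:00", "severity": 1, "rule": "shell_in_container", "host": "api-1"},
    {"ts": "2019-11-05T10:03:00", "severity": 1, "rule": "shell_in_container", "host": "api-1"},
    {"ts": "2019-11-05T10:04:00", "severity": 2, "rule": "config_drift", "host": "api-2"},
    {"ts": "2019-11-05T10:20:00", "severity": 1, "rule": "shell_in_container", "host": "api-1"},
]

def run(events=SAMPLE_EVENTS):
    """Route the sample events; returns the router (with its queues) and per-event outcomes."""
    router = EventRouter()
    outcomes = [router.handle(e) for e in events]
    return router, outcomes
```

Five events are logged, but only two pages go out; the repeat two minutes after the first page is suppressed while the one nineteen minutes later pages again.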
4. Draw on the community.
There’s a large, informed community that can help you with information on PCI compliance. Whether you’re preparing for your first audit or getting ready for an annual inspection, tap into it through Slack, GitHub, forums, and so on, for experience, expertise, and resources. Whatever you do, don’t try going it alone, and don’t be tempted to reinvent the wheel: Draw on the experiences that others have had with similar situations. Others have gone before you, and many are eager to share their knowledge.
5. Look for existing solutions before building custom applications.
When implementing required controls in your system such as access checks, encryption, or other functionality that supports proper routing and resource management, look to reuse what is already out there in the community rather than building your own custom solution. Using free open source libraries and frameworks, or integrating with a service or SDK that your cloud provider or a third party offers for that functionality, will save you time and money. In some cases, such as encryption, you should never roll your own solution for security reasons (and doing so could be a red flag for your auditor), so use existing SDKs or services for that.
A Few Final Words . . .
Lola’s story centers on real-world challenges and solutions to security and PCI compliance in a complex, dynamic, and ephemeral cloud-native, container-based environment. Their story, as Katie Paugh relates it, explains how they translated a generic, and somewhat outdated, compliance standard into a powerful operational framework and set of security best practices that support compliance while strengthening security, operational efficiency, and business value.
Clearly, Lola’s story demonstrates that, while attaining and maintaining PCI compliance requires an investment of organizational resources, when done right, that investment will yield important dividends down the road. The five key lessons Katie outlines are rooted in common sense and direct experience, and can go a long way towards helping you on your path to PCI compliance and the continuing strengthening of your organization’s security.
To learn more about Lola’s approach to compliance and security, listen to the recently recorded webinar (Real World Challenges for PCI Containers) and download the Lola case study (Threat Stack Secures Lola’s Kubernetes-Based Infrastructure). To learn more about how Threat Stack’s Cloud Security Platform® can help address your organization’s security and compliance needs, contact our experts for a demo. We’d be pleased to discuss your specific requirements.