Swipe right for a new guide to PCI on GKE
Ann Wallace
Security Practice Lead, Google Cloud
Zeal Somani
Solutions Manager, Security Solutions, Google Cloud
Developers love containers. They’re portable, which helps speed up development. They’re easy to inspect and debug, and they’re elastic, making it easy to scale up and down. But if you’re in a highly regulated industry like financial services, you have complex and challenging regulatory IT requirements to deal with that can make it hard to adopt new technologies like containers and Kubernetes.
In particular, if you handle payment card data, you must secure it according to the Payment Card Industry Data Security Standard, or PCI DSS. This standard was created to reduce the risk of debit and credit card data loss around the world, and it applies to anyone who handles payment card data, whether on-premises or in the cloud.
Google Kubernetes Engine (GKE) is covered by Google Cloud’s PCI DSS certification, but when you build your own application on top of GKE, it’s your responsibility to ensure that your application itself meets PCI compliance requirements. And while the PCI Security Standards Council includes a section on containers in its Cloud Computing Guidelines, this area is still fairly new and there isn’t a lot of published guidance to help.
To help you ease the transition to PCI-compliant workloads on Kubernetes, we’ve released a PCI Compliance on GKE solution guide. This guide is intended to help you address concerns unique to GKE applications in PCI regulated environments.
In this guide, you’ll learn how to limit and properly segment the cardholder data environment from the rest of your environment using logical, network, and service-level segmentations. On GKE, for example, you might group all projects that are in PCI scope within a folder to isolate them at the folder level. However you ultimately architect your PCI environment, we recommend that you keep your in-scope and out-of-scope workloads in different projects.
Once you’ve determined the scope of your cardholder data environment, the guide shows you how other cloud-native tools can help you meet your compliance requirements. For example, you can use Istio to help meet requirements for encrypting cardholder data in transmission (requirement 4 of PCI), while Binary Authorization and Container Registry vulnerability scanning can help you develop and maintain secure applications (requirement 6 of PCI). Compliance requirements don’t change just because you’re in the cloud, but how you address them does.
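As an added illustration of the project-level segmentation recommended above (this is not code from the solution guide or the starter repository), the following Terraform layout groups the in-scope project under a dedicated folder, keeps an out-of-scope project under a separate folder, and scopes access at the folder level; the organization ID, billing account, project IDs and group address are placeholders.

```hcl
# Added example, not from the PCI on GKE guide or starter repo.
# Placeholders: org ID, billing account, project IDs, group address.

variable "org_id"          { default = "ORG_ID_PLACEHOLDER" }
variable "billing_account" { default = "BILLING_ACCOUNT_PLACEHOLDER" }

# One folder holds everything in PCI scope, so folder-level IAM,
# organization policies and audit review cover the whole cardholder
# data environment at once.
resource "google_folder" "pci_in_scope" {
  display_name = "pci-in-scope"
  parent       = "organizations/${var.org_id}"
}

# Out-of-scope workloads live under a separate folder.
resource "google_folder" "out_of_scope" {
  display_name = "shared-services"
  parent       = "organizations/${var.org_id}"
}

# The project that will host the in-scope GKE cluster.
resource "google_project" "cde" {
  name            = "pci-cde"
  project_id      = "pci-cde-PLACEHOLDER"
  folder_id       = google_folder.pci_in_scope.name
  billing_account = var.billing_account
}

# A project for workloads that never touch cardholder data.
resource "google_project" "shared" {
  name            = "shared-services"
  project_id      = "shared-services-PLACEHOLDER"
  folder_id       = google_folder.out_of_scope.name
  billing_account = var.billing_account
}

# Grant access to in-scope projects at the folder, to a dedicated
# group, instead of granting broad roles at the organization level.
resource "google_folder_iam_binding" "pci_viewers" {
  folder  = google_folder.pci_in_scope.name
  role    = "roles/viewer"
  members = ["group:pci-team@example.com"]
}
```

Because the in-scope and out-of-scope projects sit in different folders, an auditor can enumerate the cardholder data environment by listing one folder rather than inspecting every project.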
To complement the PCI on GKE solution guide, we also have an open-source PCI starter project and demo application as well as general information on PCI DSS compliance on Google Cloud Platform (GCP). The repository contains a set of Terraform configurations and scripts to help demonstrate how to bootstrap a PCI environment in GCP. Where appropriate, we also showcase GCP services, tools, or projects we think might be useful to start your own GCP PCI environment, plus a simple demo e-commerce application, the Hipster Store.
"Being able to rely on a PCI-certified managed solution has saved us a ton of time. GKE was a game changer and allowed us to focus on our core business." - Daniela Binatti, Founder and CTO, Pismo
Migrating PCI environments from VMs on-prem to VMs in the cloud can be challenging enough, but migrating PCI environments from VMs to Kubernetes can feel overwhelming. We constantly hear from customers that they want to move to the cloud but don’t know how to translate compliance requirements that were written before containers existed. With this guide, we hope to provide some clarity on how to achieve PCI compliance using GKE. To get started, check out the PCI Compliance on GKE solution guide and visit the GitHub repository.
Ian Maddox, Google Security Solutions Architect, contributed to this blog post.