Simplifying compliance for public cloud applications that deal with cardholder data
Meeting compliance standards is often seen as a major challenge because of the comprehensive nature of the requirements, the need for continuous documentation of evidence, and the perception that compliance is "checklist" security that meets only the bare minimum. This is a particular challenge in public clouds, which are extremely dynamic, operate at scale across multiple VPCs, regions, and clouds, use a large number of cloud services, and require compliance requirements to be adapted or interpreted for the cloud.
Valtix has been validated by ControlCase and found to be in compliance with requirements of Payment Card Industry Data Security Standard (PCI DSS) Version 3.2.1 as per Report on Compliance issued on October 14, 2021. ControlCase is a Qualified Security Assessor (QSA) certified by the PCI Security Standards Council.
Valtix is now simplifying this. The goal is not simply to meet the rigorous requirements of PCI DSS, but to provide truly robust security in protecting public cloud applications that deal with cardholder data (CHD). Valtix is built with a unique architecture:
- Valtix Controller runs as a service, managed and secured by Valtix – provides the management interface via the web portal or the Terraform provider for Valtix
- Valtix Gateways run in the customer’s cloud environment (AWS, Azure, GCP) – enforce customer configured context-aware network security policies.
Valtix is SOC 2 Type 2 compliant, which attests both that our internal controls safeguard customer data and that those controls operate effectively over time. The PCI DSS compliance for Valtix Controller as a service provider now ensures that the management plane meets the strict compliance requirements of the PCI Security Standards Council. Valtix will also be listed as a service provider in the Visa and Mastercard Registry of Service Providers.
To help customers with PCI DSS compliance Valtix provides (available upon request):
- PCI responsibilities matrix to help customers secure their cardholder data environment (CDE) in public clouds using Valtix Gateways.
- PCI DSS Attestation of Compliance (AOC) for Valtix Controller.
- Implementation guidance from our solution architects.
What is Unique About the Valtix Approach:
Continuous Discovery Drives Dynamic, Context-aware, Policies
Traditional firewalls allow you to create security policies using IP addresses. These are static and are not well suited for public clouds where workloads are created, modified or destroyed with automation (scripts, templates, auto-scaling). Valtix uses its continuous cloud asset discovery to power our dynamic, context-aware, security policies.
For example: PCI requirement 1.2.1 states that “Restrict inbound and outbound traffic to that which is necessary for the cardholder data environment, and specifically deny all other traffic.”
Limiting outbound traffic to that which is necessary with an allow/deny list of IP addresses is cumbersome and not practical in public clouds. Valtix simplifies this by letting you define policies based on workload context rather than addresses:
- “dev” workloads can connect to all the sites (FQDNs, URLs) needed by development teams, for example: *.github.com and canonical.com for Linux updates.
- “prod” and “pci” workloads can only connect to the exact destinations (FQDNs, URLs) required for production, for example: payment-processor.com, github.com/myOrgRepo, my-org-private-s3-bucket.amazonaws.com, third-party-api.com.
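The following is an added illustrative model of the tag-driven, default-deny egress policy described above. It is not Valtix code and does not use the Valtix API or Terraform provider; the tag names, the allow-lists (taken from the examples above) and the helper functions are assumptions made for this example. It shows the two matching details a practitioner should check in any FQDN/URL allow-list: wildcard hosts are anchored on a label boundary (so `evil-github.com` never matches `*.github.com`), and URL path prefixes are anchored on a path segment (so `github.com/myOrgRepo` does not allow `github.com/myOrgRepoEvil`). It also treats a restricted tag as overriding a permissive one, so a workload accidentally tagged both "dev" and "pci" does not inherit the wider "dev" list.

```python
"""Illustrative model of tag-driven egress allow-lists with default deny.

Added example, not Valtix code. Policy names, tags and destinations are
constructed for illustration; the matching rules are a generic model of an
FQDN/URL allow-list, not a description of any vendor's implementation.
"""
from urllib.parse import urlsplit

# Allow-lists keyed by workload tag (constructed for the example, using the
# destinations from the text above). Anything not listed is denied.
EGRESS_POLICY = {
    "dev": ["*.github.com", "github.com", "canonical.com"],
    "prod": [
        "payment-processor.com",
        "github.com/myOrgRepo",
        "my-org-private-s3-bucket.amazonaws.com",
        "third-party-api.com",
    ],
}
EGRESS_POLICY["pci"] = EGRESS_POLICY["prod"]

# Tags whose presence means only their own (narrower) lists may apply.
RESTRICTED_TAGS = {"prod", "pci"}


def host_matches(pattern: str, host: str) -> bool:
    """Match a host against an FQDN pattern.

    '*.example.com' matches one or more labels under example.com but not
    example.com itself; any other pattern must match the host exactly.
    Wildcards are anchored on the '.' label boundary, so 'evil-github.com'
    does not match '*.github.com'.
    """
    pattern = pattern.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if pattern.startswith("*."):
        suffix = pattern[1:]  # ".example.com"
        return host.endswith(suffix) and len(host) > len(suffix)
    return host == pattern


def url_matches(pattern: str, url: str) -> bool:
    """Match a URL against a 'host' or 'host/path-prefix' pattern.

    A pattern with no path allows every path on that host. A pattern with a
    path allows that path and anything beneath it, anchored on a '/' segment
    boundary, so 'github.com/myOrgRepo' does not allow 'github.com/myOrgRepoEvil'.
    """
    parts = urlsplit(url if "://" in url else "https://" + url)
    phost, _, ppath = pattern.partition("/")
    if not host_matches(phost, parts.hostname or ""):
        return False
    if not ppath:
        return True
    want = "/" + ppath.strip("/")
    got = parts.path.rstrip("/") or "/"
    return got == want or got.startswith(want + "/")


def evaluate_egress(workload_tags, url):
    """Return ('allow', matched_rule) or ('deny', None).

    Default deny: an unknown tag, or a URL matching no rule, yields 'deny'.
    If any restricted tag is present, only restricted tags are consulted, so
    a mis-tagged workload cannot widen its allow-list.
    """
    tags = set(workload_tags)
    if tags & RESTRICTED_TAGS:
        tags &= RESTRICTED_TAGS
    for tag in sorted(tags):  # sorted for deterministic rule attribution
        for rule in EGRESS_POLICY.get(tag, ()):
            if url_matches(rule, url):
                return "allow", rule
    return "deny", None


if __name__ == "__main__":
    # A few constructed flows, as a cloud-side policy engine would see them.
    for tags, url in [
        ({"dev"}, "https://api.github.com/repos/acme/tool"),
        ({"dev"}, "https://evil-github.com/"),
        ({"pci"}, "https://github.com/myOrgRepo/app.git"),
        ({"pci"}, "https://github.com/otherOrg/tool"),
        ({"dev", "pci"}, "https://canonical.com/"),
    ]:
        print(sorted(tags), url, "->", evaluate_egress(tags, url))
```

Read the output as a PCI 1.2.1 check: every flow that is not explicitly allowed for the workload's most restrictive tag is denied, and the matched rule is returned so the decision can be logged as evidence.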
Works At Scale with a Consistent Network Security Architecture
Valtix supports deployment of auto-scaling Valtix Gateways with a consistent architecture across all your VPCs, regions and multiple clouds. Valtix Controller orchestrates this from the web portal or using the Terraform provider for Valtix to provide security infrastructure as code (IaC). This includes the ability to create cloud-independent policies using the dynamic security policies described above. Below is an architecture for a single VPC design in AWS.
A hub-and-spoke architecture using AWS Transit Gateways can also be deployed by the Valtix Controller with auto-scaling Valtix Gateways in a security hub VPC to protect applications in spoke VPCs.
Robust Defense in Depth Security
Valtix Gateways provide a layered set of inspection profiles for encrypted and unencrypted traffic on ingress, egress, and east-west flows. Inspection of east-west flows includes traffic between subnets, between VPCs, to cloud services (PaaS), and to on-premises networks. The traffic inspection features include WAF, IDS/IPS, antivirus/antimalware, FQDN and URL filtering (including categories powered by BrightCloud), data loss prevention (DLP), and geo-IP and malicious-IP blocking. This consolidates a number of the network security controls required to protect your workloads and helps meet PCI DSS requirements.