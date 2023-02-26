



Google recently added a Payment Card Industry Data Security Standard (PCI DSS) policy bundle to Anthos Config Management (ACM). With version 3.2.1, security administrators can now understand their compliance with PCI DSS requirements using the Policy Controller dashboard.

Google Cloud Product Manager Poonam Lamba and Technical Solutions Consultant Andrew Peabody wrote a blog post explaining policy bundles and controllers. A policy bundle is a collection of preconfigured constraints developed and maintained by Google. Policy Controller allows you to apply customizable policies to your cluster and enforce them effectively.

The PCI DSS bundle has a PCI DSS control number associated with each constraint that you can cross-reference to track your compliance with the PCI DSS standard. Policy bundles contain policies focused on areas such as secure networks, systems, applications, and robust access control and monitoring. As an example, in the context of robust access control and monitoring, policies have been introduced to mandate the use of Container-Optimized OS as the OS image to ensure uniform and accurate time across nodes.

To audit and share policy violations on the cluster, security administrators can use the Policy Controller dashboard, which provides a UI for policy usage metrics and the ability to set log-based alerts.

Installing PCI DSS bundle v3.2.1 requires an Anthos cluster with Policy Controller v1.14.0 or later in the target environment. Additional guidelines for installing policy bundles are described in this blog post.

Cloud Logging automatically logs when a policy violation occurs. Security administrators can use the following filters in Log Explorer:

resource.type="k8s_container" resource.labels.namespace_name="gatekeeper-system" resource.labels.pod_name:"gatekeeper-audit-" jsonPayload.process:"audit" jsonPayload.event_type:"violation_audited" jsonPayload.constraint_name:* jsonPayload.constraint_namespace:*
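As an added illustration (not from the article, Google's tooling, or Gatekeeper itself), the following Python re-implements the clauses of that filter offline, runs them over constructed sample log entries, and counts audited violations per constraint the way a dashboard or log-based alert would. The operator semantics, the pod and constraint names, and the payload fields beyond those in the filter are assumptions.

```python
# Added example (not from the original article): an offline re-implementation of the Log
# Explorer filter quoted above, run over constructed Gatekeeper audit log entries.
from collections import Counter

FILTER = [  # the article's filter as (path, operator, value) clauses, implicitly ANDed
    ("resource.type", "=", "k8s_container"),
    ("resource.labels.namespace_name", "=", "gatekeeper-system"),
    ("resource.labels.pod_name", ":", "gatekeeper-audit-"),
    ("jsonPayload.process", ":", "audit"),
    ("jsonPayload.event_type", ":", "violation_audited"),
    ("jsonPayload.constraint_name", ":*", None),
    ("jsonPayload.constraint_namespace", ":*", None),
]

OPS = {  # assumed Cloud Logging semantics: "=" exact, ":" case-insensitive substring, ":*" present
    "=": lambda have, want: have == want,
    ":": lambda have, want: isinstance(have, str) and want.lower() in have.lower(),
    ":*": lambda have, want: have is not None,
}

def _entry(pod, **payload):  # build one constructed Cloud Logging entry (not real log data)
    labels = {"namespace_name": "gatekeeper-system", "pod_name": pod}
    return {"resource": {"type": "k8s_container", "labels": labels}, "jsonPayload": payload}

AUDIT = dict(process="audit", event_type="violation_audited", constraint_namespace="")
SAMPLE_LOG = [  # pod, constraint and resource names are constructed placeholders
    _entry("gatekeeper-audit-7d9c4b-x1", constraint_name="pci-privileged", resource_name="payments-api", **AUDIT),
    _entry("gatekeeper-audit-7d9c4b-x1", constraint_name="pci-privileged", resource_name="batch-worker", **AUDIT),
    _entry("gatekeeper-audit-7d9c4b-x1", constraint_name="pci-host-network", resource_name="legacy-proxy", **AUDIT),
    # admission-time denial from the webhook pod: not an audit finding, must not match
    _entry("gatekeeper-controller-manager-5f-ab", process="webhook", event_type="deny",
           constraint_name="pci-privileged", constraint_namespace=""),
    # housekeeping line from the audit pod without constraint fields: must not match
    _entry("gatekeeper-audit-7d9c4b-x1", process="audit", event_type="audit_finished"),
]

def _get(entry, path):  # walk a dotted path such as 'resource.labels.pod_name'; None if absent
    for key in path.split("."):
        if not isinstance(entry, dict) or key not in entry:
            return None
        entry = entry[key]
    return entry

def matches(entry):  # True only when every FILTER clause holds for the entry
    return all(OPS[op](_get(entry, path), want) for path, op, want in FILTER)

def violations_by_constraint(entries):
    # audited violations per constraint: the number a dashboard or log-based alert tracks
    return Counter(_get(e, "jsonPayload.constraint_name") for e in entries if matches(e))
```

Feeding a real export (for example the JSON from a log sink) into `violations_by_constraint` in place of `SAMPLE_LOG` gives the same per-constraint counts the dashboard shows, which is a convenient cross-check when tuning alert thresholds.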

The latest version of PCI DSS, 4.0, introduces several new controls. Organizations should implement it immediately to enhance the security of their payment systems.

Meanwhile, to meet PCI's most stringent security, audit compliance, low latency, and high performance requirements, Microsoft recently introduced Azure Payment Hardware Security Modules (HSMs). The service is available only in the Azure cloud, and currently only in the East US and North Europe regions.

In addition to applying policy bundles and custom policies to Kubernetes clusters, Policy Controller can also be used to analyze cluster configurations prior to deployment. Interested users can get started with Policy Controller here or review policy bundle best practices here.

