PCI, HIPAA, and HITRUST Compliance with DuploCloud

PCI DSS Requirements v3.2.1

DuploCloud Implementation

Requirement 1: Install and maintain a firewall configuration to protect cardholder data

1.

1.1.4 Requirements for a firewall at each Internet connection and between any demilitarized zone (DMZ) and the Internal network zone

Infrastructure is split into public and private subnets. Dev, stage, and production are split into different VPCs/VNETs. DuploCloud automation introduces a concept of a tenant which is a logical construct above AWS/Azure and represents an application's entire lifecycle. It is a security boundary implemented by having a unique SG, IAM Role and Instance Profile in AWS/ a Subnet, NSG and Managed Identity in Azure per tenant. By default, no access is allowed into the tenant unless specific ports are exposed via LB.

2.

1.1.5 Description of groups, roles, and responsibilities for management of network components.

DuploCloud overlays logical constructs of Tenant and infrastructure that represents an application. Within a tenant there are concepts of services. All resources within the tenant are by default labeled in the cloud with the Tenant name. Further the automation allows user to set any tag at a tenant level and that is automatically propagated to AWS/Azure artifacts. The system is always kept in sync with background threads

3.

1.2.1 Restrict inbound and outbound traffic to that which is necessary for the cardholder data environment, and specifically deny all other traffic.

Infrastructure is split into public and private subnets. Dev, stage, and production are split into different VPCs/VNETs. DuploCloud automation introduces a concept of a tenant which is a logical construct above AWS/Azure and represents an application's entire lifecycle. It is a security boundary implemented by having a unique SG, IAM Role and Instance Profile in AWS/ a Subnet, NSG and Managed Identity in Azure per tenant. By default, no access is allowed into the tenant unless specific ports are exposed via LB.

4.

1.3.1 Implement a DMZ to limit inbound traffic to only system components that provide authorized publicly accessible services, protocols, and ports.

Infrastructure is split into public and private subnets. Dev, stage, and production are split into different VPCs/VNETs. DuploCloud automation introduces a concept of a tenant which is a logical construct above AWS/Azure and represents an application's entire lifecycle. It is a security boundary implemented by having a unique SG, IAM Role and Instance Profile in AWS/ a Subnet, NSG and Managed Identity in Azure per tenant. By default, no access is allowed into the tenant unless specific ports are exposed via LB.

5.

1.3.2 Limit inbound Internet traffic to IP addresses within the DMZ.

Infrastructure is split into public and private subnets. Dev, stage, and production are split into different VPCs/VNETs. DuploCloud automation introduces a concept of a tenant which is a logical construct above AWS/Azure and represents an application's entire lifecycle. It is a security boundary implemented by having a unique SG, IAM Role and Instance Profile in AWS/ a Subnet, NSG and Managed Identity in Azure per tenant. By default, no access is allowed into the tenant unless specific ports are exposed via LB.

6.

1.3.4 Do not allow unauthorized outbound traffic from the cardholder data environment to the Internet.

By default, all outbound traffic uses NAT Gateway. We can put in place additional subnet ACLs if needed. Nodes in the private subnets can only go outside only via a NAT Gateway. In Azure outbound can be blocked in the VNET

7.

1.3.6 Place system components that store cardholder data (such as a database) in an internal network zone, segregated from the DMZ and other untrusted networks.

Infrastructure is split into public and private subnets. Dev, stage, and production are split into different VPCs/VNETs. DuploCloud automation introduces a concept of a tenant which is a logical construct above AWS/Azure and represents an application's entire lifecycle. It is a security boundary implemented by having a unique SG, IAM Role and Instance Profile in AWS/ a Subnet, NSG and Managed Identity in Azure per tenant. By default, no access is allowed into the tenant unless specific ports are exposed via LB. The application is split into multiple tenants with each tenants having all private resources in a private subnet. An example implementation would be all data stores are in one tenant and frontend UI is in a different tenant

8.

1.3.7 Do not disclose private IP addresses and routing information to unauthorized parties.

Use Private subnets and private R53 hosted zones/Private Azure DNS zones

9.

1.5 Ensure that security policies and operational procedures for managing firewalls are documented, in use, and known to all affected parties

Usage of a rules-based approach makes the configuration error free, consistent and documented. Further documentation is to be done by the client and we also put in documentation during the blue printing process

PCI DSS Requirements v3.2.1

DuploCloud Implementation

Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters

1.

2.1 Always change vendor-supplied defaults and remove or disable unnecessary default accounts before installing a system on the network. This applies to ALL default passwords, including but not limited to those used by operating systems, software that provides security services, application and system accounts, point-of-sale (POS) terminals, Simple Network Management Protocol (SNMP) community strings, etc.)

DuploCloud enables user specified password or random password generation options. User access is managed in such a way that all end user access is via single sign on and password less. Even access to AWS/Azure console is done by generating a federated console URL that has a validity of less than an hour. The system enables operations with minimal user accounts as most access is JIT

2.

2.2.1 Implement only one primary function per server to prevent functions that require different security levels from co-existing on the same server. (For example, web servers, database servers, and DNS should be implemented on separate servers.)

Note: Where virtualization technologies are in use, implement only one primary function per virtual system component.

DuploCloud orchestrates K8 node selectors for this and supports non container workloads and allows labeling of VMs and achieve this. For non-container workloads are also supported and hence allows automation to meet this controls. For example, one can install Wazuh in one VM, Suricata in another and Elastic Search in another

3.

2.2.2 Enable only necessary services, protocols, daemons, etc., as required for the function of the system.

By default, no traffic is allowed inside a tenant boundary unless exposed via an LB. DuploCloud allows automated configuration of desired inter-tenant access w/o users needing to manually write scripts. Further as the env changes dynamically DuploCloud keys these configs in sync. DuploCloud also reconciles any orphan resources in the system and cleans them up, this includes docker containers, VMs, LBs, keys, S3 buckets and various other resources

4.

2.2.3 Implement additional security features for any required services, protocols, or daemons that are considered to be insecure.

Note: Where SSL/early TLS is used, the requirements in Appendix A2 must be completed.

DC gets certificates from Cert-Manager and automates SSL termination in the LB

5.

2.2.4 Configure system security parameters to prevent misuse.

IAM configuration and policies in AWS/ Managed Identities in Azure that implement separation of duties and least privilege, S3 bucket policies. Infrastructure is split into public and private subnets. Dev, stage and production are split into different VPCs/VNETs. DuploCloud automation introduces a concept of a tenant which is a logical construct above AWS/Azure and represents an application's entire lifecycle. It is a security boundary implemented by having a unique SG, IAM Role and Instance Profile in AWS/ a Subnet, NSG and Managed Identity in Azure per tenant. By default, no access is allowed into the tenant unless specific ports are exposed via LB. The application is split into multiple tenants with each tenants having all private resources in a private subnet. An example implementation would be all data stores are in one tenant and frontend UI is in a different tenant

6.

2.2.5 Remove all unnecessary functionality, such as scripts, drivers, features, subsystems, file systems, and unnecessary web servers.

DuploCloud reconciles any orphan resources in the system against the user specifications in its database and cleans them up, this includes docker containers, VMs, LBs, keys, S3 buckets and various other resources. All resources specified by the user in the database are tracked and audited every 30 seconds

7.

2.3 Encrypt all non-console administrative access using strong cryptography.

SSL LB and VPN connections are orchestrated. DuploCloud automates OpenVPN P2S VPN user management by integrating it with user's single sign on i.e., when a user’s email is revoked from DuploCloud portal, it is cleaned up automatically from the VPN server

8.

2.4 Maintain an inventory of system components that are in scope for PCI DSS.

All resources are stored in DB, tracked, and audited. The software has an inventory of resources that can be exported

PCI DSS Requirements v3.2.1

DuploCloud Implementation

Requirement 3: Protect stored cardholder data

1.

3.4.1 If disk encryption is used (rather than file- or column-level database encryption), logical access must be managed separately and independently of native operating system authentication and access control mechanisms (for example, by not using local user account databases or general network login credentials). Decryption keys must not be associated with user accounts.

Note: This requirement applies in addition to all other PCI DSS encryption and key-management requirements.

DuploCloud orchestrates AWS KMS/Azure Key Vault keys per tenant to encrypt various AWS/Azure resource in that tenant like DBs, S3, Elastic Search, REDIS etc. Access to the keys is granted only to the instance profile w/o any user accounts or keys. By default, DuploCloud creates a common key per deployment but allows ability to have one key per tenant

2.

3.5.2 Restrict access to cryptographic keys to the fewest number of custodians necessary.

DuploCloud orchestrates AWS KMS/Azure Key Vault keys per tenant to encrypt various AWS/Azure resource in that tenant like DBs, S3, Elastic Search, REDIS etc. Access to the keys is granted only to the instance profile w/o any user accounts or keys. By default, DuploCloud creates a common key per deployment but allows ability to have one key per tenant

3.

3.5.3 Store secret and private keys used to encrypt/decrypt cardholder data in one (or more) of the following forms at all times:

• Encrypted with a key-encrypting key that is at least as strong as the data encrypting key, and that is stored separately from the data-encrypting key
• Within a secure cryptographic device (such as a hardware (host) security module (HSM) or PTS-approved point-of-interaction device)
• As at least two full-length key components or key shares, in accordance with an industry accepted method

Note: It is not required that public keys be stored in one of these forms.

DuploCloud orchestrates AWS KMS/Azure KeyVault for this and that in turns provides this control that we inherit

4.1 Use strong cryptography and security protocols to safeguard sensitive cardholder data during transmission over open, public networks, including the following:

• Only trusted keys and certificates are accepted.
• The protocol in use only supports secure versions or configurations.
• The encryption strength is appropriate for the encryption methodology in use.

Note: Where SSL/early TLS is used, the requirements in Appendix A2 must be completed. Examples of open, public networks include but are not limited to:

• The Internet
• Wireless technologies, including 802.11 and Bluetooth
• Cellular technologies, for example, Global System for Mobile communications (GSM), Code division multiple access (CDMA)
• General Packet Radio Service (GPRS)
• Satellite communications

PCI DSS Requirements v3.2.1

DuploCloud Implementation

Requirement 7: Restrict access to cardholder data by business need to know

1.

7.1.1 Define access needs for each role, including:

• System components and data resources that each role needs to access for their job function
• Level of privilege required (for example, user, administrator, etc.) for accessing resources

DuploCloud tenant model has access controls built in. This allows access to various tenant based on the user roles. This access control mechanism automatically integrates into the VPN client as well i.e. each user has a static IP in the VPN and based on his tenant access his IP is added to the respective tenant's SG in AWS/NSG in Azure. Tenant access policies will automatically apply SG or IAM based policy in AWS/NSG, or Managed Identity in Azure based on the resource type.

7.2 Establish an access control system(s) for systems components that restricts access based on a user's need to know and is set to “deny all” unless specifically allowed. This access control system(s) must include the following

User access to AWS/Azure console is granted based on tenant permissions and least privilege and a Just in time federated token that expires in less than an hour. Admins have privileged access and read-only user is another role

2.

7.2.1 Coverage of all system components.

AWS resource access is controlled based on IAM role, SG and static VPN client Ips/ Azure resource access in controlled by NSG, Managed Identity and static VPN client Ips that are all implicitly orchestrated and kept up to date

3.

7.2.3 Default deny-all setting.

This is the default DuploCloud implementation of Sg and IAM roles in AWS/NSG and Managed Identity in Azure

Requirement 8: Identify and authenticate access to system components

4.

8.1.1 Assign all users a unique ID before allowing them to access system components or cardholder data.

DuploCloud integrates with client's IDP like G Suite and O365 for access to the portal. From there a federated logic in done for AWS/Azure resource access

5.

8.1.2 Control addition, deletion, and modification of user IDs, credentials, and other identifier objects.

This is done at infra level in DuploCloud portal using single sign on

6.

8.1.3 Immediately revoke access for any terminated users.

DuploCloud integrates with client's IDP like G Suite and O365 for access to the portal. The moment the email is disabled all access is revoked. Even if the user has say a private key to a VM even then he cannot connect because VPN will be deprovisioned

7.

8.1.4 Remove/disable inactive user accounts within 90 days.

DuploCloud integrates with client's IDP like G Suite and O365 for access to the portal. The moment the email is disabled all access is revoke. Even if the user has say a private key to a VM even then he cannot connect because VPN will be deprovisioned

8.

8.1.5 Manage IDs used by third parties to access, support, or maintain system components via remote access as follows:

• Enabled only during the time period needed and disabled when not in use.
• Monitored when in use.

DuploCloud integrates by calling STS API to provide JIT token and URL

9.

8.1.6 Limit repeated access attempts by locking out the user ID after not more than six attempts.

DuploCloud integrates with client's IDP like G Suite and O365 for access to the portal. When DuploCloud managed OpenVPN is used it is setup to lock the user out after failed attempts

10.

8.1.7 Set the lockout duration to a minimum of 30 minutes or until an administrator enables the user ID.

DuploCloud integrates with client's IDP like G Suite and O365 for access to the portal. When DuploCloud managed OpenVPN is used it is setup to lock the user out after failed attempts. In Open VPN an admin has to unlock the user

11.

8.1.8 If a session has been idle for more than 15 minutes, require the user to re-authenticate to re-activate the terminal or session.

DuploCloud single sign on has configurable timeout. For AWS/Azure resource access we provide JIT access

12.

8.2 In addition to assigning a unique ID, ensure proper user-authentication management for non-consumer users and administrators on all system components by employing at least one of the following methods to authenticate all users:

• Something you know, such as a password or passphrase
• Something you have, such as a token device or smart card
• Something you are, such as a biometric.

DuploCloud relies on the client's single sign on / IDP. If the user secures his corporate login using these controls then by virtue of single sign on, this get implemented in the infrastructure.

13.

8.2.1 Using strong cryptography, render all authentication credentials (such as passwords/phrases) unreadable during transmission and storage on all system components.

Encryption at REST is done via AWS KMS/Azure KeyVault and in transit via SSL

14.

8.2.2 Verify user identity before modifying any authentication credential—for example, performing password resets, provisioning new tokens, or generating new keys.

DuploCloud integrates with client's IDP like G Suite and O365 for access to the portal.

15.

8.2.3 Passwords/phrases must meet the following:

• Require a minimum length of at least seven characters.
• Contain both numeric and alphabetic characters.

Alternatively, the passwords/phrases must have complexity and strength at least equivalent to the parameters specified above.

Enforced by AWS/Azure and should be enforced by client's IDP. DuploCloud integrates with the IDP. The control should be implemented by the organization IDP.

16.

8.2.4 Change user passwords/passphrases at least every 90 days.

DuploCloud integrates with client's IDP like G Suite and O365 for access to the portal.

17.

8.2.5 Do not allow an individual to submit a new password/phrase that is the same as any of the last four passwords/phrases he or she has used.

Enforced by AWS/Azure and should be enforced by client's IDP. DuploCloud integrates with the IDP. The control should be implemented by the organization IDP.

18.

8.2.6 Set passwords/phrases for first time use and upon reset to a unique value for each user, and change immediately after the first use.

Enforced by AWS/Azure and should be enforced by client's IDP. DuploCloud integrates with the IDP. The control should be implemented by the organization IDP.

19.

8.3 Secure all individual non-console administrative access and all remote access to the CDE using multi-factor authentication.

Note: Multi-factor authentication requires that a minimum of two of the three authentication methods (see Requirement 8.2 for descriptions of authentication methods) be used for authentication. Using one factor twice (for example, using two separate passwords) is not considered multi-factor authentication.

DuploCloud integrates with client's IDP like G Suite and O365 for access to the portal. Open VPN has MFA enabled

20.

8.3.1 Incorporate multi-factor authentication for all non-console access into the CDE for personnel with administrative access.

DuploCloud integrates with client's IDP like G Suite and O365 for access to the portal. Open VPN has MFA enabled

21.

8.3.2 Incorporate multi-factor authentication for all remote network access (both user and administrator and including third-party access for support or maintenance) originating from outside the entity’s network.

DuploCloud integrates with client's IDP like G Suite and O365 for access to the portal. Open VPN has MFA enabled

22.

8.7 All access to any database containing cardholder data (including access by applications, administrators, and all other users) is restricted as follows:

• All user access to, user queries of, and user actions on databases are through programmatic methods.
• Only database administrators can directly access or query databases.
• Application IDs for database applications can only be used by the applications (and not by individual users or other non-application processes)

The IAM integration with database makes SQL connections also via Instance Profile. For users, individual JIT access is granted that lasts only 15 mins

PCI DSS Requirements v3.2.1

DuploCloud Implementation

1.

1.1.4 Requirements for a firewall at each Internet connection and between any demilitarized zone (DMZ) and the Internal network zone

Infrastructure is split into public and private subnets. Dev, stage, and production are split into different VPCs/VNETs. DuploCloud automation introduces a concept of a tenant which is a logical construct above AWS/Azure and represents an application's entire lifecycle. It is a security boundary implemented by having a unique SG, IAM Role and Instance Profile in AWS/ Subnet, NSG and Managed Identity in Azure per tenant. By default, no access is allowed into the tenant unless specific ports are exposed via LB.

2.

1.1.5 Description of groups, roles, and responsibilities for management of network components.

DuploCloud overlays logical constructs of Tenant and infrastructure that represents an application. Within a tenant there are concepts of services. All resources within the tenant are by default labeled in the cloud with the Tenant name. Further the automation allows user to set any tag at a tenant level and that is automatically propagated to AWS/Azure artifacts. The system is always kept in sync with background threads

3.

1.2.1 Restrict inbound and outbound traffic to that which is necessary for the cardholder data environment, and specifically deny all other traffic.

Infrastructure is split into public and private subnets. Dev, stage and production are split into different VPCs/VNETs. DuploCloud automation introduces a concept of a tenant which is a logical construct above AWS/Azure and represents an application's entire lifecycle. It is a security boundary implemented by having a unique SG, IAM Role and Instance Profile in AWS/ Subnet, NSG and Managed Identity in Azure per tenant. By default, no access is allowed into the tenant unless specific ports are exposed via LB.

4.

1.3.1 Implement a DMZ to limit inbound traffic to only system components that provide authorized publicly accessible services, protocols, and ports.

Infrastructure is split into public and private subnets. Dev, stage, and production are split into different VPCs/VNETs. DuploCloud automation introduces a concept of a tenant which is a logical construct above AWS/Azure and represents an application's entire lifecycle. It is a security boundary implemented by having a unique SG, IAM Role and Instance Profile in AWS/ Subnet, NSG and Managed Identity in Azure per tenant. By default, no access is allowed into the tenant unless specific ports are exposed via ELB.

5.

1.3.2 Limit inbound Internet traffic to IP addresses within the DMZ.

Infrastructure is split into public and private subnets. Dev, stage and production are split into different VPCs/VNETs. DuploCloud automation introduces a concept of a tenant which is a logical construct above AWS/Azure and represents an application's entire lifecycle. It is a security boundary implemented by having a unique SG, IAM Role and Instance Profile in AWS/ Subnet, NSG and Managed Identity in Azure per tenant. By default, no access is allowed into the tenant unless specific ports are exposed via ELB.

6.

1.3.4 Do not allow unauthorized outbound traffic from the cardholder data environment to the Internet.

By default, all outbound traffic uses NAT Gateway. We can put in place additional subnet ACLs if needed. Nodes in the private subnets can only go outside only via a NAT Gateway. In Azure outbound can be blocked in the VNET

7.

1.3.6 Place system components that store cardholder data (such as a database) in an internal network zone, segregated from the DMZ and other untrusted networks.

Infrastructure is split into public and private subnets. Dev, stage, and production are split into different VPCs/VNETs. DuploCloud automation introduces a concept of a tenant which is a logical construct above AWS/Azure and represents an application's entire lifecycle. It is a security boundary implemented by having a unique SG, IAM Role and Instance Profile in AWS/ a Subnet, NSG and Managed Identity in Azure per tenant. By default, no access is allowed into the tenant unless specific ports are exposed via LB. The application is split into multiple tenants with each tenants having all private resources in a private subnet. An example implementation would be all data stores are in one tenant and frontend UI is in a different tenant

8.

1.3.7 Do not disclose private IP addresses and routing information to unauthorized parties.

Use Private subnets and private R53 hosted zones/Private Azure DNS zones

9.

1.5 Ensure that security policies and operational procedures for managing firewalls are documented, in use, and known to all affected parties

Usage of a rules-based approach makes the configuration error free, consistent and documented. Further documentation is to be done by the client and we also put in documentation during the blue printing process

10.

2.1 Always change vendor-supplied defaults and remove or disable unnecessary default accounts before installing a system on the network.

This applies to ALL default passwords, including but not limited to those used by operating systems, software that provides security services, application and system accounts, point-of-sale (POS) terminals, Simple Network Management Protocol (SNMP) community strings, etc.)

DuploCloud enables user specified password or random password generation options. User access is managed in such a way that all end user access is via single sign on and password less. Even access to AWS/Azure console is done by generating a federated console URL that has a validity of less than an hour. The system enables operations with minimal user accounts as most access is JIT

11.

2.2.1 Implement only one primary function per server to prevent functions that require different security levels from co-existing on the same server. (For example, web servers, database servers, and DNS should be implemented on separate servers.)

Note: Where virtualization technologies are in use, implement only one primary function per virtual system component.

DuploCloud orchestrates K8 node selectors for this and supports non container workloads and allows labeling of VMs and achieve this. For non-container workloads are also supported and hence allows automation to meet this controls. For example, one can install Wazuh in one VM, Suricata in another and Elastic Search in another

12.

2.2.2 Enable only necessary services, protocols, daemons, etc., as required for the function of the system.

By default, no traffic is allowed inside a tenant boundary unless exposed via an LB. DuploCloud allows automated configuration of desired inter-tenant access w/o users needing to manually write scripts. Further as the env changes dynamically DuploCloud keys these configs in sync. DuploCloud also reconciles any orphan resources in the system and cleans them up, this includes docker containers, VMs, LBs, keys, S3 buckets and various other resources

13.

2.2.3 Implement additional security features for any required services, protocols, or daemons that are insecure.

Note: Where SSL/early TLS is used, the requirements in Appendix A2 must be completed.

DC gets certificates from Cert-Manager and automates SSL termination in the LB

14.

2.2.4 Configure system security parameters to prevent misuse.

IAM configuration and policies in AWS/ Managed Identities in Azure that implement separation of duties and least privilege, S3 bucket policies. Infrastructure is split into public and private subnets. Dev, stage, and production are split into different VPCs/VNETs. DuploCloud automation introduces a concept of a tenant which is a logical construct above AWS/Azure and represents an application's entire lifecycle. It is a security boundary implemented by having a unique SG, IAM Role and Instance Profile in AWS/ a Subnet, NSG and Managed Identity in Azure per tenant. By default, no access is allowed into the tenant unless specific ports are exposed via LB. The application is split into multiple tenants with each tenants having all private resources in a private subnet. An example implementation would be all data stores are in one tenant and frontend UI is in a different tenant

15.

2.2.5 Remove all unnecessary functionality, such as scripts, drivers, features, subsystems, file systems, and unnecessary web servers.

DuploCloud reconciles any orphan resources in the system against the user specifications in its database and cleans them up, this includes docker containers, VMs, LBs, keys, S3 buckets and various other resources. All resources specified by the user in the database are tracked and audited every 30 seconds

16.

2.3 Encrypt all non-console administrative access using strong cryptography.

SSL LB and VPN connections are orchestrated. DuploCloud automates OpenVPN P2S VPN user management by integrating it with user's single sign on i.e., when a user’s email is revoked from DuploCloud portal, it is cleaned up automatically from the VPN server

17.

2.4 Maintain an inventory of system components that are in scope for PCI DSS.

All resources are stored in DB, tracked, and audited. The software has an inventory of resources that can be exported

Requirement 3: Protect stored cardholder data

18.

3.4.1 If disk encryption is used (rather than file- or column-level database encryption), logical access must be managed separately and independently of native operating system authentication and access control mechanisms (for example, by not using local user account databases or general network login credentials). Decryption keys must not be associated with user accounts.

Note: This requirement applies in addition to all other PCI DSS encryption and key-management requirements.

DuploCloud orchestrates AWS KMS/Azure Key Vault keys per tenant to encrypt various AWS/Azure resource in that tenant like DBs, S3, Elastic Search, REDIS etc. Access to the keys is granted only to the instance profile w/o any user accounts or keys. By default, DuploCloud creates a common key per deployment but allows ability to have one key per tenant

19.

3.5.2 Restrict access to cryptographic keys to the fewest number of custodians necessary.

DuploCloud orchestrates AWS KMS/Azure Key Vault keys per tenant to encrypt various AWS/Azure resource in that tenant like DBs, S3, Elastic Search, REDIS etc. Access to the keys is granted only to the instance profile w/o any user accounts or keys. By default, DuploCloud creates a common key per deployment but allows ability to have one key per tenant

20.

3.5.3 Store secret and private keys used to encrypt/decrypt cardholder data in one (or more) of the following forms at all times:

• Encrypted with a key-encrypting key that is at least as strong as the data encrypting key, and that is stored separately from the data-encrypting key
• Within a secure cryptographic device (such as a hardware (host) security module (HSM) or PTS-approved point-of-interaction device)
• As at least two full-length key components or key shares, in accordance with an industry accepted method

Note: It is not required that public keys be stored in one of these forms.

DuploCloud orchestrates AWS KMS/Azure Key Vault for this and that in turns provides this control that we inherit

Requirement 4: Encrypt transmission of cardholder data across open, public networks

21.

4.1 Use strong cryptography and security protocols to safeguard sensitive cardholder data during transmission over open, public networks, including the following:

• Only trusted keys and certificates are accepted.
• The protocol in use only supports secure versions or configurations.
• The encryption strength is appropriate for the encryption methodology in use.

Note: Where SSL/early TLS is used, the requirements in Appendix A2 must be completed. Examples of open, public networks include but are not limited to:

• The Internet
• Wireless technologies, including 802.11 and Bluetooth
• Cellular technologies, for example, Global System for Mobile communications (GSM), Code division multiple access (CDMA)
• General Packet Radio Service (GPRS)
• Satellite communications

In the secure infrastructure blueprint we adopt Application Load Balancers with HTTPS listeners. HTTP listeners forwarded to HTTPS. The latest cipher is used in the LB automatically by the DuploCloud software

Requirement 5: Protect all systems against malware and regularly update anti-virus software or programs

22.

5.1.1 Ensure that all anti-virus programs are capable of detecting, removing, and protecting against all known types of malicious software.

DuploCloud enables ClamAV deployment via agent modules and alerts are collected in Wazuh

23.

5.1.2 For systems considered to be not commonly affected by malicious software, perform periodic evaluations to identify and evaluate evolving malware threats in order to confirm

whether such systems continue to not require anti-virus software.

DuploCloud agent modules can be enabled

24.

5.2  Ensure that all anti-virus mechanisms are maintained as follows:

• Are kept current,
• Perform periodic scans
• Generate audit logs which are retained per PCI DSS Requirement 10.7

DuploCloud enables ClamAV deployment via agent modules and alerts are collected in Wazuh.

25

5.3 Ensure that anti-virus mechanisms are actively running and cannot be disabled or altered by users, unless specifically authorized by management on a case-by-case basis for a limited time period.

Note: Anti-virus solutions may be temporarily disabled only if there is legitimate technical need, as authorized by management on a case-by-case basis. If anti-virus protection needs to be disabled for a specific purpose, it must be formally authorized. Additional security measures may also need to be implemented for the period of time during which anti-virus protection is not active.

DuploCloud agent modules do thousand raise an alert if a service is not running

Requirement 6: Develop and maintain secure systems and applications

26.

6.1 Establish a process to identify security vulnerabilities, using reputable outside sources for security vulnerability information, and assign a risk ranking (for example, as “high,” “medium,” or “low”) to newly discovered security vulnerabilities.

Note: Risk rankings should be based on industry best practices as well as consideration of potential impact. For example, criteria for ranking vulnerabilities may include consideration of the CVSS base score, and/or the classification by the vendor, and/or type of systems affected.

Methods for evaluating vulnerabilities and assigning risk ratings will vary based on an organization’s environment and risk assessment strategy. Risk rankings should, at a minimum, identify all vulnerabilities considered to be a “high risk” to the environment. In addition to the risk ranking, vulnerabilities may be considered “critical” if they pose an imminent threat to the environment, impact critical systems, and/or would result in a potential compromise if not addressed. Examples of critical systems may include security systems, public-facing devices and systems, databases, and other systems that store, process, or transmit cardholder data.

DuploCloud installs by default Wazuh agent and AWS Inspector and any other Agent modules in all VMs and keeps them active. In case any node is failing the auto install DC raises an alarm. In Wazuh the alerts are configured and generated. We rely on customer’s SOC team to act on the alerts. DuploCloud team is the second line of defense if the issue cannot be addressed by client team

27.

6.2 Ensure that all system components and software are protected from known vulnerabilities by installing applicable vendor supplied security patches. Install critical security patches within one month of release.

Note: Critical security patches should be identified according to the risk ranking process defined in Requirement 6.1.

Patch management is done as part of DuploCloud SOC offering

28.

6.3.2 Review custom code prior to release to production or customers in order to identify any potential coding vulnerability (using either manual or automated processes) to include at least the following:

• Code changes are reviewed by individuals other than the originating code author, and by individuals knowledgeable about code-review techniques and secure coding practices.
• Code reviews ensure code is developed according to secure coding guidelines
• Appropriate corrections are implemented prior to release.
• Code-review results are reviewed and approved by management prior to release

Note: This requirement for code reviews applies to all custom code (both internal and public-facing), as part of the system development life cycle. Code reviews can be conducted by knowledgeable internal personnel or third parties. Public-facing web applications are also subject to additional controls, to address ongoing threats and vulnerabilities after implementation, as defined at PCI DSS Requirement 6.6.

DuploCloud's CI/CD offering provides an out-of-box integration with SonarQube that can be integrated into the pipeline to scan the code.

Requirement 7: Restrict access to cardholder data by business need to know

29.

7.1.1 Define access needs for each role, including:

• System components and data resources that each role needs to access for their job function
• Level of privilege required (for example, user, administrator, etc.) for accessing resources

DuploCloud tenant model has access controls built in. This allows access to various tenant based on the user roles. This access control mechanism automatically integrates into the VPN client as well i.e. each user has a static IP in the VPN and based on his tenant access his IP is added to the respective tenant's SG in AWS/NSG in Azure. Tenant access policies will automatically apply SG or IAM based policy in AWS/NSG, or Managed Identity in Azure based on the resource type.

7.2 Establish an access control system(s) for systems components that restricts access based on a user's need to know and is set to “deny all” unless specifically allowed. This access control system(s) must include the following

User access to AWS/Azure console is granted based on tenant permissions and least privilege and a Just in time federated token that expires in less than an hour. Admins have privileged access and read-only user is another role

30.

7.2.1 Coverage of all system components.

AWS resource access is controlled based on IAM role, SG and static VPN client Ips/ Azure resource access in controlled by NSG, Managed Identity and static VPN client Ips that are all implicitly orchestrated and kept up to date

31.

7.2.3 Default deny-all setting.

This is the default DuploCloud implementation of Sg and IAM roles in AWS/NSG and Managed Identity in Azure

Requirement 8: Identify and authenticate access to system components

32.

8.1.1 Assign all users a unique ID before allowing them to access system components or cardholder data.

DuploCloud integrates with client's IDP like G Suite and O365 for access to the portal. From there a federated logic in done for AWS/Azure resource access

33.

8.1.2 Control addition, deletion, and modification of user IDs, credentials, and other identifier objects.

This is done at infra level in DuploCloud portal using single sign on

34.

8.1.3 Immediately revoke access for any terminated users.

DuploCloud integrates with client's IDP like G Suite and O365 for access to the portal. The moment the email is disabled all access is revoked. Even if the user has say a private key to a VM even then he cannot connect because VPN will be deprovisioned

35.

8.1.4 Remove/disable inactive user accounts within 90 days.

DuploCloud integrates with client's IDP like G Suite and O365 for access to the portal. The moment the email is disabled all access is revoke. Even if the user has say a private key to a VM even then he cannot connect because VPN will be deprovisioned

36.

8.1.5 Manage IDs used by third parties to access, support, or maintain system components via remote access as follows:

• Enabled only during the time period needed and disabled when not in use.
• Monitored when in use.

DuploCloud integrates by calling STS API to provide JIT token and URL

37.

8.1.6 Limit repeated access attempts by locking out the user ID after not more than six attempts.

DuploCloud integrates with client's IDP like G Suite and O365 for access to the portal. When DuploCloud managed OpenVPN is used it is setup to lock the user out after failed attempts

38.

8.1.7 Set the lockout duration to a minimum of 30 minutes or until an administrator enables the user ID.

DuploCloud integrates with client's IDP like G Suite and O365 for access to the portal. When DuploCloud managed OpenVPN is used it is setup to lock the user out after failed attempts. In Open VPN an admin must unlock the user

39.

8.1.8 If a session has been idle for more than 15 minutes, require the user to re-authenticate to re-activate the terminal or session.

DuploCloud single sign on has configurable timeout. For AWS/Azure resource access we provide JIT access

40.

8.2 In addition to assigning a unique ID, ensure proper user-authentication management for non-consumer users and administrators on all system components by employing at least one of the following methods to authenticate all users:

• Something you know, such as a password or passphrase
• Something you have, such as a token device or smart card
• Something you are, such as a biometric.

DuploCloud relies on the client's single sign on / IDP. If the user secures his corporate login using these controls, then by virtue of single sign on, this get implemented in the infrastructure.

41.

8.2.1 Using strong cryptography, render all authentication credentials (such as passwords/phrases) unreadable during transmission and storage on all system components.

Encryption at REST is done via AWS KMS/Azure KeyVault and in transit via SSL

42.

8.2.2 Verify user identity before modifying any authentication credential—for example, performing password resets, provisioning new tokens, or generating new keys.

DuploCloud integrates with client's IDP like G Suite and O365 for access to the portal.

43.

8.2.3 Passwords/phrases must meet the following:

• Require a minimum length of at least seven characters.
• Contain both numeric and alphabetic characters.

Alternatively, the passwords/phrases must have complexity and strength at least equivalent to the parameters specified above.

Enforced by AWS/Azure and should be enforced by client's IDP. DuploCloud integrates with the IDP. The control should be implemented by the organization IDP.

44.

8.2.4 Change user passwords/passphrases at least every 90 days.

DuploCloud integrates with client's IDP like G Suite and O365 for access to the portal.

45.

8.2.5 Do not allow an individual to submit a new password/phrase that is the same as any of the last four passwords/phrases he or she has used.

Enforced by AWS/Azure and should be enforced by client's IDP. DuploCloud integrates with the IDP. The control should be implemented by the organization IDP.

46.

8.2.6 Set passwords/phrases for first time use and upon reset to a unique value for each user and change immediately after the first use.

Enforced by AWS/Azure and should be enforced by client's IDP. DuploCloud integrates with the IDP. The control should be implemented by the organization IDP,

47.

8.3 Secure all individual non-console administrative access and all remote access to the CDE using multi-factor authentication.

Note: Multi-factor authentication requires that a minimum of two of the three authentication methods (see Requirement 8.2 for descriptions of authentication methods) be used for authentication. Using one factor twice (for example, using two separate passwords) is not considered multi-factor authentication.

DuploCloud integrates with client's IDP like G Suite and O365 for access to the portal. Open VPN has MFA enabled

48.

8.3.1 Incorporate multi-factor authentication for all non-console access into the CDE for personnel with administrative access.

DuploCloud integrates with client's IDP like G Suite and O365 for access to the portal. Open VPN has MFA enabled

49.

8.3.2 Incorporate multi-factor authentication for all remote network access (both user and administrator and including third-party access for support or maintenance) originating from outside the entity’s network.

DuploCloud integrates with client's IDP like G Suite and O365 for access to the portal. Open VPN has MFA enabled

50.

8.7 All access to any database containing cardholder data (including access by applications, administrators, and all other users) is restricted as follows:

• All user access to, user queries of, and user actions on databases are through programmatic methods.
• Only database administrators have the ability to directly access or query databases.
• Application IDs for database applications can only be used by the applications (and not by individual users or other non-application processes)

The IAM integration with database makes SQL connections also via Instance Profile. For users, individual JIT access is granted that lasts only 15 mins

Requirement 10: Track and monitor all access to network resources and cardholder data

51.

10.1 Implement audit trails to link all access to system components to each individual user.

DuploCloud maintains trails in 2 places in addition to cloud trail. It logs all write events about infrastructure change in an ELK cluster. Further Wazuh agent tracks all activities at the host level. All 3 - Cloud trail, audit and Wazuh agent events are brought together in the Wazuh dashboard

52.

10.2.1 All individual user accesses to cardholder data.

Infrastructure updates are audited and stored in ELK. Access to DB is through JIT access. SSH access to VMs are done via Wazuh syslog collection

52.

10.2.2 All actions taken by any individual with root or administrative privileges.

Infrastructure updates are audited and stored in ELK. Access to DB is through JIT access. SSh access to VMs are done via Wazuh syslog collection

53.

10.2.3 Access to all audit trails.

Infrastructure updates are audited and stored in ELK. Access to DB is through JIT access. SSh access to VMs are done via Wazuh syslog collection

54.

10.2.4 Invalid logical access attempts.

Cloud trails and syslog hold this information which is stored in the centralized SIEM (Wazuh)

55.

10.2 5 Use of and changes to identification and authentication mechanisms—including but not limited to creation of new accounts and elevation of privileges—and all changes, additions, or deletions to accounts with root or administrative privileges.

Infrastructure updates are audited and stored in ELK. Access to DB is through JIT access. SSh access to VMs are done via Wazuh syslog collection

56.

10.2.6 Initialization, stopping, or pausing of the audit logs

AWS IAM policies prevent start/stop of AWS CloudTrail, S3 bucket policies protect access to log data, alerts are sent if AWS CloudTrail is disabled, AWS Config rule provides monitoring of AWS CloudTrail enabled

57.

10.2.7 Creation and deletion of system level objects

DuploCloud maintains trails in 2 places in addition to cloud trail. It logs all write events about infrastructure change in an ELK cluster. Further, Wazuh agent tracks all activities at the host level. All 3 - Cloud trail, audit and Wazuh agent events are brought together in the Wazuh dashboard

10.3 Record at least the following audit trail entries for all system components for each event:

58

10.3.1 User identification.

DuploCloud maintains trails in 2 places in addition to cloud trail. It logs all write events about infrastructure change in an ELK cluster. Further, Wazuh agent tracks all activities at the host level. All 3 - Cloud trail, audit and Wazuh agent events are brought together in the Wazuh dashboard

59.

10.3.2 Type of event.

DuploCloud maintains trails in 2 places in addition to cloud trail. It logs all write events about infrastructure change in an ELK cluster. Further, Wazuh agent tracks all activities at the host level. All 3 - Cloud trail, audit and Wazuh agent events are brought together in the Wazuh dashboard

60.

10.3.3 Date and time.

DuploCloud maintains trails in 2 places in addition to cloud trail. It logs all write events about infrastructure change in an ELK cluster. Further, Wazuh agent tracks all activities at the host level. All 3 - Cloud trail, audit and Wazuh agent events are brought together in the Wazuh dashboard

61.

10.3.4 Success or failure indication.

DuploCloud maintains trails in 2 places in addition to cloud trail. It logs all write events about infrastructure change in an ELK cluster. Further, Wazuh agent tracks all activities at the host level. All 3 - Cloud trail, audit and Wazuh agent events are brought together in the Wazuh dashboard

62.

10.3.5 Origination of event.

DuploCloud maintains trails in 2 places in addition to cloud trail. It logs all write events about infrastructure change in an ELK cluster. Further, Wazuh agent tracks all activities at the host level. All 3 - Cloud trail, audit and Wazuh agent events are brought together in the Wazuh dashboard

63.

10.3.6 Identity or name of affected data, system component, or resource.

DuploCloud maintains trails in 2 places in addition to cloud trail. It logs all write events about infrastructure change in an ELK cluster. Further, Wazuh agent tracks all activities at the host level. All 3 - Cloud trail, audit and Wazuh agent events are brought together in the Wazuh dashboard

64.

10.4 Using time-synchronization technology, synchronize all critical system clocks and times and ensure that the following is implemented for acquiring, distributing, and storing time.

Note: One example of time synchronization technology is Network Time Protocol (NTP).

All instances launched in VPC are synced with NTP. User data is injected for time sync

65.

10.4.1 Critical systems have the correct and consistent time.

All instances launched in VPC are synced with NTP using user data that is implicitly added. All log data has timestamp provided by NTP

66.

10.4.3 Time settings are received from industry-accepted time sources.

All instances launched in VPC are synced with AWS NTP servers which in turn obtain time from NTP.org

67.

10.5.1 Limit viewing of audit trails to those with a job-related need.

Audit trails views access are part of the DuploCloud Access controls

68.

10.5.2 Protect audit trail files from unauthorized modifications.

Cloud trails policies are set in place. Wazuh and ELK access is limited to admins

69.

10.5.3 Promptly back up audit trail files to a centralized log server or media that is difficult to alter.

This is done automatically by DuploCloud

70.

10.5.4 Write logs for external-facing technologies onto a secure, centralized, internal log server or media device.

DuploCloud maintains trails in 2 places in addition to cloud trail. It logs all write events about infrastructure change in an ELK cluster. Further, Wazuh agent tracks all activities at the host level. All 3 - Cloud trail, audit and Wazuh agent events are brought together in the Wazuh dashboard

71.

10.5.5 Use file integrity monitoring or change-detection software on logs to ensure that existing log data cannot be changed without generating alerts (although new data being added should not cause an alert).

We stored Cloud trail data in a separate AWS account. Wazuh has FIM

72.

10.6.1 Review the following at least daily:

• All security events
• Logs of all system components that store, process, or transmit CHD and/or SAD
• Logs of all critical system components
• Logs of all servers and system components that perform security functions (for example, firewalls, intrusion-detection systems/intrusion-prevention systems (IDS/IPS), authentication servers, e-commerce redirection servers, etc.).

Done by DuploCloud SOC Team

73.

10.7 Retain audit trail history for at least one year, with a minimum of three months immediately available for analysis (for example, online, archived, or restorable from backup).

DuploCloud automatically snapshots the SIEM after the indexes grow beyond a certain size (minimum 3 months) and deletes the index in the running system. Any old index can be brought back in a few clicks. The indexes are per day which makes it straight forward to meet compliance guidelines like 3 months in this case

Requirement 11: Regularly test security systems and processes

74.

11.2 Run internal and external network vulnerability scans at least quarterly and after any significant change in the network (such as new system component installations, changes in network topology, firewall rule modifications, product upgrades).

Note: Multiple scan reports can be combined for the quarterly scan process to show that all systems were scanned and all applicable vulnerabilities have been addressed. Additional documentation may be required to verify non-remediated vulnerabilities are in the process of being addressed.

For initial PCI DSS compliance, it is not required that four quarters of passing scans be completed if the assessor verifies 1) the most recent scan result was a passing scan, 2) the entity has documented policies and procedures requiring quarterly scanning, and 3) vulnerabilities noted in the scan results have been corrected as shown in a re-scan(s). For subsequent years after the initial PCI DSS review, four quarters of passing scans must have occurred.

Offered as part of DuploCloud SOC

75.

11.2.1 Perform quarterly internal vulnerability scans. Address vulnerabilities and perform rescans to verify all “high risk” vulnerabilities are resolved in accordance with the entity’s vulnerability ranking (per Requirement 6.1). Scans must be performed by qualified personnel.

Offered as part of DuploCloud SOC

76.

11.3.3 Exploitable vulnerabilities found during penetration testing are corrected and testing is repeated to verify the corrections.

DuploCloud enables WAF rules to mitigate many of these vulnerabilities if the application change is less viable

77.

11.4 Use intrusion-detection and/or intrusion-prevention techniques to detect and/or prevent intrusions into the network.

Monitor all traffic at the perimeter of the cardholder data environment as well as at critical points in the cardholder data environment, and alert personnel to suspected compromises. Keep all intrusion-detection and prevention engines, baselines, and signatures up to date.

DuploCloud orchestrates AWS Traffic mirroring to send a copy of the traffic at all critical points (tenants) to a Suricata VM. From there the alerts are fetched by Wazuh and displayed in the central dashboard. This provides IDS but if prevention is desired then the Suricata software is enabled in each critical VM preferably in the AMI (Image) itself. The alerts are then fetched by the Wazuh agent and updated in Wazuh SIEM

78.

11.5 Deploy a change-detection mechanism (for example, file-integrity monitoring tools) to alert personnel to unauthorized modification of critical system files, configuration files, or content files; and configure the software to perform critical file comparisons at least weekly.

Note: For change-detection purposes, critical files are usually those that do not regularly change, but the modification of which could indicate a system compromise or risk of compromise. Change-detection mechanisms such as file-integrity monitoring products usually come preconfigured with critical files for the related

operating system. Other critical files, such as those for custom applications, must be evaluated and defined by the entity (that is, the merchant or service provider)

DuploCloud orchestrates installation and update of Wazuh agent is all servers that are launched. Wazuh agent then performs FIM and raises alerts. The alerts will first be triaged by the client SOC team

79.

11.5.1 Implement a process to respond to any alerts generated by the change detection solution.

DuploCloud SOC team will receive the email and operate as per the defined and approved Incident management solution

02 Endpoint Protection

03 Portable Media Security

06 Configuration Management

07 Vulnerability Management

08 Network Protection

10 Password Management

11 Access Control

12 Audit Logging & Monitoring

18 Physical & Environmental Security

19 Data Protection & Privacy