This reference architecture describes the considerations for an Azure Kubernetes Service (AKS) cluster designed to run a sensitive workload. The guidance is tied to the regulatory requirements of the Payment Card Industry Data Security Standard (PCI-DSS 3.2.1).
It's not our goal to replace your demonstration of your compliance with this series. The intent is to assist merchants get started on the architectural design by addressing the applicable DSS control objectives as a tenant on the AKS environment. The guidance covers the compliance aspects of the environment including infrastructure, interactions with the workload, operations, management, and interactions between services.
The reference architecture and implementation have not been certified by an official authority. By completing this series and deploying the code assets, you do not clear audit for PCI DSS. Acquire compliance attestations from third-party auditor.
Before you begin
Microsoft Trust Center provides specific principles for compliance-related cloud deployments. The security assurances—provided by Azure as the cloud platform and AKS as the host container—are regularly audited and attested by third-party Qualified Security Assessor (QSA) for PCI DSS compliance.
Shared responsibility with Azure
The Microsoft Compliance team ensures all documentation of Microsoft Azure regulatory compliance is publicly available to our customers. You can download the PCI DSS Attestation of Compliance for Azure under the PCI DSS section at audit reports. The responsibility matrix outlines who, between Azure and the customer, is responsible for each of the PCI requirements. For more information, see Managing compliance in the cloud.
Shared responsibility with AKS
Kubernetes is an open-source system for automating deployment, scaling, and management of containerized applications. AKS makes it simple to deploy a managed Kubernetes cluster on Azure. The AKS fundamental infrastructure supports large-scale applications in the cloud, and is a natural choice for running enterprise-scale applications in the cloud, including PCI workloads. Applications deployed in AKS clusters have certain complexities when deploying PCI-classified workloads.
As a workload owner, you're ultimately responsible for your own PCI DSS compliance. Have a clear understanding of your responsibilities by reading the PCI requirements to understand the intent, studying the matrix for Azure, and completing this series to understand the AKS nuances. This process will make your implementation ready for a successful assessment.
This series assumes:
- You're familiar with Kubernetes concepts and workings of an AKS cluster.
- You've read the AKS baseline reference architecture.
- You've deployed the AKS baseline reference implementation.
- You're very familiar with the official PCI DSS 3.2.1 specification.
- You've read the Azure security baseline for Azure Kubernetes Service.
In this series
This series is split into several articles. Each article outlines the high-level requirement followed by guidance about how to address the AKS-specific requirement.
|Area of responsibility
|Protect cardholder data with firewall configuration and other network controls. Remove vendor-supplied defaults.
|Encrypt all information, storage objects, containers, and physical media. Add security controls when data that is being transferred between components.
|Run antivirus software, file integrity monitoring tools, and container scanners to make sure the system as part of your vulnerability detection.
|Secure access through identity controls that deny attempts to the cluster or other components that are part of the cardholder data environment.
|Maintain the security posture through monitoring operations and regularly test your security design and implementation.
|Maintain thorough and updated documentation about your security processes and policies.
Start by understanding the regulated architecture and the design choices.