Posts

Showing posts from October, 2022

Part 3 - In-scope workload / The landing zone of a PCI-DSS compliant application inside Microsoft Azure

The last article was about shared responsibility between the three parties involved: Microsoft Azure, Kubernetes (AKS) and the customer. In today's post, we tackle Azure Kubernetes Services and where the workload needs to run. Azure Kubernetes Services (AKS) runs all the payloads where card data is decrypted and processed. It is required to run in a private cluster with no direct access to the internet. All traffic must be limited to the private network, without direct access to or from the internet. This applies to workloads that process card data (in-scope). A dedicated node pool with its own subnet is used for in-scope components (services handling card data). The payload runs in isolated node pools, separated from the rest of the system. Additional node pools can be created for workloads that are not out-of-scope of PCI-DSS. Using such a topology, we can move services from out-of-scope to in-scope seamlessly, without significant changes in the architecture of the inf

Part 2 - Shared responsibility / The landing zone of a PCI-DSS compliant application inside Microsoft Azure

In the previous article, we talked about the core concepts of PCI-DSS and the impact of storing, processing and transmitting credit card data. This article focuses on the shared responsibility concept and the importance of having all the parties at the same table. I promise that starting with the next article of this series we will move to the technical side, but for now we need a clear understanding of who the players are and what the responsibility level of each of them is. The solution we plan to build is based on Microsoft Azure, Azure Kubernetes Services (AKS), Azure SQL and Azure CosmosDB. Considering these services, there are 3 main parties at the table: Microsoft Azure; Kubernetes (AKS); the solution owner (the customer). Depending on the solution, a shared responsibility exists between all of them, covering five main aspects: infrastructure, access control, network security, data protection and malware detection. The combination of these five main aspects and the three pa

Part 1 - What, Why and How / The landing zone of a PCI-DSS compliant application inside Microsoft Azure

This is the first article in a series about how to build a PCI-DSS-compliant application on top of Microsoft Azure and Kubernetes. Together we cover the journey of building a PCI-DSS compliant application. The final output is a blueprint that can be used as a starting point for building an application. What is PCI-DSS? The Payment Card Industry Data Security Standard is a regulatory requirement that aims to secure credit and debit card transactions against data theft and fraud. Compliance is divided into 4 levels depending on the number of transactions. Level 1 starts at 6M transactions per year, compared to Level 4 with fewer than 20k transactions per year. Each level involves a different level of audit, as we can see below: Level 4: yearly SAQ assessment + quarterly PCI scan (may be required); Level 3: yearly SAQ assessment + quarterly PCI scan (may be required); Level 2: yearly SAQ assessment + quarterly PCI scan (may be required); Level 1: a yearly internal audit by an authoriz

[Post Event] Microsoft Ignite 2022 - Highlights

Time flies fast when you enjoy what you do and the people around you. Here I am, in Munich airport, returning home from Microsoft Ignite. In this post, I would like to share the highlights and a summary of this great conference. This week I had the fantastic opportunity to be part of Microsoft Ignite. The in-person event took place in Seattle and was the first in-person edition after 2020. The format of Microsoft Ignite shifted from a conference focused on technical sessions and Microsoft technologies to an event driven by partners and community, where networking becomes a first-class citizen. In total, more than 200,000 people joined the event virtually and 7,500 in person. Microsoft Ignite is a great place to connect and discover how Microsoft technologies are used by partners and companies to shape the world we live in. During the conference, I led 3 sessions focused on Infrastructure-as-a-Service, Microsoft Cloud for Financial Services and application modernization us

[Post Event] InfoShare 2022, Gdansk

At the beginning of this month, I had the fantastic opportunity to be part of InfoShare 2022. The two-day conference gathers people from all over Poland who share a common passion: technology. With more than 6500 people at the in-person event, InfoShare is the largest IT conference in CEE. I was invited to deliver a session about cloud security and the tools we need to be aware of to secure our cloud systems. Below you can find more information about my session. Title: Secure Application Development. Description: This session aims to identify the tools that help us build secure applications and environments for Azure during the development journey. The focus is on the developers and the tools we can use to ensure that our code is secure and aligned with all the available best practices and recommendations. Deck: