This newsletter is the fourth in our series on implementing PCI DSS in Azure. With the expertise of my friend Nicolas Giraud, an architect specialised in Microsoft technologies, and my own PCI DSS background, we try to demystify a subject that is still nebulous. For each PCI requirement we cover the responsibilities (who is in charge of what), the implementation mechanisms at your disposal (your toolbox), and implementation guidance wherever it seems necessary.
Requirement 4: Encrypt transmission of cardholder data across open, public networks
Objective
Protect sensitive information during transmission over networks that are easily accessed by malicious individuals.
PCI DSS Controls
4.1-4.3
Responsibilities
All requirements 4.x are under the sole responsibility of Azure Customers.
4.1.x Use strong cryptography and security protocols to safeguard sensitive cardholder data during transmission over open, public networks
Customers must ensure that the transmission channels to and between Azure components (IaaS, PaaS and SaaS) are encrypted, and that this encryption relies on industry-approved protocols and algorithms (in practice TLS 1.2 or later with strong cipher suites; SSL and early TLS are no longer acceptable).
4.1.1 Ensure wireless networks transmitting cardholder data or connected to the cardholder data environment, use industry best practices to implement strong encryption for authentication and transmission.
Customers must ensure that their wireless environments located on-premises, outside the Azure boundary, use strong cryptography and secure protocols. Azure itself exposes no wireless network to customers, so this control applies entirely to the customer's own sites.
4.2 Never send unprotected PANs by end-user messaging technologies (for example, e-mail, instant messaging, SMS, chat, etc.)
Customers are responsible for ensuring that PANs are never sent unprotected over such channels, whether those channels run in Azure (for example Office 365 mail) or elsewhere.
4.3 Ensure that security policies and operational procedures for encrypting transmissions of cardholder data are documented, in use, and known to all affected parties.
Customers must document the policies and procedures associated with the protection of cardholder data in transit, keep them in use, and make them known to all affected parties.
The Azure Toolbox for Req 4
Azure App Service
In PaaS scenarios, the main concern for requirement 4 is typically the HTTPS security level of Web applications exposed to the Internet. In Azure, those applications are hosted on an Azure App Service or on Azure Functions, the serverless offering built on the same App Service platform, which behaves the same way for the purposes of this requirement.
The “SSL Settings” menu of an App Service allows you to enable server authentication and/or client authentication, using certificates and the SSL/TLS protocol.
For a long time, full PCI DSS compliance was difficult to achieve with App Services because the minimum TLS version was not configurable.
One workaround was to use an Azure App Service Environment to gain control over the SSL policy of the server and disable TLS 1.0 and 1.1. But this was complex and expensive.
Another workaround was to put an Azure Application Gateway in front of the App Service to terminate HTTPS and accept only TLS 1.2. This also led to an architecture more complicated than necessary.
But recently, Azure announced that the minimum TLS version has become configurable in App Services, and TLS 1.2 is now the default for newly created App Services. This takes care of the protocol-version part of requirement 4.1 for the App Service endpoint itself; you still have to check existing apps created before the change, enforce HTTPS-only so that plaintext HTTP is not accepted on the default hostname, and verify the other channels to and from the app (deployment endpoints such as FTP, backend connections, and so on).
Azure App Service Certificates
Azure App Service Certificates allows you to buy HTTPS certificates directly from Azure.
This service is integrated with Azure App Service to automatically deploy the certificate to your Web App. It is also integrated with Azure Key Vault (see below) to store the certificate securely.
App Service Certificates can also be a valuable tool to manage the lifecycle of your certificates (renew or rekey).
Azure Key Vault
Azure Key Vault provides a convenient and secure way to manage the keys and certificates used to protect network communications. It centralizes your secrets, controls who can read private keys through access policies or Azure RBAC, can renew certificates automatically (for certificates issued by an integrated CA) or alert you before one expires, can deploy certificates to virtual machines, and much more.
Other PaaS Services
Many Azure PaaS services can be publicly exposed, and they use different security protocols to encrypt data on the network. Most of the time, interfaces based on HTTPS support TLS 1.2 but may still accept older TLS versions for compatibility reasons. It is your responsibility to ensure that you do not transmit cardholder data over non-compliant protocols. Where the service exposes its own minimum TLS version setting (Storage accounts and Azure SQL Database do, for instance), set it; otherwise you may have to force the protocol version on the client side, using configuration or code, and verify what is actually negotiated.
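As an added example of the client-side enforcement just mentioned (not code from the original newsletter), the following Python uses the standard library `ssl` module to refuse anything below TLS 1.2 when talking to a service endpoint, reports the protocol actually negotiated, and, as a diagnostic, tries a TLS 1.0-only and a TLS 1.1-only handshake against the endpoint to confirm it refuses them. The host name in the usage note is a placeholder; no network call is made unless you call the probe functions yourself.

```python
"""Force TLS >= 1.2 on the client side and verify what an endpoint negotiates (stdlib only)."""
import socket
import ssl

# Lowest protocol version this guide accepts for HTTPS under requirement 4.1.
COMPLIANT_MIN = ssl.TLSVersion.TLSv1_2


def make_strict_context() -> ssl.SSLContext:
    """Client context that validates the server certificate and refuses anything below TLS 1.2."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED, hostname checking, system trust store
    # Set explicitly so the policy does not depend on the Python/OpenSSL build defaults.
    ctx.minimum_version = COMPLIANT_MIN
    return ctx


def is_compliant_protocol(name: str) -> bool:
    """True for a protocol name, as returned by SSLSocket.version(), that is acceptable under 4.1."""
    return name in ("TLSv1.2", "TLSv1.3")


def negotiated_protocol(host: str, port: int = 443, timeout: float = 5.0) -> str:
    """Open one connection with the strict context and return the protocol actually negotiated.

    Raises ssl.SSLError if the server cannot meet the minimum version, which is the
    behaviour you want in a payment path: fail closed rather than downgrade.
    """
    ctx = make_strict_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.version()


def probe_legacy_offers(host: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Diagnostic only: attempt TLS 1.0-only and TLS 1.1-only handshakes.

    Returns {label: True} when the endpoint accepted that version; a compliant endpoint
    yields False for both. Certificate checks are disabled here because the question is
    purely whether the handshake completes, never use this context to exchange data.
    """
    results = {}
    for label, version in (("TLSv1.0", ssl.TLSVersion.TLSv1), ("TLSv1.1", ssl.TLSVersion.TLSv1_1)):
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
        try:
            ctx.minimum_version = version
            ctx.maximum_version = version
            with socket.create_connection((host, port), timeout=timeout) as raw:
                with ctx.wrap_socket(raw, server_hostname=host):
                    results[label] = True
        except (ssl.SSLError, ValueError, OSError):
            # Handshake refused by the server, or the local OpenSSL build no longer offers
            # that version at all; either way the legacy version was not negotiated.
            results[label] = False
    return results


if __name__ == "__main__":
    import sys

    target = sys.argv[1] if len(sys.argv) > 1 else "example.com"  # placeholder host
    proto = negotiated_protocol(target)
    print(f"{target}: negotiated {proto}, compliant={is_compliant_protocol(proto)}")
    print(f"{target}: legacy offers accepted -> {probe_legacy_offers(target)}")
```

Pass `make_strict_context()` to any stdlib HTTPS client (`urllib.request.urlopen(url, context=ctx)`, `http.client.HTTPSConnection(host, context=ctx)`) so that application code cannot silently fall back to an older version. Note that the probe only tells you what the endpoint is willing to negotiate with your local OpenSSL build; for audit evidence of a public endpoint, pair it with an external scan.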