Objectives
PCI DSS controls
Responsibilities
Microsoft Azure is solely responsible for:
- 1.3.3 - Implement anti-spoofing measures to detect and block forged source IP addresses from entering the network.
- 1.3.5 - Permit only “established” connections into the network.
Customers are solely responsible for:
- 1.1.2 - Maintaining a current diagram that identifies all networks, network devices, and system components, with all connections between the CDE and other networks.
- 1.1.3 - Diagramming all cardholder data flows across systems and networks.
- 1.1.5 - Establishing defined roles and responsibilities to oversee implementation of the information security policy across their in-scope environment.
- 1.1.6 - Documenting business justification for use of all services, protocols, and ports allowed that are configured by the customer.
- 1.1.7 - Establishing a policy and conducting a review of all firewalls and Microsoft Azure network controls that are configured by the customer at least semi-annually.
- 1.2 - Clearly identifying and segmenting data networks to isolate the CDE.
- 1.2.1 - Configuring the Microsoft Azure application firewall to allow only a specified range of IP addresses to access Microsoft Azure services, and verifying that firewall and Microsoft Azure native networking controls contain a deny-all rule at any CDE boundary.
- 1.2.2 - Synchronizing configurations for Microsoft Azure native network controls under their management (if any).
- 1.2.3 - Configuring firewalls and Microsoft Azure network controls that are configured by the customer between any on-premises wireless environments and their IaaS instances.
- 1.3.1 - Implement a DMZ to limit inbound traffic to only system components that provide authorized publicly accessible services, protocols, and ports.
- Customers are responsible for implementing a DMZ network for their CDE and ensuring only authorized services, ports and protocols are accessible.
- 1.3.2 - Implementing a DMZ network for their CDE and ensuring only authorized services, ports and protocols are accessible.
- 1.3.4 - Ensuring firewall, Microsoft Azure network controls they have access to, and SQL Server firewall settings prevent unauthorized outbound traffic from the in-scope environment to the Internet.
- 1.4 - Ensuring personal firewall software has been installed on any portable devices that connect to their CDE from the Internet.
Shared responsibilities
For the two controls below, Microsoft Azure is responsible for network configurations that customers are not able to alter.
- 1.1.1 - A formal process for approving and testing all network connections and changes to the firewall and router configurations.
- 1.1.4 - Requirements for a firewall at each Internet connection and between any demilitarized zone (DMZ) and the internal network zone.
- Microsoft Azure employs network-based and host-based boundary protection devices such as firewalls, load balancers, and ACLs. These devices use mechanisms such as VLAN isolation, NAT and packet filtering to separate customer traffic from Internet and management traffic.
- Customers are required, at subscription time, to configure the Azure application firewall to allow only a specified range of IP addresses to access Microsoft Azure VMs in their CDE.
- Microsoft Azure is responsible for ensuring proper separation of customer traffic from management traffic.
- Customers are responsible for proper placement of cardholder data storage instances within their defined in-scope networks.
- Microsoft Azure is responsible for ensuring proper separation of customer traffic from management traffic. Microsoft Azure uses Network Address Translation (NAT) and network segregation to separate customer traffic from management traffic. Azure devices are uniquely identified by their UUID and are authenticated using Kerberos. Azure managed network devices are identified by RFC 1918 IP addresses.
- Customers are responsible for ensuring servers containing cardholder data are placed behind proxy servers/firewalls and use RFC 1918 address space.
Segmentation
To control the cost of their certification, organizations strive to shrink the scope of the assessment as much as possible. Segmentation is the primary mechanism used for this purpose: it isolates the CDE from components that don't store, process or transmit cardholder data. In a traditional data center you would use networking functions such as firewalls, switches, VLANs and load balancers. In Azure you can use cloud analogues for all these controls. They are listed below.
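In Azure, the subnet boundary of a CDE is ultimately enforced by Network Security Group rules, which the platform evaluates in ascending priority order, the first match deciding, with the built-in default rules (priority 65000 and above) sitting behind the customer's own rules. The following example is added for this page and is not code from the original text or from any Microsoft tool: it evaluates a constructed NSG rule set, laid out in the JSON field names the Azure CLI exports, and produces the findings a reviewer would raise during the rule review: allow rules open to any source (1.1.6) and the absence of an explicit customer deny-all at the CDE boundary (1.2.1). The VNet range, rule names, addresses and the default-rule list are assumptions, and the service-tag handling is simplified to what the audit needs.

```python
"""Offline audit of an Azure NSG rule set in the shape of `az network nsg rule list -o json`.

All data below is constructed for illustration; it is not a real configuration.
"""
import ipaddress

CDE_VNET = "10.20.0.0/16"  # assumption: the VNet range behind the VirtualNetwork service tag


def _rule(name, priority, direction, access, protocol, src, dst, dport):
    """Build a rule dict using the field names of the Azure CLI JSON output."""
    return {"name": name, "priority": priority, "direction": direction, "access": access,
            "protocol": protocol, "sourceAddressPrefix": src,
            "destinationAddressPrefix": dst, "destinationPortRange": dport}


# Constructed sample NSG attached to a CDE subnet (10.20.5.0/24).
SAMPLE_RULES = [
    _rule("allow-https-from-waf", 100, "Inbound", "Allow", "Tcp", "10.20.1.0/24", "10.20.5.0/24", "443"),
    _rule("allow-rdp-any", 200, "Inbound", "Allow", "Tcp", "*", "*", "3389"),
    _rule("deny-all-inbound-cde", 4000, "Inbound", "Deny", "*", "*", "*", "*"),
    # Platform default rules: present in every NSG and only overridable by lower priority numbers.
    _rule("AllowVnetInBound", 65000, "Inbound", "Allow", "*", "VirtualNetwork", "VirtualNetwork", "*"),
    _rule("AllowAzureLoadBalancerInBound", 65001, "Inbound", "Allow", "*", "AzureLoadBalancer", "*", "*"),
    _rule("DenyAllInBound", 65500, "Inbound", "Deny", "*", "*", "*", "*"),
]


def _prefix_matches(prefix, ip, vnet):
    """Simplified service tags: '*' is anything, 'Internet' is anything outside the VNet,
    'VirtualNetwork' is the VNet range, 'AzureLoadBalancer' is the platform probe address."""
    if prefix == "*":
        return True
    if prefix == "Internet":
        return ip not in vnet
    if prefix == "VirtualNetwork":
        return ip in vnet
    if prefix == "AzureLoadBalancer":
        return ip == ipaddress.ip_address("168.63.129.16")
    return ip in ipaddress.ip_network(prefix, strict=False)


def _port_matches(port_range, port):
    if port_range == "*":
        return True
    if "-" in port_range:
        low, high = (int(p) for p in port_range.split("-"))
        return low <= port <= high
    return int(port_range) == port


def evaluate(rules, direction, src_ip, dst_ip, dst_port, protocol, vnet_cidr=CDE_VNET):
    """Return (access, rule_name) of the first matching rule in priority order,
    which is how the platform decides; the default DenyAll catches everything else."""
    vnet = ipaddress.ip_network(vnet_cidr)
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for r in sorted(rules, key=lambda r: r["priority"]):
        if r["direction"] != direction:
            continue
        if r["protocol"] != "*" and r["protocol"].lower() != protocol.lower():
            continue
        if not (_prefix_matches(r["sourceAddressPrefix"], src, vnet)
                and _prefix_matches(r["destinationAddressPrefix"], dst, vnet)
                and _port_matches(r["destinationPortRange"], dst_port)):
            continue
        return r["access"], r["name"]
    return "Deny", "implicit"


def audit(rules, direction="Inbound"):
    """Findings for the semi-annual rule review: customer allow rules open to any source,
    and whether the customer placed an explicit deny-all ahead of the platform defaults."""
    findings = []
    customer = [r for r in rules if r["priority"] < 65000 and r["direction"] == direction]
    for r in sorted(customer, key=lambda r: r["priority"]):
        if r["access"] == "Allow" and r["sourceAddressPrefix"] in ("*", "Internet"):
            findings.append(f"{r['name']}: allows {direction.lower()} traffic from "
                            f"{r['sourceAddressPrefix']} to port {r['destinationPortRange']}; "
                            f"needs documented justification (1.1.6)")
    deny_all = [r for r in customer if r["access"] == "Deny" and r["protocol"] == "*"
                and r["sourceAddressPrefix"] == "*" and r["destinationAddressPrefix"] == "*"
                and r["destinationPortRange"] == "*"]
    if not deny_all:
        findings.append(f"no explicit customer deny-all {direction.lower()} rule (1.2.1)")
    return findings


if __name__ == "__main__":
    print(evaluate(SAMPLE_RULES, "Inbound", "203.0.113.7", "10.20.5.4", 3389, "Tcp"))
    for direction in ("Inbound", "Outbound"):
        for finding in audit(SAMPLE_RULES, direction):
            print(f"FINDING [{direction}]: {finding}")
```

Running it on the sample flags the RDP rule and the missing outbound deny-all. Note what the evaluator shows for a VNet source on port 22: the customer deny-all at priority 4000 shadows the default AllowVnetInBound, which is the intended effect at a CDE boundary, but it equally shadows AllowAzureLoadBalancerInBound, so a subnet behind a load balancer needs an explicit allow for the AzureLoadBalancer tag placed ahead of the deny-all or its health probes fail.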
The Azure Toolbox for Req 1.
| Service | Description |
|---|---|
| Virtual Network (VNet) | Azure VNet is a service that provides the equivalent of a physical network in the cloud. It is the core component for building the backbone of an IaaS infrastructure. Using multiple VNets in an infrastructure can be useful to isolate parts of your system. Communication between VNets requires network routes that you control. Furthermore, each VNet is associated with an IP range which can be divided into subnets. This brings an even finer granularity to your isolation logic, as you can build firewall rules based on specific subnet IPs. |
| Network Security Group (NSG) | Azure NSG is a free service to implement a firewall in an IaaS scenario. It implements a packet filtering mechanism that can protect either a network or a virtual machine. For each NSG in your network infrastructure, a list of inbound and outbound security rules controls IP traffic by allowing or denying packets based on their source and destination IPs, protocol and ports. The NSG rules are subject to the semi-annual review (1.1.7). Should Azure NSG not satisfy your needs, you can opt for a full-featured firewall by using Azure Partner Network Appliances. While this option is quite expensive, it can handle advanced configurations and is very scalable. |
| ExpressRoute | ExpressRoute is an Azure service that extends your on-premises network to the cloud. Your existing network is connected using a dedicated private connection that does not go over the public Internet. This provides speed, reliability and a very secure communication link. Keep in mind that implementing this kind of solution needs careful planning and depends on your ability to connect to a network provider that offers this service. |
| VPN Gateway | An Azure VPN Gateway is a Virtual Network Gateway that connects a VNet to another network location using a VPN tunnel. A VPN Gateway can handle both permanent connectivity (site-to-site) and on-demand connections (point-to-site). A multi-site infrastructure can benefit from Azure VPN Gateway by creating a permanent link between each site. Using site-to-site connections is like building an IPsec VPN tunnel with physical VPN appliances. In fact, it is compatible, and you can even create a VPN link between an Azure Gateway and your physical appliance. The point-to-site feature is frequently used as an entry point for the administration of a cloud platform. In such a scenario, public interfaces of your systems are locked down and the only way to administer virtual machines is through the VPN. |
| Load Balancer | Azure Load Balancer is an important network element when designing scalable infrastructures. It distributes traffic between public or internal services, using Network Address Translation (NAT) to map IP ports. An Azure Load Balancer can contain NAT rules that redirect incoming traffic to specific IP addresses. Using a load balancer can help control network traffic by itself or in combination with an NSG. |
| Application Gateway | Azure Application Gateway is a layer 7 load balancer that can act as a Web application firewall and as a reverse proxy (offloading HTTPS encryption, for example). It can be a critical element for the security of a network infrastructure, especially if you need to filter application content, inspect HTTPS traffic or add TLS on top of an HTTP-only service. Note that the use of this service should be considered carefully, as it can introduce a performance bottleneck. |
| SQL Database Firewall | Azure SQL Database is a PaaS service that hosts your SQL Server databases in Azure in a managed way. It comes with a firewall feature that filters incoming connections based on the source IP of the SQL client or Web service. By using this feature at the server level or at the database level, you can restrict public access to your databases, which is compulsory to comply with 1.3.6. The rules of this firewall are subject to the semi-annual review (1.1.7). |
| App Service Environment (ASE) | An ASE provides a dedicated and isolated environment to run Web-based applications. It guarantees security and performance and is recommended in large scale scenarios. An ASE is an infrastructure by itself. It is based on a VNet and integrates a Load Balancer. You should decide early if your solution must make use of ASEs because it can be a structuring factor. Using the dedicated resources of an ASE has an interesting side-effect: it ensures that the outgoing traffic of your Web Apps always uses the same IP address. This can be a critical need in a PaaS scenario where you want to filter the traffic to your databases to comply with 1.3.6. Using ASEs also has serious drawbacks, the first one being their very high cost. But it also brings technical constraints like long provisioning times and limited control over the allowed SSL/TLS protocols. |
| VNet Service Endpoint | This newly proposed service creates a bridge between an IaaS infrastructure and PaaS services. It creates a direct link between a private virtual network and a public Azure service, like Azure Storage or Azure SQL Database, the only two services supporting this new feature for the time being. This ensures that the network traffic between a client and a server remains on the Microsoft Azure backbone network instead of being public. VNet Service Endpoint is a key feature to build a secure network infrastructure. It solves security concerns typically associated with public PaaS services. A frequent usage is to secure a database by removing connectivity via its public IP and allowing your client applications to reach the database only via a specific VNet. |
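To make the SQL Database firewall review concrete, here is an added example written for this page (it is not code from the original text or from Microsoft) that audits a constructed export of server-level IP rules and VNet rules. It flags the two rule shapes that defeat the intent of 1.3.6: a range spanning 0.0.0.0 to 255.255.255.255, which admits the whole Internet, and the 0.0.0.0 to 0.0.0.0 entry that the "Allow Azure services" switch creates under the name AllowAllWindowsAzureIps, which admits any Azure-hosted client in any subscription rather than only your own. It also treats the absence of any VNet rule as a finding, since the service endpoint path described above is how public connectivity is removed altogether. The 256-address width threshold, the rule names, the addresses and the subnet id are assumptions.

```python
"""Offline audit of Azure SQL server-level firewall rules and VNet rules.

Input shape follows `az sql server firewall-rule list -o json` and
`az sql server vnet-rule list -o json` (only the fields used here).
All sample data is constructed for illustration.
"""
import ipaddress

MAX_RANGE_SIZE = 256  # assumption: a range wider than a /24 is reported as a finding

# Constructed IP rules. The first one is what the "Allow Azure services" switch creates.
SAMPLE_IP_RULES = [
    {"name": "AllowAllWindowsAzureIps", "startIpAddress": "0.0.0.0", "endIpAddress": "0.0.0.0"},
    {"name": "temp-dev-access", "startIpAddress": "0.0.0.0", "endIpAddress": "255.255.255.255"},
    {"name": "office-egress", "startIpAddress": "198.51.100.10", "endIpAddress": "198.51.100.12"},
    {"name": "partner-block", "startIpAddress": "203.0.113.0", "endIpAddress": "203.0.114.255"},
]

# Constructed VNet rule (service endpoint based); the subnet id is a placeholder, not a real path.
SAMPLE_VNET_RULES = [
    {"name": "cde-app-subnet",
     "virtualNetworkSubnetId": "/subscriptions/<sub-id>/resourceGroups/<rg>/providers/"
                               "Microsoft.Network/virtualNetworks/cde-vnet/subnets/app"},
]


def _bounds(rule):
    """Start and end of a rule as integers so range width and membership are simple arithmetic."""
    return (int(ipaddress.ip_address(rule["startIpAddress"])),
            int(ipaddress.ip_address(rule["endIpAddress"])))


def classify_ip_rule(rule):
    """Classify one server-level IP rule by how much of the Internet it admits."""
    start, end = _bounds(rule)
    if end < start:
        return "invalid"
    if start == 0 and end == 0:
        return "any-azure-resource"   # platform switch, not a real address range
    width = end - start + 1
    if width == 2 ** 32:
        return "open-to-internet"
    if width > MAX_RANGE_SIZE:
        return "wide-range"
    return "ok"


def admits_client(ip_rules, client_ip):
    """True if a public client address falls inside at least one IP rule.
    The 0.0.0.0-0.0.0.0 switch is skipped because it does not describe client addresses."""
    ip = int(ipaddress.ip_address(client_ip))
    for r in ip_rules:
        start, end = _bounds(r)
        if (start, end) == (0, 0):
            continue
        if start <= ip <= end:
            return True
    return False


def audit_sql_firewall(ip_rules, vnet_rules):
    """Return (rule name, verdict) pairs for every rule that is not 'ok', plus a
    server-level finding when no VNet rule restricts access to a known subnet."""
    findings = [(r["name"], classify_ip_rule(r)) for r in ip_rules
                if classify_ip_rule(r) != "ok"]
    if not vnet_rules:
        findings.append(("(server)", "no-vnet-rule"))
    return findings


if __name__ == "__main__":
    for name, verdict in audit_sql_firewall(SAMPLE_IP_RULES, SAMPLE_VNET_RULES):
        print(f"FINDING: {name}: {verdict}")
    print("192.0.2.1 admitted:", admits_client(SAMPLE_IP_RULES, "192.0.2.1"))
```

The `admits_client` check is useful when removing a broad rule: re-run it with the narrowed rule set for each legitimate client address to confirm that only the documented sources (1.1.6) still reach the server before the change is applied.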