Requirement 4: Encrypt transmission of cardholder data across open, public networks
| PCI DSS Controls | Responsibilities |
|---|---|
| 4.1.x Use strong cryptography and security protocols to safeguard sensitive cardholder data during transmission over open, public networks. | Customers must ensure that transmission channels to and between Azure components (IaaS and SaaS) are encrypted and that this encryption uses industry-approved protocols and algorithms. |
| 4.1.1 Ensure wireless networks transmitting cardholder data or connected to the cardholder data environment use industry best practices to implement strong encryption for authentication and transmission. | Customers must ensure that their on-premises wireless environments, outside the Azure boundary, use strong cryptography and secure protocols. |
| 4.2 Never send unprotected PANs by end-user messaging technologies (for example, e-mail, instant messaging, SMS, chat, etc.). | Customers are responsible for securing PAN transmission. |
| 4.3 Ensure that security policies and operational procedures for encrypting transmissions of cardholder data are documented, in use, and known to all affected parties. | Customers must document the policies and procedures associated with protecting transmissions of cardholder data. |
The Azure Toolbox for Req 4
Azure App Service

In PaaS scenarios, the main Requirement 4 concern is the TLS configuration of web applications exposed to the Internet. In Azure those applications run on Azure App Service or on Azure Functions, the serverless flavour of App Service, which runs on the same platform and exposes the same TLS settings, so everything below applies to both.

For a long time, full PCI DSS compliance was hard to achieve with App Service because the minimum TLS version was not configurable: the platform kept accepting TLS 1.0 and 1.1 from any client.

One workaround was an App Service Environment, which gives you control over the front end's TLS policy so you can disable TLS 1.0 and 1.1. But an ASE is complex and expensive if that is the only reason you need it. Link

Another was to put an Azure Application Gateway in front of the App Service with an SSL policy that accepts only TLS 1.2. This works, but it adds a component the architecture does not otherwise need, and you still have to block direct access to the App Service so that the gateway cannot be bypassed. Link

Azure has since made the minimum TLS version configurable on App Service, and TLS 1.2 is the default for newly created apps. Apps created before the change keep their old setting, so check every existing app and set the minimum explicitly rather than relying on the default. Once the minimum is 1.2, the TLS version requirement is met for that endpoint; the remaining transmission paths in the table above still need to be covered. Link1 Link2
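The audit-and-fix loop described above, as an added example that is not part of the original post: it walks every App Service and Function App visible to the signed-in Azure CLI account, raises the minimum TLS version to 1.2 where it is lower, switches the app to HTTPS only, and then probes the public endpoint with openssl to confirm that TLS 1.0 and 1.1 handshakes are refused. It assumes `az` is installed and logged in and `openssl` is on PATH; the host name `contoso-payments.azurewebsites.net` is illustrative.

```shell
#!/usr/bin/env bash
# Added example, not part of the original post: audit every App Service and
# Function App the signed-in account can see, raise the minimum TLS version
# to 1.2 where it is lower, and verify the result from outside Azure.
# Assumptions: Azure CLI (`az`) is installed and logged in (`az login`);
# `openssl` is on PATH; host names and resource names are illustrative.
set -eu

REQUIRED_TLS="1.2"

# 0 (true) when a configured minimum TLS version meets Requirement 4.
# App Service only accepts the literal values 1.0, 1.1, 1.2 (and 1.3 on
# newer stacks), so a string match is enough; anything else is non-compliant.
tls_is_compliant() {
  case "${1:-}" in
    1.2|1.3) return 0 ;;
    *)       return 1 ;;
  esac
}

# Current minimum TLS version of one app. $1 = webapp | functionapp
current_min_tls() {
  az "$1" config show --name "$2" --resource-group "$3" \
     --query minTlsVersion -o tsv
}

# Walk all apps of one kind; report compliant ones, fix the rest.
# App names cannot contain whitespace, so `read` splitting the TSV is safe.
audit_and_fix() {
  kind="$1"
  az "$kind" list --query "[].[name,resourceGroup]" -o tsv |
  while read -r name rg; do
    current="$(current_min_tls "$kind" "$name" "$rg")"
    if tls_is_compliant "$current"; then
      printf 'OK      %s %s/%s minTlsVersion=%s\n' "$kind" "$rg" "$name" "$current"
    else
      printf 'FIXING  %s %s/%s minTlsVersion=%s -> %s\n' \
             "$kind" "$rg" "$name" "$current" "$REQUIRED_TLS"
      az "$kind" config set --name "$name" --resource-group "$rg" \
         --min-tls-version "$REQUIRED_TLS" -o none
      # Raising the TLS floor does nothing for plain-HTTP requests, so also
      # redirect HTTP to HTTPS; httpsOnly is a property of the app resource.
      az "$kind" update --name "$name" --resource-group "$rg" \
         --set httpsOnly=true -o none
    fi
  done
}

# Black-box check of a public endpoint: after the fix, TLS 1.0 and 1.1
# handshakes must fail and TLS 1.2 must succeed. Works for any HTTPS host,
# not only App Service. -servername is required because the App Service
# front end selects the certificate by SNI.
verify_endpoint() {
  host="$1"
  for ver in tls1 tls1_1 tls1_2; do
    if openssl s_client -connect "$host:443" -servername "$host" "-$ver" \
         </dev/null >/dev/null 2>&1; then
      printf '%s: -%s handshake ACCEPTED\n' "$host" "$ver"
    else
      printf '%s: -%s handshake rejected\n' "$host" "$ver"
    fi
  done
}

# Run only when explicitly asked, so the functions can be sourced and tested.
if [ "${1:-}" = "--apply" ]; then
  audit_and_fix webapp
  audit_and_fix functionapp
  verify_endpoint "${2:-contoso-payments.azurewebsites.net}"   # illustrative host
fi
```

Run it as `./tls-audit.sh --apply my-app.azurewebsites.net`. One caveat on the verification step: a "rejected" line for `-tls1` or `-tls1_1` can also mean that your local OpenSSL build no longer offers that protocol at all, so confirm with `openssl s_client -help` that the option exists before treating the rejection as evidence about the server.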
Azure App Service Certificates

Azure App Service Certificates lets you buy HTTPS certificates directly from Azure. The service is integrated with App Service, so the certificate is deployed to your web app automatically, and with Azure Key Vault (see below), which stores the certificate securely. It is also a convenient way to manage the lifecycle of your certificates (renewal and rekeying).
Azure Key Vault

Azure Key Vault provides a convenient and secure way to manage the keys and certificates that protect network communications. It centralizes your secrets, controls who may use the private keys through access policies or Azure RBAC, can renew certificates automatically or notify you before one expires, can deliver certificates to virtual machines, and much more.
Many other Azure PaaS services can be exposed publicly, and each uses its own protocols to encrypt data on the network. Most HTTPS interfaces support TLS 1.2 but may still accept older TLS versions for compatibility. It is your responsibility to make sure cardholder data never travels over a non-compliant protocol: where the service does not let you raise the minimum version on the server side, force TLS 1.2 from the client side, through configuration or code, and confirm with a handshake test which version is actually negotiated.