
Achieving PCI-DSS Compliance With Isovalent, Cilium, and Zero Trust

Roland Wolters

Schuberg Philis was tasked with helping a customer migrate their PCI-DSS compliant workloads from on-prem to cloud infrastructure. With the help of Isovalent and Cilium, they were able to migrate successfully while maintaining a strong focus on PCI-DSS, zero trust, and multi-tenancy. Listen to Stephen Hoekstra and Marcel Bezemer share their journey at KubeCon, or read the summary below.

Running PCI-DSS Certified Kubernetes Workloads in the Public Cloud

KubeCon recording of PCI-DSS migration talk by Stephen Hoekstra and Marcel Bezemer.


Company & Customer Profile

Schuberg Philis (SBP) is a Dutch IT company that provides mission-critical IT services for vital industries, such as financial services, retail, and energy. SBP has only one KPI: 100% customer satisfaction. Their self-steering teams, with experts in the lead, are responsible for the whole plan, build, and run.

Schuberg Philis contacted the Cilium experts at Isovalent to help with one of SBP’s customers in the financial services industry. The customer needed to migrate from on-prem to a cloud native solution while maintaining compliance. The customer is a payment processor for different industries (retail, parking, petrol, travel, and entertainment) and they process millions of transactions daily. As such, they are highly regulated by the De Nederlandsche Bank, the Dutch central bank. One of their core requirements was to comply with the “Payment Card Industry Data Security Standard”, PCI-DSS.

With Isovalent Enterprise for Cilium, SBP was able to support a cloud-based PCI-DSS turnkey solution for their mission-critical client.

Challenge: PCI-DSS

Mission-Critical engineers at Schuberg Philis were supporting the migration of a customer’s PCI-DSS environment from on-prem to the cloud. The challenge was ensuring a cloud environment that would require only minimal operational effort to become and stay PCI-DSS compliant.

Key requirements were:

  • Zero-trust networking: An essential piece for PCI-DSS compliance, enabling SBP to secure their Kubernetes environment by locking down the cluster.
  • Multi-tenancy: Allows multiple application owners independent access to cluster resources and prevents the cluster operation team from becoming bottlenecks.
  • (bonus) Easy to run: Simple to set up and run, both from a platform operator and from an application user perspective. The SBP team did not want to become “firewall administrators”.

Solution: Cilium and Zero Trust

Isovalent Enterprise for Cilium was seamlessly integrated into the AWS environment, providing a powerful and user-friendly interface that facilitated network security and observability. Isovalent Enterprise for Cilium’s notable features included:

  • Default Deny Policies: Ensured strict control over network traffic, allowing only necessary protocols and preventing unauthorized access.
  • Multi-Tenancy Support: Enabled application developers to create secure network policies independently, promoting a culture of critical assessment and tailored policy crafting.
  • Enhanced Observability with Hubble and Hubble Timescape: Provided real-time visibility into data flows and the ability to export them to a SIEM, crucial for auditability and traceability, key components of PCI-DSS compliance.
  • Traffic Engineering: Leveraged Cilium’s egress gateway to route specific traffic based on labels, addressing the challenge of securely accessing on-prem services without exposing the entire subnet.
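As an added illustration of the default-deny approach described above (this is not Schuberg Philis’ or Isovalent’s own configuration), the following Cilium manifests put one tenant namespace into default deny and then re-allow only the flows a workload needs. The namespace, pod labels, and service names are constructed placeholders.

```yaml
# Added example, not the case study's own manifests; names and labels are placeholders.
---
# Default deny for every pod in the tenant namespace: an empty ingress and
# egress rule enables enforcement in both directions without allowing anything.
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
  name: default-deny
  namespace: tenant-payments
spec:
  endpointSelector: {}
  ingress:
  - {}
  egress:
  - {}
---
# Re-allow only what the workload needs. Egress default deny also blocks DNS,
# so the kube-dns rule below is required before any name-based access works.
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
  name: payment-api-allow-egress
  namespace: tenant-payments
spec:
  endpointSelector:
    matchLabels:
      app: payment-api
  egress:
  - toEndpoints:
    - matchLabels:
        io.kubernetes.pod.namespace: kube-system
        k8s-app: kube-dns
    toPorts:
    - ports:
      - port: "53"
        protocol: UDP
      rules:
        dns:
        - matchPattern: "*"
  - toEndpoints:
    - matchLabels:
        app: ledger
    toPorts:
    - ports:
      - port: "443"
        protocol: TCP
```

Anything not matched by the allow rule (for example a pod in another tenant namespace, or the same pod reaching the ledger service on a different port) is dropped and shows up in Hubble as a policy-denied flow, which is what makes the posture demonstrable to an auditor.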

For SBP’s platform team, Cilium had an immediate impact on the visibility of their cluster. There is an anecdote the team likes to share. Shortly after they installed their cluster with Cilium, a colleague was running a stress-testing application that, by accident, started to have a detrimental effect on the environment. Even though this was a new situation for a team with little Cilium experience at the time, it took them only 15 minutes to:

  • See the process that was causing the traffic.
  • Identify the pod generating the traffic.
  • Find the Kubernetes role.
  • Figure out who had logged in with that role.
  • And track down the actual colleague.

For the team, this impressive performance, without any practice in such situations, was proof of the unique potential of Cilium.

Benefits for the customer

“The business value that we get from Cilium Enterprise […] is the Zero Trust Policy, the default deny, really making sure the applications are only talking to what they need to talk to.” – Stephen Hoekstra, Mission Critical Engineer

The implementation of Cilium brought about significant improvements.

  • Enhanced Security: Default deny policies and transparent encryption (node-to-node and pod-to-pod) significantly bolstered security measures.
  • Improved Visibility: Hubble’s UI and metrics provided comprehensive insights into network flows, aiding in swiftly identifying and mitigating threats.
  • Efficient Policy Management: Developers could efficiently manage and troubleshoot network policies using Hubble, reducing the operational burden on Schuberg Philis’ cluster platform team.

In short, Isovalent Enterprise for Cilium enabled SBP to run a PCI-DSS compliant container platform with a focus on Zero Trust. The core components of PCI-DSS are traceability and the ability to be audited. With Cilium, stakeholders could see data flows in real-time, export them, and demonstrate this to an auditor.

Partnership with Isovalent

After a successful initial deployment of Cilium, thanks to its straightforward setup process, partnering with Isovalent was the logical next step. Isovalent’s guidance and ongoing support have been instrumental in achieving SBP’s business goals. Key aspects of this partnership included:

  • Expert Consultation: On default deny policies and security postures.
  • Comprehensive Support: Facilitated the smooth onboarding and integration of Cilium into Schuberg Philis’ infrastructure.
  • Continuous Improvement: Ensured that Schuberg Philis stayed ahead of the curve with the latest in Cilium and Kubernetes security features.

In addition, on-site workshops provided hands-on experience with general usage as well as with specific features SBP planned to use in the future.

Learn more

Schuberg Philis’ successful journey to PCI-DSS compliance showcases the critical role of Cilium, its Zero Trust capabilities, and the strategic partnership with Isovalent. By leveraging Cilium’s advanced security and observability features, Schuberg Philis meets stringent compliance requirements while significantly enhancing its operational efficiency and security posture. The results underscore the value of robust, scalable solutions in achieving and maintaining compliance in highly regulated environments.

Roland Wolters, Head of Technical Marketing, Isovalent
