Instaclustr is very pleased to announce that we have achieved PCI-DSS certification for our Managed Apache Cassandra and Managed Apache Kafka offerings running in AWS. PCI-DSS (Payment Card Industry – Data Security Standard) is a mandated standard for many financial applications and we increasingly see the PCI-DSS controls adopted as the “gold standard” in other industries where the highest standards of security are crucial. PCI-DSS certification adds to our existing SOC 2 accreditation to provide the levels of security assurance required by even the most demanding business requirements.
Overall, this certification effort was the most significant single engineering project in the history of Instaclustr, requiring several person-years of engineering effort to implement well over 100 changes touching every aspect of our systems over the course of several months. We’re very proud that, despite this level of change, impact to our customers has been absolutely minimal and we’re able to deliver another very significant piece of background infrastructure, allowing a wider range of customers to focus their efforts on building innovative business applications based on open source data technologies.
While PCI-DSS compliance may not be required by all customers and is only supported on selected Instaclustr products, most of the security enhancements we have implemented will result in improved levels of security for all our Managed Service customers, regardless of product or platform. The most significant of these changes are:
- Tightening of our admin access environment with technical controls to prevent egress of data via our admin systems.
- Improved logging and auditing infrastructure.
- Tightened operating system hardening and crypto standards.
- Addition of a WAF (Web Application Firewall) in front of our console and APIs.
- More automated scanning, and tightened resolution policies, for code dependency vulnerabilities.
- More frequent security scanning of our central management systems.
- More developer security training.
Customers wishing to achieve full PCI-DSS compliance will need to opt-in when creating a cluster as achieving PCI compliance will enforce a range of more restrictive security options (for example, password complexity in the Instaclustr console and use of Private Network Clusters) and enabling the required additional logging on the cluster incurs a performance penalty of approximately 5%. There are also a set of customer responsibilities that customers must implement for full compliance. Additional technical controls activated for PCI compliant clusters include:
- Logging of all user access to the managed applications (Cassandra, Kafka)
- Locked-down outbound firewall rules
- Second approver system for sudo access for our admins
For full details please see our support page.
Customers with existing clusters who wish to move to full PCI compliance should contact [email protected] who will arrange a plan to apply the new controls to your cluster.
We will be publishing more detail on many of these controls in the coming weeks and holding webinars to cover the Cassandra and Kafka specific implementation details which we expect will be of broad interest. In the meantime, should you have any interest in any further information please contact your Instaclustr Customer Success representative or [email protected] who will be able to arrange technical briefings.