Feature Releases Technical — Elasticsearch Friday 4th June 2021

Instaclustr Announces PCI-DSS Certification for Elasticsearch

By Instaclustr

Instaclustr is pleased to announce the addition of Managed Elasticsearch to our PCI-DSS certified offerings running in AWS. Our service is based on Open Distro for Elasticsearch which will soon be updated to OpenSearch. Managed Elasticsearch joins our PCI-DSS certified Apache Cassandra and Apache Kafka offerings. 

PCI-DSS (Payment Card Industry – Data Security Standard) is a mandated standard for many financial applications and we increasingly see the PCI-DSS controls adopted as the “gold standard” in other industries where the highest standards of security are crucial. PCI-DSS certification and SOC 2 accreditation combine to provide the levels of security assurance required by even the most demanding business requirements. 

Customers wishing to achieve full PCI-DSS compliance will need to opt-in when creating an Elasticsearch cluster, as achieving PCI compliance will enforce a range of more restrictive security options (for example, password complexity in the Instaclustr console). Enabling the required additional logging on the cluster does incur a performance penalty. Customers wishing to extend their PCI Elasticsearch cluster to include Kibana will be required to use an Open Identity Connect (OIDC) SSO provider for Kibana authentication. There are additional customer responsibilities involved to achieve full compliance. For more detailed information, please see our support page.

With the recertification of our existing Apache Cassandra and Apache Kafka offerings, the following enhancements have also been made:

  • Private Network Clusters are now optional
  • Console SSO is supported
  • Requirements for the encryption of cardholder data have been revised to now only require encryption of the Primary Account Number (PAN). This is significant for Elasticsearch as it allows additional flexibility for customers, for example to search by customer name in Kibana.

In addition to meeting PCI-DSS compliance for customers who require it, the security enhancements we’ve implemented will result in improved levels of security for all our managed service customers, regardless of product or platform. When looking specifically at Kibana, Instaclustr supports connecting your Instaclustr-provisioned Kibana instance to an Open Identity Connect (OIDC) SSO provider, which provides an enhanced user experience. 

Customers with existing clusters who wish to move to full PCI-DSS compliance should contact support@instaclustr.com to apply the new controls to your cluster.

Should you have any interest in any further information, please contact your Instaclustr Customer Success representative or sales@instaclustr.com to arrange technical briefings.