PCI, CASB, CNAPP, and Other Letters
Posted by: Carla Brinker
Authors: Carla Brinker and Kyle Koppe
Cloud computing is incredibly popular, yet at an organizational level it can still be mysterious. It is so easy to stand up a new presence “in the cloud” that it is difficult for an organization to know everything it has in the cloud, let alone secure it. Two technologies that assist with security are Cloud Access Security Brokers (CASBs) and Cloud-Native Application Protection Platforms (CNAPPs).
CASBs are security tools that sit between cloud service users and cloud service providers. The CASB enforces security, compliance, and governance policies. The CASB provides visibility into cloud usage and allows for the enforcement of security controls. For PCI, a CASB is useful to monitor and control access to sensitive data stored in the cloud. A CASB can also encrypt data in transit and at rest and provide insight into user activities to detect and respond to potential threats. Think of it as a firewall for clouds.
The adoption of cloud services has fundamentally transformed the way organizations deploy and manage their IT infrastructure, pushing it toward a more software-defined and automated landscape. The methodologies for securing that infrastructure have evolved along with it to address the new challenges and complexities of cloud environments. This shift has required a move from traditional, perimeter-based security models to more integrated and holistic solutions that can provide comprehensive visibility and control across diverse cloud services such as AWS, Azure, GCP, and OCI. Enter Cloud-Native Application Protection Platforms (CNAPPs), which emerged as a direct response to these evolving needs.
CNAPPs offer a holistic approach to security by providing a graph-based platform that allows security teams to gain deep insights into their IT assets. CNAPPs allow teams to understand what software (and that software’s associated vulnerabilities) is running in their cloud-based compute environments whether that compute is virtualized, containerized, or serverless. This in-depth visibility is crucial for organizations aiming to achieve and maintain compliance with standards like the Payment Card Industry Data Security Standard (PCI DSS), as it ensures that all software components comply with stringent security requirements.
Moreover, CNAPPs can map which human and machine identities have access to which cloud resources, highlighting cloud identities that may pose a risk to your organization. This capability is particularly relevant for meeting PCI DSS requirements, which mandate strict access controls and monitoring of user access to cardholder data. By providing clear insights into access patterns and permissions, CNAPPs help organizations ensure that only authorized personnel can access sensitive data, thus strengthening their compliance posture.
Lastly, CNAPPs identify insecure configurations throughout the lifecycle of your cloud resources. By integrating into the development lifecycle of cloud-based applications, providing container, infrastructure-as-code, and secrets scanning, CNAPPs play a pivotal role in ensuring compliance with PCI DSS. This standard requires secure configurations for all system components, and by shifting focus upstream into the development process, CNAPPs enable organizations to highlight potential misconfigurations and deviations from PCI DSS standards faster and earlier, oftentimes before the technology is even deployed to a live environment. This proactive approach not only aids in achieving compliance but also maintains it by ensuring ongoing adherence to security best practices in the cloud.
These two technologies assist with many PCI requirements. At a high level:
- Requirement 1 for firewalls
- Requirement 2 for password policies
- Requirements 3 and 4 for encrypted data at rest and in transit
- Requirement 5 for malware
- Requirement 6 for the security of cloud applications
- Requirements 7 and 8 for access control
- Requirement 10 for logging
- Requirement 11 for vulnerability assessment and penetration testing
- Requirement 12 for detecting events of interest in support of incident response
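As an added example (not code from this post or from any CASB or CNAPP product), the following Python script runs the kind of configuration and identity checks a CNAPP applies over a small constructed cloud inventory, tagging each finding with the PCI DSS requirement it relates to from the list above. The inventory format, resource names, and check names are assumptions made for the illustration.

```python
"""CNAPP-style policy checks over a constructed cloud inventory (added
example; the inventory shape is an assumption, not a real CNAPP export)."""
import json

# Constructed sample inventory: one storage bucket holding cardholder data with
# several weak settings, one correctly configured bucket, and two identities.
INVENTORY = json.loads("""
{
  "storage": [
    {"name": "cardholder-archive", "encrypted_at_rest": false, "public": true,
     "tls_only": false, "access_logging": false},
    {"name": "app-assets", "encrypted_at_rest": true, "public": false,
     "tls_only": true, "access_logging": true}
  ],
  "identities": [
    {"name": "ci-deployer", "kind": "machine", "policies": ["*:*"],
     "resources": ["cardholder-archive"]},
    {"name": "jdoe", "kind": "human", "policies": ["storage:GetObject"],
     "resources": ["app-assets"]}
  ]
}
""")

def check_storage(bucket):
    """Return (resource, PCI requirement, message) for each weak setting."""
    findings = []
    if not bucket["encrypted_at_rest"]:
        findings.append(("Req 3", "stored data not encrypted at rest"))
    if not bucket["tls_only"]:
        findings.append(("Req 4", "plaintext transport permitted"))
    if bucket["public"]:
        findings.append(("Req 7", "publicly readable"))
    if not bucket["access_logging"]:
        findings.append(("Req 10", "access logging disabled"))
    return [(bucket["name"], req, msg) for req, msg in findings]

def check_identity(identity):
    """Flag wildcard policies: they break least privilege (Req 7) on every
    resource the identity can reach."""
    if any("*" in policy for policy in identity["policies"]):
        reach = ", ".join(identity["resources"])
        return [(identity["name"], "Req 7",
                 f"{identity['kind']} identity has wildcard privileges on {reach}")]
    return []

def scan(inventory):
    """Run every check and return the combined list of findings."""
    findings = []
    for bucket in inventory["storage"]:
        findings.extend(check_storage(bucket))
    for identity in inventory["identities"]:
        findings.extend(check_identity(identity))
    return findings

if __name__ == "__main__":
    for name, req, msg in scan(INVENTORY):
        print(f"{req:7} {name}: {msg}")
```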
CASBs secure cloud services and enforce security policies. CNAPPs secure cloud-based environments and add visibility throughout your IT infrastructure. The choice between the two depends on the specific security requirements and needs of an organization. For assistance in deciding which technology is best for your environment, contact us to reach a GuidePoint Security expert.
Carla Brinker
Principal Cybersecurity Consultant,
GuidePoint Security
Carla Brinker, Principal Cybersecurity Consultant at GuidePoint Security, began her career in the security industry in 2000. Her professional experience includes PCI assessments ranging from Fortune 25 companies to small companies, risk assessments, IT governance, oversight of new controls implementation, technical writing, and security education. She has both led and participated in assessments for industries such as banking, retail, ecommerce, and hospitality and has managed teams of consultants delivering information security services. Carla holds several industry certifications, including Certified Information Security Assessor (CISA), Certified Information Security Manager (CISM), and PCI Qualified Security Assessor (PCI QSA).