【Azure AKS】为PCI-DSS

语言 Chinese, Simplified

SEO Title

Introduction of an AKS regulated cluster for PCI-DSS 3.2.1 (Part 1 of 9)

开始之前

Microsoft信任中心为与合规性相关的云部署提供了具体原则。由Azure作为云平台和AKS作为主机容器提供的安全保证由第三方合格安全评估员（QSA）定期审核和认证，以确保PCI DSS合规性。

共同责任模式示意图。

与Azure共同承担责任

Microsoft合规团队确保我们的客户可以公开获得Microsoft Azure合规性的所有文档。您可以从服务信任门户的PCI DSS部分下载适用于Azure的PCI DSS合规性证明。责任矩阵概述了Azure和客户之间谁负责每个PCI要求。有关更多信息，请参阅管理云中的合规性。

与AKS共同承担责任

Kubernetes是一个开源系统，用于自动化容器化应用程序的部署、扩展和管理。AKS使在Azure上部署托管Kubernetes集群变得简单。AKS基础架构支持云中的大规模应用程序，是在云中运行企业级应用程序（包括PCI工作负载）的自然选择。部署在AKS集群中的应用程序在部署PCI分类工作负载时具有一定的复杂性。

你的责任

作为工作负载所有者，您最终要对自己的PCI DSS合规性负责。通过阅读PCI要求以了解意图，研究Azure的矩阵，并完成本系列以了解AKS的细微差别，从而清楚地了解您的职责。此过程将使您的实施为成功评估做好准备。

推荐文章

本系列假设：

You're familiar with Kubernetes concepts and workings of an AKS cluster.
You've read the AKS baseline reference architecture.
You've deployed the AKS baseline reference implementation.
You're very familiar with the official PCI DSS 3.2.1 specification.
You've read the Azure security baseline for Azure Kubernetes Service.

在这个系列中

本系列分为几篇文章。每篇文章都概述了高级需求，并提供了如何满足AKS特定需求的指导。

Area of responsibility	Description
Network segmentation	Protect cardholder data with firewall configuration and other network controls. Remove vendor-supplied defaults.
Data protection	Encrypt all information, storage objects, containers, and physical media. Add security controls when data that is being transferred between components.
Vulnerability management	Run antivirus software, file integrity monitoring tools, and container scanners to make sure the system as part of your vulnerability detection.
Access controls	Secure access through identity controls that deny attempts to the cluster or other components that are part of the cardholder data environment.
Monitoring operations	Maintain the security posture through monitoring operations and regularly test your security design and implementation.
Policy management	Maintain thorough and updated documentation about your security processes and policies.