You Don't Need a VPN to comply with PCI DSS
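---
# Admin access requiring device identity and MFA
# NOTE(review): no criterion below checks MFA itself; confirm that the IdP
# or the device enrollment flow enforces it, otherwise the title overstates
# what this policy guarantees.
allow:
  and:
    - authenticated_user: true
    - device:
        approved: true
        type: enclave_only
    - groups:
        has: pci-admin
    # Known, company-managed device: the client certificate's SAN email must
    # end with '@company.com'. The leading '@' anchors the suffix, so a
    # look-alike domain such as 'user@evil-company.com' does not match.
    - client_certificate:
        san_email:
          ends_with: '@company.com'
deny:
  or:
    # A missing or failed client certificate denies regardless of the allow
    # branch above.
    - invalid_client_certificate: true
    - http_method:
        is: DELETE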
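---
# Finance team access to cardholder data
allow:
  and:
    - authenticated_user: true
    - groups:
        has: pci-authorized-finance
    # Limit this rule to the cardholder-data path prefix; other paths fall
    # through to whatever other policy applies.
    - http_path:
        starts_with: /cardholder-data
    - device:
        approved: true
        type: enclave_only
deny:
  or:
    # A missing or failed client certificate denies regardless of the allow
    # branch above.
    - invalid_client_certificate: true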
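---
# Comprehensive PCI DSS compliant policy
allow:
  and:
    # Identity verification
    - authenticated_user: true
    - domain:
        is: company.com
    # Role-based access
    - groups:
        has: pci-authorized
    # Device security
    - device:
        approved: true
        type: enclave_only
    # Certificate validation: the leading '@' anchors the suffix, so a
    # look-alike domain such as 'user@evil-company.com' does not match.
    - client_certificate:
        san_email:
          ends_with: '@company.com'
    # Time-based controls. The clock times are quoted on purpose: unquoted
    # `9:00:00` and `17:00:00` are read as base-60 integers (32400 and 61200)
    # by YAML 1.1 parsers instead of as strings.
    - time_of_day:
        timezone: UTC
        after: '9:00:00'
        before: '17:00:00'
    - day_of_week: mon-fri
deny:
  or:
    # Security controls
    - invalid_client_certificate: true
    - http_method:
        is: DELETE
    # Suspicious patterns: `contains` matches '/admin' anywhere in the path,
    # not only as a leading prefix.
    - http_path:
        contains: /admin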
{
"level": "info",
"service": "authorize",
"request-id": "46747f58-a3d2-4f6b-9d7c-f3209e16c8b1",
"method": "GET",
"path": "/cardholder-data/transactions",
"host": "payment.corp.example.com",
"session-id": "46b36e11-9938-4c97-b869-b9237573f04f",
"allow": true,
"allow-why-true": ["policy-match"],
"deny": false,
"deny-why-false": [],
"user": "941b0719-89c2-40fa-a25d-c6c7039f7a8f",
"email": "finance-user@company.com",
"time": "2024-03-16T14:22:55Z",
"message": "authorize check"
}
{
"level": "info",
"service": "authorize",
"request-id": "8675309a-1234-5678-90ab-cdef12345678",
"method": "POST",
"path": "/cardholder-data/modify",
"host": "payment.corp.example.com",
"session-id": "98765432-abcd-efgh-ijkl-mnopqrstuvwx",
"allow": false,
"allow-why-false": ["group-membership-required"],
"deny": true,
"deny-why-true": ["outside-business-hours"],
"user": "72f20a3b-9876-5432-10fe-dcba09876543",
"email": "vendor@partner.com",
"time": "2024-03-16T03:15:22Z",
"message": "authorize check"
}
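---
# Temporary vendor access with strict time controls
# NOTE(review): nothing in this policy bounds the access to a date range, so
# the "temporary" scope has to be enforced elsewhere (group membership or a
# separate expiry); confirm how the access is actually revoked.
allow:
  and:
    # The leading '@' anchors the suffix match to the vendor domain.
    - email:
        ends_with: '@vendor-company.com'
    - groups:
        has: external-contractor
    - authenticated_user: true
    # Clock times are quoted so YAML 1.1 parsers do not read `9:00:00` and
    # `17:00:00` as base-60 integers.
    - time_of_day:
        timezone: UTC
        after: '9:00:00'
        before: '17:00:00'
    - day_of_week: mon-fri
    # NOTE(review): `type: any` is looser than the `enclave_only` required of
    # internal users in the other policies; confirm that is intended for
    # vendor devices.
    - device:
        type: any
    - client_certificate:
        san_email:
          ends_with: '@vendor-company.com'
# NOTE(review): unlike the internal policies, there is no `deny` block here
# (e.g. `invalid_client_certificate: true`); confirm whether that is intended.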