GKE & PCI DSS ASV Scans


For PCI DSS certification in GKE, the question is on ASV scans. Does Google already scan the load balancers, or is the client responsible for scanning their own sites hosted in GKE? Is there a list of domains that were in the GCP scope for their PCI compliance certification?

Looking for expanded guidance on ASV scans for compliance.

1 answer


It is a shared responsibility model. Google does scan its load balancing infrastructure, but you are still responsible for scanning your actual endpoints.

For example, this is from requirement 11.4.2 in the shared responsibility matrix:

Customers are responsible for "... all external penetration testing of in-scope system components, comprising their cardholder data environment. (Note: External vulnerability scans should only include the customer-managed endpoints, and not GCP-managed endpoints as they are tested as part of GCP PCI DSS compliance)"

Google is responsible for "... conducting external penetration testing on systems and infrastructure underlying GCP. Google is also responsible for scanning of Google managed API endpoints and Cloud Load Balancer IP addresses."