Tags: release-management, pci-compliance, pci-dss

PCI DSS and release deployment automation


One of the PCI DSS rules is:

"The PCI DSS applies to all system components included in or connected to the cardholder data environment"

How would you go about handling an SCM/release automation server? There has to be a port open from some server in the dev network segment making its way to some server in the prod network segment.

Developers produce code, followed by a build manager producing release artifacts. Release artifacts must make their way to production. How do release artifacts make their way from dev to production – how do they make their way from a “not in scope” dev box to an “in scope” production box?


Solution

  • I've done a lot of research on this, and what we ended up doing is splitting up our SCM server into dvscm and pdscm.

    dvscm:

    • All the developers commit code to this server
    • Build generation process stores release artifacts here
    • Dev Automated testing gets deployment artifacts from here

    pdscm:

    • This server syncs the deployment artifacts from dvscm. Existing deployment artifacts are not updated, this is an add-only type of sync.
    • QA and PROD environments get deployment artifacts from there, using a PSK-based connection via SSH with a custom restrictive shell

    This way there's a level of separation between DEV and QA/PROD. pdscm is locked down - developers don't have access to it, all firewall rules are DENY by default.

    The only outgoing connection from pdscm is port 22 to dvscm, for the sync. The only incoming connections to pdscm are on port 22, connected to a user that has only permissions to read deployment artifacts, using a custom restricted shell.
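The two mechanisms the answer relies on, an add-only artifact sync and a read-only restricted shell behind SSH, are sketched below as an added example; this is not the answerer's code. The hostnames dvscm/pdscm, the artifact directory layout, the verbs `list`/`get` and the key comment in the `authorized_keys` line are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the original post. Models the dvscm -> pdscm flow:
#  1. sync_add_only: copy new artifacts only, never overwrite what pdscm already
#     holds (an already-published build cannot be silently replaced).
#  2. artifact_shell: the forced command QA/PROD keys are pinned to on pdscm;
#     it allows exactly two read-only verbs and rejects everything else.
set -u

# Add-only sync of regular files from SRC to DEST. Existing files in DEST are
# skipped, matching "existing artifacts are not updated" from the answer.
# (rsync -a --ignore-existing gives the same behaviour over SSH; this is the
# same rule in portable shell so the example runs stand-alone.)
sync_add_only() {
    src=$1
    dest=$2
    mkdir -p "$dest"
    for f in "$src"/*; do
        [ -f "$f" ] || continue
        name=${f##*/}
        if [ -e "$dest/$name" ]; then
            echo "skip (already published): $name"
        else
            cp -p "$f" "$dest/$name"
            echo "added: $name"
        fi
    done
}

# Whitelist check for an incoming SSH_ORIGINAL_COMMAND.
# Accepted: "list", or "get <name>" where <name> is one path component made
# of [A-Za-z0-9._-] and not starting with a dot (so no "..", no hidden files).
# Anything else (other verbs, metacharacters, path separators) is rejected.
artifact_cmd_allowed() {
    case $1 in
        list) return 0 ;;
        "get "*)
            name=${1#"get "}
            case $name in
                ''|.*|*[!A-Za-z0-9._-]*) return 1 ;;
                *) return 0 ;;
            esac ;;
        *) return 1 ;;
    esac
}

# Forced-command entry point. On pdscm the deployer key would be pinned to it
# in ~/.ssh/authorized_keys (key body is a placeholder, not a real key):
#   command="/usr/local/bin/artifact-shell /srv/artifacts",restrict ssh-ed25519 AAAA...PLACEHOLDER qa-deployer
# "restrict" disables pty, port/agent/X11 forwarding and rc execution, so the
# only thing the key can do is run this wrapper with SSH_ORIGINAL_COMMAND set.
# Second argument lets it be called directly for testing.
artifact_shell() {
    root=$1
    cmd=${2:-${SSH_ORIGINAL_COMMAND:-}}
    if ! artifact_cmd_allowed "$cmd"; then
        echo "artifact-shell: command rejected" >&2
        return 2
    fi
    case $cmd in
        list) ls -1 -- "$root" ;;
        "get "*) cat -- "$root/${cmd#"get "}" ;;
    esac
}

# Constructed demo: two syncs, with the first artifact rebuilt in between.
# The rebuilt copy never reaches pdscm; only the new artifact is added.
demo() {
    work=$(mktemp -d)
    mkdir -p "$work/dvscm" "$work/pdscm"
    printf 'build 1\n' > "$work/dvscm/app-1.0.0.tar.gz"
    sync_add_only "$work/dvscm" "$work/pdscm"
    printf 'rebuilt 1\n' > "$work/dvscm/app-1.0.0.tar.gz"   # changed after publish
    printf 'build 2\n'   > "$work/dvscm/app-1.0.1.tar.gz"
    sync_add_only "$work/dvscm" "$work/pdscm"
    artifact_shell "$work/pdscm" "get app-1.0.0.tar.gz"      # prints "build 1"
    artifact_shell "$work/pdscm" "get ../dvscm/app-1.0.1.tar.gz" || echo "traversal rejected (rc=$?)"
    rm -rf "$work"
}

demo
```

The split between `artifact_cmd_allowed` and `artifact_shell` is deliberate: the whitelist is pure string matching with no filesystem access, so it can be unit-tested on its own, and the forced command does nothing but call it and then the one permitted read. Pairing the `command=` option with `restrict` means a compromised deployer key still cannot open a shell, forward ports or write to pdscm.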