PCI Compliance and Virtualization
May 21st, 2008 Posted in Card Associations, Compliance, PCI DSS, Uncategorized
People have asked if Virtual Servers can be used in a PCI DSS compliant environment or if they violate requirement 2.2.1 which says, “Implement only one primary function per server”. The answer is that virtual servers, virtual clusters, and even cloud computing are perfectly acceptable within the confines of PCI DSS compliance as long as they are properly configured. The operative question when discussing the use of any technology within a PCI DSS compliant environment is always “Yes, but is it properly configured to prevent abuse?”
Hoff and Siebert both posted this question here and here. People may think that <insert latest technology here> will somehow prevent a company from being PCI DSS compliant, when in reality the compliance program is built around protecting cardholder data. The technology you want to implement is probably fine as long as it doesn’t put cardholder data at risk. But people fixate on that one requirement and then everything falls apart.
PCI DSS Requirement 2.2.1 is like the ‘force’ in Star Wars - it can be used for good or for evil. Unfortunately, it is the single most abused requirement in the standard. Some people, using it for evil, go as far as to say that DNS and WINS cannot reside on the same server. This requirement is meant for situations when companies try to pile every service imaginable onto one computer, causing a situation that actually puts cardholder data at risk. For example, a retail store manager might use the back office PC that aggregates their credit card transactions as their personal workstation for browsing the Internet. This is an unsafe practice and violates several PCI DSS requirements.
Virtualization is an emerging technology that enables companies to securely leverage one physical server to run multiple virtual systems. This is beneficial in areas with limited physical space. If a company can run four virtual systems while using only the physical space of one server, it can reduce the cost of housing and maintaining excess hardware.
Additionally, virtualization provides a number of administrative benefits such as centralized data storage and security, centralized configuration and patch management, and a number of other processes. Companies can benefit from using virtualized systems but they must also consider how these systems segment access from one to the next.
Just as with PCI DSS Requirement 2.4 (shared hosting environment) and the question of what defines “adequate segmentation”, one must examine the security systems that separate one virtual system from another. Any form of segmentation, virtualization, or shared hosting environment is acceptable under PCI DSS as long as it prevents one set of systems or people from negatively impacting the security of other systems or people. The delineation point for what defines “adequate” virtualization is any system that can properly prevent one virtual system from negatively impacting the security of cardholder data on another virtual system. It is the responsibility of the implementer to verify that such controls are in place.
Virtualization will continue to grow in popularity and, properly configured, can be used to adhere to PCI DSS compliance. The technology itself is rarely the culprit of non-compliance; instead, it is how the technology is implemented or installed that causes both security and regulatory compliance mishaps.
2 Responses to “PCI Compliance and Virtualization”
By Michael Berman on May 22, 2008
Virtualization presents us with the opportunity to improve compliance and efficiency at the same time.
My recipe is to deploy a virtual security appliance that can:
- Monitor and control inter-VM and intra-vSwitch network traffic
- Monitor and enforce change controls for the Hypervisor and Virtual Infrastructure (VI)
- Detect and quarantine non-compliant virtual machines
- Reduce the risk of breaches due to misconfiguration of the VI
- Reduce the risk from abuse of privilege or a malicious insider
Many of my customers have struggled with issues regarding data protection/segmentation, primary access controls and validation of secondary controls. Within the IT community there has been a slow realization that existing controls did not migrate to virtual, when they p2v’d their servers.
Data center engineers must plan ahead to preserve zones of trust when virtualizing and consolidating servers and desktops. Fortunately, all of the platforms support several methods for segmenting data and ensuring that cardholder data remains within a trusted path at all times. It is therefore incumbent on the system engineers to deploy a solution that will enforce access control and validate secondary controls for their trust zones. The key requirement is to select vendor technology that provides visibility and is capable of enforcing separation of duties, dual controls and zones of trust.
Virtualization has allowed us to develop virtual security appliances that provide unprecedented visibility and control for sensitive data and systems within the virtual infrastructure. It is now the job of responsible virtualization engineers to deploy and realize these benefits, reduce operations costs and complexity, and make the virtual more secure than the physical.
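The post says the implementer must verify that one virtual system cannot affect cardholder data on another, and the comment above recommends detecting non-compliant virtual machines. The following is an added example (not code from the post, the commenter, or any vendor product) of such an inventory check written in Python: it flags VMs serving more than one primary function (Requirement 2.2.1) and VMs holding cardholder data that share a network segment with out-of-scope VMs where no firewall sits between them. The VM inventory, the network names and the set of firewalled segments are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class VM:
    name: str
    functions: frozenset   # primary functions this VM serves
    holds_chd: bool        # stores, processes or transmits cardholder data
    networks: frozenset    # port groups / VLANs the VM is attached to

# Assumed: segments where a firewall enforces policy between attached VMs.
FIREWALLED_NETWORKS = {"vlan-dmz"}

def find_violations(vms, firewalled=FIREWALLED_NETWORKS):
    """Return a list of (vm_name, reason) findings for the inventory."""
    findings = []
    # Req 2.2.1: one primary function per server, virtual or physical.
    for vm in vms:
        if len(vm.functions) > 1:
            findings.append((vm.name, "multiple primary functions: %s"
                             % sorted(vm.functions)))
    # Segmentation: a cardholder-data VM must not share an unfirewalled
    # segment with a VM that is outside the cardholder data environment.
    by_net = {}
    for vm in vms:
        for net in vm.networks:
            by_net.setdefault(net, []).append(vm)
    for net, members in by_net.items():
        if net in firewalled:
            continue  # a firewall mediates traffic here; not a flat segment
        cde = [m for m in members if m.holds_chd]
        other = [m for m in members if not m.holds_chd]
        for c in cde:
            for o in other:
                findings.append((c.name, "shares unfirewalled network %s "
                                 "with non-CDE VM %s" % (net, o.name)))
    return findings

# Constructed sample inventory (not from the post).
SAMPLE_VMS = [
    VM("pos-aggregator", frozenset({"transaction-aggregation"}), True, frozenset({"vlan-cde"})),
    VM("backoffice-pc", frozenset({"transaction-aggregation", "web-browsing"}), True,
       frozenset({"vlan-cde", "vlan-corp"})),
    VM("print-server", frozenset({"print"}), False, frozenset({"vlan-cde"})),
    VM("hr-workstation", frozenset({"desktop"}), False, frozenset({"vlan-corp"})),
    VM("dns-01", frozenset({"dns"}), False, frozenset({"vlan-infra"})),
    VM("payment-gw", frozenset({"payment-gateway"}), True, frozenset({"vlan-dmz"})),
    VM("web-01", frozenset({"web"}), False, frozenset({"vlan-dmz"})),
]

if __name__ == "__main__":
    for name, reason in find_violations(SAMPLE_VMS):
        print("%-15s %s" % (name, reason))
```

The back office PC from the post is caught twice: once for doubling as a browsing workstation and once for bridging the cardholder segment to the corporate LAN, while the DMZ pair is not flagged because that segment is firewalled.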
By Davi Ottenheimer on May 30, 2008
Well said. I agree, but the problem I have run into is that some environments go virtual without taking into account the lack of controls in a virtualized environment. They assume the vendor will provide security rather than use the same defense-in-depth technology outside the virtual environment (e.g. firewalls, nba, ids, etc.)