PCI already addresses Virtualization
December 9th, 2008 by admin. Posted in PCI DSS.
I’ve written about how PCI already addresses virtualization here, here, and here. A recent article argues that PCI needs to address this technology. My question is: why? Does PCI also need to spell out how you should use HSMs, IDS, FIM, user authentication, and firewalls? Where do we stop?
People often complain that the PCI DSS is too specific and should be more generic to allow flexibility. But when it comes to a technology they wish to promote, suddenly it is not specific enough. Why are the current requirements not enough? I did a podcast on PCI compliance for cloud computing environments and walked through the existing requirements that already cover virtualization. Instead of pushing for more text around one technology, which will surely change over time, how about simply clarifying the current requirements, such as 2.2.1, the infamous and widely misread “implement only one primary function per server”?
I prefer less complexity, not more. If the PCI Council started a SIG on virtualization, the result would be another 10-20 page information supplement, and that document would then join the pile that has to be updated with every new version of the standard and with every change in technology. Instead, I would like to see the vendors themselves lead the way and publish their own “virtualization best practices”. Let the industry lead rather than demanding that someone else read the tea leaves for it.
The basic premise of the PCI DSS is to protect cardholder data. If you can accomplish this, you are doing the right thing. Let’s all just do the right thing.
7 Responses to “PCI already addresses Virtualization”
By DAG on Dec 9, 2008
Good post Mike!
I might go a bit further and say that the council could solicit and promote white-briefs on the general issues of a class of new technologies rather than a list of specific settings for the XYZ company solution. (Hey wouldn’t this be a good way to get CPE credits).
The vendors need to establish and maintain the detailed documents. By way of example, I believe Cisco built a model store using their gear and paid to have it certified. The result was a 500+ page document similar to an IBM Redbook.
It’s far too easy for people to look at a requirement that talks about a familiar class of solution by function and make a wrong conclusion based on what’s in the market today. The question isn’t, is this an ABC solution, but rather how does the solution accomplish ABC.
Virtualization also isn’t that new. Solutions in this space have existed for at least 20+ years. What is new is that virtualization is now more widely available across more widely deployed platforms. It’s just new in most people’s experience.
By Michael Dahn on Dec 9, 2008
I like to think that industry will always move faster than standards bodies, which is not a bad thing. History has shown that standards are often times written and updated to reflect what the market has demanded and adopted.
By Kim Singletary, Solidcore on Dec 9, 2008
I agree the standards for PCI are already too heavy in prescriptive controls; let’s not add virtualization to the mix. Look for operational tools that deliver the intent of the standard. Already the intent of PCI 5 for protecting against current and emerging malware is not adequately covered by the prescribed control of implementing anti-virus solutions. I would hate to think what the wording would say around virtualization. Get control of the environment by detecting and preventing change, even within virtualized environments, with dynamic whitelisting and application control.
By Ben d'Anvers on Jan 6, 2009
While the PCI DSS does cover most of the technical controls that should be addressed within a virtualised environment it does not provide guidance with scoping said environments.
An example would be a VMware host system that hosts multiple VMs. Some VMs on said host will store, process or transmit cardholder data and some won’t. Those that don’t would otherwise be out of scope of compliance (assume adequate segmentation exists etc.). Merchants/SPs will always argue that VMs that don’t store, process or transmit CC data should be out of scope; however, some QSAs will argue that if any one VM is in scope on a virtualised environment, then they all are, as they share physical resources, and in some cases there are known vulnerabilities with the virtualising software that may allow traversal of VMs.
The problem here is not around the technical issues that I have mentioned above; it is one of a lack of guidance from the industry. A lack of guidance that is open enough that it allows for many arguments to be made for and against a position taken on scoping VMs and host systems. What this creates is a situation where a merchant or SP may or may not actually have to make significant technology and process investment purely based on the QSA that they choose (because of that QSA’s own position on virtualisation scoping), rather than on what the standard does or doesn’t require. This kind of issue should not exist in the governance of the PCI DSS, at least not for a technology that is now very mainstream and where these decisions can have such a significant impact on an organisation’s compliance roadmap.
The general response from the SSC when queried regarding this topic is “as a QSA you are empowered to make your own decisions about…”. While this position should certainly apply in many cases to do with the DSS (QSAs are the experts after all), it would be great to see some clarification released by the SSC that facilitated QSAs taking a more consistent position in their approach to virtualisation.
By Sherman Hand on Jan 8, 2009
I agree that “the basic premise of the PCI DSS is to protect cardholder data.” If you can accomplish this, you are doing the right thing and in the end that is what we all should be doing.
The industry will in most cases move faster than the standards bodies can keep up, and with the continued addition of more and more things, that lag will only get longer.
I know that I have seen a lot of companies (mostly smaller, but some large) that have had real issues with getting the PCI compliance under control. Many still are working on it.
Although what I am about to say is putting it a little too simply, I have to say that in most cases it is really just about doing the right thing from the beginning. The issues I have seen were because security mostly took a back seat to other things, which, as most security folks can tell you, has always been a battle.
So I guess my final thought here is just the plain and simple, if we are doing the right thing most other things will fall into line. Simple? Yes and no.