
PCI Security Standards Council Provides Further Guidance on Virtualization and the Cloud

The wait is over. New guidance on virtualization from the PCI Council is here.


Guidance on Virtualization and the Cloud

To help clear up some of the confusion around compliance in virtualized environments, the Council’s virtualization special interest group recently published a supplemental guide on the use of virtualization in accordance with the PCI DSS v2.0. Four basic principles stand:

1. PCI DSS security requirements apply to cardholder data, even if stored in virtualized environments.

2. Organizations have to assess the new risks associated with using virtualization technology.

3. The council wants to see detailed knowledge of each relevant virtualized environment, including all interactions with payment transaction processes and payment card data.

4. There is no one-size-fits-all method or solution to configure virtualized environments to meet PCI DSS requirements and, therefore, specific controls and procedures will vary by environment.

The Council goes on to explain the classes of virtualization often seen in payment environments, including virtualized operating systems, hardware/platforms, and networks. It defines the system components that constitute these types of virtual systems, gives high-level PCI DSS scoping guidance for each, and provides practical methods and concepts for deploying virtualization in payment card environments. Additionally, the Council suggests controls and best practices for meeting PCI DSS requirements in virtual environments, making specific recommendations for mixed-mode and cloud computing environments, as well as offering guidance for understanding and assessing the risks associated with virtual environments.

No One-Size-Fits-All Solution, but . . .

While the new guidance remains as technology-agnostic as possible, cautioning that there is no one-size-fits-all method or solution to configure virtualized environments to meet PCI DSS requirements, it does call out the need for virtual firewalls to provide segmentation between different workloads, as well as the need for specialized intrusion detection and intrusion prevention tools to monitor traffic in virtual environments. Additionally, it recommends that companies separate server administration and security administration tasks in virtual environments to ensure appropriate segregation of duties in network/host controls, and it even prohibits the use of agent-based firewalls.


Further, the document makes some recommendations for mixed-mode environments in which companies might choose to run PCI workloads alongside non-PCI data on the same virtual machine. Specifically, it states: “The level of segmentation required for in-scope and out-of-scope systems on the same host must be equivalent to a level of isolation achievable in the physical world; that is, segmentation must ensure that out-of-scope workloads or components cannot be used to access an in-scope component.”

So What about Cloud Computing Environments?

So what if you’re a business readying to deploy a private cloud, where you’ll be storing cardholder data? Or what if you’re thinking of a move to a public cloud? What can you take from the new guidance?

If a public cloud is what you are looking for, the obvious point is that you’ll need to fully understand what services a cloud provider is offering and conduct the due diligence necessary to identify any potential risks with such a service. Service providers are obligated to clearly identify which PCI DSS requirements, system components, and services are covered by their PCI DSS compliance program. Moreover, they must provide sufficient evidence and assurance that all processes and components under their control are PCI DSS compliant.


But back to you: if you choose to have your PCI workloads hosted on multi-tenant public cloud infrastructures, it’s still your ultimate responsibility to ensure that your chosen provider has all preventative measures and adequate controls in place for protecting your data. It’s also important to realize that, because of all the challenges, not every cloud provider will be able to guarantee that it operates in a PCI-compliant manner. A provider may, however, be able to offer you an SLA for security and PCI compliance, depending on what PCI enforcement and reporting mechanisms it has put in place.

In a private cloud, you have, of course, greater control, not to mention full responsibility for PCI compliance. You can separate your PCI workloads using physical network technologies or virtualization-specific ones. But one thing the new guidance does make crystal clear—no matter whether you go the private or public route—is that security had best not be an afterthought. If security comes first, many other things follow, including passing those PCI audits time and time again.
