SecurityWeek

Cloud Security

New PCI Guidance Spells Big Changes for Virtual Environments

The Payment Card Industry (PCI) Council’s Virtualization Special Interest Group has released new guidance pertaining to virtual environments. Any organization that accepts and manages credit cardholder data within a virtual environment must understand this guidance and act accordingly. It will influence how auditors assess virtual environments and whether these environments comply with PCI requirements.

Virtualization and PCI Compliance Requirements

Traditionally, virtualization and IT security teams have been siloed, following the organizational structure of the physical world:

• Server operations has owned servers

• Network operations has owned routers, switches, and firewalls

• Security has owned IT security systems, including intrusion detection and prevention systems

Security in virtual environments has been viewed as a “nice to have” and has not had the urgency of other security issues. Indeed, security has been more of an afterthought because the drivers for virtualization have typically been data center consolidation and cost reduction. In addition, with no detailed and specific guidance on how PCI requirements pertain to virtual systems, enterprises and auditors have wrestled with questions and have had to rely on their own subjective judgment when protecting these systems. Because of organizational inertia and the absence of clear mandates, the organizational silos largely remained intact: security stayed at the perimeter, and virtual system administrators could stick to their own environments and limit interaction with security analysts.

Related Reading: New PCI Guidance Upends Virtualization Status Quo

With the newly released guidance that introduces more detailed and specific criteria for virtual environments, organizations need to prepare for dramatic change. One of the biggest implications is that the silos must come down. Because of the high degree of virtualization in many cardholder data environments, virtualization teams and security teams must work together to maintain PCI DSS compliance and cardholder data security. For example, the virtualization guidance says that intrusion detection and prevention systems may be needed to monitor traffic flowing over virtual networks and/or between virtual systems; traffic between two VMs on the same host crosses only the virtual switch, so a sensor on the physical network or at the perimeter never sees it.

Below are a few areas that these teams need to address together:


1. Treating the hypervisor as an “in-scope” system. The same security controls must be applied as with other in-scope systems: removing unnecessary functionality, drivers, and scripts; encrypting all administrative non-console traffic; documenting all services, protocols, and ports; and developing configuration standards.

2. Requirements for examining and protecting traffic between virtual machines. Because VMs on the same host can talk to each other without a packet ever reaching a physical network device, this includes network monitoring tools that provide visibility into virtual network segments containing cardholder data; security mechanisms such as virtual firewalls to segment virtual networks at different trust levels; virtual intrusion detection and prevention systems to monitor inter-VM traffic; and additional security technologies for file integrity monitoring and vulnerability scanning.

3. Roles and responsibilities that enforce segregation of duties and least privilege in virtual environments. The virtual administrator has previously had full control over the environment, including virtualized networks and storage. Now these components will need to be managed by the appropriate groups, i.e. the networking and storage teams, and the hypervisor’s role assignments must reflect that split rather than granting one account everything.

4. Requirements for log review. Virtual administrators will be required to log all privileged user activity in the virtual environment and to have a plan for reviewing and archiving those logs; the review is what turns a permitted-but-inappropriate action into a finding.

5. Policies specific to virtualization. Organizations must create policies that apply only to virtual systems, such as ensuring that virtual machines are migrated only to physical hosts at the same trust level, and that virtual machines are patched even while offline (a dormant VM image carries its unpatched state with it when it is powered back on).
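As an added illustration, not part of the article or of the PCI Council guidance, the Python below shows how the five areas above can be turned into checks that a virtualization team and a security team could run together against a shared inventory: same-trust-level migration, patch age for powered-off VMs, undocumented or cleartext hypervisor administrative services, and privileged-action review against a role model. The host and VM names, trust labels, audit log lines, the 30-day patch threshold and the group-to-action mapping are all constructed values standing in for an organization’s own.

```python
"""Policy checks for a virtualized cardholder data environment (CDE).

Added example, not from the article or the PCI guidance. The inventory,
log lines, trust labels and thresholds below are constructed/assumed
values that an organization would replace with its own.
"""
from datetime import date

# Constructed hypervisor inventory. "cde" = in-scope host, "corp" = out of scope.
HOSTS = {
    "esx01": {"trust": "cde",  "services": {("ssh", 22), ("https", 443)}},
    "esx02": {"trust": "cde",  "services": {("ssh", 22), ("https", 443), ("telnet", 23)}},
    "esx09": {"trust": "corp", "services": {("ssh", 22), ("https", 443)}},
}
# Assumed configuration standard: the only documented hypervisor services/ports.
DOCUMENTED_SERVICES = {("ssh", 22), ("https", 443)}
# Administrative protocols that carry credentials and commands in cleartext.
CLEARTEXT_ADMIN = {"telnet", "http", "ftp", "vnc"}

# Constructed VM inventory; note the powered-off VM with an old patch date.
VMS = {
    "pay-db01":  {"host": "esx01", "powered_on": True,  "last_patched": date(2011, 6, 20)},
    "pay-web02": {"host": "esx02", "powered_on": False, "last_patched": date(2011, 1, 15)},
    "intranet":  {"host": "esx09", "powered_on": True,  "last_patched": date(2011, 6, 25)},
}
# Constructed live-migration events: (vm, source host, destination host).
MIGRATIONS = [
    ("pay-db01", "esx01", "esx02"),
    ("pay-web02", "esx02", "esx09"),
]
# Constructed hypervisor audit log lines: "<user> <action> <target>".
AUDIT_LOG = [
    "vadmin1 vm.poweroff pay-web02",
    "vadmin1 host.config.change esx02",
    "netops1 vswitch.portgroup.change esx01",
    "vadmin1 vswitch.portgroup.change esx02",
    "storops1 datastore.mount esx01",
]
# Assumed role model: which group is allowed to perform each class of action.
ROLE_FOR_ACTION = {"vm.": "virt", "host.": "virt", "vswitch.": "net", "datastore.": "storage"}
GROUP_OF = {"vadmin1": "virt", "netops1": "net", "storops1": "storage"}

TODAY = date(2011, 6, 30)   # fixed clock so the example is deterministic
MAX_PATCH_AGE_DAYS = 30     # assumed policy value


def check_migrations(migrations=MIGRATIONS, hosts=HOSTS):
    """A VM may only move between hosts at the same trust level."""
    return [f"{vm}: {src} ({hosts[src]['trust']}) -> {dst} ({hosts[dst]['trust']})"
            for vm, src, dst in migrations
            if hosts[src]["trust"] != hosts[dst]["trust"]]


def check_patch_age(vms=VMS, today=TODAY, max_age=MAX_PATCH_AGE_DAYS):
    """Flag stale VMs. Powered-off VMs are deliberately NOT skipped: an
    online-only scan would miss pay-web02, which boots straight into the CDE."""
    return [f"{name}: {(today - v['last_patched']).days} days"
            + (" (powered off)" if not v["powered_on"] else "")
            for name, v in vms.items()
            if (today - v["last_patched"]).days > max_age]


def check_hypervisor_services(hosts=HOSTS, documented=DOCUMENTED_SERVICES, cleartext=CLEARTEXT_ADMIN):
    """Treat the hypervisor as in scope: every listening service must be in the
    configuration standard, and no administrative protocol may be cleartext."""
    findings = []
    for host, h in hosts.items():
        for proto, port in sorted(h["services"]):
            if (proto, port) not in documented:
                findings.append(f"{host}: undocumented service {proto}/{port}")
            if proto in cleartext:
                findings.append(f"{host}: cleartext admin protocol {proto}/{port}")
    return findings


def check_privileged_log(log=AUDIT_LOG, roles=ROLE_FOR_ACTION, groups=GROUP_OF):
    """Segregation of duties: a virtualization admin changing the virtual network
    or storage is a review finding even though the hypervisor permitted it."""
    findings = []
    for line in log:
        user, action, target = line.split()
        required = next((g for prefix, g in roles.items() if action.startswith(prefix)), None)
        if required is None or groups.get(user) != required:
            findings.append(f"{user} ({groups.get(user, '?')}) performed {action} on {target}")
    return findings


def run_all():
    """Return every finding grouped by the control area it belongs to."""
    return {
        "migration": check_migrations(),
        "patching": check_patch_age(),
        "hypervisor": check_hypervisor_services(),
        "privileged_activity": check_privileged_log(),
    }


if __name__ == "__main__":
    for area, findings in run_all().items():
        print(area, findings or "OK")
```

Run against this constructed data, the script reports one cross-trust migration (pay-web02 moving from a CDE host to a corporate host), one powered-off VM 166 days behind on patching, a telnet listener on esx02 that is both undocumented and cleartext, and one virtual-network change made by a virtualization administrator rather than the network team. The last finding is the point of item 4: the hypervisor allowed the action, so only a log review against the agreed role model catches it.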

Positioning your organization to successfully satisfy more explicit PCI DSS compliance guidance for virtual environments requires teams to work together across physical and virtual environments. On the organizational side, separation of duties requirements will demand that organizations identify and enforce privileged user permissions and enable previously disparate groups to work together. On the technology side, organizations should consider tools that support both physical and virtual environments and offer centralized management and control.

By beginning immediately to encourage interaction and collaboration between virtualization and security teams and identifying solutions to address these new requirements, your organization can be more confident in satisfying the more stringent and comprehensive PCI security audits of the future.

Written By

Marc Solomon is Chief Marketing Officer at ThreatQuotient. He has a strong track record driving growth and building teams for fast growing security companies, resulting in several successful liquidity events. Prior to ThreatQuotient he served as VP of Security Marketing for Cisco following its $2.7 billion acquisition of Sourcefire. While at Sourcefire, Marc served as CMO and SVP of Products. He has also held leadership positions at Fiberlink MaaS360 (acquired by IBM), McAfee (acquired by Intel), Everdream (acquired by Dell), Deloitte Consulting and HP. Marc also serves as an Advisor to a number of technology companies.
