
New PCI Guidance Spells Big Changes for Virtual Environments

The Payment Card Industry (PCI) Council’s Virtualization Special Interest Group has released new guidance pertaining to virtual environments. Any organization that accepts and manages credit cardholder data within a virtual environment must understand this guidance and act accordingly. It will influence how auditors assess virtual environments and whether these environments comply with PCI requirements.

Virtualization and PCI Compliance Requirements

Traditionally, virtualization and IT security teams have been siloed, following the organizational structure of the physical world:

• Server operations has owned servers

• Network operations has owned routers, switches, and firewalls

• Security has owned IT security systems, including intrusion detection and prevention systems

Security in virtual environments has been viewed as a “nice to have” and has not had the urgency of other security issues. Indeed, security has been more of an afterthought because the drivers for virtualization have typically been data center consolidation and cost reduction. In addition, with no detailed and specific guidance on how PCI requirements pertain to virtual systems, enterprises and auditors have wrestled with questions and have had to rely on their own subjective judgment when it comes to protecting these systems. Because of organizational inertia and no clear mandates, the organizational siloes largely remained intact. Security remained at the perimeter and virtual system administrators could stick to their own environments and limit interaction with security analysts.


With the newly released guidance that introduces more detailed and specific criteria for virtual environments, organizations need to prepare for dramatic change. One of the biggest implications is that the siloes must come down. Because of the high degree of virtualization in many cardholder data environments, virtualization teams and security teams must work together to maintain PCI DSS compliance and cardholder data security. For example, the virtualization guidance says that intrusion detection and prevention systems may be needed to monitor traffic flowing over virtual networks and/or between virtual systems.


Below are a few areas that these teams need to address together:

1. Treating the hypervisor as an “in-scope” system. The same security controls must be applied as with other in-scope systems, such as removing unnecessary functionality, drivers, and scripts; encrypting all administrative non-console traffic; documenting all services, protocols, and ports; and developing configuration standards.

2. Requirements for examining and protecting intra-VM traffic. This includes the consideration of network monitoring tools to provide visibility into virtual network segments containing cardholder data, security mechanisms such as virtual firewalls to provide segmentation between virtual networks at different trust levels, virtual intrusion detection and prevention systems to monitor intra-VM traffic, and additional security technologies for file integrity monitoring and vulnerability scanning.

3. Roles and responsibilities to enforce the segregation of duties and the concept of least privilege in virtual environments. The virtual administrator has previously had full control over the environment, including virtualized networks and storage. Now these components will need to be managed by the appropriate groups, i.e. the networking and storage groups.

4. Requirements for log review. Virtual administrators will be required to log all privileged user activity in the virtual environment and to have a plan for reviewing and archiving the logs.

5. Policies specific for virtualization. Organizations must create policies that only apply to virtual systems such as ensuring that virtual machines are only migrated to physical hosts at the same trust level, and that virtual machines must be patched even if they are offline.
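As an added example (not from the article or from the PCI Council's guidance), the following script turns three of the points above into automated checks over a constructed inventory: VMs placed on hosts of a different trust level (item 5), VMs overdue for patching whether powered on or not (item 5), and hypervisor management services that carry administrative traffic in plaintext (item 1). Host names, trust labels, service names and the 30-day patch window are assumptions.

```python
from dataclasses import dataclass
from datetime import date

# Constructed sample data (assumed inventory format, not from the PCI guidance).
HOSTS = {"esx-cde-01": "cardholder", "esx-dmz-01": "dmz"}
TODAY = date(2024, 6, 1)

@dataclass
class VM:
    name: str
    host: str          # physical host the VM currently runs on
    trust: str         # trust level of the workload, e.g. "cardholder" or "dmz"
    powered_on: bool
    last_patched: date

# Management services exposed by a hypervisor, name -> protocol (constructed).
HYPERVISOR_SERVICES = {"ssh": "ssh", "web-console": "https", "legacy-mgmt": "telnet"}
PLAINTEXT_ADMIN = {"telnet", "http", "ftp", "rsh"}

def misplaced_vms(vms, hosts=HOSTS):
    """Item 5: a VM may only run on a host at the same trust level as its workload."""
    return [vm.name for vm in vms if hosts.get(vm.host) != vm.trust]

def stale_vms(vms, today=TODAY, max_age_days=30):
    """Item 5: patch currency applies to offline VMs too, so power state is deliberately ignored."""
    return [vm.name for vm in vms if (today - vm.last_patched).days > max_age_days]

def plaintext_admin_services(services=HYPERVISOR_SERVICES):
    """Item 1: administrative non-console traffic must be encrypted; list services that are not."""
    return sorted(name for name, proto in services.items() if proto in PLAINTEXT_ADMIN)

SAMPLE_VMS = [
    VM("pay-app-01", "esx-cde-01", "cardholder", True, date(2024, 5, 20)),
    VM("pay-db-01", "esx-dmz-01", "cardholder", True, date(2024, 5, 25)),     # wrong trust level
    VM("pay-batch-02", "esx-cde-01", "cardholder", False, date(2024, 1, 10)),  # offline and stale
]

if __name__ == "__main__":
    print("VMs on hosts of a different trust level:", misplaced_vms(SAMPLE_VMS))
    print("VMs overdue for patching (offline included):", stale_vms(SAMPLE_VMS))
    print("Plaintext hypervisor admin services:", plaintext_admin_services())
```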

Positioning your organization to successfully satisfy more explicit PCI DSS compliance guidance for virtual environments requires teams to work together across physical and virtual environments. On the organizational side, separation of duties requirements will demand that organizations identify and enforce privileged user permissions and enable previously disparate groups to work together. On the technology side, organizations should consider tools that support both physical and virtual environments and offer centralized management and control.

By beginning immediately to encourage interaction and collaboration between virtualization and security teams and identifying solutions to address these new requirements, your organization can be more confident in satisfying the more stringent and comprehensive PCI security audits of the future.

Written By

Marc Solomon is Chief Marketing Officer at ThreatQuotient. He has a strong track record driving growth and building teams for fast growing security companies, resulting in several successful liquidity events. Prior to ThreatQuotient he served as VP of Security Marketing for Cisco following its $2.7 billion acquisition of Sourcefire. While at Sourcefire, Marc served as CMO and SVP of Products. He has also held leadership positions at Fiberlink MaaS360 (acquired by IBM), McAfee (acquired by Intel), Everdream (acquired by Dell), Deloitte Consulting and HP. Marc also serves as an Advisor to a number of technology companies, including Valtix.