PCI DSS v2.0 May Accelerate Adoption of Virtualization and Virtualized Data Center Security
This past October the PCI Security Standards Council (PCI SSC) released v2.0 of the Payment Card Industry Data Security Standard (PCI DSS), and by so doing may have accelerated the adoption of virtualization and virtualized data center security.
This new version offers up a number of changes and clarifications but among the most noteworthy is the mention of virtualization and virtual machines (VMs) as the system component equivalents to servers in the physical network. For any organization that had been waiting for PCI DSS to put forward that a VM equals a server in order to proceed with a virtualization project, the light is now green. But the more difficult task of creating a PCI-DSS v2.0-compliant virtual data center lies ahead.
As is typical, the language in the standard is not prescriptive but does outline the requirements for network protection to ensure the safeguarding of cardholder data at rest and in motion. Qualified Security Assessors (QSAs) who typically help large organizations in the creation of a Record of Compliance (RoC) must educate themselves on virtualization as well as virtualization-specific security regimens and technologies in order to help their clients pass an audit. In theory, the basic goals of network architecture for PCI-compliance remain the same for the virtualized network designer. Specifically an organization needs to:
– Build and maintain a secure network
– Maintain a vulnerability management program
– Regularly monitor and test networks
– Maintain an information security policy
But the virtualized data center does create some unique challenges for PCI compliance. While this list isn’t all-inclusive here are the most prominent ones:
1. Lack of visibility – firewalls, IPSes and other types of network security aren’t in the traffic path of packets flowing between VMs so monitoring and testing the virtual network requires specialized technology
2. Separation of duties in a network without physical boundaries – in the virtualized network servers and networks are grouped logically not necessarily physically (i.e. the singular group PCI servers might consist of VMs that are physically residing in different data centers). In order to enforce separation of duties the access policies have to be tied to logical groupings not physical ones
3. Live migration – VMs unlike physical servers can move from one physical location to another in search of a host that can provide more memory, computing resources etc. This means that a VM may traverse zones of trust moving to areas where the security policy is not as restrictive as it should be for an in-scope PCI server
4. Single function to a server or VM – if a VM equals a server then for the purposes of PCI DSS section 2.2.1 compliance, it must be isolated as a physical server is so that unwarranted applications and services cannot be installed on that server
In order to help you create a PCI audit-worthy virtualized data center, your QSA will need to understand your existing and planned architecture in order to ensure that the virtualization of in-scope workloads does not negatively impact your audit results. They will be looking for ways to ensure that items 1 through 4 above are not areas of risk in your environment and provide you with guidance on how to mitigate them if they are. If you want to expedite their efforts and minimize the amount or retrofitting or re-architecting required in your virtualized environment then you’ll want to ensure that the following criteria are met:
1. Ensure you have the means to visualize and report on all inter-VM and intra-VM traffic
2. Logically isolate any individual VMs or VM groups by a security policy that limits access and restricts their function to a single application
3. Place a mechanism to inspect traffic allowed to in-scope VMs with facilities of alerting and reporting if vulnerabilities or malware are detected
4. Automatically enforce a compliance policy for in-scope VMs
5. Automatically quarantine in-scope VMs whose security posture changes to non-compliance
6. Segregate virtual network, system and security function administration in the virtualized data center by individuals and their role in the organization
7. Define and enforce security policy governing access to in-scope PCI servers and VMs consistently and as part of a singular process
The items offered here are not an exhaustive list but if you can answer yes to all seven then you have already saved yourself significant time and money in the creation of a PCI compliance virtualized environment.