The wait is over. New guidance on virtualization from the PCI Council is here.
To help clear up some of the confusion around compliance in virtualized environments, the Council’s virtualization special interest group recently published a supplemental guide on the use of virtualization in accordance with PCI DSS v2.0. Four basic principles apply:
1. PCI DSS security requirements apply to cardholder data, even if stored in virtualized environments.
2. Organizations have to assess the new risks associated with using virtualization technology.
3. The council wants to see detailed knowledge of each relevant virtualized environment, including all interactions with payment transaction processes and payment card data.
4. There is no one-size-fits-all method or solution to configure virtualized environments to meet PCI DSS requirements and, therefore, specific controls and procedures will vary by environment.
The Council goes on to explain the classes of virtualization often seen in payment environments, including virtualized operating systems, hardware/platforms, and networks. It defines the system components that constitute these types of virtual systems and high-level PCI DSS scoping guidance for each and provides practical methods and concepts for deployment of virtualization in payment card environments. Additionally, the council suggests controls and best practices for meeting PCI DSS requirements in virtual environments, making specific recommendations for mixed-mode and cloud computing environments, as well as offering guidance for understanding and assessing the risks associated with virtual environments.
No One-Size-Fits-All Solution, but . . .
While the new guidance remains as technology-agnostic as possible, cautioning that there is no one-size-fits-all method or solution for configuring virtualized environments to meet PCI DSS requirements, it does call out the need for virtual firewalls to provide segmentation between different workloads, as well as the need for specialized intrusion detection and intrusion prevention tools to monitor traffic in virtual environments. Additionally, it recommends that companies separate server administration and security administration tasks in virtual environments to ensure appropriate segregation of duties in network/host controls, and it even prohibits the use of agent-based firewalls.
Further, the document makes some recommendations for mixed-mode environments, in which companies choose to run PCI workloads alongside non-PCI workloads on the same physical host and hypervisor. Specifically, it states: “The level of segmentation required for in-scope and out-of-scope systems on the same host must be equivalent to a level of isolation achievable in the physical world; that is, segmentation must ensure that out-of-scope workloads or components cannot be used to access an in-scope component.”
So What about Cloud Computing Environments?
So what if you’re a business readying to deploy a private cloud, where you’ll be storing cardholder data? Or what if you’re thinking of a move to a public cloud? What can you take from the new guidance?
If a public cloud is what you are looking for, the obvious point is that you will need to fully understand what services a cloud provider is offering and conduct the due diligence necessary to identify any potential risks of such a service. Service providers are obligated to clearly identify which PCI DSS requirements, system components, and services are covered by their PCI DSS compliance program. Moreover, they must provide sufficient evidence and assurance that all processes and components under their control are PCI DSS compliant.
Read Johnnie’s other columns on virtualization and cloud security here.
But back to you, if you choose to have your PCI workloads hosted on multi-tenant public cloud infrastructures, it’s still your ultimate responsibility to ensure that your chosen provider has all preventative measures and adequate controls in place for protecting your data. And it’s really important to realize that, because of all the challenges, not all cloud providers will be able to offer up guarantees of operating in a PCI-compliant manner. They may, however, be able to offer you an SLA for security and PCI compliance depending on what PCI enforcement and reporting mechanisms your provider has put in place.
In a private cloud, you have, of course, greater control, not to mention full responsibility for PCI compliance. You can separate your PCI workloads using physical network technologies or virtualization-specific ones. But one thing the new guidance makes crystal clear, whether you go the private or public route, is that security must not be an afterthought. If security comes first, many other things follow, including passing those PCI audits time and time again.