PCI-DSS has made it possible for organizations to virtualize their infrastructure. But moving the PCI-DSS related products and processes to the public cloud is not yet an easy task…
One of the challenges that cloud computing has faced is the age-old challenge of compliance. How does an organization achieve compliance if it is unable to use virtualization and on that note, the cloud? Well, it looks like our friends at the PCI council have finally recognized that they, specifically, were holding up the virtualization and cloud process. PCI-DSS is huge. Any company that accepts credit card payments is subject to PCI-DSS. And with PCI DSS 2.0 the council has defined some rules around credit-card-handling with server virtualization.
This document, refers to PCI Compliance in Virtualized environments and identifies the challenges of the virtualization of devices bound by PCI regulations and advises organizations on how to stay compliant with virtualization yet still stay within the data security standards.
Now for the nitty gritty.
Harden Your Hypervisor! Three key components:
1. There needs to be separate administrative functions so that hypervisor administrators do not have the ability to modify, delete, or disable hypervisor audit logs. This is critical for forensic investigation.
2. Sending hypervisor logs to physically separate, secured storage as close to real-time as possible. This will ensure that the logs are immutable and admissible in court. You want that in your audit trail.
3. Lastly, the audit logs have to be monitored and reviewed in order to identify activities that could indicate a breach in the integrity of segmentation, security controls, or communication channels between workloads.
As part of Requirement 5.2, you must ensure that all anti-virus mechanisms are current, actively running, and generating audit logs. Antivirus should be on the hunt anyway, however, as virtualization becomes more popular, so too are the new vectors for hackers to compromise. Protecting the hypervisor is of utmost importance.
Quick! Hide your PAN!
Requirement 3.4 says you must render PAN unreadable anywhere it is stored, which includes portable digital media, backups and in logs. You can do so using a number of means, such as one-way hashes based on strong cryptography. Bear in mind that the hash must be of the entire PAN. Not partial. Another option is truncation of the PAN (hashing cannot be used to replace the truncated segment of PAN, however.) You could index tokens and pads (pads must be securely stored). And as a final measure – strong cryptography with associated key-management processes and procedures can be used.
I heart logs!
Logging of activities unique to virtualized environments may be needed to reconstruct the events required by PCI DSS Requirement 10.2. For example, logs from specialized APIs that are used to view virtual process, memory, or offline storage may be needed to identify individual access to cardholder data. What this means is that the specific system functions and objects to be logged may differ according to the specific virtualization technology in use. VMware might have a very different logging medium than Microsoft HyperV. Make sure logging is enabled and those logs are being collected. Very few of the SIEM vendors can collect all logs using native APIs. Do some research!
Every instance of attempted infrastructure access (including whether it was granted or denied) should be tracked for security management. As part of PCI Requirement 10, as well as parts of section 3.4 and 5.2 logging is important. And the council acknowledged that logging is even more important but much more difficult in virtualized environments.
One of the main staples of security is least privilege. Network admins, for example, should only have control of the network, specifically. The bad news is, most Virtualization folks are used to working on all aspects of the virtual infrastructure, so separation and segregation of duties may cause troubleshooting to be a more of a pain. There are now multiple layers, and multiple teams, to go through.
That said, audit trails contained within virtual machines should only be available to those where relevant. This is a step forward for Cloud. Lastly, and probably most importantly, do not locate audit logs on the same host or hypervisor as the components generating the audit logs.
PCI = Security?
If you’ve followed my rants and raves, you’ll know that I’m of the opinion that security is first priority, and compliance is the result. PCI-DSS has done an excellent job of defining the lowest common denominator of security, and then building on that standardization. “Secure” is a relative word. But PCI has helped make budget, mind share and human resources available for securing the data of their customers. So in that way, we’ve all won since retailers have reduced the risk of being hacked. Where virtualization adoption faltered was due to compliance concerns. Now that the council has given a thumbs up, organizations can now move much of the PCI infrastructure to virtual environments. This will lower costs, in some ways define better security, and also help with infrastructure uptime and faster recovery.
Does this mean we can be PCI compliant in the cloud?
The new PCI virtualization guidelines are a step in the right direction, but we’re still not there. Because the network layer is still shared between organizations, so organizations are still dependent on the cloud service provider. So for now, stick with private cloud. Public Cloud isn’t there yet since we still don’t have full control over the infrastructure. In Summary: PCI-DSS has made it possible for organizations to now virtualize their infrastructure and begin saving money with consolidation. This will help organizations build out their private cloud. But moving the PCI-DSS related products and processes to the public cloud is just not yet an easy task. The PCI council is on the right track, and together, with the cloud vendors we can get there. It’s just a matter of time.
Read More in SecurityWeek’s Cloud and Virtualization Security Section