Back in March we published a post about how PCI compliance standards are reshaping security in the cloud. The big question mark was how the Standards Council would define guidelines around virtualization via its special interest group, which was pondering the problem.
On June 14, they finally published an outline, which will influence security in the cloud-computing arena and specifically practices around management of payment card data.
“While virtualization may provide a number of functional and operational benefits, moving to a virtual environment doesn’t alleviate the risks which existed on the physical systems, and may also introduce new and unique risks,” said one of their guidance documents.
“Consequently, there are a number of factors to be considered when implementing virtual technologies, including but not limited to those defined below.”
More than 30 participating organizations helped formulate the guidance documents, which help merchants, service providers, processors and vendors understand how PCI DSS applies to virtual environments, including:
• Explanation of the classes of virtualization often seen in payment environments including virtualized operating systems, hardware/platforms and networks
• Definition of the system components that constitute these types of virtual systems and high-level PCI DSS scoping guidance for each
• Practical methods and concepts for deployment of virtualization in payment card environments
• Suggested controls and best practices for meeting PCI DSS requirements in virtual environments
• Specific recommendations for mixed-mode and cloud computing environments
• Guidance for understanding and assessing risk in virtual environments
The body concluded that there is no single method for securing virtualized systems. Some of the general recommendations included:
• The flow and storage of cardholder data should be accurately documented as part of this risk assessment process to ensure that all risk areas are identified and appropriately mitigated.
• Designing all virtualization components, even those considered out-of-scope, to meet PCI DSS security requirements will not only provide a secure baseline for the virtual environment as a whole, it will also reduce the complexity and risk associated with managing multiple security profiles, and lower the overhead and effort required to maintain and validate compliance of the in-scope components.
• When assessing physical controls, consider the potential harm of an unauthorized or malicious individual gaining simultaneous access to all VMs, networks, security devices, applications, and hypervisors that one physical host could provide. Ensure that all unused physical interfaces are disabled, and that physical or console-level access is restricted and monitored.
• The body said all players should consider how security could be applied to protect each technical layer, including but not limited to the physical device, hypervisor, host platform, guest operating systems, VMs, perimeter network, intra-host network, application, and data layers. Physical controls, documented policies and procedures, and training of personnel should also be a part of a defense-in-depth approach to securing virtual environments.
• Preventive controls such as a network firewall should never be combined on a single logical host with the payment card data it is configured to protect. Similarly, processes controlling network segmentation and the log-aggregation function that would detect tampering of network segmentation controls should not be mixed.
• Accounts and credentials for administrative access to the hypervisor should be carefully controlled, and depending on the level of risk, the use of more restrictive hypervisor access controls is often justified.
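As an added illustration (not part of the PCI guidance or the original article), the co-location recommendation above can be checked against a VM inventory. The inventory, host names and function labels below are constructed assumptions, and "logical host" is modelled here as the hypervisor host a VM runs on.

```python
from collections import defaultdict

# Constructed inventory: (vm_name, logical_host, functions). Not from the guidance.
INVENTORY = [
    ("fw-edge-01", "hv-a", {"firewall"}),
    ("pay-db-01", "hv-a", {"cardholder_data"}),
    ("seg-ctl-01", "hv-b", {"segmentation_control"}),
    ("log-agg-01", "hv-b", {"log_aggregation"}),
    ("fw-edge-02", "hv-c", {"firewall"}),
    ("pay-db-02", "hv-d", {"cardholder_data"}),
    ("log-agg-02", "hv-d", {"log_aggregation"}),
]

# Function pairs the recommendation says should not share one logical host
# (labels are hypothetical names chosen for this example).
CONFLICTS = [
    ("firewall", "cardholder_data"),
    ("segmentation_control", "log_aggregation"),
]


def find_colocation_violations(inventory, conflicts=CONFLICTS):
    """Return sorted (host, fn_a, fn_b, vms_a, vms_b) tuples for each conflict."""
    by_host = defaultdict(lambda: defaultdict(list))
    for vm, host, functions in inventory:
        for fn in functions:
            by_host[host][fn].append(vm)

    violations = []
    for host, fns in by_host.items():
        for a, b in conflicts:
            # A single VM carrying both functions is flagged as well,
            # since it trivially shares a host with itself.
            if a in fns and b in fns:
                violations.append((host, a, b, sorted(fns[a]), sorted(fns[b])))
    return sorted(violations)


if __name__ == "__main__":
    for host, a, b, vms_a, vms_b in find_colocation_violations(INVENTORY):
        print(f"{host}: {a} ({', '.join(vms_a)}) shares a host "
              f"with {b} ({', '.join(vms_b)})")
```
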
The report went on to recommend a number of additional directives for securing a virtualized environment. One particularly telling statement related to concepts around IaaS, PaaS and SaaS.
Cloud computing also encompasses several types of services, including IaaS, PaaS, and SaaS. Each type of service represents a different assignment of resource management and ownership, which will vary depending on the specific service offering.
For example, an entity subscribing to an IaaS service may retain complete control of, and therefore be responsible for, the ongoing security and maintenance of all operating systems, applications, virtual configurations (including the hypervisor and virtual security appliances), and data. In this scenario, the cloud provider would only be responsible for maintaining the underlying physical network and computing hardware. In an alternative scenario, a SaaS service offering may encompass management of all hardware and software, including virtual components and hypervisor configurations.
In this scenario, the entity may only be responsible for protecting their data, and all other security requirements would be implemented and managed by the service provider.
In its final remarks, an information supplement to the guidelines stated that the lack of virtualization industry standards has resulted in a number of vendor-specific best practices and recommendations that may or may not be applicable to a particular environment.
The report thus remains a ‘guidance’ document and still leaves a number of implementation practices up to the vendor and/or merchant.
This article was brought to you by VI.net. For dedicated server hosting, cloud servers and 24/7 support, visit our site at www.vi.net