The Virtualization Security Podcast of 10/6 featured Davi Ottenheimer in his role as a QSA. Davi holds down many roles working with companies such as VMware, yet he maintains his QSA credentials and applies his knowledge of PCI Compliance. In this podcast we asked two questions: is a virtual environment always mixed-mode, and what do you do if your QSA does not have the knowledge required to do the job?
These are two very important questions with respect to whether your PCI Compliance audit will pass or fail. While PCI Compliance is one of the most prescriptive compliance frameworks currently available, quite a bit is still left up to the QSA, so your QSA's knowledge and background often come into play when they are reviewing and judging your adherence to compliance. Davi's approach is:
If you do not like your QSA's level of knowledge, replace them with another one.
PCI Compliance does not require you to keep the same QSA if they do not have the proper level of knowledge to review your environment. In addition, your QSA should be able to work with you to improve overall compliance adherence (and hopefully security). Auditors should be your partners, not your enemies. But they also need to understand the technology they are reviewing.
So what makes the virtual environment so hard to review? Mainly the complexity of such environments, with many touch points between virtual machines, virtual networks, storage, and hosts. Not all of these touch points are easily understood, so perhaps an analogy will help. Look at each virtualization host (whether that is VMware vSphere, Citrix XenServer, Microsoft Hyper-V, Red Hat KVM, or some other hypervisor) as a blade chassis that combines networking, storage, and compute power into a single container. There are multiple bits of hardware that can be interchanged, but all in all, if you look at a blade chassis as a whole and not at a single component, it is a hybrid device. This is exactly the way to look at a hypervisor.
But what does this mean for PCI Compliance? First, it means that a hypervisor and the VMs running within it are nearly always in mixed-mode from a PCI Compliance perspective. Mixed-mode, as we discussed on the podcast, is a definition that applies to the types of workloads (or virtual machines) running within a given hypervisor and is unrelated to the interactions between the virtual machines and the hypervisor itself. But I do not agree; I believe any hypervisor-based PCI workload is always mixed-mode regardless of the types of VMs.
Just the other day, George Gerchow of VMware and I were discussing this on Twitter, and his response to this statement was:
@georgegerchow: @Texiwill yes, agreed from a network perspective. We are talking about levels of trust between VM’s on a host.
My response was to look at the environment from a virtual machine perspective and not a networking perspective. I agree with him from that perspective: there are minimally three networks (management, vMotion, virtual machine) and perhaps more available on any given hypervisor, and each of these networks represents a different trust zone, while the virtual machines should see only one of them (the virtual machine network for PCI workloads). But if you add VMware vShield Endpoint, vShield Edge, and vShield App with Data Security packages into the mix, the virtual machines for these tools can now touch all virtual machines on any given host regardless of trust zone. The reason is that these virtual machines are security constructs that offload security actions such as virtual disk inspection for viruses, malware, and personally identifiable information.
As such, these virtual machines are in a different trust zone than most PCI workloads and are often viewed as host-based security tools, but actually they are separate virtual machines that make use of host-based transports to quickly gain access to data being passed to (vShield App) and data within (vShield Endpoint, vShield Data Security) your PCI workloads. So their security ends up being in scope for any audit. The best way to look at these tools is as big-iron IDS/IPS solutions, which will be used not only for PCI Compliance requirements but for the security of your entire environment. These shared devices are in scope for a PCI Compliance audit, as they will see PCI-specific data.