The last Virtualization Security Podcast covered PCI; the guests, Kurt Roemer and Jeff Elliot, represented PCI. PCI, as you hopefully know, is working on compliance guidance for payment systems running within virtual machines and the cloud. This early discussion is a plea for people to get involved in reviewing the white paper currently under development. While they could NOT give any actual guidance during the podcast discussion, they did discuss what the white paper covers.
The most important item that was covered was that there is an unreleased white paper and that this white paper has many sections but does not cover every aspect of virtualization or cloud computing.
The discussion ranged from applying standard PCI items to virtualization through to how to think about PCI within the virtual environment. In essence, all payment card data and systems should be segregated from everything else using existing and well-known methodologies. PCI is concerned about:
- Payment Card Data being intercepted
- Payment Card Data being placed within a virtualization host that is NOT just for Payment Card Data
- Payment Card Data being placed within a cloud environment that is NOT just for Payment Card Data
- Payment Card Data traveling over the wire safely
- and many other items
We can surmise from this that for PCI we are looking at setting up virtualization hosts and clusters specifically for Payment Card Data in a silo approach, or perhaps using a security network overlay that protects against interception, as described in a previous article. However, to use a security network overlay you must also be PCI compliant, using appropriate encryption, etc. The silo approach to PCI is the current best guidance that works for all current hypervisors. While some hypervisors, such as VMware vSphere, have built-in introspection and therefore additional security capabilities, PCI needs to be vendor neutral: their guidance needs to work with everyone. There may be specific use cases, but that is left to the auditor. This may affect SMBs more than Enterprise customers, as the silo approach to virtualization security can add significant additional costs.
The auditor will need to be ‘up to speed’ on virtualization in order to make the necessary adjustments. The early guidance white paper currently being worked on will be key in providing auditors with the necessary information. Hopefully, this white paper will mention the books and resources on virtualization and virtualization security that already exist. The auditors MUST know more about virtualization and the peculiarities of virtualization security than they perhaps know now.
Note that compliance does not always mean secure and secure does not always mean compliant, but PCI is trying to do the best for everyone by building some sound security into their compliance guidance as well. This is a benefit to everyone.
While PCI pertains to Payment Card Data, it could also apply to any sensitive bits of data. I would recommend continuing to watch PCI going forward with their guidance. When the white paper is made available, The Virtualization Practice will provide a link to it; for now, to get involved, contact PCI, and once you are involved, send your input on to them! This white paper is the start of some very important guidance regarding virtualization and cloud security and is based on existing works.