Read the rest of this post »

The long awaited guidance on virtualization technologies was recently released by the PCI SCC. Having read it over I did not find any big surprises, but a few thing did stand out for me.

This is guidance only and does not supersede the PCI DSS. It doesn’t really add anything new that wasn’t included in the PCI DSS already. Basically just because you use virtualization doesn’t mean all the PCI DSS doesn’t apply. Furthermore when adding virtualization you are adding another layer of complexity; technical, administrative, and architectural. However I think it tips the Council’s hand in what we might see in an updated DSS in October 2013.

They include in virtualization, not just VMs, but virtual storage, virtual networking (think virtual switch, not vlan), virtual desktops, and or course the hypervisor. They also throw in the cloud for good measure. I wish they wouldn’t have done that, because that’s a whole other kettle of fish.

Here is my top 3 from the guidance.

1. Mixed-mode: They use the term mixed-mode when mixing VMs of different trust levels or those in-scope and out-of-scope for PCI on the same hypervisor/hardware. They strongly recommend that all VMs in such a scenario should be in-scope. The reasoning is that the lower security VMs represent a potential avenue of attack. I see their point: A guest VM could be popped and then chained with a vuln. to escape to the hypervisor (or host OS) at which point it essentially game over. I see their point, but other controls in the PCI DSS are supposed to be in place to mitigate this.

   They also point out that it may not be possible to achieve appropriate levels of isolation between in-scope and out-of-scope guests with a particular virtualization technology. True, but in that case all the guest VMs would be in-scope due to inadequate segmentation.

   All in I think this is a very strong statement. I suspect that merchants and service providers will protest strongly. As a QSA if you can demonstrate that your virtualization solution provides for adequate isolation, you’ve configured it properly, and have the processes in place to keep the isolation in place, you should be OK for now. But you might want to start planning for this to be added in PCI DSS version 2.x in October 2013.

2. VM Images: This one made me do a head slap (figuratively). VMs of course aren’t really hardware, they are just a bunch of bits in a VM image. This image contains the memory contents, disk contents, swap files, etc. So what about when a VM is dormant (off or suspended)? For PCI in-scope VMs it likely contains CHD. It may even contain it in an unencrypted state depending on when it was suspended. Worse it would contain sensitive authentication data in memory (verboten to store). What about moving images around? Some solutions do this to allow for increased availability. Maybe you are backing them up. Or moving them up to AWS to do some testing. We now have a new class of files that can contain both CHD, and verboten sensitive authentication data. Proper care and handling will have to be taken. What policies, procedures, technical controls are in place?

3. Complexity: There’s a saying in computer science that all things can be solved by adding another layer of abstraction. That in a nutshell is what virtualization essentially is. OS process isolation wasn’t sufficient so we invented the virtual machine monitor in the 60’s and this essentially gave birth to today’s virtualization hypervisors. That additional level of abstraction has many implications. First off we have just increased the attack surface. Also we now need processes to control the lifecycle of VMs so we can keep a handle on them. We have also created a new class of administrators: the virtual machine admin. They have administrator level access to the hypervisor of course. But what about the underlying VMs? What about the virtual appliances that perform traditional network or security functions, the virtual switches, virtual firewalls, virtual AV? This has implications for separation of duties.

There is nothing to get too alarmed about. Most of this is already included in the PCI DSS on careful reading. It does highlight that in an effort to cut down on costs and leverage infrastructure we’ve introduced a host of other issues that we’ll have to deal with. Perhaps the cost saving and leverage wasn’t quite as large as was originally thought, especially when you throw PCI DSS compliance into the mix.

Jason M.

If you have any questions regarding virtualization and how it will affect your PCI DSS compliance efforts, please leave a comment or feel free to contact us directly. Our team of experienced QSAs would be happy to have a discussion with you.

I recently read an article in eWeek by Fahmida Y. Rashid “PCI-DSS Compliance Helps Prevent Data Breaches Despite IT Doubts: Survey”.

So who are the people who remain skeptical about the security effectiveness regulatory compliance? Probably those people who believe the accounting, engineering, and medical industries should have no regulatory compliance either.

Let’s face it, information technology is a relatively new field and has begun to standardize itself with regulatory compliance in some key areas like privacy and the use of payment cards. Without it, how can an organization assure the public, its customers, and business partners that they are not putting their information at risk? 

Well of course there are those running their organizations’ IT Security programs very well; most likely using some type of standard similar to ISO 27001 to baseline themselves. Which is great and they very well might be very secure and doing a great job. Compliancy helps to achieve this in needed areas.

I have not met one senior IT person (CIO, Director/Manager of IT) that doesn’t believe in securing there organizations’ assets. Many look at regulatory compliance as a positive step forward. Many times, budgets will not present themselves without something like regulatory compliancy to drive their IT security projects forward.

Standards like PCI & NERC are put in place to help ensure that we are being protected. Like any compliancy program it has its positives and negatives; however, I believe the positives out weigh the negatives.

Each year I see more and more demand from clients to understand how they can reassure their senior management that they are using industry best practices measured by some standard. IT security is a very complicated and evolving paradigm. With so many avenues for an intrusion to take place it is my belief that standards and compliancy are a healthy step forward in the IT security industry.

Danny T.