I’m trying to determine how effective the free VMware PCI Compliance Checker is. Can you give me a sense of whether a tool like this can actually give me clear insight into my organizational compliance posture?
If you have a virtualized PCI environment built on VMware virtualization technology, the VMware PCI Compliance Checker could be a useful aid in working toward PCI compliance. Specifically, the tool collects configuration data from servers and desktops and produces a detailed summary of which requirements appear to have been met and which have not. The challenge with a tool like this is that its interpretation of what satisfies a PCI requirement may differ from that of a Qualified Security Assessor (QSA). Where those interpretations differ, the tool's "pass" results can give a false sense of readiness and complicate the assessment engagement.
Please keep in mind that these free tools typically serve as vendor marketing tools for upselling an organization to more expensive products. As a QSA, I find a much better approach for ensuring PCI compliance in your VMware environment is to interpret each of the 12 PCI DSS requirements, where applicable, for the virtual environment. One of the biggest issues currently seen with virtualization is the failure to provision, harden, secure and lock down the hypervisor itself, which is in scope because it is a "system component" under PCI DSS. Organizations spend time locking down the virtual machines (i.e., the guest operating systems), but are lax on the hypervisor that hosts them.
The PCI Security Standards Council has also provided an excellent resource to assist you in the form of a free, 39-page document titled PCI DSS Virtualization Guidelines (.pdf). It is now used by many QSAs and numerous individuals in the PCI industry, and it is a must-read if you have a virtualized environment or are thinking of migrating to one.
The critical points highlighted in this guidance document are that organizations must make a genuine effort to meet PCI compliance in a virtualized environment, that real difficulties and challenges exist, and that, once again, the answers are not simply black and white. The guidance paper also discusses the inherent risks of virtualization, such as the hypervisor becoming a single point of compromise for every guest it hosts, and provides recommendations for achieving compliance.
In short, while VMware's (or any vendor's) tool may well prove valuable, don't assume it will correctly assess your PCI compliance posture. The guidance provided by the PCI Security Standards Council is far superior in my mind in this regard.
This was first published in September 2011