Imagine this scenario: You've successfully migrated all the company's non-critical applications, the internal infrastructure and the development center on to virtual servers. Management is happy because you've lowered both capital and operating costs, increased energy efficiencies, as well as improved business continuity.
But like every business at the moment, your managers need you to reduce costs even further. They're pushing for you to consolidate and run the mission-critical applications, including the Internet-facing e-commerce ones, on virtualized servers, too. But can you remain compliant with the Payment Card Industry Data Security Standard (PCI DSS) while fully leveraging the business benefits of virtualization?
What PCI has to say about virtualization
This is a problem many IT managers face, and there's a distinct lack of guidance on virtualization from the PCI Security Standards Council. Version 1.2 of the standard, released in October, did clarify a number of issues, but it didn't address virtualized environments.
To benefit from virtualization, virtual servers will typically have multiple functions running on a single physical server. Section 2.2.1 of the PCI DSS, however, states that a server should perform only one primary function. So, according to the standard, Web servers and database servers should each be implemented on a separate machine. For a company that needs to be PCI compliant, those restrictions make the task of virtualizing an infrastructure a difficult one.
The PCI Data Security Standard does not yet address virtualized servers or related audit requirements, meaning that qualified security assessors (QSAs) must use their own judgment to determine whether organizations that implement virtualized servers meet the PCI mandates. This less-than-ideal situation is compounded when you consider that IT and security professionals themselves are still unsure of how virtualization changes the risk profile of a system, especially when the technology has been described as one that keeps "all the eggs in one basket," due to the fact that a compromise of the VM host comprises all the virtual servers running on it.
PCI virtualization specifications on the way
Thankfully, this is a short-term situation, as a PCI Security Standards Council special interest group (SIG) for virtualization is currently taking shape. Its aim will be to address the challenges and issues associated with virtualization and PCI compliance, providing much-needed explanation in the same way the clarification document regarding Web application firewalls and code reviews had done in early 2008.
The virtualization SIG will solicit feedback from not only participating organizations, such as VMware Inc., Microsoft and other industry stakeholders, but also the security assessors that currently perform assessments. They will no doubt focus on the security of host servers. Any VM containing credit card-related data means its host server is also in-scope. Other issues to be addressed include access control, monitoring and the security of remote console sessions to the VMs. Adequate security for clones and copies of virtualized servers, such as those used for disaster recovery and business continuity, should be covered as well.
The decision that will have the biggest effect on merchants will be whether virtualization provides adequate zoning and separation of functions. That choice will specify if virtual servers are acceptable as long as they are only performing a single function. For example, will a merchant be able to run in-scope and out-of-scope virtual servers on the same hardware? In such a situation, there would certainly need to be a firewall in place to separate the virtual servers into zones.
One approach may be for a single hypervisor to only allow the compliant systems handling data covered by PCI, which would avoid the non-compliant state of having multiple classifications of data residing on the one storage medium. A current best practice is to not use virtual machines that run across multiple secure zones on the same host. In the upcoming clarification document, it will also be important to monitor not just the VM workloads, but also the hypervisors, using products such as those from Tripwire Inc. Comprehensive monitoring offers reporting ability, which will certainly help towards demonstrating compliance.
It will be some time before the virtualization SIG is able to quantify the risks posed by a virtualized environment and establish auditing standards to assess host servers and guest virtual machines. QSAs are used for auditing and assessing risk in highly segmented and layered architectures where duties and responsibilities are largely separated and well-defined. The opposite is true in virtualized architectures, which means another auditing approach is necessary.
My view is that the most conservative approach would be to delay implementing virtualization and wait for the findings and recommendations of the SIG in order to ensure your chosen product doesn't fail any upcoming revisions to requirements. When the PCI requirements for security in virtual environments are announced, it will have some fairly broad implications for the whole cloud computing community.
For those who are more bullish on virtualization, when researching some of the virtualization security products coming onto the market today, I would recommend paying particular attention to their management control features. For example, to what degree can an organization limit the scope of permissions to specific objects or parts of the infrastructure and grant the correct access rights to the right people, without violating the principle of "least privilege?" Separation of duties between hosts and VMs will be critical to achieve compliance.
To that end, administrators looking to get a head-start should be aware that VMware, one of the major virtualization vendors, has launched the VMware Compliance Center website: an initiative to help merchants understand how to achieve, maintain and demonstrate compliance of various industry standards in virtual environments. I also recommend reading the case studies of companies that have successfully passed compliance audits in their VMware environments. Good documentation to prove there are sufficient controls in the virtualized environment seems to be a common component of setups that have passed an audit. It's also important to choose an assessor who understands security controls in a virtual environment and has experience in how they should be deployed.
The bottom line is that virtualization is a complex and evolving technology, and those looking to implement virtualized systems in the near-term -- regardless of the business drivers, such as cost reduction, availability and resiliency -- should be aware that PCI compliance guidelines will likely be in a state of flux for some time. That means implementations may be forced to evolve as well.
About the author:
Michael Cobb, CISSP-ISSAP is the founder and managing director of Cobweb Applications Ltd., a consultancy that offers IT training and support in data security and analysis. He co-authored the book IIS Security and has written numerous technical articles for leading IT publications. Mike is the guest instructor for several SearchSecurity.com Security Schools and, as a SearchSecurity.com site expert, answers user questions on application security and platform security.
This was first published in March 2009