Many enterprises are transitioning their data centers to virtual environments, but doing so may have unintended consequences when it comes to complying with various laws and regulations. In this tip, we look at the impact that virtualization has on enterprise compliance programs and provide some advice on how you can design a virtualization strategy that enhances, rather than jeopardizes, your organization's compliance efforts.
Data center virtualization and PCI compliance
Before we examine the technical considerations of data center server virtualization, any discussion of virtualization and compliance must begin with the Payment Card Industry Security Standards Council (SSC), the publisher of the PCI Data Security Standard (DSS). The SSC has published a separate information supplement, the PCI DSS Virtualization Guidelines, which offers specific advice on how to apply PCI DSS requirements in a virtualized environment. It is a must-read for any merchant or other organization involved in payment processing, because it is the council's own interpretation of how the standard applies to hypervisors, virtual machines and virtual network components.
It's also significant that the August 2012 summary of feedback gathered on PCI DSS 2.0 does not even mention virtualization, so major virtualization-related changes to the standard are unlikely in the near future. An organization that follows the SSC's virtualization guidance when implementing a virtual environment is therefore unlikely to run afoul of the next version of the PCI DSS, which is expected in the fall of 2013.
The challenges of server virtualization
In a virtualized environment, operating systems do not run directly on top of physical hardware. Instead, a middle layer, known as the hypervisor, manages access to the physical hardware. The hypervisor balances the needs of multiple guest operating systems and presents each of them with a view of the hardware that imitates what the guest would see on a physical machine. The hypervisor is also responsible for ensuring that guests are not aware of each other's presence.
The hypervisor introduces two major new security concerns for those building and maintaining virtualized platforms. First, the hypervisor's position between the guest operating systems and the physical hardware gives it extremely privileged access, including the ability to read and manipulate the memory, storage and network resources assigned to the guests. Security and compliance professionals must therefore treat the hypervisor (and its management interfaces) as an additional entry point for an attacker: compromising it compromises every guest it hosts.
The PCI DSS Virtualization Guidelines address this concern directly, stating that, "If any virtual component connected to (or hosted on) the hypervisor is in scope for PCI DSS, the hypervisor itself will always be in scope." While other compliance standards may not be so explicit, this is sound advice for other compliance obligations as well. Compliance professionals must examine the design of virtualized environments that process regulated information and ensure that both the guest systems and the hypervisor meet the applicable requirements.
The second new concern is whether the hypervisor correctly enforces isolation among guests with different security levels. If guest operating systems can gain unauthorized access to each other's resources, sensitive information can flow between those systems and a breach on one guest can cross system boundaries to another. Because of this concern, most security and compliance professionals recommend against hosting systems with different security levels on the same virtualized platform. The PCI DSS Virtualization Guidelines address this situation as well, stating that any hypervisor hosting both in-scope and out-of-scope guests must enforce extremely strict segmentation between them. They then offer this summary:
"Even if adequate segmentation between virtual components could be achieved, the resource effort and administrative overhead required to enforce the segmentation and maintain different security levels on each component would likely be more burdensome than applying PCI DSS controls to the system as a whole."
The bottom line? It's not a good idea to mix systems of differing security levels on one hypervisor. The bar for proving adequate segmentation in such an environment is set so high as to be impractical; in most cases it is simpler to either dedicate the hypervisor to in-scope systems or accept that everything on it is in scope.
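The two scoping rules above (a hypervisor inherits scope from any in-scope guest, and a mixed hypervisor without validated segmentation drags its other guests into scope) are mechanical enough to check against a VM inventory. The following script is an added example, not part of the original tip or of any PCI SSC publication; the host and guest names are constructed, and the `segmented_hosts` parameter is a hypothetical way of recording which hypervisors have had their segmentation validated by an assessor.

```python
"""Propagate PCI DSS scope from guests to the hypervisors hosting them.

Rules applied (from the PCI DSS Virtualization Guidelines, paraphrased):
  * if any guest on a hypervisor is in scope, the hypervisor is in scope;
  * a hypervisor mixing in-scope and out-of-scope guests needs validated
    segmentation; otherwise every guest on it is treated as in scope.
"""
from collections import defaultdict

# Constructed sample inventory; hosts and guests are made-up names.
# "in_scope" means the guest itself stores, processes or transmits
# cardholder data, before any propagation to other components.
INVENTORY = [
    {"guest": "pos-db-01",   "host": "esx-pci-1", "in_scope": True},
    {"guest": "pos-app-01",  "host": "esx-pci-1", "in_scope": True},
    {"guest": "hr-portal",   "host": "esx-gen-1", "in_scope": False},
    {"guest": "wiki",        "host": "esx-gen-1", "in_scope": False},
    {"guest": "pay-gateway", "host": "esx-gen-2", "in_scope": True},
    {"guest": "build-agent", "host": "esx-gen-2", "in_scope": False},
]


def guests_by_host(inventory):
    """Group inventory records by the hypervisor that hosts them."""
    hosts = defaultdict(list)
    for g in inventory:
        hosts[g["host"]].append(g)
    return hosts


def classify_hosts(inventory):
    """Return {host: status}, status being one of
    'out-of-scope', 'in-scope-dedicated' or 'in-scope-mixed'."""
    result = {}
    for host, guests in guests_by_host(inventory).items():
        n_in = sum(1 for g in guests if g["in_scope"])
        if n_in == 0:
            result[host] = "out-of-scope"
        elif n_in == len(guests):
            result[host] = "in-scope-dedicated"
        else:
            result[host] = "in-scope-mixed"
    return result


def effective_scope(inventory, segmented_hosts=frozenset()):
    """Return the set of components (guests and hypervisors) in PCI scope.

    segmented_hosts (hypothetical input): hypervisors whose guest isolation
    has been validated. On any other mixed host, the out-of-scope guests
    are pulled into scope, i.e. controls are applied to the system as a
    whole, as the guidance suggests is usually the cheaper option.
    """
    scope = set()
    for host, guests in guests_by_host(inventory).items():
        flagged = [g["guest"] for g in guests if g["in_scope"]]
        if not flagged:
            continue                      # nothing regulated on this host
        scope.add(host)                   # hypervisor inherits scope
        scope.update(flagged)
        if host not in segmented_hosts:
            scope.update(g["guest"] for g in guests)   # whole host in scope
    return scope


def report(inventory, segmented_hosts=frozenset()):
    """Human-readable per-hypervisor scoping lines."""
    status = classify_hosts(inventory)
    lines = []
    for host in sorted(status):
        line = f"{host}: {status[host]}"
        if status[host] == "in-scope-mixed":
            line += (" (segmentation validated)" if host in segmented_hosts
                     else " (no validated segmentation: all guests in scope)")
        lines.append(line)
    return lines


if __name__ == "__main__":
    for line in report(INVENTORY):
        print(line)
    print("in scope:", sorted(effective_scope(INVENTORY)))
    print("with esx-gen-2 segmented:",
          sorted(effective_scope(INVENTORY, {"esx-gen-2"})))
```

Run against a real inventory (a vCenter or cloud API export mapped to the same three fields), the `in-scope-mixed` lines are the hosts where the guidance's cost argument applies: either fund the segmentation evidence for that hypervisor or move the out-of-scope guests elsewhere.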
Defense in depth
It's important to remember that the specific security challenges of data center virtualization come in addition to the security concerns that would exist on those systems anyway. You should still practice a standard defense-in-depth approach and build in all of the security controls that you would otherwise apply to your systems. These include:
- Regular patching of operating systems and applications (as well as the hypervisor and its management tools!)
- Maintaining current malware defenses
- Network and host firewalls
- Intrusion detection and prevention
- System integrity monitoring
- Encryption of sensitive information
- Logging, auditing and monitoring
The added complexity of virtualized environments only underscores the importance of getting the basic security controls right, because they apply in every environment.
Virtualization brings the promise of reduced cost, smaller physical footprints and energy efficiency to IT computing environments. These benefits often present a compelling business case and merit serious consideration. From a compliance perspective, virtualization is nothing to fear: it is certainly possible to build compliant systems that process highly sensitive information in a virtualized world. You should, however, remember that virtualization increases the complexity of your security environment and brings with it the hypervisor security and isolation concerns discussed above, which must be addressed as you design your virtualized environment.
In fact, the cost of compliance should be a part of any organization's calculations when evaluating the business case for virtualization. While there may be some incremental expense from implementing virtualization security controls, it's likely that the costs of these controls will be dwarfed by the savings you achieve by lowering the cost of hardware acquisition. I know of one organization, for example, that found virtualization so compelling that it built a separate virtual infrastructure for use exclusively in its card-processing environment, lowering its IT costs significantly. While this may not hold true for every organization, don't rule out virtualization for fear of compliance costs, as that would mean missing out on the many benefits gained by virtualization.
About the author:
Mike Chapple, Ph.D., CISA, CISSP, is an IT security manager with the University of Notre Dame. He previously served as an information security researcher with the National Security Agency and the U.S. Air Force. Chapple is a frequent contributor to SearchSecurity.com and serves as its resident expert on enterprise compliance, frameworks and standards for its Ask the Experts panel. He is a technical editor for Information Security magazine and the author of several information security titles, including the CISSP Study Guide and Information Security Illuminated.