Did you know the VISA PCI security auditing process guidelines don't recognize virtualized servers, one way or another? The standard is not prescriptive at all about virtualization, and virtualized servers could be interpreted as violating PCI's "one function per server" requirement (Requirement 2.2.1). Visa PCI has probably done more to secure IT networks, servers and applications than most other regulations or auditing standards, but PCI is mute on anything to do with virtualization. That's unusual, because PCI tends to be more prescriptive than the security elements of well-known Federal regulations like HIPAA, GLBA or SOX. (Note that PCI is not issued by a standards body, nor is it a Federal regulation. It is a security requirements auditing guideline created by VISA, intended to better secure customer credit card data.)
As a Microsoft IT person, why do you care? You most likely already know about PCI if you're subject to Visa's security auditing standard, but even if you don't handle customer credit card data, PCI is worth using as a guide for your own security architecture. And why is it an issue that PCI doesn't address virtualization?
Because it leaves PCI-approved auditors to interpret and decide how virtualized servers and applications are subject to PCI security requirements. On the one hand, we've had the previous generation's equivalent of virtualization in our data centers and on desktops for years, namely Citrix servers, and PCI isn't out to ban those. So it's not likely that something will fall out of favor during a PCI audit just because it is virtualized; at least I hope that's the case. But it does make you question why PCI hasn't addressed virtualization and doesn't seem to want to. According to this SearchSecurity.com article by Marcia Savage, Chris Hoff, a well-known security blogger and security architect at Unisys, has been asking why PCI won't get ahead of the virtualization train (see this blog post).
As with many technologies, we don't stop to consider the security implications of new technologies and their uses during our rush to implement them. (This is something Chris writes about frequently on his blog, btw. I'd definitely recommend reading Hoff's blog, Rational Survivability.) Virtualization in many ways is no different. Maybe the PCI Security Standards Council is holding back, letting the industry shake out virtualization and its security implications a bit more. But then again, isn't that how our credit card data keeps being stolen on what seems like a daily basis... by taking a sit-back, wait-and-see, school-of-fish approach to security? VMware joining the PCI Security Standards Council is a nice gesture and all, but that doesn't mean PCI has taken up the cause of wrapping its arms around the security issues virtualization presents. But like the credit crisis, the housing bubble, or just about any other big problem we like to ignore, virtualization and security will become an issue... one way or another.