PCI Council Releases Virtualization Guidance

PCI DSS 2.0 Virtualization Guidelines doc sheds light on compliance in the virtual world

Today the PCI council released its PCI DSS Virtualization Guidelines Information Supplement. This supplement does not add any new requirements to the standard; rather, it provides guidance on how to interpret the PCI DSS 2.0 standard in a virtual environment. It covers hypervisors, virtual machines, cloud computing, virtual networking and several other topics of interest. The supplement tackles these areas:

- Explanation of the classes of virtualization, including virtualized operating systems, hardware/platforms and networks
- Definition of the system components that constitute these types of virtual systems, and high-level PCI DSS scoping guidance for each
- Practical methods and concepts for deployment of virtualization in payment card environments
- Suggested controls and best practices for meeting PCI DSS requirements in virtual environments
- Specific recommendations for mixed-mode and cloud computing environments
- Guidance for understanding and assessing risk in virtual environments

Here is what is sure to be the most impactful part of the guidance, the mixed-mode and public cloud recommendations:
It is strongly recommended (and a basic security principle) that VMs of different security levels are not hosted on the same hypervisor or physical host; the primary concern being that a VM with lower security requirements will have lesser security controls, and could be used to launch an attack or provide access to more sensitive VMs on the same system.
-----
In a public cloud environment, additional controls must be implemented to compensate for the inherent risks and lack of visibility into the public cloud architecture. A public cloud environment could, for example, host hostile out-of-scope workloads on the same virtualization infrastructure as a cardholder data environment. More stringent preventive, detective, and corrective controls are required to offset the additional risk that a public cloud, or similar environment, could introduce to an entity’s CDE. These challenges may make it impossible for some cloud-based services to operate in a PCI DSS compliant manner. Consequently, the burden for providing proof of PCI DSS compliance for a cloud-based service falls heavily on the cloud provider, and such proof should be accepted only based on rigorous evidence of adequate controls.
Let me know your feedback on the new guidance. You can get the new guide here: https://www.pcisecuritystandards.org/documents/Virtualization_InfoSupp_v2.pdf The council will also be putting on a couple of webinars that go through the new guide in detail. Here is the info for those: https://www.pcisecuritystandards.org/pdfs/pci_pr_20110614.pdf

The opinions and information presented here are my PERSONAL views and not those of my employer. I am in no way an official spokesperson for my employer.


Copyright © 2011 IDG Communications, Inc.