PCI DSS 2.0 clarified that credit-card-handling organizations could, in fact, use server virtualization. But the question still remained: How, exactly?
A new information supplement from the Payment Card Industry (PCI) Security Standards Council attempts to answer that question. The supplement, produced by a PCI special interest group consisting of more than 30 merchants, vendors and security assessors, identifies the challenges of virtualizing PCI-regulated environments and advises organizations on how to implement virtualization in compliance with the Data Security Standard (DSS).
Guidelines focus on hypervisor access
The PCI council’s guidelines say virtualized organizations should constantly monitor the effectiveness of security controls and their ability to respond quickly when a breach occurs. These businesses should also educate personnel on the proper handling of sensitive data and how to recognize security threats, and they should isolate security functions such as network firewalls as well.
The main challenges facing organizations are configuring the hypervisor and deciding who has access to key parts of the infrastructure, said Hemma Prafullchandra, chief technology officer for security vendor HyTrust and a member of the group that created these new guidelines. The hypervisor adds a new attack surface, and with multiple virtual machines (VMs) sitting on it, it provides a single point of access to the entire infrastructure. That complicates access control: The flexibility of VMs and ability to access multiple virtual devices from a single logical location or user makes it difficult to pinpoint roles and access policies.
To overcome these challenges, the guidelines state that “access to the hypervisor be restricted according to least privilege and need to know, and that independent monitoring of all activities be enforced.” They also stress logging: every attempted access to the infrastructure, whether it was granted or denied, should be recorded for security management.
Most importantly, PCI environments must define granular access according to administrators’ specific skills, Prafullchandra said. Network admins, for instance, should only have control of the network. Seasoned virtualization teams that are used to working across multiple technologies may find this separation of duties problematic.
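The two points above, least-privilege access to the hypervisor scoped by need to know, plus a log of every access attempt whether granted or denied, can be combined in one authorization gate. The following is an added illustration written for this article; it is not code from the PCI supplement, HyTrust, or any hypervisor product. The role names, the permission table, the user names and the resource identifiers (such as "vm-pay-01" and "hv-01") are all constructed for the example, and the JSON-lines output stands in for whatever an independent log collector would actually ingest.

```python
"""Role-based gate for hypervisor operations with a full audit trail.

Constructed example: roles, permissions, users and resource ids are
illustrative and do not come from the PCI DSS virtualization supplement.
"""
import json
from dataclasses import asdict, dataclass
from datetime import datetime, timezone
from typing import Dict, FrozenSet, List, Tuple

# Permissions are (resource_type, action) pairs. Each role gets only the
# controls its job needs: the network admin can touch virtual switches and
# firewalls but cannot start, stop or patch anything else.
ROLE_PERMISSIONS: Dict[str, FrozenSet[Tuple[str, str]]] = {
    "network_admin": frozenset({("vswitch", "read"), ("vswitch", "configure"),
                                ("firewall", "configure")}),
    "vm_operator": frozenset({("vm", "read"), ("vm", "start"), ("vm", "stop")}),
    "hypervisor_admin": frozenset({("hypervisor", "read"), ("hypervisor", "patch")}),
    # The auditor can read everything, including the audit log, but change nothing.
    "auditor": frozenset({("audit_log", "read"), ("vm", "read"),
                          ("hypervisor", "read"), ("vswitch", "read")}),
}


@dataclass(frozen=True)
class Principal:
    user: str
    roles: FrozenSet[str]
    # Need-to-know scope: the resource ids this user may act on; "*" means all.
    scope: FrozenSet[str]


@dataclass
class AuditRecord:
    timestamp: str
    user: str
    action: str
    resource_type: str
    resource_id: str
    decision: str   # "ALLOW" or "DENY"
    reason: str

    def to_json_line(self) -> str:
        # One JSON object per line, the shape most log shippers accept.
        return json.dumps(asdict(self), sort_keys=True)


class HypervisorGate:
    """Every call to authorize() is recorded, whatever the outcome."""

    def __init__(self) -> None:
        self.audit_log: List[AuditRecord] = []

    def authorize(self, principal: Principal, action: str,
                  resource_type: str, resource_id: str) -> bool:
        # Union of the permissions of every role the principal holds.
        granted = set()
        for role in principal.roles:
            granted |= ROLE_PERMISSIONS.get(role, frozenset())

        if (resource_type, action) not in granted:
            decision, reason = "DENY", "role lacks permission"
        elif "*" not in principal.scope and resource_id not in principal.scope:
            decision, reason = "DENY", "resource outside need-to-know scope"
        else:
            decision, reason = "ALLOW", "permitted by role and scope"

        # Log before returning so a denied attempt is never lost.
        self.audit_log.append(AuditRecord(
            timestamp=datetime.now(timezone.utc).isoformat(),
            user=principal.user, action=action, resource_type=resource_type,
            resource_id=resource_id, decision=decision, reason=reason))
        return decision == "ALLOW"

    def denied_attempts(self) -> List[AuditRecord]:
        return [r for r in self.audit_log if r.decision == "DENY"]

    def export_json_lines(self) -> List[str]:
        return [r.to_json_line() for r in self.audit_log]


def demo() -> Tuple[List[bool], HypervisorGate]:
    """Run a few constructed access attempts through the gate."""
    gate = HypervisorGate()
    alice = Principal("alice", frozenset({"network_admin"}), frozenset({"*"}))
    bob = Principal("bob", frozenset({"vm_operator"}), frozenset({"vm-pay-01"}))
    results = [
        gate.authorize(alice, "configure", "vswitch", "vswitch-cde"),  # allowed
        gate.authorize(alice, "stop", "vm", "vm-pay-01"),     # denied: network only
        gate.authorize(bob, "stop", "vm", "vm-pay-01"),       # allowed: in scope
        gate.authorize(bob, "stop", "vm", "vm-pay-02"),       # denied: out of scope
        gate.authorize(bob, "patch", "hypervisor", "hv-01"),  # denied: no such role
    ]
    return results, gate


if __name__ == "__main__":
    outcomes, g = demo()
    print(outcomes)
    for line in g.export_json_lines():
        print(line)
```

The gate is deliberately "deny by default": a request passes only if some held role carries the exact (resource type, action) pair and the target resource falls inside the principal's need-to-know scope. Because the audit record is appended before the decision is returned, the log contains the denied attempts too, which is what makes the separation of duties between the network admin and the VM operator checkable by an independent monitor rather than merely declared.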
For organizations that handle credit card data but haven’t virtualized yet, the biggest roadblock is the technology itself, Prafullchandra said. Virtualization security technologies are still evolving, and not all organizations are ready to take the plunge, because they’ve seen the implementation and security-assessment challenges that others have had to deal with. The new PCI guidelines, however, should alleviate these fears, Prafullchandra said.
Could PCI ease security?
The new guidelines also bring much-needed standardization. Their appendix of virtualization best practices will help all security assessors use the same testing methods to determine if a company has met PCI DSS requirements, Prafullchandra said. (That has not been the case in the past; as virtualization expert Eric Siebert wrote last year, “the enforcement of PCI DSS requirements is largely open to auditor interpretation.”)
Prafullchandra pointed out that virtualization can even improve security management, because common benefits such as increased server uptime and quick recovery times are especially vital for organizations that handle credit card data. With virtualization, it’s also easier to place compromised VMs in quarantine.
PCI in the cloud
Of course, what everyone wants to know is: What about cloud? The new PCI virtualization guidelines say the risks are still too high to store credit card data in shared hosting or public cloud environments.
“For now, the easiest is not to go cloud,” Prafullchandra said. “If you did, you would be dependent on the card brand and your qualified security assessors.”
Storing cardholder data in a hybrid or public cloud is tricky, because the network layer is shared among multiple merchants, and the organization is dependent on the service provider, Prafullchandra said.
“Typically, that’s where the public cloud starts falling short,” she added. But PCI in the private cloud is doable, she said, because an organization has complete control over the security of its assets.