This week I went through our annual audit process for the fourth time, and as usual the virtual hosts were mostly ignored. Why? The Payment Card Industry (PCI) security standards have yet to be updated to include the virtualization layer of environments that are audited for PCI compliance. The auditor acknowledged this fact and said this may eventually change so that virtual hosts are more closely scrutinized.
The purpose of the PCI standards is to ensure that IT environments meet a set of security requirements that protect cardholder data; compliance is mandatory for any company that accepts credit cards and exceeds a certain transaction volume.
VMware announced their participation in the PCI Council last year, but so far nothing has come out of it. How this will affect a new PCI standard is anyone’s guess. The auditor I spoke with suggested that new regulations might require segregation of hosts so that development and test virtual machines (VMs) are not mixed onto the same hosts as production VMs. Many large environments already separate their test and production VMs, but smaller environments with a limited number of hosts may find this difficult. New regulations may also require further segregation, so that hosts running VMs involved in the processing or storage of credit card data are isolated from other hosts.
Whatever comes out of VMware’s participation in the PCI Council, we should finally see virtualization covered in the next update. Currently the PCI specification is at version 1.2, last updated in October 2008. This participation is critical to the success of the PCI standard: applying security standards to VMs means nothing if you don’t also apply them to the hosts the VMs reside on.
The lifecycle process document for the next version of the PCI specification indicates that the next release is not due out until 2010. Since virtualization will be added to the PCI specification in the future, it would be wise for an administrator to start getting ready for the upcoming changes today. This includes assessing your virtual environment to identify the hosts and VMs involved in handling credit card data, planning how you might segregate your environment, reading through the published security standards for ESX hosts (i.e. the CIS Security Benchmark and VMware’s security hardening guide) and applying them, and using virtualization-specific security tools to monitor and secure your virtual environment.
VMware has a new Compliance Center on their website that includes white papers and presentations specifically on virtualization and PCI compliance. Doing this work now leaves you better prepared when the PCI standard is updated and ahead of the game; otherwise you will often find yourself scrambling to remediate your environment once the new standard is in place and you are audited.
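A small pre-audit check of the kind this assessment calls for, written here as an added example (not code from the original post or from VMware). It assumes a VM inventory exported from vCenter into a simple list of (VM, host, environment, PCI-scope) records, which is a constructed format, and reports hosts that mix dev/test VMs with production VMs or PCI-scope VMs with out-of-scope VMs.

```python
"""Pre-audit segregation check over a constructed vSphere-style inventory.

Two rules from the post: (1) dev/test VMs should not share a host with
production VMs; (2) VMs that process or store cardholder data (PCI scope)
should not share a host with out-of-scope VMs.
"""
from collections import defaultdict

# Constructed sample inventory: (vm_name, host, environment, pci_scope).
# The record layout is an assumption; a real export would come from vCenter.
INVENTORY = [
    ("pay-db01",   "esx01", "prod", True),
    ("pay-web01",  "esx01", "prod", True),
    ("crm-web01",  "esx02", "prod", False),
    ("crm-test01", "esx02", "test", False),   # rule 1 violation on esx02
    ("pay-web02",  "esx03", "prod", True),
    ("intranet01", "esx03", "prod", False),   # rule 2 violation on esx03
    ("build01",    "esx04", "dev",  False),
]

def check_segregation(inventory):
    """Return {host: [finding, ...]} for every host that mixes workloads."""
    by_host = defaultdict(list)
    for vm in inventory:
        by_host[vm[1]].append(vm)
    findings = {}
    for host, vms in sorted(by_host.items()):
        envs = {vm[2] for vm in vms}
        scopes = {vm[3] for vm in vms}
        problems = []
        if "prod" in envs and (envs - {"prod"}):
            nonprod = sorted(vm[0] for vm in vms if vm[2] != "prod")
            problems.append(f"dev/test VMs on a production host: {', '.join(nonprod)}")
        if scopes == {True, False}:
            out = sorted(vm[0] for vm in vms if not vm[3])
            problems.append(f"out-of-scope VMs alongside PCI-scope VMs: {', '.join(out)}")
        if problems:
            findings[host] = problems
    return findings

def pci_hosts(inventory):
    """Hosts carrying at least one PCI-scope VM: the set an auditor would review."""
    return sorted({vm[1] for vm in inventory if vm[3]})

if __name__ == "__main__":
    for host, problems in check_segregation(INVENTORY).items():
        for p in problems:
            print(f"{host}: {p}")
    print("PCI-scope hosts:", ", ".join(pci_hosts(INVENTORY)))
```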
Editor’s note: For more information on how current auditing fails to address virtualized servers, read about how three separate auditing firms failed to address several security vulnerabilities involving virtualized servers in Virtual machine security enters the mainstream.