PCI Guidance on Virtualization and CloudBy: Beau Woods
Recently, the PCI-SSC released an Information Supplement providing guidance for compliance with the DSS in virtualized and cloud environments. Great news for anyone with virtualization within their cardholder data environment (CHDE), or who has been considering it. Many organizations have been putting off virtualization projects precisely because they were unsure of how to ensure if or how do demonstrate compliance in a virtualized environment - even a well secured one. For quite a while merchants and service providers have been asking for more clear guidance and this document is worth the wait.
This document provides a long term solution to a big problem with the PCI compliance industry. Too often we've heard horror stories of QSAs misapplying the DSS because they don't really understand virtualization. In fact, when creating the 2.0 Standard the SSC specifically mentions that virtualization can be used in a CHDE. (For a more extensive discussion on this, see the SANS whitepaper on changes in the PCI-DSS 2.0) This document goes one step further and gives merchants, service providers as well as QSAs guidance on how the SSC sees the risks associated with virtualization and cloud.
As I'm fond of saying, Information Security lives where analogies break down - and that is nowhere more true today than in virtualization. This document illustrates that by identifying many of the hidden risks present in virtualization. Most people have a working understanding of virtualization as virtual hardware, analogous to physical hardware. This analogy is excellent for using the technology in the way it was intended. But the security model then breaks down near the edges of the analogy. The document is full of real-world examples where hidden risks lurk - and it even made me aware of some I hadn't thought of before. And this is precisely why the guidance says up front that "an architectural-level understanding of virtualization technologies is required to assess technical controls in virtualized environments" (my emphasis).
All in all, this is an excellent document which will be a great benefit to merchants, service providers and QSAs. It provides good general guidance, clearly states that there is no one-size-fits-all solution to compliance in a virtualized environment, and provides recommendations for organizations moving forward. In addition to the general guidance, an appendix is provided that gives detailed guidance on what virtualization considerations match which parts of the DSS. For those waiting on clear guidance from the Council, your wait is over. Go forth and comply.