Since the SIG for addressing the impact of virtualization in PCI compliance has yet to be published, there has been a mixed reaction to whether or not virtualization SHOULD be used in the cardholder data environment.
While the PCI DSS is more specific and directive than other compliance frameworks, it does not state that a particular solution is or is not allowed. Therefore, the challenge we, as QSAs face when determining the impact a specific technology has on PCI compliance lies in understanding the intent of the specific requirements.
I’ve been working with a few clients who are in the process of implementing virtualization in their cardholder data environments, and have come up with some general guidance to get them started:
1. The virtualization technology must support a “virtual firewall” to ensure the implementation provides the same level of protection as a physical firewall. In other words, the firewall must control access by IP address and build ACLs to limit access to necessary services and deny all other traffic. Functions a firewall must provide include:
- Examine all network traffic and block transmissions that do not meet the specified security criteria
- Support configuration of a DMZ
- Restrict outbound traffic
- Perform stateful packet inspection
- Perform NAT (IP masquerading)
2. A server should perform a specific function, such as a web server OR a database server but not both, since the services required for a web server would make a database vulnerable to exploits. In a virtual cluster, as long as each guest does not perform more than one fundamental function, and the proper controls are put in place, virtualization does not hinder compliance with requirement 2.2.1.
3. Virtual Machine administrators have more concentrated power in their hands than traditional network and server administrators. Therefore, it is vital to use secure protocols such as SSL/TLS for connectivity to the hosts and virtual management servers. VNC has known exploits and should be disabled. In the best case scenario, management of the virtual machine(s) occurs from one highly secured system hosted on a separate segment. Access is controlled by IP and administrators utilize a VLAN to connect to the virtual machine(s) in the cardholder data environment via secure protocols.
4. Offline templates, images, and snapshots may quickly become out-of-date. Use of the rollback feature could instantly bring the cardholder data environment out of compliance. The use of products that can perform offline patching and antivirus updates is highly recommended. Virtualization vendors will most likely have recommendations specific to their technology regarding offline patching.
5. Usage policies should be extended to describe virtualization issues. Specifically, testing and production templates and virtual machines should not be copied and/or cloned outside of their functional area. Restrict the ability to create copy, delete or move VMs which are a part of the cardholder data environment. Prohibit system administrators from enabling “shared” technologies between guest virtual machines, especially those in the cardholder data environment. Hardening Guidelines should include very specific procedures for building templates, clones and virtual machines.
Obviously this is the tip of a 200 requirement iceburg, but I am confident merchants and service providers can use virtualization in their cardholder data environments and still maintain PCI compliance.
Next week I’ll address specific PCI DSS requirements and how virtualization CAN meet the intent…