What has been the work of the Virtualization Special Interest Group (SIG) thus far?
There are a few different SIGs meeting here. The Virtualization SIG is working to find common ground between the virtualization providers, the banks, some of the merchants as well as the auditors and assessors. The initial goal is to try to find common ground and say this is a reasonable path for deploying virtualization in your environment, such that it can be PCI DSS compliant.
The virtualization SIG has been meeting for a year. Has it been difficult to find common ground?
Typically we have weekly sessions that are open. It has been going on for about a year now. I think it's a credit to the people that are leading the group in that they have been managing those different viewpoints. We can't simply say this works for a level one merchant so that's what we're going to follow. We have to consider how every organization is using virtualization in the environment and how they are dealing with compliance. Everybody from Bob's gas station down the street to an organization the size of any level one merchant you want to name. We have to look at how they're deploying that technology and also talk about what's reasonable from a security perspective.
We've heard that the people who have introduced virtualization into their environments are finding that traditional security technologies that work in a physical environment seem to be working in a virtual environment. If that is the case, what are some of the challenges when it comes to compliance?
As organizations have migrated into the virtual environments and started to adopt them in their production architectures, the security solutions have had a struggle to catch up. The challenge we come into is the fact that there's an increased level of complexity, which from the security perspective is usually a challenge. Anything that is increasing in complexity by definition is easier [for an attacker] to get around and get into. The second challenge is that security is hard and it takes a long time to do things right. When you look at some of those security solutions that have been out there, such as virtualized intrusion detection engines, virtualized compliance management solutions, and even virtualized switching, what we're discovering again is that most of those tools are less than two years old. That has had a significant impact on the overall maturity level of the environment.
For merchants that have already deployed virtualization and have already gone through an assessment, what are some of the compensating controls being used right now?
A lot of the compensating controls being used by people that I've been talking to as SunGard customers have been in the area of some of those technologies I spoke of, but more importantly, it's been focusing on an effective design -- by not mixing zones of trust, for example. They've been able to say that's what we consider to be a compensating control because that's what we feel comfortable with. You may be able to get 40:1 from a virtualization perspective on the same physical platform; however, we don't feel comfortable mixing the Web servers and the database tier on the same hypervisor instance. Those are the decisions that the merchants themselves are making without any guidance necessarily from us. One of the challenges the PCI SIG is addressing is that without any kind of guidance, it's very much like Russian roulette when you're trying to figure out who you want to be your certified quality assessor. Some qualified security assessors have said we can't mix virtualization and PCI compliance. Others don't really have a position on it or haven't really considered that in how they address an assessment. That's why it's so critical that this Virtualization SIG is able to drive a reasonable, common-sense set of standards.
Are QSAs given any training in how to assess a virtualized environment?
At this point in time that's not standard QSA curriculum because there isn't any official guidance on it. One thing that looks to be going on this week is that this is going to be the beginning of it. … There are solutions out there that let you virtualize, and so this is the guidance that you want to take back to the people you work with to help them. It would explain the options. If you go one way it would be more challenging, but you would still be compliant. If you go the other way it's going to be extremely simple for you, but nonetheless there are going to be additional costs in there. You won't be able to realize some of the benefits of virtualization.
Is the SIG looking at tools such as virtual appliances and virtual firewalls as a possible recommendation to be part of the PCI standard?
During the discussions we have, obviously we have to look at the way organizations are deploying the technology today as well as the security solutions that are available to help protect it. I'm not necessarily one to get up and say if it hasn't existed for five years I don't want it in my environment. Today's business environment can't support that. They have to take much greater advantage of the hardware and software savings as well as the consolidation benefits of virtualization. The point is to try and figure out that middle path, or even maybe two or three paths, organizations can go down while still meeting their compliance targets and using virtualization effectively to get a lot of the benefits out of it.