Since the PCI Security Standards Council released its PCI virtualization guidance almost a year ago, organizations and PCI assessors still face challenges when it comes to PCI compliance in virtualized and cloud environments.
The PCI virtualization guidance was an “enabler,” said Eric Chiu, president and co-founder of Mountain View, Calif.-based HyTrust, a supplier of policy management and access control products for virtual infrastructure. Beforehand, organizations weren’t sure if they could pass a PCI audit if they ran cardholder data in a virtualized environment,” he said: “Up to that time, it was really up to your auditor, your QSA, and depending on how comfortable they were with virtualization.”
Still, the guidance “hasn’t clarified it to the point where people can read a document and know what to do,” said Davi Ottenheimer, president of San Francisco-based security consultancy Flying Penguin and a PCI Qualified Security Assessor (QSA) for K3DES LLC.
The PCI virtualization guidance, released last June, outlined the complexities in securing cardholder data in virtualized environments. It’s based on four principals: PCI DSS requirements apply to virtualization technologies that are used for cardholder data; virtualization technology introduces new risks; virtual systems vary greatly and their characteristics and interaction with cardholder data must be thoroughly documented; and there is no one-size-fits-all solution to configure them for PCI compliance.
With the guidance, the PCI SSC showed it has some skin in the game, Ottenheimer said. “It showed they’re willing to open the discussion for how virtualization can be secured… Now it’s up to the QSAs and the vendors – it’s our job to help people use it in a secure fashion.”
Overall, that’s still the challenge, he added. “It comes down to management decisions and people and business process. The technology is there now. We can make a highly secure, compliant environment with the hypervisor, but can we get a business to adopt it in its most secure fashion within their business processes? That’s the meat of the issue.”
PCI virtualization compliance mistakes
Chui said his company began to see a flurry of PCI compliance activity starting in the first quarter of this year. As of Jan. 1, all PCI assessments must be under version 2.0 of the standard. HyTrust has been working with organizations that need to prepare for the updated standard or need to remediate deficiencies from failed audits. In three cases of failed audits the company was called into, auditors found deficiencies in virtualized environments that were hosting cardholder data, Chiu said.
One mistake he’s seen companies make is treating the virtual environment the same as the physical environment, Chiu said. A virtual environment is much more dynamic and uncontrolled access can have more widespread consequences, he said. “Someone can do a lot more harm because everything is converged on that one platform.”
Another mistake some companies make is assuming they’re PCI compliant because their cloud service provider is, said John Clark, security consultant and QSA at Kansas City, Mo.-based security services firm FishNet Security. “At the end of the day, it’s the merchant or customers of the cloud service provider” that’s responsible for PCI compliance, he said. “You can’t push that burden onto a service provider.”
It’s difficult for a cloud provider to say it has a PCI compliant service, said Eric Fisher, security consultant and QSA at FishNet Security. “Ultimately, you’re only offering a component of the overall compliance effort that a client needs to maintain. Anyone who signs up for a service and thinks they can be instantly PCI compliant is mistaken.”
Organizations using a cloud provider need to have a clear understanding and contractual agreement on what requirements the service provider is responsible for and which ones are theirs, Fisher said. “Otherwise things will start to slip,” Clark said.
Best practices for PCI virtualization compliance
The PCI virtualization guidance provided enough clarification that multi-tenancy is no longer an issue; less clear is how different levels of security can be on shared hardware, Ottenheimer said.
Using a bare-metal hypervisor -- which runs directly on the hardware -- when hosting different levels of security in your virtual machines can mitigate that concern, he said. Organizations should also follow hardening guidelines provided by VMware.
“And if you respond quickly to any vulnerabilities in the wild, then you’re definitely not worse off than if you were in a physical environment,” Ottenheimer said. “You might be better off because the virtual environment has more awareness of a machine state. Even when powered off, you can still inspect for compliance, which you can’t do in the physical world.”
He’s working with other QSAs to make recommendations to the PCI SSC that he expects will eventually become compliance requirements. Meanwhile, the PCI SSC this year formed a Special Interest Group (SIG) focused on providing guidance for PCI compliance in cloud environments.
In addition to proper planning up front – including performing due diligence when contracting with a cloud service provider -- companies should implement segmentation by having PCI data in a separate virtual environment, FishNet Security’s Fisher said.
He also refers clients to the guidance released by the Cloud Security Alliance and recommends that companies conduct an assessment of a QSA’s technical abilities before hiring him or her. “The customer has the opportunity to say, ‘This person isn’t the best fit for my organization’,” Fisher said.
HyTrust’s Chiu said virtualization still is a learning process for some QSAs. “These are brand-new technologies, they need to essentially become experts in understanding how they work and how to audit them for security best practices,” he said.
No matter what, though, auditors are going to have different opinions, Ottenheimer said. “We’re all trying to have the best approach given the unique requirements of each customer to run their business while still being compliant,” he said. “There’s no black and white unfortunately.”