The use of virtualization in information technology (IT) has a corroborative impact on infrastructure frameworks, processes and operations. As a result, organizations dealing with cardholder data have been impacted by virtualization. Although virtualization has a definite edge and offers greater return of investment than other technologies, it raises many information security and compliance issues.
The Payment Card Industry Security Standards Council’s (PCI SSC) recently released PCI Data Security Standard (DSS) version 2.0 states that system components also include virtual machines, virtual switches/routers, virtual appliances, virtual applications/desktops, and hypervisors. Therefore, adapting virtualization for the cardholder data environment (CDE) without proper evaluation may lead to unexpected issues.
Cardholder environments that rely on virtualization can be secured using operation and process level improvements. This is achievable by embedding information security during the planning, deployment, and maintenance stages. Here is a PCI DSS compliance checklist to protect the CDE:
PCI DSS compliance checklistfor planning and evaluation
- Risk-based approach should be a part of your PCI DSS compliance checklist in order to decide the scope of virtualization. Identify the servers to be consolidated and take a call as to whether to include critical servers (for example, database servers storing cardholder data).
- Evaluation of server virtualization technologies is the next step in your PCI DSS compliance checklist. Take the call between full, para or operating system (OS) level virtualization. For consolidating critical servers, full virtualization should be preferred over para or OS level virtualization.
- Estimation of vendor specific security features is critical to ensure the desired level of security, including alerts for newly discovered vulnerabilities.
- Support infrastructure requirement and capacity planning is critical to achieve or maintain PCI DSS compliance in virtual environments like audit and logging.
- Evaluation of business continuity planning/disaster recovery planning and high availability plan is the next critical PCI DSS compliance checklist item. This should be achieved with respect to attacks involving sniffing, capturing and/or modifying virtual machine (VM) traffic during migration.
- Draft or modify policies and procedures as per virtualization and PCI DSS compliance requirements. For instance, develop a mandatory security hardening document for the hypervisor.
PCI DSS compliance checklistfor secure deployment
- Isolate critical servers containing cardholder data from the rest of guest OS. It’s critical to ensure that only one primary function is implemented per virtual system component.
- The PCI DSS compliance checklist should include appropriate network segmentation to ensure that all inbound and outbound traffic to the CDE hosted on virtual server(s) are restricted by the firewall.
- Secure configuration. Harden the guest OS as well as underlying hypervisor as per PCI DSS compliance requirements—remove or disable all unnecessary services.
- Access control comes next on your PCI DSS compliance checklist. All access should be provided based on least privilege. This includes communication between hypervisor and the guest OS (hosting critical server) as well as between the guest OS (hosting critical server) and other guest OS. For access control, the hypervisor’s access feature can be integrated using Active Directory technologies.
- The deployed antivirus should also provide protection from malware (such as Blue Pill/SubVirt or Vitriol) that target the hypervisor or virtualization layer.
- File integrity monitoring or other such solutions should be deployed to get alerts in case of changes to hypervisor configuration/new VM deployment.
- Deploy a VM-centric intrusion detection system/intrusion prevention system.
- Management console and management server protection is the last item of this part of your PCI DSS compliance checklist.
PCI DSS compliance checklist for maintain and monitor
- Changes in the virtual environment are extremely dynamic. Therefore, a proper change management process is critical to test and approve all changes, including those pertaining to the virtual system.
- The latest patches provided by your virtualization technology vendor should be deployed within a month (or as per your risk-based approach). Newly discovered vulnerabilities related to the hypervisor and virtualization should be signalled via alerts.
- A vital component of the PCI DSS compliance checklist at this stage includes undertaking audits and log reviews.
- Risk assessment should be conducted considering all threats related to virtualization technologies.
- Review of file integrity monitoring (FIM) alerts to ensure that there are no rogue virtual machines.
- Training and awareness sessions should include information security guidelines specific to virtualization.
- Incident management plan should include incidents related to virtualization technologies.
To sum up, all aspects of virtualization need to be duly considered prior to deployment. Also, the PCI DSS compliance checklist should be referred to at every phase to protect CDE in a virtual environment.
About the author: Swati Sharma is an associate consultant at SISA Information Security (CISSP & MS (Information Security) and can be reached at firstname.lastname@example.org. The views expressed are personal. Virtualization and PCI DSS was one of the topics discussed in the PCI DSS Implementation Workshop (http://www.sisa.co.in/Upload/Excerpts_PCI_DSS_Chennai_Feb2011.pdf) conducted by SISA in Chennai on February 24 & 25, 2011.