One of the biggest questions on the minds of security folks when they start to add virtual components to their environments is “How do I even know where I stand as it relates to compliance?”. It’s a great question, as cloud and virtualization have, until now, been blissfully ignored by compliance requirements. That changed when PCI-DSS got a refresh back in November of 2010 that includes lots of verbiage around the requirements for securing virtual environments in order to meet the benchmarks of PCI. I want to spend some time this week addressing compliance and how virtualization fits in, primarily as it relates to PCI because of the familiarity with what PCI aims to accomplish, but also some of the tools and resources available. So today I want to highlight the key areas affected by PCI and what exactly is required to start down the road to full compliance.
Let’s start at the beginning with the guidelines themselves. If you haven’t read the new guidelines, here are some of the key bits that show virtualization is now part of the mix.
“If virtualization is implemented, all components within the virtual environment will need to be identified and considered in scope for the review, including the individual virtual hosts or devices, guest machines, applications, management interfaces, central management consoles, hypervisors, etc. All intra-host communications and data flows must be identified and documented, as well as those between the virtual component and other system components.”
This one is big, as it basically says that if it talks to the virtual environment, it’s technically within scope. This means cloud-based data is included as well.
“The implementation of a virtualized environment must meet the intent of all requirements, such that the virtualized systems can effectively be regarded as separate hardware. For example, there must be a clear segmentation of functions and segregation of networks with different security levels; segmentation should prevent the sharing of production and test/development environments; the virtual configuration must be secured such that vulnerabilities in one function cannot impact the security of other functions; and attached devices, such as USB/serial devices, should not be accessible by all virtual instances.”
“Additionally, all virtual management interface protocols should be included in system documentation, and roles and permissions should be defined for managing virtual networks and virtual system components. Virtualization platforms must have the ability to enforce separation of duties and least privilege, to separate virtual network management from virtual server management.”
“Special care is also needed when implementing authentication controls to ensure that users authenticate to the proper virtual system components, and distinguish between the guest VMs (virtual machines) and the hypervisor.”
OK, so what you just read there is probably giving you heart palpitations because you are thinking “How the hell am I going to figure all that out?”. This is the key problem with compliance and virtual environments: virtual environments (including cloud) are treated as low priority as it relates to compliance, so until there is a forced audit to address these concerns, no one is even thinking about all these details. I can’t blame you either, since until now people blissfully virtualized away and figured the auditors don’t even understand virtualization, so there is no need for us to even think about these controls. Cloud is hype, remember? No one hacks virtual environments! Maybe no significant virtual breaches exist yet, but it’s coming, so now is really the perfect time to start planning for these occurrences.
One other key section that stands out from the PCI document is 2.2.1 which basically states:
“Implement only one primary function per server to prevent functions that require different security levels from co-existing on the same server. (For example, web servers, database servers, and DNS should be implemented on separate servers.)”
What they are alluding to here is that if you are using virtualization, implement one primary function per virtual system component. If you have business-critical data on one server, put resources with different access and security levels on another server. It’s not only easier when it comes to assigning user privileges (you can grant access to the entire server, rather than to files here and there), but it reduces the risk of unauthorized access.
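To make the scoping and segmentation clauses quoted above concrete, here is an added example (my own illustration, not from the PCI document or any vendor tool) that walks a constructed inventory of hosts, guests and documented data flows: anything that talks, directly or indirectly, to a cardholder-data component is pulled into scope, and in-scope guests are then checked against 2.2.1 (one primary function), the prod/test segregation clause and the shared-device clause. All host names, VM names and flows are hypothetical sample data.

```python
"""Scope and segmentation checks for a virtual environment, based on the
PCI-DSS v2.0 virtualization text quoted in the post. All names, hosts and
flows are CONSTRUCTED sample data, not a real environment."""
from collections import deque

# Constructed hosts: devices listed here are reachable by every guest on the host.
HOSTS = {"esx-a": {"shared_devices": ["usb0"]}, "esx-b": {"shared_devices": []}}

# Constructed guests: primary functions, host placement and prod/test role.
VMS = {
    "web01":  {"host": "esx-a", "functions": ["web"],        "env": "prod"},
    "db01":   {"host": "esx-a", "functions": ["database"],   "env": "prod"},
    "mixed1": {"host": "esx-b", "functions": ["web", "dns"], "env": "prod"},
    "dev01":  {"host": "esx-a", "functions": ["web"],        "env": "test"},
    "mon01":  {"host": "esx-b", "functions": ["monitoring"], "env": "prod"},
    "kiosk1": {"host": "esx-b", "functions": ["kiosk"],      "env": "prod"},
}
# Constructed, documented data flows (source, destination).
FLOWS = [("web01", "db01"), ("mon01", "web01"), ("mon01", "db01"),
         ("mon01", "mixed1"), ("dev01", "mixed1")]
# Guests known to store, process or transmit cardholder data.
CDE_SEEDS = {"db01"}

def in_scope(flows, seeds):
    """Everything that talks, directly or indirectly, to a CDE component is
    treated as in scope: transitive closure over the flow graph, ignoring
    direction because either side of a flow can be affected."""
    adj = {}
    for a, b in flows:
        adj.setdefault(a, set()).add(b)
        adj.setdefault(b, set()).add(a)
    seen, todo = set(seeds), deque(seeds)
    while todo:
        for n in adj.get(todo.popleft(), ()):
            if n not in seen:
                seen.add(n)
                todo.append(n)
    return seen

def findings(vms, hosts, flows, seeds):
    """Return sorted (component, issue) pairs for the quoted requirements."""
    scope = in_scope(flows, seeds)
    out, envs_per_host = [], {}
    for name, vm in vms.items():
        envs_per_host.setdefault(vm["host"], set()).add(vm["env"])
        if name in scope and len(vm["functions"]) > 1:  # Req. 2.2.1
            out.append((name, "multiple primary functions: " + ",".join(vm["functions"])))
    for host, cfg in hosts.items():
        if envs_per_host.get(host, set()) >= {"prod", "test"}:
            out.append((host, "production and test/dev guests share a host"))
        if cfg["shared_devices"]:
            out.append((host, "devices reachable by all guests: " + ",".join(cfg["shared_devices"])))
    return sorted(out)
```

Note that the monitoring server alone drags the otherwise unrelated `mixed1` and `dev01` into scope, which is exactly the “if it talks to it, it’s in scope” point made above.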
So as you can see, there is a HUGE laundry list of items that PCI wants us to start to think of and lock down in our virtual environments. So this week I am going to give you a bit of a cheat sheet to get you started, starting tomorrow with a great tool to give you the first round of visibility and tell you where you need to start.