With Friday upon us, it’s the last part of virtualization and PCI. So as promise, I am going to dedicate this last post to giving a final round up on key things that you should hopefully start doing (or at least discussing internally) if you plan on moving down the path to compliance. I can’t promise it won’t be painful, but if you keep these things in mind from the beginning, it will be slightly less intrusive than it could be.
First things first, make sure you know what data you are looking at moving to the cloud. If you plan on moving data that has PCI implications, you’re really just ensuring that your entire cloud environment is going to be in scope of the audit. I’m not saying that you shouldn’t do it, but if you aren’t using a private cloud (that is only your VMs run on a single hypervisor, no one else shares it) it will get pretty ugly pretty fast. Try to simplify it so that all PCI data is in one place and hopefully separated from anything else to prevent scope creep.
Second, separate your systems and network and protect them in this way. Assume that other VMs on the same hardware are a threat and deploy your firewall, IPS/IDS to protect each of your VMs separately, especially in a public environment. This will help ensure that if you ever need to move your data around (even to another cloud provider) you can take the same security controls with you.
Monitoring is the next key thing. Virtual environments are a pain to monitor because it is so dynamic. VMs are created, moved, restarted, shut down, and you need to ensure you have a proper monitoring and logging solution in place. If you outsource your cloud environment, most providers should offer this as a service (if not include it!). In addition, make sure that the audit trails and logging information have tight user access restrictions in place and that they cannot be altered.
Speaking of users, managing users in virtual and cloud environments is critical. It is so easy to overlook entitlements and suddenly any user can access your sensitive data. Server sprawl and public cloud environments just make it worse, so start with a least-privilege approach and then work your way up. Also make sure that if you are using multiple locations that these privileges extend across to other locations.
The last point I am going to touch upon is that if you are planning on outsourcing your PCI data, work with a provider that can offer PCI compliant VM images. If you start with an image that already has the right controls in place, it’s going to be a lot easier than auditing every single image every time you create a new VM.
Hopefully this has helped you out somewhat. I’m not an auditor by any means, but the goal here is to educate you on what kind of things you need to think about if you need to meet PCI requirements. There are tons of specific documents out there and consultants who can provide even more detail on how to meet these requirements, but hopefully this has been a good starting point.