After very careful consideration, sir, I’ve come to the conclusion that your new defense system sucks.

With Friday upon us, it’s the last part of virtualization and PCI. So, as promised, I am going to dedicate this last post to a final round-up of the key things you should start doing (or at least discussing internally) if you plan on moving down the path to compliance. I can’t promise it won’t be painful, but if you keep these things in mind from the beginning, it will be slightly less intrusive than it could be.

Oooh, ahhh, that’s how it always starts. Then later there’s running and screaming.

Today I want to get back to the matter at hand: how to deal with PCI if you have a virtual environment. Because PCI DSS is one of the first glimpses Canadian organizations get into the need to secure their virtual environments, the learning curve for both auditors and IT teams is staggering. There is a lot of grey space at the moment where interpretation of the requirements can have a significant impact on the end result, often because auditors walk into mixed environments where virtual and physical resources co-exist and realize they are in over their heads. In fact, something that seems simple at first, such as the separation of trust zones, can be quite complex not only to understand but to figure out how to comply with. But where to start?

Oooh right, it’s actually quite a funny story once you get past all the tragic elements and the over-riding sense of doom.

One of the biggest questions on the minds of security folks when they start to add virtual components to their environments is “How do I even know where I stand as it relates to compliance?” It’s a great question, as cloud and virtualization have, until now, been blissfully ignored by compliance requirements. That changed when PCI DSS got a refresh back in November of 2010 that includes plenty of language on the requirements for securing virtual environments in order to meet the benchmarks of PCI. I want to spend some time this week addressing compliance and how virtualization fits in, primarily as it relates to PCI because of the familiarity with what PCI aims to accomplish, but also covering some of the tools and resources available. So today I want to highlight the key areas affected by PCI and what exactly is required to start down the road to full compliance.