Virtualization, Cloud Computing and the PCI DSS
How do virtualization and cloud usage affect compliance with PCI? QSAs Ben Rothke and David Mundhenk provide practical advice.
By Ben Rothke and David Mundhenk
February 24, 2010
Two of the hottest IT technologies in 2010 are virtualization and cloud computing. Both are heavily evangelized in the industry as the "wave of the future" and the "next big thing." This is primarily due to perceived promises of reductions in hardware, software licensing and maintenance costs. To a large extent, all of these claims have merit. But the overarching issue is that it is easy to get caught up in the hype of these new technologies, while being oblivious to the myriad operational and security challenges in making them work.
Just how hot is cloud computing? 2010 had barely started when HP and Microsoft announced a $250 million partnership to develop integrated data center products that HP will offer as the HP Private Cloud.
Other major cloud news includes none other than Microsoft, which announced the addition of an OS versioning feature to its recently released Windows Azure platform-as-a-service offering. This was needed because Azure users complained about how patches and upgrades unexpectedly affected the operating systems running under Azure.
Historically, many organizations have gotten caught up in the excitement and associated hype of the latest technologies due to the fascination with all things "new and improved." In doing so, they can easily lose sight of the risk implications of quickly and indiscriminately embracing new technologies without first performing the requisite due diligence exercises, including, at the least, a formal risk assessment.
The concept of virtualized computing is deep-rooted in the halcyon days of mainframe computing. Mainframes were then, and still are, expensive to install and maintain. An enterprise fortunate enough to afford mainframes in the past also had to ensure the logical separation of the computing system resources and data assets of the various, and sometimes competing, business customers paying hefty sums to use them.
Out of this was born the concept of the logical partition, or LPAR, which was conceived and secured to provide a dedicated virtual environment from which those customers could address various critical business computing requirements. An LPAR was simply an early abstraction, similar to what we know today as, for example, Citrix OS virtualization. The LPAR is but a subset of a mainframe's hardware resources, virtualized as a separate computer. In effect, a physical machine can be partitioned into multiple LPARs, each housing a separate operating system.
The overall objective of this virtualization is to protect data and technology assets from unauthorized access and exposure, as well as other possible risk factors. Then, as is the case now, those who install, support and maintain such systems needed to ensure that sufficient security controls exist to properly protect critical information assets.
Server virtualization technology is here to stay, and as Gartner Group predicts, by 2012 more than 85% of enterprises will be using server virtualization extensively in production environments. But even though virtualization offers faster server provisioning, better hardware utilization and lower costs for disaster recovery, there is a downside of which many organizations are unaware. Because virtualized environments are more complex to secure than their physical counterparts, regulatory compliance can become significantly more difficult to achieve in virtual environments if that added complexity is not dealt with accordingly.
And today's intensive IT environments are straining under many burdens, not the least of which is to properly address regulatory and industry compliance requirements for critical data asset protection. The overall objective of most regulatory requirements is to reduce the possible risk to computing resources and assets to an acceptable level, or even minimally optimized levels.