Virtualization, Cloud Computing and the PCI DSS

How do virtualization and cloud usage affect compliance with PCI? QSAs Ben Rothke and David Mundhenk provide practical advice.

Page 2 of 3
  • A firewall is required at each Internet connection and between any DMZ and the internal network. Today's virtualized firewalls can be highly distributed, deployed either as standalone virtual appliances or as host-based controls; either way, each boundary of the cardholder data environment still needs one.
  • Always change vendor-supplied defaults before installing a system on the network. This includes the hypervisor and its management interfaces, not just the guest operating systems.
  • Develop configuration standards for all system components, including the baseline virtual machine images from which guests are cloned.
  • PCI requirement 2.2.1 requires that an organization implement only one primary function per server. In a virtualized environment, treat each VM as a server: give each functional VM a single role and ensure it is appropriately isolated, including memory and network resources.
  • Protect cryptographic keys used for encryption of cardholder data against both disclosure and misuse; keys stored across VMs (including copies inside snapshots and templates) must be protected in accordance with PCI DSS 3.6.x.
  • Deploy anti-virus software on all systems commonly affected by malicious software, including every VM running such a system.
  • Ensure that all system components and software have the latest vendor-supplied security patches installed; the hypervisor and management tools are components too.
  • Install critical security patches within one month of release, including the VM operating systems and any dormant or template images that will later be powered on.
  • Implement automated audit trails for all system components, including each individual VM and the hypervisor.
  • Synchronize all system clocks; ensure that NTP is properly distributed so that guests do not drift from the host or from each other.
  • Secure audit trails from individual hosts so they cannot be altered; ship them promptly to a central log store outside the VM.
  • Ensure segregation of data; review all controls supporting data segregation.
  • Ensure segregation of applications; web-application server software should not co-exist on the same VM as database applications that store critical data.
  • Ensure effective security controls; regularly test your controls for effectiveness via vulnerability assessment and penetration testing.
  • Validate that logging, monitoring, auditing and alerting functionality is actually enabled and working, rather than assuming it carried over from the template.
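The items above read as an assessor's checklist, and several of them can be checked mechanically against a VM inventory. The following Python script is an added example, not a tool from the authors or from the PCI SSC: it lints a constructed inventory against the checklist items that map to concrete PCI DSS (v1.2) requirements cited in this article, namely 2.1 (vendor defaults), 2.2.1 (one primary function per server), 6.1 (critical patches within one month), 10.4 (clock synchronization) and 10.5 (audit trails that cannot be altered on the host). The data model, the vendor-default credential list, the one-second clock-skew threshold and the sample inventory are all assumptions made for illustration.

```python
"""Lint a VM inventory against the PCI DSS virtualization checklist.

Added example. The VM data model, the VENDOR_DEFAULTS list, the clock-skew
threshold and SAMPLE_INVENTORY are constructed for illustration; the
requirement numbers follow PCI DSS v1.2 as cited in the article.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Set

PATCH_WINDOW_DAYS = 30          # Req. 6.1: critical patches within one month of release
MAX_CLOCK_SKEW_SECONDS = 1.0    # assumed threshold for "synchronized" (Req. 10.4)

# Constructed list of (username, password) pairs standing in for vendor defaults.
VENDOR_DEFAULTS = {("root", "changeme"), ("admin", "admin"), ("vcadmin", "default")}


@dataclass
class VM:
    name: str
    roles: Set[str]                        # primary functions, e.g. {"web"} or {"db"}
    local_accounts: Dict[str, str]         # username -> password as found in the image
    unpatched_critical_since: Optional[date]  # release date of the oldest missing critical patch
    clock_offset_seconds: float            # measured offset from the reference NTP source
    logs_forwarded: bool                   # audit trail shipped to a central, write-once store


def check_vm(vm: VM, today: date) -> List[str]:
    """Return the checklist findings for one VM (empty list means no findings)."""
    findings = []

    # Req. 2.1: vendor-supplied defaults must be changed before the system goes on the network.
    for user, pw in vm.local_accounts.items():
        if (user, pw) in VENDOR_DEFAULTS:
            findings.append(f"2.1 default credential still present: {user}")

    # Req. 2.2.1: one primary function per VM. Web + DB on one guest is the
    # specific co-location the article calls out, so report it by name.
    if {"web", "db"} <= vm.roles:
        findings.append("2.2.1 web application server co-located with database")
    elif len(vm.roles) > 1:
        findings.append(f"2.2.1 multiple primary functions: {sorted(vm.roles)}")

    # Req. 6.1: critical patches installed within one month of release.
    if vm.unpatched_critical_since is not None:
        age = (today - vm.unpatched_critical_since).days
        if age > PATCH_WINDOW_DAYS:
            findings.append(f"6.1 critical patch missing for {age} days")

    # Req. 10.4: all system clocks synchronized.
    if abs(vm.clock_offset_seconds) > MAX_CLOCK_SKEW_SECONDS:
        findings.append(f"10.4 clock skew {vm.clock_offset_seconds:+.1f}s")

    # Req. 10.5: an audit trail that exists only on the VM can be altered by
    # anyone who owns the VM, so it must be forwarded off-host.
    if not vm.logs_forwarded:
        findings.append("10.5 audit trail kept only on the VM")

    return findings


def check_inventory(vms: List[VM], today: date) -> Dict[str, List[str]]:
    """Return {vm_name: findings} for every VM with at least one finding."""
    report = {}
    for vm in vms:
        findings = check_vm(vm, today)
        if findings:
            report[vm.name] = findings
    return report


# Constructed sample inventory (not real systems) and an assumed assessment date.
SAMPLE_INVENTORY = [
    VM("web01", {"web"}, {"root": "S3cure!pw"}, None, 0.2, True),
    VM("app-db01", {"web", "db"}, {"admin": "admin"}, date(2009, 9, 1), 0.1, True),
    VM("log01", {"logging"}, {"root": "Xq9!long"}, None, 4.5, False),
]
ASSESSMENT_DATE = date(2009, 10, 15)


def sample_report() -> Dict[str, List[str]]:
    """Run the lint over the constructed inventory."""
    return check_inventory(SAMPLE_INVENTORY, ASSESSMENT_DATE)


if __name__ == "__main__":
    for name, findings in sample_report().items():
        print(name)
        for finding in findings:
            print("  -", finding)
```

The point of the script is the shape of the evidence, not the thresholds: an assessor wants a per-VM record showing which requirement each finding maps to, and a clean VM (web01 above) should produce no entry at all. In a real assessment the inventory would come from the hypervisor management API and the patch and clock data from the guests, which is exactly the documentation the article says many organizations have not yet produced.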

Virtualization security is essential. Gartner predicted that through 2009, 60% of virtual servers would be less secure than their physical counterparts and that 30% of virtualized servers would be associated with a security incident. Gartner also noted that, as with physical servers, most security vulnerabilities will be introduced through misconfiguration and mismanagement. Vulnerability and configuration management get harder, not easier, when virtualized: images are cloned, snapshots are restored and dormant guests are powered on, each carrying whatever configuration and patch level it had when it was last touched.

At the end-user level, most users will access PCI data via their desktop. Each of these desktops has an operating system that needs to be managed and patched. These operating systems also require applications and office productivity software. Finally, the localized environment may also be used to store data.

With desktop virtualization, the operating system and applications reside on a server, most often in a data center. Users connect to these desktop environments (virtual desktops) via a network-based thin client. Perhaps one of the greatest privacy benefits of desktop virtualization is that sensitive cardholder data is far less likely to be stored on the desktop. The endpoint still renders that data on screen, however, so controls over screen capture, clipboard, printing and local drive mapping in the remote-display protocol remain relevant.

Virtualization security, like cloud computing security, is a dynamic area. An excellent reference to start with is a SANS whitepaper, Top Virtualization Security Mistakes (and How to Avoid Them) [PDF link].

Desktop virtualization supports PCI by moving data off the desktop. This specifically makes compliance with PCI DSS requirements 3 (Protect stored cardholder data) and 9 (Restrict physical access to cardholder data) much easier.

DSS requirement 3.1 requires that entities keep cardholder data storage to a minimum. Desktop virtualization makes this easier, since data stays on the server or a secured SAN rather than on the endpoint, which shrinks the number of systems on which stored cardholder data has to be found, protected and purged.

While PCI DSS lacks specifics around virtualization, a virtualized environment can be assessed like any other environment. The key is to ask a lot of detailed questions during the PCI assessment. Some of the issues, each of which must be verified against documentation and observed processes rather than taken on the vendor's word, include:

  • Proof that the environments and data are properly segregated (perform robust data center physical and logical security assessments)
  • Access restricted to authorized persons only
  • Separation of duties
  • Configuration management standards
  • Logging / auditing
  • Patching / vulnerability management

Virtualization and the hypervisor

In a virtualized environment, a hypervisor, also known as a virtual machine monitor (VMM), is a piece of platform-virtualization software that allows multiple operating systems to run concurrently on a host computer. While each operating system instance appears to have the host's processor, memory and other resources to itself, it is the hypervisor that truly controls the host processor and resources. The job of the hypervisor is to allocate to each operating system the resources it needs and to ensure that the virtual machines do not interfere with one another.

The hypervisor is a powerful tool of abstraction, and that is exactly why malicious software and rootkits attempt to install themselves as a hypervisor beneath the operating system. From that position they can intercept the operating system's operations without anti-virus software running inside that operating system necessarily detecting them.

The security provided by hypervisors rests on their ability to isolate virtual machines from one another. On the Intel architecture, once a malicious party has code running at ring 0, the most privileged mode of operation within an operating system, there is no limit to what it can do inside that system, including reading, writing and modifying any data. With hardware-assisted virtualization the hypervisor itself runs beneath the guest's ring 0 (VMX root mode on Intel), so compromising the hypervisor is worse still: it exposes every guest on the host. For a comprehensive look at hypervisor security, the paper Security Consideration for Virtualization [PDF link] provides a highly technical overview of the topic.

Security issues around hypervisors are not new. The challenge of securing a hypervisor is complex and not for the fainthearted. Anyone using virtualization should realize that the hypervisor is the target of choice for an attacker, because a single compromise there yields every guest it hosts.

There is an expanding set of hypervisor security software coming on the market. Those looking to get their feet wet may want to try AppGate Free Edition from AppGate Network Security. The free edition is a fully functional version of the AppGate Security Server, delivered as a virtual appliance that can be run on almost any computer hardware.

Cloud Computing and PCI

When it comes to cloud computing, organizations need to take a broad view of its use from a security perspective. Because cloud computing changes the risk landscape for organizations, particular consideration needs to be addressed regarding confidentiality, integrity, availability, privacy, regulatory and legal (e-discovery and more) areas.

While cloud computing simplifies many IT administrative tasks, enterprises are to a degree placing all of their data eggs in one large basket. When a huge amount of valuable data is stored in a single location, that location becomes a far more attractive target. Therefore, it is imperative that both standard security controls and PCI DSS compliance be put into place.

Also see Clearing the Cloud 3: Some Security What-Ifs

As we've noted, cloud computing is another technology that is ahead of many standards, including PCI DSS. As a start, two excellent resources for cloud computing security are the Security Guidance for Critical Areas of Focus in Cloud Computing [PDF link] from the Cloud Security Alliance and the Cloud Computing Information Assurance Framework from the European Network and Information Security Agency (ENISA). One of the most important recommendations ENISA makes is the information assurance framework, which is a set of assurance criteria designed to assess the risk of adopting cloud services. They also strongly recommend that enterprises compare different cloud provider offers, obtain assurance from the selected cloud providers and reduce the assurance burden on cloud providers.

For those who are serious about cloud computing and security, the Cloud Security Alliance (CSA) is another excellent resource. CSA was created to promote the use of best practices for providing security assurance within cloud computing and provide education on the uses of cloud computing to help secure all other forms of computing.

As stated, there is no mention of cloud computing in the PCI DSS. In fact, some, such as security expert Phil Cox, have gone so far as to write that if you store or process cardholder data in a public cloud, it is not currently possible to achieve PCI DSS compliance. While we disagree with Cox's opinion, it should be noted that the DSS essentially treats cloud computing as an instance of a shared hosting environment, per DSS Appendix A: Additional PCI DSS Requirements for Shared Hosting Providers.

The requirements of Appendix A are that all service providers with access to cardholder data (including shared hosting providers) must adhere to the PCI DSS. In addition, Requirement 2.4 states that shared hosting providers must protect each entity's hosted environment and data.

Therefore, shared hosting providers must additionally comply with the requirements in Appendix A. Depending upon the services provided, the major card brands can impose further compliance validation requirements on hosting service providers, including the need to have their own PCI DSS assessment completed by an independent QSA.

Nonetheless, ultimately, the main requirement is that the cloud computing vendor must ensure that a logically segregated cardholder data environment exists and is preserved for each client. In addition, the other PCI core requirements must be met, for example, logging, monitoring, event alerting, access control, testing, auditing, etc.

Show me the PCI data

Part of the process of a PCI assessment is a walk-through of the hosts that handle, process and store the cardholder data. In a locally hosted environment this is easy, since one simply walks to the appropriate racks in the data center. But in a cloud environment, it is conceivable that your data could be in the Denver data center on Tuesday and the Boise data center on Wednesday.

The way to obviate that is in the SLA process: clearly require that all of your data be stored in a location that is static and auditable. If this is not done, your PCI compliance could definitely be in jeopardy.

It is hoped that once more cloud providers see the benefit of PCI compliance, combined with PCI DSS details around cloud computing, that this thorny issue will go away.

Amazon Web Services and PCI

For those who use Amazon Web Services (AWS), stop—you can't be PCI compliant. Amazon has stated that their solution is not PCI compliant, and they explicitly recommend not storing credit card information on their AWS platforms, including Simple Storage Service (S3) and Elastic Compute Cloud (Amazon EC2).

The bottom line is that if you are considering a cloud computing solution that requires PCI compliance, ask the vendor the obvious question up front: are they compliant? If they say no, there is no reason to spend money on a QSA to perform a fruitless endeavor.

Some cloud vendors tout that they are PCI compliant. It is important to correct a common misconception here: even if the cloud provider is PCI compliant, that does not mean that the merchant or entity using its services is automatically PCI compliant. Irrespective of what is outsourced, PCI compliance is always ultimately the responsibility of the entity that owns the cardholder data.

PCI Steps For Cloud Computing

Gartner writes in Assessing the Security Risks of Cloud Computing that organizations need to demand transparency from their cloud providers. They advise not to contract for cloud services with a vendor that refuses to provide detailed information on its security and business continuity management programs. In addition, cloud computing offerings that include verifiable and specific information about security and uptime are easier to assess, which gives them a competitive advantage over those that do not.

Cloud computing requires an entity to be both aggressive and proactive with their vendors. While none of the major cloud providers is necessarily hiding things, it is up to the client to get out in front and understand what the cloud provider's security architecture is. Any enterprise considering cloud services needs to work closely with their cloud vendors and clearly understand what security controls are in place.

While you don't control the cloud, your provider must map your security framework to their cloud architecture. For some entities, this framework may be a hybrid of industry and business security requirements. Ultimately, cloud security is only as good as you define it and make associated demands from your cloud provider.

While the authors believe that many cloud computing environments can be PCI compliant, do not think that it will be an easy endeavor. In fact, be ready to be frustrated, flabbergasted and more. Many cloud providers barely understand the concept of "governance" and are not experts in PCI, and many QSAs may not have expertise in cloud computing. Also, since many companies have not adequately documented and diagrammed their cloud environments, there may be some frustrating moments waiting for the appropriate documentation.

The following are some of the areas (clearly not a comprehensive listing) that need to be dealt with during a PCI assessment of a cloud computing environment:
