Virtualization, Cloud Computing and the PCI DSS

How do virtualization and cloud usage affect compliance with PCI? QSAs Ben Rothke and David Mundhenk provide practical advice.

1 2 Page 3

Virtualization and the hypervisor

In a virtualized environment, a hypervisor, also known as a virtual machine monitor (VMM), is a piece of platform-virtualization software that allows multiple operating systems to run concurrently on a host computer. While each operating system instance appears to have the host's processor, memory and other resources to itself, it is the hypervisor that is truly controlling the host processor and resources. The job of the hypervisor is to allocate the resources that are needed to each operating system and to ensure that each virtual machine doesn't conflict.

The hypervisor is a powerful tool of abstraction, and it's the reason that malicious software and rootkits attempt to install as hypervisor in virtualized environments. They do this to intercept operations of the operating system without the antivirus software necessarily detecting it.

Security provided by hypervisors is based on their ability to isolate processes from each other. On the Intel architecture, once a malicious party has access to ring 0, which is the most privileged mode of operation, there is no limit to what it can do. This includes any read, write and modification of all data. For a comprehensive look at hypervisor security, the paper, Security Consideration for Virtualization [PDF link], provides a highly technical overview of the topic.

Security issues around hypervisors are not new. The challenge in securing hypervisors are somewhat complex and not for the fainthearted. Anyone using virtualization should realize that the hypervisor is the target of choice for any attacker.

There is an expanding set of hypervisor security software coming on the market. Those looking to get their feet wet may want to try Appgate Free Edition from AppGate Network Security. The free edition is a fully functional version of the AppGate Security server. It is delivered as a virtualized version and can be run on almost any computer hardware.

Cloud Computing and PCI

When it comes to cloud computing, organizations need to take a broad view of its use from a security perspective. Because cloud computing changes the risk landscape for organizations, particular consideration needs to be addressed regarding confidentiality, integrity, availability, privacy, regulatory and legal (e-discovery and more) areas.

While cloud computing simplifies many IT administrative tasks, enterprises are to a degree placing all of their data eggs in one large basket. When a huge amount of valuable data is stored in a single location; it becomes much more vulnerable to attacks. Therefore, it is imperative that both standard security and PCI DSS compliance be put into place.

Also see Clearing the Cloud 3: Some Security What-Ifs

As we've noted, cloud computing is another technology that is ahead of many standards, including PCI DSS. As a start, two excellent resources for cloud computing security are the Security Guidance for Critical Areas of Focus in Cloud Computing [PDF link] from the Cloud Security Alliance and the Cloud Computing Information Assurance Framework from the European Network and Information Security Agency (ENISA). One of the most important recommendations ENISA makes is the information assurance framework, which is a set of assurance criteria designed to assess the risk of adopting cloud services. They also strongly recommend that enterprises compare different cloud provider offers, obtain assurance from the selected cloud providers and reduce the assurance burden on cloud providers.

For those who are serious about cloud computing and security, the Cloud Security Alliance (CSA) is another excellent resource. CSA was created to promote the use of best practices for providing security assurance within cloud computing and provide education on the uses of cloud computing to help secure all other forms of computing.

As stated, there is no mention of cloud computing in the PCI DSS. In fact, some, such as security expert Phil Cox, have gone so far as to write that if you do store or process cardholder data in a public cloud, it would not be possible to currently achieve PCI-DSS compliance. While we disagree with Cox's opinion, it should be noted that the DSS essentially addresses cloud computing as an instance of a shared hosting environment as per DSS Appendix A: Additional PCI DSS Requirements for Shared Hosting Providers.

The requirements of Appendix A are that all service providers with access to cardholder data (including shared hosting providers) must adhere to the PCI DSS. In addition, Requirement 2.4 states that shared hosting providers must protect each entity's hosted environment and data.

Therefore, shared hosting providers must additionally comply with the requirements in Appendix A. In addition, and depending upon the services provided, the major card brands can impose additional compliance validation requirements for hosting service providers, including the need to have their own PCI DSS assessment completed by a qualified 3rd party QSA.

Nonetheless, ultimately, the main requirement is that the cloud computing vendor must ensure that a logically segregated cardholder data environment exists and is preserved for each client. In addition, the other PCI core requirements must be met, for example, logging, monitoring, event alerting, access control, testing, auditing, etc.

Show me the PCI data

Part of the process of a PCI assessment is a walk-through of the hosts that handle process and store the cardholder data. In a locally stored environment, this is an easy thing to do, since one simply has to walk to the appropriate racks in the data center. But in a cloud environment, it is conceivable that your data could be in the Denver data center on Tuesday and the Boise data center on Wednesday.

The way to obviate that is in the SLA process—to clearly require that all of your data be stored in a location that is static and auditable. If this tactic is not done, then your PCI compliance could definitely be in jeopardy.

It is hoped that once more cloud providers see the benefit of PCI compliance, combined with PCI DSS details around cloud computing, that this thorny issue will go away.

Amazon Web Services and PCI

For those who use Amazon Web Services (AWS), stop—you can't be PCI compliant. Amazon has stated that their solution is not PCI compliant, and they explicitly recommend not storing credit card information on their AWS platforms, including Simple Storage Service (S3) and Elastic Compute Cloud (Amazon EC2).

The bottom line is that if you are considering a cloud computing solution that requires PCI compliance; ask the vendor the obvious question upfront—if they are complaint. If they say no, there is no reason to spend money on a QSA to perform a fruitless endeavor.

Some cloud vendors tout that they are PCI compliant. It is important to note a common misconception that even if the cloud provider is PCI compliant, which does not necessarily mean that the merchant/entity using their services will automatically, is PCI compliant. Irrespective what is outsourced, PCI compliance is always ultimately the responsibility of the entity that owns the cardholder data.

PCI Steps For Cloud Computing

Garter writes in Assessing the Security Risks of Cloud Computing that organizations need to demand transparency from their cloud providers. They advise not to contract for cloud services with a vendor that refuses to provide detailed information on its security and business continuity management programs. In addition, cloud computing offerings that include verifiable and specific information about security and uptime are easier to assess, providing a competitive advantage over those that do not.

Cloud computing requires an entity to be both aggressive and proactive with their vendors. While none of the major cloud providers is necessarily hiding things, it is up to the client to get out in front and understand what the cloud provider's security architecture is. Any enterprise considering cloud services needs to work closely with their cloud vendors and clearly understand what security controls are in place.

While you don't control the cloud, your provider must map your security framework to their cloud architecture. For some entities, this framework may be a hybrid of industry and business security requirements. Ultimately, cloud security is only as good as you define it and make associated demands from your cloud provider.

While the authors believe that many cloud computing environments can be PCI complaint, do not think that it will be an easy endeavor. In fact, be ready to be frustrated, flabbergasted and more. Many of the cloud providers barely understand the concept of "governance," are not experts in PCI and many QSAs may not have the expertise in cloud computing. Also, since many companies have not adequately documented and diagramed their cloud environments, there may be some frustrating moments waiting for the appropriate documentation.

The following areas are some of the areas (but clearly not a comprehensive listing) of items that need to be dealt with during a PCI assessment of a cloud computing environment:

  1. Entities that are required to be PCI compliant for the most part understand the benefits of cloud computing, but often don't consider the risks of cloud-based services. Therefore, step one is to perform a risk assessment. As per PCI, this is required—PCI requirement 12.1.2.
  2. As part of the cloud risk assessment, define acceptable use cases.
  3. Take a look at the entire cloud architecture and ensure that the design has adequate security built-in. There are many things to analyze, including the nature of the architecture in addition to trust boundaries, administrative controls and more.
  4. Cloud provider policy and procedures review—the cloud provider should be willing to share with you the policies and procedures they follow to secure your data. Make sure those policies and procedures align with your requirements.
  5. Detail any compensating controls before allowing PCI data to be shared.
  6. Establish a qualitative professional relationship with your cloud provider. Many of the larger cloud providers have excellent security resources (both documentation and staff members) available. Make sure you use them to their fullest.
  7. Fully understand how the cloud provider will secure your critical data and see their architecture for how they will execute on that.
  8. Ensure that the cloud provider has effective administrative access controls and a formalized set of detailed and comprehensive processes.
  9. Since administrative access is out of your control, you need strong contract language including SLAs and validation that the vendor is capable of applying all appropriate PCI controls.
  10. Negotiate the ability to have read-only access to system monitoring. While this is rarely done, it can make all the difference in cooperative ownership of security and uptime monitoring.
  11. Fully detail compliance status reporting provisions.
  12. Ensure that the cloud security provider is compliant with PCI requirement 9—Restrict physical access to cardholder data. The cloud provider should have undergone a physical security site review. They should share the report with you and should also agree to a physical security inspection of their data center. In the event they refuse to, look for another cloud provider. The bottom line is that at the heart of any cloud is a well secured and managed data center.
  13. Patch management—PCI requirement 6.1 requires that all system components and software have the latest vendor-supplied security patches installed. Your cloud provider should be more than happy to provide you with their processes around patch management. In the event they refuse to, look for another cloud provider.

Finally, if your cloud provider is outside of the United States or is U.S.-based but they "off-shores" their resources, you certainly want to make sure they understand what their obligations are regarding requirements in the U.S. In some countries, (e.g., China), data protection laws can be sparse and offer you little legal protection.

While the use of cloud computing may appear to ease economic and regulatory burden, it is imperative that organizations understand that storing data in the cloud does not in any way relieve them of their legal and regulatory obligations. The bottom line is that nearly everything can be outsourced, but an enterprise can never outsource liability.

Conclusions

As hot as cloud security and virtualization are, so are the challenges for making them PCI complaint. Nonetheless, cloud security and virtualization PCI DSS compliance is possible. But like every other aspect of information security, it requires attention to detail, strong requirements, formal processes and a documented architecture.

For those who follow the directive of this article, it is hoped that their use of cloud security and virtualization is easy, and PCI DSS compliant.

Ben Rothke CISSP, QSA (ben.rothke@bt.com) is a Security Consultant with BT Professional Services and the author of Computer Security: 20 Things Every Employee Should Know (McGraw-Hill Professional Education) and a founding member of the Cloud Security Alliance.

David Mundhenk CISSP, PCI-DSS & PA-DSS QSA, QPASP (stratamund@sbcglobal.net) is a Security Consultant with a major professional services firm.

Copyright © 2010 IDG Communications, Inc.

1 2 Page 3
The 10 most powerful cybersecurity companies