by David Mundhenk

Virtualization, Cloud Computing and the PCI DSS

Feb 24, 2010 | 21 mins
Cloud Computing, Compliance, Network Security

How do virtualization and cloud usage affect compliance with PCI? QSAs Ben Rothke and David Mundhenk provide practical advice.

Two of the hottest IT technologies in 2010 are virtualization and cloud computing. Both are heavily evangelized in the industry as the “wave of the future” and the “next big thing.” This is primarily due to perceived promises of reductions in hardware, software licensing and maintenance costs. To a large extent, all of these claims have merit. But the overarching issue is that it is easy to get caught up in the hype of these new technologies, while being oblivious to the myriad operational and security challenges in making them work.

Just how hot is cloud computing? 2010 had barely started when HP and Microsoft announced a $250 million partnership to develop integrated data center products that HP will offer as the HP Private Cloud.

Other major cloud news includes none other than Microsoft, who announced the addition of the OS versioning feature to its recently released Windows Azure platform as a service offering. This was needed as Azure users complained about how patches and upgrades unexpectedly affected the operating systems running under Azure.

Historically, many organizations get caught up in the excitement and associated hype of the latest technologies due to the fascination with all things “new and improved.” In doing so, they can easily lose sight of the risk implications of quickly and indiscriminately embracing new technologies, without first performing the requisite due diligence exercises, including at the least, a formal risk assessment.

The concept of virtualized computing is deep-rooted in the halcyon days of mainframe computing. Mainframes were then and still are expensive to install and maintain. An enterprise fortunate enough to afford mainframes in the past also had to ensure the logical separation of computing system resources and data assets of the various, and sometimes competing, business customers paying hefty sums to use them.

Out of this was born the concept of a logical partition or LPAR, which was conceived and secured to ensure a dedicated virtual environment from which those customers could address various critical business computing requirements. An LPAR was simply an early abstraction, similar to what we now know today, for example, as Citrix OS virtualization. The LPAR is but a subset of a mainframe’s hardware resources, virtualized as a separate computer. In effect, a physical machine can be partitioned into multiple LPARs, each housing a separate operating system.

The overall objective of this virtualization is to protect data and technology assets from unauthorized access and exposure, as well as other possible risk factors. Then, as is the case now, those who install, support and maintain such systems needed to ensure that sufficient security controls exist to properly protect critical information assets.

Server virtualization technology is here to stay, and as Gartner Group predicts, by 2012, more than 85% of enterprises will be using server virtualization extensively in production environments. But even though virtualization offers faster server provisioning, hardware utilization and lower costs for disaster recovery, there is a downside of which many organizations are unaware. Since virtualized environments are more complex than their physical counterparts to secure, if not dealt with accordingly, it can become significantly more difficult to be in regulatory compliance in virtual environments.

And today’s intensive IT environments are straining under many burdens, not the least of which is to properly address regulatory and industry compliance requirements for critical data asset protection. The overall objective of most regulatory requirements is to reduce the possible risk to computing resources and assets to an acceptable level, or even minimally optimized levels.

Cloud computing and virtualization environments are no different and are often found to be tightly coupled within production environments, frequently used in parallel. As such, it is a simple stretch to consider the concept of cloud computing as virtualization on a grand scale. In fact, cloud computing is, for the most part, a large-scale implementation of virtualization technologies. It is often used by cloud service providers to employ dedicated virtual services and, more importantly, the ability to scale them to meet growing customer needs.

The PCI Data Security Standard (DSS) is one such compliance requirement which is driven by industry factors. When it comes to PCI DSS compliance of virtualized information technologies, many PCI Qualified Security Assessors (QSA) are struggling to properly interpret the implications of the standard. While the PCI DSS is updated to the intensive dynamics of today’s IT environments, in its current version, there are no specific references to virtualization or cloud computing. The objective of this article is to bring some clarity to the matter.

Virtualization definitions

Part of the current challenge for QSAs and others is just getting an agreed upon definition of the specific terms.

Wikipedia defines virtualization in a fairly straight-forward manner as the abstraction of computer resources.

The NIST definition of cloud computing, which is decidedly impartial and a bit more involved, defines cloud computing as a “model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction. This cloud model promotes availability and is composed of five essential characteristics, three service models and four deployment models.”

PCI compliance and virtualization

As of March 2010, version 1.2.1 is the most current revision of the PCI DSS and one will not find in it either of the terms cloud computing or virtualization. Both these areas are being actively addressed by the PCI Security Standards Council via various working groups. While the council released the PCI DSS Wireless Guidelines in July 2009, directives around cloud computing and virtualization are not scheduled for release until 2011.

In fact, in January, PCI Security Standards Council general manager Bob Russo said the next revision of the PCI DSS, due in October 2010, will contain clarifications but no major changes to the standard. Therefore, QSAs will have to wait until 2011 for specific guidance on cloud computing and virtualization. The authors would like to strongly request that rather than wait until 2011, the PCI Council should accelerate the process to document PCI cloud computing and virtualization requirements. The longer there exists the vacuum of PCI compliance ambiguity, the more difficult it becomes to secure such technologies.

The job of a lawyer is to apply the facts to the law. While the current PCI DSS makes no mention of virtualization or cloud computing, it does establish the core concepts of securing cardholder information. With that, there is no reason that the 12 PCI requirements can’t be applied to cloud computing and virtualization. Even in the absence of specific PCI directives, enterprises utilizing virtualization should still be able to provide adequate security. This can be done by ensuring that any virtualization and cloud computing initiatives map to the overall enterprise security framework.

While there is no mention of virtualization, some people, including many QSAs, have misinterpreted this to mean that virtualization is incompatible with PCI DSS compliance. This has led to heated discussions in some organizations on how they can deploy the technology and still be PCI DSS compliant. For example, PCI requirement 2.2.1 states that an entity must implement only one primary function per server.

It is clear what the intent of requirement 2.2.1 is, yet some take the letter-of-the-law approach and misunderstand it to mean that virtualization and PCI are incompatible. This is due to the fact that the hypervisor, the piece of software that allows multiple operating systems to run on the same computer, has multiple virtual machines under its control. Some hold the view that a hypervisor is a direct contradiction to 2.2.1. On the other hand, the authors of this article believe that PCI DSS compliance can be achieved within a virtualized environment.

For a full mapping of the specific PCI requirements against virtualization, check out the McAfee white paper How Virtualization Affects PCI DSS Part 1: Mapping PCI Requirements and Virtualization [PDF link].

Virtualization and PCI

Virtualization is a hot area in the electronic payment space due to its many benefits, some of which are:

  • reliability
  • cost-efficiency
  • manageability
  • scalability

But with those benefits comes complexity as a virtualized environment can present non-trivial risk analysis challenges. The following are a number of the key issues around virtualization to check for when performing a PCI assessment:

  • A firewall is required at each Internet connection and between any DMZ and the internal hosts. Today’s virtualized firewall technologies can be highly distributed as standalone entities or even be host-based.
  • Always change vendor-supplied defaults before installing a system on the network. This includes the hypervisor.
  • Develop configuration standards for all system components, including baseline virtualized images.
  • PCI requirement 2.2.1 requires that an organization implement only one primary function per server. In a virtualized environment, ensure that each functional VM is appropriately isolated, including memory and network resources.
  • Protect cryptographic keys used for encryption of cardholder data against both disclosure and misuse; keys stored across VMs must be protected in accordance with PCI DSS 3.6.x.
  • Deploy anti-virus software on all systems and across all VMs commonly affected by malicious software.
  • Ensure that all system components and software have the latest vendor-supplied security patches installed.
  • Install critical security patches within one month of release, including the VM OS.
  • Implement automated audit trails for all system components, including separate VMs.
  • Synchronize all system clocks; ensure that NTP is properly distributed.
  • Secure audit trails from individual hosts so they cannot be altered.
  • Ensure segregation of data; review all controls supporting data segregation.
  • Ensure segregation of applications; web-application server software should not co-exist on the same VM as database applications that store critical data.
  • Ensure effective security controls; regularly test your controls for effectiveness via vulnerability assessment and penetration testing.
  • Ensure that enabled logging, monitoring, auditing and alerting functionality is validated.
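
Several of the checklist items above can be checked mechanically against a VM inventory. The following is an added example, not part of the original article: the record fields, the function labels, the 31-day reading of "one month" and the use of a shared network segment as the segregation signal are all assumptions of this sketch, and the inventory is constructed.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta

# Assumption of this example: "within one month of release" is read as 31 days.
PATCH_WINDOW = timedelta(days=31)
# Hypothetical labels for a VM's primary function; the checklist itself only
# names web-application and database software.
PRIMARY_FUNCTIONS = {"web", "database", "dns", "mail"}


@dataclass
class VM:
    name: str
    functions: set            # primary functions installed on this VM
    stores_chd: bool          # True if cardholder data is stored here
    network_segment: str      # virtual network / port group the VM is attached to
    defaults_changed: bool    # vendor-supplied defaults changed
    antivirus: bool
    ntp_synced: bool
    remote_audit_log: bool    # audit trail shipped off the VM
    unpatched_critical: list = field(default_factory=list)  # patch release dates


def audit_vm(vm, today):
    """Return (checklist item, detail) findings for a single VM."""
    findings = []
    primary = vm.functions & PRIMARY_FUNCTIONS
    if len(primary) > 1:
        findings.append(("one primary function per server (2.2.1)",
                         "hosts " + ", ".join(sorted(primary))))
    if not vm.defaults_changed:
        findings.append(("vendor-supplied defaults", "defaults still in place"))
    if not vm.antivirus:
        findings.append(("anti-virus", "no anti-virus deployed"))
    if not vm.ntp_synced:
        findings.append(("clock synchronization", "clock not synchronized"))
    if not vm.remote_audit_log:
        findings.append(("secure audit trails", "audit trail can be altered on the VM"))
    overdue = [d for d in vm.unpatched_critical if today - d > PATCH_WINDOW]
    if overdue:
        findings.append(("critical patches within one month",
                         f"{len(overdue)} overdue, oldest released {min(overdue)}"))
    return findings


def audit_segregation(vms):
    """Flag network segments shared by cardholder-data VMs and other VMs."""
    by_segment = {}
    for vm in vms:
        by_segment.setdefault(vm.network_segment, []).append(vm)
    findings = []
    for segment, members in sorted(by_segment.items()):
        chd = sorted(v.name for v in members if v.stores_chd)
        other = sorted(v.name for v in members if not v.stores_chd)
        if chd and other:
            findings.append((segment, chd, other))
    return findings


# Constructed inventory for illustration; none of these systems are real.
TODAY = date(2010, 3, 1)
INVENTORY = [
    VM("pay-web01", {"web"}, False, "dmz", True, True, True, True),
    VM("pay-db01", {"database"}, True, "cde", True, True, True, True,
       [date(2010, 2, 20)]),
    VM("legacy01", {"web", "database"}, True, "cde", False, True, False, False,
       [date(2010, 1, 12), date(2010, 2, 20)]),
    VM("intranet01", {"web"}, False, "cde", True, True, True, True),
]

if __name__ == "__main__":
    for vm in INVENTORY:
        for item, detail in audit_vm(vm, TODAY):
            print(f"{vm.name}: {item}: {detail}")
    for segment, chd, other in audit_segregation(INVENTORY):
        print(f"segment {segment}: cardholder-data VMs {chd} share it with {other}")
```

Findings from a script like this are starting points for the assessor's questions; they do not replace the documentation and process review described in the article.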

Virtualization security is essential. As Gartner noted, through 2009, 60% of virtual servers will be less secure than their physical counterparts and 30% of virtualized servers will be associated with a security incident. Gartner also notes that, as with their physical counterparts, most security vulnerabilities will be introduced through misconfiguration and mismanagement. The security issues related to vulnerability and configuration management get worse, not better, when virtualized.

At the end-user level, most users will access PCI data via their desktop. Each of these desktops has an operating system that needs to be managed and patched. These operating systems also require applications and office productivity software. Finally, the localized environment may also be used to store data.

With desktop virtualization, the operating system and applications reside on a server, most often in a data center. Users connect to these desktop environments (virtual desktops) via a network-based thin client. Perhaps one of the greatest privacy benefits of desktop virtualization is that sensitive cardholder data is less likely to be stored on the desktop.

Virtualization and security, like cloud computing and security, is a dynamic area. An excellent reference to start with is the SANS Whitepaper Top Virtualization Security Mistakes (and How to Avoid Them) [PDF link].

Desktop virtualization supports PCI by moving data off the desktop. This specifically makes compliance with PCI DSS requirements 3 (Protect stored cardholder data) and 9 (Restrict physical access to cardholder data) much easier.

DSS requirement 3.1 requires that entities keep cardholder data storage to a minimum. Desktop virtualization makes this easy as all data is offloaded to the server or secured SAN.

While PCI DSS lacks specifics around virtualization, a virtualized environment can be audited like any other environment. The key to this is to ask a lot of detailed questions during the PCI assessment. Some of the issues (which must be verified by documentation and processes) include:

  • Proof that the environments and data are properly segregated (perform robust datacenter physical and logical security assessments)
  • Only allow access via authorized persons
  • Separation of duties
  • Configuration management standards
  • Logging / auditing
  • Patching / vulnerability management

Virtualization and the hypervisor

In a virtualized environment, a hypervisor, also known as a virtual machine monitor (VMM), is a piece of platform-virtualization software that allows multiple operating systems to run concurrently on a host computer. While each operating system instance appears to have the host’s processor, memory and other resources to itself, it is the hypervisor that is truly controlling the host processor and resources. The job of the hypervisor is to allocate the resources that are needed to each operating system and to ensure that each virtual machine doesn’t conflict.

The hypervisor is a powerful tool of abstraction, and it’s the reason that malicious software and rootkits attempt to install as a hypervisor in virtualized environments. They do this to intercept operations of the operating system without the antivirus software necessarily detecting it.

Security provided by hypervisors is based on their ability to isolate processes from each other. On the Intel architecture, once a malicious party has access to ring 0, which is the most privileged mode of operation, there is no limit to what it can do. This includes any read, write and modification of all data. For a comprehensive look at hypervisor security, the paper, Security Consideration for Virtualization [PDF link], provides a highly technical overview of the topic.

Security issues around hypervisors are not new. The challenges in securing hypervisors are somewhat complex and not for the fainthearted. Anyone using virtualization should realize that the hypervisor is the target of choice for any attacker.

There is an expanding set of hypervisor security software coming on the market. Those looking to get their feet wet may want to try Appgate Free Edition from AppGate Network Security. The free edition is a fully functional version of the AppGate Security server. It is delivered as a virtualized version and can be run on almost any computer hardware.

Cloud Computing and PCI

When it comes to cloud computing, organizations need to take a broad view of its use from a security perspective. Because cloud computing changes the risk landscape for organizations, particular consideration needs to be addressed regarding confidentiality, integrity, availability, privacy, regulatory and legal (e-discovery and more) areas.

While cloud computing simplifies many IT administrative tasks, enterprises are to a degree placing all of their data eggs in one large basket. When a huge amount of valuable data is stored in a single location, it becomes much more vulnerable to attacks. Therefore, it is imperative that both standard security and PCI DSS compliance be put into place.

As we’ve noted, cloud computing is another technology that is ahead of many standards, including PCI DSS. As a start, two excellent resources for cloud computing security are the Security Guidance for Critical Areas of Focus in Cloud Computing [PDF link] from the Cloud Security Alliance and the Cloud Computing Information Assurance Framework from the European Network and Information Security Agency (ENISA). One of the most important recommendations ENISA makes is the information assurance framework, which is a set of assurance criteria designed to assess the risk of adopting cloud services. They also strongly recommend that enterprises compare different cloud provider offers, obtain assurance from the selected cloud providers and reduce the assurance burden on cloud providers.

For those who are serious about cloud computing and security, the Cloud Security Alliance (CSA) is another excellent resource. CSA was created to promote the use of best practices for providing security assurance within cloud computing and provide education on the uses of cloud computing to help secure all other forms of computing.

As stated, there is no mention of cloud computing in the PCI DSS. In fact, some, such as security expert Phil Cox, have gone so far as to write that if you do store or process cardholder data in a public cloud, it would not be possible to currently achieve PCI-DSS compliance. While we disagree with Cox’s opinion, it should be noted that the DSS essentially addresses cloud computing as an instance of a shared hosting environment as per DSS Appendix A: Additional PCI DSS Requirements for Shared Hosting Providers.

The requirements of Appendix A are that all service providers with access to cardholder data (including shared hosting providers) must adhere to the PCI DSS. In addition, Requirement 2.4 states that shared hosting providers must protect each entity’s hosted environment and data.

Therefore, shared hosting providers must additionally comply with the requirements in Appendix A. In addition, and depending upon the services provided, the major card brands can impose additional compliance validation requirements for hosting service providers, including the need to have their own PCI DSS assessment completed by a qualified 3rd party QSA.

Nonetheless, ultimately, the main requirement is that the cloud computing vendor must ensure that a logically segregated cardholder data environment exists and is preserved for each client. In addition, the other PCI core requirements must be met, for example, logging, monitoring, event alerting, access control, testing, auditing, etc.

Show me the PCI data

Part of the process of a PCI assessment is a walk-through of the hosts that handle, process and store the cardholder data. In a locally stored environment, this is an easy thing to do, since one simply has to walk to the appropriate racks in the data center. But in a cloud environment, it is conceivable that your data could be in the Denver data center on Tuesday and the Boise data center on Wednesday.

The way to obviate that is in the SLA process: clearly require that all of your data be stored in a location that is static and auditable. If this is not done, then your PCI compliance could definitely be in jeopardy.

It is hoped that once more cloud providers see the benefit of PCI compliance, combined with PCI DSS details around cloud computing, this thorny issue will go away.

Amazon Web Services and PCI

For those who use Amazon Web Services (AWS), stop—you can’t be PCI compliant. Amazon has stated that their solution is not PCI compliant, and they explicitly recommend not storing credit card information on their AWS platforms, including Simple Storage Service (S3) and Elastic Compute Cloud (Amazon EC2).

The bottom line is that if you are considering a cloud computing solution that requires PCI compliance, ask the vendor the obvious question upfront: whether they are compliant. If they say no, there is no reason to spend money on a QSA to perform a fruitless endeavor.

Some cloud vendors tout that they are PCI compliant. It is important to note a common misconception: even if the cloud provider is PCI compliant, that does not necessarily mean that the merchant/entity using their services is automatically PCI compliant. Irrespective of what is outsourced, PCI compliance is always ultimately the responsibility of the entity that owns the cardholder data.

PCI Steps For Cloud Computing

Gartner writes in Assessing the Security Risks of Cloud Computing that organizations need to demand transparency from their cloud providers. They advise not to contract for cloud services with a vendor that refuses to provide detailed information on its security and business continuity management programs. In addition, cloud computing offerings that include verifiable and specific information about security and uptime are easier to assess, providing a competitive advantage over those that do not.

Cloud computing requires an entity to be both aggressive and proactive with their vendors. While none of the major cloud providers is necessarily hiding things, it is up to the client to get out in front and understand what the cloud provider’s security architecture is. Any enterprise considering cloud services needs to work closely with their cloud vendors and clearly understand what security controls are in place.

While you don’t control the cloud, your provider must map your security framework to their cloud architecture. For some entities, this framework may be a hybrid of industry and business security requirements. Ultimately, cloud security is only as good as you define it and make associated demands from your cloud provider.

While the authors believe that many cloud computing environments can be PCI compliant, do not think that it will be an easy endeavor. In fact, be ready to be frustrated, flabbergasted and more. Many of the cloud providers barely understand the concept of “governance,” are not experts in PCI and many QSAs may not have the expertise in cloud computing. Also, since many companies have not adequately documented and diagrammed their cloud environments, there may be some frustrating moments waiting for the appropriate documentation.

The following are some of the items (clearly not a comprehensive listing) that need to be dealt with during a PCI assessment of a cloud computing environment:

  1. Entities that are required to be PCI compliant for the most part understand the benefits of cloud computing, but often don’t consider the risks of cloud-based services. Therefore, step one is to perform a risk assessment. As per PCI, this is required—PCI requirement 12.1.2.
  2. As part of the cloud risk assessment, define acceptable use cases.
  3. Take a look at the entire cloud architecture and ensure that the design has adequate security built-in. There are many things to analyze, including the nature of the architecture in addition to trust boundaries, administrative controls and more.
  4. Cloud provider policy and procedures review—the cloud provider should be willing to share with you the policies and procedures they follow to secure your data. Make sure those policies and procedures align with your requirements.
  5. Detail any compensating controls before allowing PCI data to be shared.
  6. Establish a qualitative professional relationship with your cloud provider. Many of the larger cloud providers have excellent security resources (both documentation and staff members) available. Make sure you use them to their fullest.
  7. Fully understand how the cloud provider will secure your critical data and see their architecture for how they will execute on that.
  8. Ensure that the cloud provider has effective administrative access controls and a formalized set of detailed and comprehensive processes.
  9. Since administrative access is out of your control, you need strong contract language including SLAs and validation that the vendor is capable of applying all appropriate PCI controls.
  10. Negotiate the ability to have read-only access to system monitoring. While this is rarely done, it can make all the difference in cooperative ownership of security and uptime monitoring.
  11. Fully detail compliance status reporting provisions.
  12. Ensure that the cloud security provider is compliant with PCI requirement 9—Restrict physical access to cardholder data. The cloud provider should have undergone a physical security site review. They should share the report with you and should also agree to a physical security inspection of their data center. In the event they refuse to, look for another cloud provider. The bottom line is that at the heart of any cloud is a well secured and managed data center.
  13. Patch management—PCI requirement 6.1 requires that all system components and software have the latest vendor-supplied security patches installed. Your cloud provider should be more than happy to provide you with their processes around patch management. In the event they refuse to, look for another cloud provider.

Finally, if your cloud provider is outside of the United States or is U.S.-based but “off-shores” its resources, you certainly want to make sure they understand what their obligations are regarding requirements in the U.S. In some countries (e.g., China), data protection laws can be sparse and offer you little legal protection.

While the use of cloud computing may appear to ease economic and regulatory burden, it is imperative that organizations understand that storing data in the cloud does not in any way relieve them of their legal and regulatory obligations. The bottom line is that nearly everything can be outsourced, but an enterprise can never outsource liability.


As hot as cloud security and virtualization are, so are the challenges for making them PCI compliant. Nonetheless, cloud security and virtualization PCI DSS compliance is possible. But like every other aspect of information security, it requires attention to detail, strong requirements, formal processes and a documented architecture.

For those who follow the directive of this article, it is hoped that their use of cloud security and virtualization is easy, and PCI DSS compliant.

Ben Rothke CISSP, QSA is a Security Consultant with BT Professional Services and the author of Computer Security: 20 Things Every Employee Should Know (McGraw-Hill Professional Education) and a founding member of the Cloud Security Alliance.

David Mundhenk CISSP, PCI-DSS & PA-DSS QSA, QPASP is a Security Consultant with a major professional services firm.