What has been the work of the Virtualization Special Interest Group (SIG) thus far?
There are a few different SIGs meeting here. The Virtualization SIG is working to find common
ground between the virtualization providers, the banks, some of the merchants as well as the
auditors and assessors. The initial goal is to try to find common ground and say this is a
reasonable path for deploying virtualization in your environment, such that it can be PCI
DSS compliant.
The Virtualization SIG has been meeting for a year. Has it been difficult to find common
ground?
Typically we have weekly sessions that are open. It has been going on for about a year now. I
think it's a credit to the people that are leading the group in that they have been managing those
different viewpoints. We can't simply say this works for a level one merchant so that's what we're
going to follow. We have to consider how every organization is using virtualization in the
environment and how they are dealing with compliance. Everybody from Bob's gas station down the
street to an organization the size of any level one merchant you want to name. We have to look at
how they're deploying that technology and also talk about what's reasonable from a security
perspective.
We've heard that the people who have introduced virtualization into their environments are finding that traditional security technologies that work in a physical environment seem to be working in a virtual environment. If that is the case, what are some of the challenges when it comes to compliance?
As organizations have migrated into the virtual environments and started to adopt them in their production architectures, the security solutions have struggled to catch up. The challenge we run into is the fact that there's an increased level of complexity, which from the security perspective is usually a challenge. Anything that is increasing in complexity by definition is easier [for an attacker] to get around and get into. The second challenge is that security is hard and it takes a long time to do things right. When you look at some of those security solutions that have been out there, such as virtualized intrusion detection engines, virtualized compliance management solutions, and even virtualized switching, what we're discovering again is that most of those tools are less than two years old. That has had a significant impact on the overall maturity level of the environment.
For merchants that have already deployed virtualization and have already gone through an
assessment, what are some of the compensating controls being used right now?
A lot of the compensating controls being used by people that I've been talking to as SunGard
customers have been in the area of some of those technologies I spoke of, but more importantly, it's
been focusing on an effective design -- by not mixing zones of trust for example. They've been able
to say that's what we consider to be a compensating control because that's what we feel comfortable
with. You may be able to get 40:1 from a virtualization perspective on the same physical platform,
however, we don't feel comfortable mixing the Web servers and the database tier on the same
hypervisor instance. Those are the decisions that the merchants themselves are making without any
guidance necessarily from us. One of the challenges the PCI SIG is addressing is that, without any kind of
guidance, it's very much like Russian roulette when you're trying to figure out who you want to be
your certified quality assessor. Some qualified security assessors have said we can't mix
virtualization and PCI compliance. Others don't really have a position on it or haven't really
considered that in how they address an assessment. That's why it's so critical that this
Virtualization SIG is able to drive a reasonable common sense set of standards.
Are QSAs given any training in how to assess a virtualized environment?
At this point in time that's not standard QSA curriculum because there isn't any official guidance
on it. One thing that looks to be going on this week is that this is going to be the beginning of
it. … There are solutions that are there that let you virtualize and so this is the guidance that you
want to take back to people you work with to help them. It would explain the options. If you go one
way it would be more challenging but you would still be compliant. If you go the other way it's
going to be extremely simple for you, but nonetheless there's going to be additional costs in
there. You won't be able to realize some of the benefits of virtualization.
Is the SIG looking at tools such as virtual appliances and virtual firewalls as a possible
recommendation to be part of the PCI standard?
During the discussions we have, obviously we have to look at the way organizations are
deploying the technology today as well as the security solutions that are available to help protect
it. I'm not necessarily one to get up and say if it hasn't existed for five years I don't want it
in my environment. Today's business environment can't support that. They have to take much greater
advantage of the hardware and software savings as well as the consolidation benefits of
virtualization. The point is to try and figure out that middle path or even maybe two or three
paths organizations can go down while still meeting their compliance targets while using
virtualization effectively to get a lot of the benefits out of it.