The Cloud Advocate: The PCI DSS Virtualization Guidelines Now Published
Dean Ocampo, June 17, 2011, 07:51 am
3 to 132. That’s the number of times virtualization is mentioned in PCI DSS 2.0 versus the just-published PCI Virtualization Guidelines. Yes, after being relatively light on guidance, the PCI Council now has recommendations for using cloud computing and virtualization. And at 40 pages, it’s a page-turner.
So here are my takeaways from the new guidelines:
- Shared responsibility formalized: Yes, like we all keep saying, you and the cloud provider are both on the hook for PCI. The guidelines give guidance on the demarcation, then require your cloud provider to document what they believe is in scope, and require you to do the same. I wrote on this here.
- If you use, think about, or so much as sneeze on your hypervisor, it’s in scope: This is what security people have been saying for years: the underlying hypervisor underpins the entire trust model for virtualization and the cloud; get it wrong and the entire security model is upended. The most breathtaking part of the new guideline is the aggressive stance it takes on placing hypervisors in scope. Essentially, the *entire* hypervisor is in scope if it hosts any virtual instance that is in scope. AND any other instance on that hypervisor is now in scope too. Yes, the new guidance assumes the hypervisor is tainted. While as a security professional I agree, I think this clarification has the most wide-reaching implications.
- Segment your virtual instances by risk and separate the hypervisors: Following from the distrust of hypervisors, there is a recommendation to group your instances into segments of like risk. The thinking is to separate critical PCI data from higher-risk instances that could “pollute” the hypervisor and potentially breach critical PCI-scoped data. I know the large financial institutions were doing this in straight-up data center virtualization, but I’m not sure how widespread the model is, or how many of those in the middle of a cloud architecture effort were actually approaching it this way. This model makes total sense if you start from the assumption that the hypervisor is not to be trusted.
- The bar to using Public Cloud for PCI is set high: Extending from the distrust of hypervisors and the segmentation requirements, the general assumption is that the public cloud is not realistic for PCI workloads unless an organization has implemented rigorous segmentation and isolation controls, and can convince its auditors that its risk mitigation strategy is solid.
- Section 3: use encryption, use it often, use it right: As I wrote in a previous blog, the underlying shared ownership of the cloud requires us to rethink ownership and how we prove it to auditors. And guess what? This is now written into the guidelines. Encrypt at multiple places in the stack: the instance, the storage, and the data processing layer. And make sure you run key management right. This falls right in line with my four recommendations for extending physical-like ownership into the cloud.
- Vague cloud management language sets a wide scope: This caught my eye: the guidelines place any cloud management that provisions and automates virtualization in scope… and any “plug-in”. I think we need a call from the referee on this one. My first take: all those complex meta cloud management systems you are building on top of virtualization are now in scope. Didn’t see that coming, did you? This could be a headache given that all of these platforms are brand new, and security professionals like to call anything new “untested and unproven.” Let’s see how this plays out with the auditors.
- Lock down your hypervisor and cloud management, control your admins: No surprise here; separation of duties is written about ad nauseam just so no one misses it. And use multi-factor authentication. Can anyone say spear phishing? Yes, your admins are targets, so lock down your admin identities.
- Get things in writing and in service agreements: I’ve had a lot of conversations with customers about their frustrations with cloud provider contracts. Now the PCI Council asks that cloud providers document what they are doing for controls, and asks that you do the same in your contracts and service agreements.
- Your auditor has the last word: At the end of the day, strong as some of the recommendations are, your auditor will have the final word. But at least we now have what I think is a firmer baseline against which an auditor can check their assumptions and walk through your risk mitigation strategies wherever you need to deviate from it based on your operational requirements.
So grab your popcorn; it should be interesting to watch how this plays out over the next couple of years. -Dean
This entry was posted in Authentication, Cloud, Compliance, Crypto and tagged cloud compliance, Cloud Encryption, cloud management, financial services, PCI, PCI DSS, PCI Virtualization Guidelines, retail by Dean Ocampo.