Can a virtualized environment be compatible with regulatory compliance? It's question rarely raised, but one that's important to address because non-compliance can be serious -- not to mention costly.
In October last year the PCI Security Standards Council (PCI SSC) published the PCI Data Security Standard (PCI DSS) v2.0, and for the first time it was explicitly stated that you could use virtualization technologies and be PCI-DSS compliant. Before that it was up to the auditor to decide if server virtualization -- or any other form of virtualization for that matter -- was acceptable at all, and conservative ones could simply rule it out.
But saying you can use virtualization really opens a can of worms. A recent Ponemon Institute study found that PCI-DSS is widely regarded as a higher priority than all other regulations including HIPAA, the EU Privacy Directive, Sarbanes-Oxley and United States state laws for data breach, as well as the most difficult set of regulations to comply with. Given how hard it is to be in compliance with PCI-DSS at the best of times, what chance do organizations really have of getting auditors to sign them off as being compliant with a virtualized infrastructure?
The good news is that help is at hand in the form of 39 pages of PCI DSS Virtualization Guidelines, published earlier this month by the Virtualization Special Interest Group of the PCI SSC. "Virtualization is inevitable, so it was something we had to address," said Hemma Prafullchandra, CTO of virtualization control and compliance provider HyTrust and a member of the Special Interest Group.
The document highlights a number of new risks that virtualization technology introduces. It points out that the hypervisor is a new attack surface that doesn't exist in the physical world and highlights worries about the principal of running only one primary function on any given system. Virtual machines may have only one primary function, but these may all be hosted on the same physical machine, it points out.
It also goes into some detail about the risk of dormant and forgotten virtual machines.
VMs that are not active (dormant or no longer used) could still house sensitive data, such as authentication credentials, encryption keys or critical configuration information. Inactive VMs containing payment card data can become unknown, unsecured data stores, which are often only rediscovered in the event of a data breach ... Though dormant, inactive VMs represent a viable security threat and therefore must be identified and tracked so appropriate security controls can be applied.
This raises the question of how virtualized infrastructures can best be managed. Prafullchandra warned that many traditional management tools may not be up to the job. "In the past, you might have used unified management systems from the likes of IBM, CA or BMC. But these might not be up to date when it comes to virtualization, VM lifecycle management or the ability to do live migrations between physical hosts. You have to ask if your management systems are aware of these technologies."
Prafullchandra said that even VMware's management systems are not up to scratch when it comes to compliance, adding that companies will have to fill the functionality gaps with offerings from third-party vendors like her own company, HyTrust. For example, HyTrust offers software that can ensure certain workloads are permitted to boot up only on specific hosts or specific clusters, which is critical for compliance with PCI-DSS. VMware's vCenter alone can't currently do this, although she admits with refreshing honesty that this type of functionality will probably be included in VMware's offering within the next few years.
Perhaps of most use, the guidelines offer some recommendations and best practices to help meet PCI DSS requirements in virtual environments.
They also have a warning for anyone thinking of using cloud computing as part of their cardholder data environment (CDE). The document points out that in a public cloud environment, additional controls must be implemented to compensate for the inherent risks and lack of visibility into the public cloud architecture. "More stringent preventive, detective, and corrective controls are required to offset the additional risk that a public cloud, or similar environment, could introduce to an entity's CDE. These challenges may make it impossible for some cloud-based services to operate in a PCI DSS compliant manner."
So going back to the original question: "Can a virtualized environment be compatible with regulatory compliance?" the answer is yes -- but it will even more fiendishly difficult than it is in a non-virtualized one. You have been warned. And if you're thinking of the public cloud the answer is maybe. But, depending on your cloud provider, perhaps not.
Paul Rubens is a journalist based in Marlow on Thames, England. He has been programming, tinkering and generally sitting in front of computer screens since his first encounter with a DEC PDP-11 in 1979.