OK, so this has been a topic of discussion around virtualization for a long time, but I just read a well-presented article on “Pesky Virtual Environments” from Trent Henry on the Burton Group blog.
The article focuses on how QSAs (auditors) policing PCI-DSS (the credit card data security standard) need to adjust their mindset when auditing virtualized card-processing infrastructure.
One small example: PCI-DSS requires that you implement “one primary function per server.” Some QSAs take that literally and gripe if you have multiple VMs performing different functions on a single physical server. That’s lame – there is plenty of research showing that the isolation of VMs makes them at least as secure as their physical counterparts, provided you understand how to configure them securely.
So, rather than going dogmatic about the “one primary function per server” requirement, the dialog should move to a higher level, such as:
- PCI requires segregating workloads and functions to different servers. How are you accomplishing that?
- Demonstrate that you understand the risks to each of the systems involved in processing or storing cardholder data.
- What guidelines / policies are you using as a basis for hardening your environment, and how do you know they’ve been implemented properly and consistently?
- Describe your security model and the controls you’ve implemented to mitigate the risks in your security plan.
- Substantiate that your IT controls are in place and effective.
- How many of those controls are automated, versus manual?
- What happens when the controls detect a violation? Can you show me an example of when that’s happened and how you dealt with it?
The bottom line is that compliance and security are not simply a checklist exercise, and they are not point-in-time “events.” Instead, they are a dynamic and continuous requirement, and need to be embraced as such by IT organizations and auditors alike.
How is that working in your environment? Do you have a healthy perspective?