I’ve had offline discussions about this with a number of customers, but was just reading an article about how PCI needs to address virtualization in its standards. The fact is, virtualization is being used by most of the companies I’ve met who are subject to PCI, but the “acceptability” of virtualization is very much subject to the judgment of the assessor (QSA) that’s auditing organizations for PCI compliance.
Some of the gray areas that seem to be yielding mixed results, particularly for those who host PCI-subject services for multiple clients, are the requirements to segregate data so that one client’s data does not reside on the same host as another client’s data.
The isolation of virtual machines running on a single hypervisor is very sound – and there has been a lot of scrutiny verifying that hosting client data on VMs on the same host is no less secure than if the client data resided on separate physical systems. The caveat is that you always need to properly configure the hypervisor and VMs for security (the free ConfigCheck utility can help).
In fact, the biggest thing virtual and physical systems have in common is that they are only as secure as their configurations. Consider this quote from the article:
"For example, if there are [cardholder data environment] and non-[cardholder data environment] virtual servers on the same hardware and the merchant/retailer argues that the virtualization alone provides adequate zoning and separation, there would still need to be firewalling — as per PCI — in place to separate the virtual servers into zones and proper monitoring on the hardware and virtual switching to ensure traffic isn’t passing inappropriately from one server instance to another," [Diana Kelley, founder and partner at consulting firm Security Curve] explained.
As you can see, the issue isn’t virtualization technology – it’s how you configure it.
The virtualization vs. PCI tension is not new at all, yet it is still not adequately addressed by the PCI Council. Always calling it like he sees it, my friend Chris Hoff has nailed the issues with the PCI standards and virtualization in a recent post – let’s hope the PCI folks are listening…