- of
Virtualization, Cloud PCI Compliance Tips for Your Enterprise
by Brian Prince
Do Ask, Do Tell
Companies should get independent verification that its cloud/virtualization vendor is PCI-compliant, and make sure there are measures in place to maintain that compliance. Companies should study their SLA to see if it protects them in the event of a data breach on their end.
Know Your Data
Not all data is meant for the cloud. "Ideally, you should limit the exposure and scope of where payment card data resides and moves in your systems and confine that data accordingly to the most heavily protected element of your network, with all the PCI DSS controls in place," advises Bob Russo, general manager of the PCI Security Standards Council. "If you put payment data into the cloud - you are opening up that entire cloud to the scope of a PCI QSA assessment."
Minimize the Scope of the Project
Ensure segmentation of your environment from other customer systems, your non-PCI cloud systems and the host and hypervisor.
Use Secure Images
Leverage a provider who can scale your environment dynamically based upon preconfigured PCI-compliant system images.
Segregate Systems and Networks
"Ensure that your firewall, IPS and IDS protect each of your virtual machines separately," advises Todd Thiemann, senior director of data center security at Trend Micro. "Especially in a public cloud environment, the other virtual machines running on the same physical hardware should be considered hostile, and the firewall at the cloud provider's perimeter cannot help you here." Deploying your own host-based firewall/IDS/IPS also offers portability if you decide later to change cloud service providers, he says.
User Management and Provisioning
Companies need to secure and manage privileged administrative users in both virtualized and cloud environments because excessive entitlements can be a serious weakness. This is usually complicated by virtual server sprawl and the use of public cloud services, says Matthew Gardiner, director of security and compliance for CA. User rights should be restricted by a least-privileges approach.
Monitor Your Environment
With the ability to dynamically activate and deactivate cloud systems, logging and monitoring becomes critical. Make sure a strong correlated log monitoring solution is in place to monitor your systems. Better yet, take advantage of the innate benefits of cloud computing and go with a provider that can provide this service within your cloud.
Logging and Auditing
Virtualization vendors have tools to help organizations meet this requirement. Companies should ensure all audit trails have tight access controls that are maintained for virtual infrastructure components such as management utilities and the host. Audit trails should be secured so they cannot be altered.
Virtualization Technology News & Reviews 
Tablet King for 2012: 10 Factors That Will Determine the Leader
Digium Launches Line of IP Handsets
SMBs Are Losing Confidence in IT Disaster Recovery Systems: Surve[..]
Facebook IPO to Dwarf Recent Groupon, Zynga, LinkedIn Stock Marke[..]
Super Bowl XLVI: 10 Winning Gadgets, Apps You Need
Kindle Fire Grabbing Control of Android Tablet Market: 10 Reasons[..]
See All Slideshows
Adoption of virtualization and cloud computing is not slowing down, and neither are the challenges facing businesses looking to migrate to the cloud. At the top of the list for many firms is maintaining security and compliance when moving from physical to virtual and cloud environments. Though an update of the PCI DSS (Payment Card Industry Data Security Standard) regulations is forthcoming and the PCI Security Standards Council has a special interest group looking at virtualization and how that maps to PCI, the council does not plan to release separate guidance on cloud computing. This means that businesses looking at the cloud may not get much detailed guidance on what to do. However, there are multiple sources for those searching for advice. With that in mind, eWEEK has compiled a list of the most important steps your business can take to make sure PCI compliance does not fall to the backburner of your plans for virtual, public and private cloud environments.