Virtualization Technology: Virtualization, Cloud PCI Compliance Tips for Your Enterprise

 
 
By Brian Prince  |  Posted 2010-07-21
 
 
 

Virtualization, Cloud PCI Compliance Tips for Your Enterprise

by Brian Prince

Virtualization, Cloud PCI Compliance Tips for Your Enterprise

Do Ask, Do Tell

Companies should get independent verification that its cloud/virtualization vendor is PCI-compliant, and make sure there are measures in place to maintain that compliance. Companies should study their SLA to see if it protects them in the event of a data breach on their end.

Do Ask, Do Tell

Know Your Data

Not all data is meant for the cloud. "Ideally, you should limit the exposure and scope of where payment card data resides and moves in your systems and confine that data accordingly to the most heavily protected element of your network, with all the PCI DSS controls in place," advises Bob Russo, general manager of the PCI Security Standards Council. "If you put payment data into the cloud - you are opening up that entire cloud to the scope of a PCI QSA assessment."

Know Your Data

Minimize the Scope of the Project

Ensure segmentation of your environment from other customer systems, your non-PCI cloud systems and the host and hypervisor.

Minimize the Scope of the Project

Use Secure Images

Leverage a provider who can scale your environment dynamically based upon preconfigured PCI-compliant system images.

Use Secure Images

Segregate Systems and Networks

"Ensure that your firewall, IPS and IDS protect each of your virtual machines separately," advises Todd Thiemann, senior director of data center security at Trend Micro. "Especially in a public cloud environment, the other virtual machines running on the same physical hardware should be considered hostile, and the firewall at the cloud provider's perimeter cannot help you here." Deploying your own host-based firewall/IDS/IPS also offers portability if you decide later to change cloud service providers, he says.

Segregate Systems and Networks

User Management and Provisioning

Companies need to secure and manage privileged administrative users in both virtualized and cloud environments because excessive entitlements can be a serious weakness. This is usually complicated by virtual server sprawl and the use of public cloud services, says Matthew Gardiner, director of security and compliance for CA. User rights should be restricted by a least-privileges approach.

User Management and Provisioning

Monitor Your Environment

With the ability to dynamically activate and deactivate cloud systems, logging and monitoring becomes critical. Make sure a strong correlated log monitoring solution is in place to monitor your systems. Better yet, take advantage of the innate benefits of cloud computing and go with a provider that can provide this service within your cloud.

Monitor Your Environment

Logging and Auditing

Virtualization vendors have tools to help organizations meet this requirement. Companies should ensure all audit trails have tight access controls that are maintained for virtual infrastructure components such as management utilities and the host. Audit trails should be secured so they cannot be altered.

Logging and Auditing

Rocket Fuel