Virtualization, Cloud PCI Compliance Tips for Your Enterprise

Virtualization, Cloud PCI Compliance Tips for Your Enterprise

by Brian Prince

Do Ask, Do Tell

Companies should get independent verification that its cloud/virtualization vendor is PCI-compliant, and make sure there are measures in place to maintain that compliance. Companies should study their SLA to see if it protects them in the event of a data breach on their end.

Know Your Data

Not all data is meant for the cloud. “Ideally, you should limit the exposure and scope of where payment card data resides and moves in your systems and confine that data accordingly to the most heavily protected element of your network, with all the PCI DSS controls in place,” advises Bob Russo, general manager of the PCI Security Standards Council. “If you put payment data into the cloud – you are opening up that entire cloud to the scope of a PCI QSA assessment.”

Minimize the Scope of the Project

Ensure segmentation of your environment from other customer systems, your non-PCI cloud systems and the host and hypervisor.

Use Secure Images

Leverage a provider who can scale your environment dynamically based upon preconfigured PCI-compliant system images.

Segregate Systems and Networks

“Ensure that your firewall, IPS and IDS protect each of your virtual machines separately,” advises Todd Thiemann, senior director of data center security at Trend Micro. “Especially in a public cloud environment, the other virtual machines running on the same physical hardware should be considered hostile, and the firewall at the cloud provider’s perimeter cannot help you here.” Deploying your own host-based firewall/IDS/IPS also offers portability if you decide later to change cloud service providers, he says.

User Management and Provisioning

Companies need to secure and manage privileged administrative users in both virtualized and cloud environments because excessive entitlements can be a serious weakness. This is usually complicated by virtual server sprawl and the use of public cloud services, says Matthew Gardiner, director of security and compliance for CA. User rights should be restricted by a least-privileges approach.

Monitor Your Environment

With the ability to dynamically activate and deactivate cloud systems, logging and monitoring becomes critical. Make sure a strong correlated log monitoring solution is in place to monitor your systems. Better yet, take advantage of the innate benefits of cloud computing and go with a provider that can provide this service within your cloud.

Logging and Auditing

Virtualization vendors have tools to help organizations meet this requirement. Companies should ensure all audit trails have tight access controls that are maintained for virtual infrastructure components such as management utilities and the host. Audit trails should be secured so they cannot be altered.