Can sensitive payment card data be processed and held in virtual-machine (VM) systems or cloud-computing environments?
That question has been debated for a number of years, even though the PCI Security Standards Council, which sets the payment-card industry requirements that impact merchants, enterprises and vendors, has never expressly said "no" to it. Today the council has issued its first in-depth report describing guidelines it says should be used for securing PCI data in VM and cloud environments -- and candidly says it won't necessarily be easy.
VM and cloud-computing environments are known to be dynamic because workloads can be moved around very quickly but "the key point is you, as a merchant, have the responsibility to know where the data is," says Bob Russo, general manager of the PCI Security Standards Council.
The document made public today, "Information Supplement, PCI DSS Virtualization Guidelines," spells out in detail how the council's existing 12-part Data Security Standard should be applied to PCI data processed or held in virtualized and cloud environments. The report acknowledges that in many cases a lack of security and management controls for virtualized and cloud environments will make them unsuitable for sensitive PCI data.
"A key risk factor unique to virtual environments is the hypervisor -- if this is compromised or not properly configured, all VMs hosted on that hypervisor are potentially at risk," the report notes. "The hypervisor provides a single point of access into the virtual environment and is also potentially a single point of failure."
To minimize risk, the report includes several guidelines. One of the main ones is not to host VMs of different trust levels on the same hypervisor or host. "It is strongly recommended (and as a basic security principle) that VMs of different security levels are not hosted on the same hypervisor or physical host; the primary concern being that a VM with lower security requirements will have lesser security controls, and could be used to launch an attack or provide access to more sensitive VMs on the same system."
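The co-location rule quoted above is easy to check against a VM inventory. The following is an added example, not code from the council's report or from Network World; it runs over a constructed inventory with hypothetical host and VM names, tags each VM as in or out of the cardholder data environment (CDE), and flags any hypervisor that hosts both trust levels.

```python
from collections import defaultdict

# Constructed inventory (hypothetical names): (vm_name, hypervisor_host, trust_level).
# "CDE" marks VMs inside the cardholder data environment; "non-CDE" marks
# lower-trust workloads that should not share a hypervisor with them.
INVENTORY = [
    ("pay-app-01", "esx-host-a", "CDE"),
    ("pay-db-01", "esx-host-a", "CDE"),
    ("marketing-web-01", "esx-host-a", "non-CDE"),  # mixed trust on esx-host-a
    ("hr-portal-01", "esx-host-b", "non-CDE"),
    ("ci-runner-01", "esx-host-b", "non-CDE"),
    ("pay-tokenizer-01", "esx-host-c", "CDE"),
]


def vms_by_host(inventory):
    """Group (vm_name, trust_level) pairs by the hypervisor host they run on."""
    hosts = defaultdict(list)
    for vm, host, level in inventory:
        hosts[host].append((vm, level))
    return hosts


def mixed_trust_hosts(inventory):
    """Return {host: {trust_level: [vm, ...]}} for every hypervisor that
    co-locates VMs of more than one trust level (a guideline violation)."""
    findings = {}
    for host, vms in vms_by_host(inventory).items():
        levels = {level for _, level in vms}
        if len(levels) > 1:
            findings[host] = {
                lvl: sorted(vm for vm, l in vms if l == lvl) for lvl in levels
            }
    return findings


def report(inventory):
    """Render the findings as human-readable lines, one host per block."""
    lines = []
    for host, groups in sorted(mixed_trust_hosts(inventory).items()):
        lines.append(f"{host}: mixed trust levels")
        for level, vms in sorted(groups.items()):
            lines.append(f"  {level}: {', '.join(vms)}")
    return lines


if __name__ == "__main__":
    for line in report(INVENTORY) or ["no mixed-trust hosts found"]:
        print(line)
```

In practice the inventory would come from the hypervisor management API or a CMDB export, and the trust level from the same asset tags used to scope the PCI assessment.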
The council also says that the controls required by its 12-part DSS, including firewalls, encryption, a prohibition on direct public access to the Internet, system hardening, antivirus, strong two-factor authentication for remote access, logging, intrusion-prevention systems and monitoring, among other things, must all be carried into any virtualized or cloud environment that is to be used for PCI data. Noting the wide variety of virtual-machine options, the report questions whether mature management tools are in place in some instances.
Cloud providers come in for strong criticism over their suitability for PCI data.
"The cloud provider should provide sufficient evidence and assurance that all processes and components under their control are PCI DSS compliant. In a public cloud environment, the services and computing resources provided by the cloud provider are typically shared across multiple entities, or tenants. This is in contrast to typical hosting environments where dedicated resources are usually provisioned to each hosted entity or tenant."
The report says there are many reasons why public cloud environments may not be suited for PCI data, including "the host entity has limited or no oversight or control over cardholder data storage" and "no knowledge 'who' they are sharing resources with."
For these and other reasons, "these challenges may make it impossible for some cloud-based services to operate in a PCI DSS compliant manner. Consequently, the burden for providing proof of PCI DSS compliance for a cloud-based service falls heavily on the cloud provider, and such proof should be accepted only based on rigorous evidence of adequate controls," the report concludes.
The "Information Supplement, PCI DSS Virtualization Guidelines" was formulated over several months by the council's Virtualization Special Interest Group, chaired by Kurt Roemer, Citrix chief security strategist, and more than 30 representatives from companies including Bank of America, LL Bean, AT&T, HP, Savvis, Southwest Airlines, VMware, Verizon Business and Stanford University.
Read more about wide area network in Network World's Wide Area Network section.