VMWorld: Virtualization Poses Challenges For PCI Audits

How do organizations secure and stay compliant with virtual environments? The same way that they do physical environments -- just prepare for a few more challenges along the way.

During one of the final sessions of the 2010 VMWorld Conference Thursday, a VMWare executive and a compliance auditor provided their audience with tips on how to be compliance-ready in a virtual environment when it came to one of the most prescriptive standards in the industry -- Payment Card Industry Data Protection Standard, or PCI DSS.

Above all, executives emphasized in their presentation "Compliance Ready Virtual Infrastructure, Addressing PCI," that organizations should secure their virtual systems in many of the same ways that they secure their physical systems.

"Making sure your virtual machines are secure -- this is an area in which the virtual world is the same as the physical world," said Charu Chaubal, VMware technical marketing manager, during his presentation.

Altogether, organizations need to equip their virtual systems with many of the same security solutions as they would on their physical systems, including antivirus, patch management, network segmentation, intrusion detection and prevention and configuration management, Chaubal said.

"A lot of these tools are becoming virtualized," he said. "A lot of times it’s the same code, and you run it in the virtual machine."

So when it comes to being PCI compliant, often it's a matter of proving that the virtual machines are just as secure as the physical machines. However, that's where the compliance process can become challenging, executives said.

For one, there's a difference between being compliant and being secure -- and just because your organization has achieved one of these goals doesn't necessarily mean it has achieved the other, said Tom McAndrew, vice president of professional services for Coalfire, a Seattle-based IT governance and compliance firm.

Meanwhile, the current version of PCI doesn't acknowledge virtualized environments or even include the word "virtualization" in the text, he said.

"Technology changes faster than any standard. They're never going to be able to provide (a standard) as quickly as the technology is changing," McAndrew said.

In addition, a virtual environment poses different challenges than a physical one, he said. For example, a rebuild of a virtual environment could introduce new risks to an organization's IT environment. Attackers can easily replicate virtualized data, and store it on other systems that could enable them access -- even if that data is encrypted, McAndrew said.

"The data used to be only in one location. Now it could be transmitted to areas you're not used to in a physical environment," he said. "The integrity of that data can also be altered. You can use those credentials to attack other systems. Once you have access to hypervisor, you have access to all those systems."

In addition, system boundaries -- and all the components of a virtual system -- are not clear and even the simplest of virtual networks are "rather complicated," he said.

Another challenge to becoming compliant is in documentation. Often administrators have to know where all the data resides and are required to document it, which is a lot more difficult with multiple VMs, McAndrew said.

"Once you have it, you have to start documenting it early. Credit card data doesn’t just exist in an organization. It has to come from somewhere," he said. "Describe what virtualization is being used, where cardholder data is, the unique risks -- will this address multi-tenancy environment or mixed mode virtualization?"

"The larger you are, the more expectation there is that these things should be protected. Assessing the risk is different because that risk means your control should be a little bit stronger."