PCI DSS Virtualization Guide. Part 1

Original author: Virtualization Special Interest Group, PCI Security Standards Council
Standard: PCI Data Security Standard (PCI DSS)
Version: 2.0
Date: June 2011
Additional information: PCI DSS Virtualization Guide, Part 2; PCI DSS Virtualization Guide, Part 3

1. Introduction


Virtualization separates applications, computers, machines, networks, data, and services from their physical limitations. Virtualization is an evolving concept that encompasses a wide range of technologies, tools, and methods that can lead to significant operational benefits for organizations that choose to use virtualization. As with any developing technology, however, risks also continue to develop, which are often less clear than the risks associated with more traditional technologies.
The purpose of this document is to provide guidance on the use of virtualization in accordance with the Payment Card Industry Data Security Standard (PCI DSS). For the purposes of this document, all references are to PCI DSS version 2.0.
There are four simple principles associated with the use of virtualization in cardholder data environments:
  • a. If virtualization technologies are used in a cardholder data environment, PCI DSS requirements apply to those virtualization technologies.
  • b. Virtualization technology introduces new risks that may not apply to other technologies, and these risks must be assessed whenever virtualization is used with cardholder data.
  • c. Implementations of virtualization technology can vary significantly, and organizations need to perform thorough discovery to identify and document the unique characteristics of their particular implementation of virtualization, including all interactions with payment transaction processes and payment card data.
  • d. There is no single method or solution for configuring virtualized environments to meet PCI DSS requirements. The specific controls and procedures will vary for each environment, depending on how virtualization is implemented and used.


1.1 Target Audience

This white paper is intended for merchants and service providers who use or are considering using virtualization technologies in their cardholder data environment (CDE). It may also be useful for assessors reviewing virtualized environments as part of a PCI DSS assessment.

Note: This document assumes a basic understanding of virtualization, its technologies and principles. Nevertheless, an understanding of the architecture of the virtualization technology in use is required to evaluate technical controls in virtualized environments, since the nature of these environments, especially in the areas of process isolation and virtual networking, can differ significantly from traditional physical environments.

1.2 Scope

This document provides additional guidance on the use of virtualization technologies in cardholder data environments and does not replace PCI DSS requirements. For specific audit criteria and requirements, virtualized environments should be evaluated against the criteria set out in PCI DSS.
This document is not intended as an endorsement of any particular technology, product or service, but rather as an acknowledgment that these technologies exist and may affect the security of payment card data.

2 Virtualization Overview



2.1 Concept and virtualization classes

Virtualization is the logical separation of computing resources from physical constraints. One common abstraction is called a "virtual machine" or VM, which takes the contents of a physical machine and allows it to run on different physical hardware and/or alongside other virtual machines on the same physical equipment. In addition to VMs, virtualization can be applied to many other computing resources, including the OS, networks, memory, and storage systems.
The term "workload" is increasingly used to describe a wide range of virtual resources; a virtual machine, for example, is one type of workload. While virtual machines are the dominant way to apply virtualization technology today, there are a number of other workloads, including application systems, desktops, networks, and virtualized storage models. The following types of virtualization are the focus of this document.

2.1.1 Operating System
Operating system (OS) virtualization is typically used to take the resources of a single physical server and divide them into several smaller partitions such as virtual environments, VPSs, zones, etc. In this scenario all partitions share the same OS kernel, but they can run different libraries, distributions, etc.
In the same way, application virtualization separates individual application instances from the underlying operating system, providing a discrete application environment for each user.

2.1.2 Hardware / Platform
Hardware virtualization is achieved through hardware partitioning or hypervisor technology. The hypervisor mediates access to the hardware for the VMs running on a physical platform. There are two types of hypervisor:
  • Type 1 Hypervisor - A Type 1 hypervisor (also known as "native" or "bare metal") is software or firmware that runs directly on the hardware and is responsible for coordinating access to hardware resources, as well as hosting and managing the VMs.
  • Type 2 Hypervisor - A Type 2 hypervisor (also known as "hosted") runs as an application on an existing operating system. This type of hypervisor emulates the physical resources needed by each virtual machine and is seen by the host OS as just another application.


2.1.3 Network
Network virtualization decouples logical networks from physical ones. For almost every type of physical network component (for example, switches, routers, firewalls, intrusion prevention systems, load balancers, etc.) there is a logical counterpart available as a virtual appliance.
Unlike other stand-alone hosts (for example, a server, workstation or other type of system), network devices operate in the following logical "planes":
  • Data Plane: Forwards message data between nodes in a network.
  • Control Plane: Manages traffic, network information, and routing information; includes communication between network devices regarding network topology, state, and routing.
  • Management Plane: Processes messages addressed directly to the device itself for device management purposes (for example, configuration, monitoring and maintenance).


2.1.4 Data Storage
Storage virtualization combines several physical storage devices on a network and presents them as a single storage device. This consolidation is typically used in storage area networks (SANs).
One benefit of virtual storage is that the complexity of the storage infrastructure is hidden from users. However, it also creates a challenge for organizations that need to document and manage their data stores, since a particular set of data may be stored in several locations at the same time.

2.1.5 Memory
Memory virtualization involves consolidating physical memory from several separate systems into a virtualized "pool" of memory, which is then shared between system components.
As with virtualized storage, combining multiple physical memory resources into one virtual resource adds layers of complexity when mapping and documenting where data resides.

2.2 Virtual System Components and Scope Guidance
This section describes some of the more common virtual abstractions, or virtual system components, that may be present in virtual environments and provides scoping guidance for each.
Note that the scoping guidance in this section should be considered complementary to the basic principle that PCI DSS applies to all system components, including virtualized components, that are included in or connected to the cardholder data environment. Whether a particular virtual system component is in scope will depend on the specific technology and how it is implemented in the environment.

2.2.1 Hypervisor
A hypervisor is software or firmware that is responsible for hosting and managing virtual machines. The hypervisor system component may also include a virtual machine monitor (VMM). The VMM is a software component that implements and manages the hardware abstraction of a VM and can be considered the management function of the hypervisor platform. The VMM manages the system processor, memory, and other resources in order to allocate what the OS of each VM (also known as a "guest") requires. In some cases it provides this functionality in combination with hardware virtualization technology.
Scope: If any virtual component connected to (or hosted on) a hypervisor is in scope for PCI DSS, the hypervisor itself will always be in scope. For additional guidance on the presence of both in-scope and out-of-scope VMs on the same hypervisor, see section 4.2 Recommendations for mixed-mode environments.

Note: The term "mixed mode" refers to a virtualization configuration in which both in-scope and out-of-scope virtual components are running on the same hypervisor or host.

2.2.2 Virtual Machine
A virtual machine (VM) is a self-contained operating environment that behaves like a separate computer. It is also known as a guest and runs on the hypervisor.
Scope: An entire VM will be in scope if it stores, processes or transmits cardholder data, or if it connects to or provides an entry point into the CDE. If a VM is in scope, the underlying host system and hypervisor will also be in scope, since they are directly connected to the VM and have a fundamental impact on its functionality and security.

2.2.3 Virtual Appliance
A virtual appliance can be described as a packaged software image intended to run inside a virtual machine. Each virtual appliance performs a specific function and usually consists of basic operating system components and a single application. Physical network devices such as routers, switches, or firewalls can be virtualized and run as virtual appliances.
Virtual Security Appliance (VSA or SVA) - A virtual appliance consisting of a hardened operating system and a single security application. VSAs generally have a higher level of trust than conventional virtual appliances (VAs), including privileged access to the hypervisor and other resources. In order to perform system and network management functions, a VSA usually has increased visibility into the hypervisor and into any of the virtual networks running on the hypervisor. Some VSA solutions can be attached directly to the hypervisor, providing added security to the entire platform. Examples of security functions available as virtual appliances include firewalls, IPS/IDS, and antivirus.
Scope: Virtual appliances used to connect to, or to provide services to, in-scope system components are also considered in scope. Any VSA/SVA that may affect the CDE will also be in scope.

2.2.4 Virtual Switch or Router
A virtual switch or router is a software component that provides network-level routing and switching functionality. A virtual switch is often an integral part of a virtualized server platform, for example as a driver, module, or hypervisor plug-in. A virtual router can be deployed as a separate virtual appliance or as a component of a physical device. Additionally, virtual switches and routers can be used to create multiple logical network devices from a single physical platform.
Scope: Networks configured on a hypervisor-based virtual switch will be in scope if they contain an in-scope component, or if they provide services or are connected to an in-scope component. Physical devices that host virtual switches or routers will be considered in scope if any of the hosted components connects to an in-scope network.

2.2.5 Virtual Applications and Desktops
Individual applications and desktop environments can also be virtualized to provide functionality to end users. Virtual applications and desktops are usually hosted centrally and accessed through a remote desktop interface. Virtual desktops can be configured to allow access from several types of devices, including thin clients and mobile devices, and can run using local or remote computing resources. Virtual applications and desktops may be present at the point of sale, in customer service, and within other forms of interaction in the payment chain.
Scope: Virtual applications and desktops will be in scope if they are involved in processing, storing or transmitting cardholder data, or provide access to the CDE. If a virtual application or desktop is located on the same physical host or hypervisor as an in-scope component, the virtual application / desktop will also be in scope unless adequate segmentation is applied that isolates all in-scope components from out-of-scope ones. For additional guidance on the presence of both in-scope and out-of-scope components on the same host or hypervisor, see section 4.2 Recommendations for mixed-mode environments.
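The scoping rules of sections 2.2.1 through 2.2.5 can be applied mechanically to a virtual inventory. The following is an added example, not part of the guide: it propagates those rules to a fixed point over a constructed inventory, and it assumes that a component attached to a virtual network carrying an in-scope endpoint counts as "connected to" the CDE unless it is adequately segmented (the `Component` fields and the inventory names are constructed for illustration).

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

@dataclass
class Component:
    name: str
    kind: str                        # "hypervisor", "vm", "desktop", "appliance", "vswitch"
    handles_chd: bool = False        # stores, processes or transmits cardholder data
    cde_entry_point: bool = False    # connects to or provides an entry point into the CDE
    host: Optional[str] = None       # hypervisor this component runs on
    networks: Set[str] = field(default_factory=set)  # virtual networks it attaches to
    serves: Set[str] = field(default_factory=set)    # components it provides services to
    segmented: bool = False          # adequately segmented from in-scope components

def compute_scope(inventory: List[Component]) -> Dict[str, str]:
    # Map each in-scope component to the section 2.2 rule that pulled it in.
    scope = {c.name: "stores, processes or transmits CHD, or is a CDE entry point (2.2.2)"
             for c in inventory if c.handles_chd or c.cde_entry_point}
    changed = True
    while changed:  # propagate until no rule adds anything (fixed point)
        changed = False
        # Virtual networks carrying an in-scope endpoint (a switch's own attachments do not count).
        nets = {n for c in inventory if c.name in scope and c.kind != "vswitch" for n in c.networks}
        for c in inventory:
            if c.name in scope:
                continue
            if c.kind == "hypervisor" and any(h.host == c.name and h.name in scope for h in inventory):
                reason = "hosts an in-scope virtual component (2.2.1)"
            elif c.networks & nets and not c.segmented:
                reason = "attached to an in-scope virtual network (2.2.4)"
            elif c.serves & set(scope):
                reason = "connects to or provides services to an in-scope component (2.2.3)"
            elif c.kind == "desktop" and c.host in scope and not c.segmented:
                reason = "unsegmented desktop on a hypervisor with in-scope components (2.2.5)"
            else:
                continue  # other VMs sharing the hypervisor are a mixed-mode case (section 4.2)
            scope[c.name] = reason
            changed = True
    return scope

# Constructed inventory: one mixed-mode hypervisor plus an unrelated development host.
INVENTORY = [
    Component("hv-1", "hypervisor"),
    Component("pos-db", "vm", handles_chd=True, host="hv-1", networks={"vlan-cde"}),
    Component("vswitch-1", "vswitch", host="hv-1", networks={"vlan-cde", "vlan-corp"}),
    Component("hr-app", "vm", host="hv-1", networks={"vlan-corp"}, segmented=True),
    Component("av-sva", "appliance", host="hv-1", serves={"pos-db"}),
    Component("cashier-desk", "desktop", host="hv-1"),
    Component("hv-2", "hypervisor"),
    Component("dev-vm", "vm", host="hv-2", networks={"vlan-dev"}),
]
```

Running `compute_scope(INVENTORY)` pulls in the POS database, its hypervisor, the virtual switch, the security appliance serving it and the unsegmented cashier desktop, while the segmented HR VM and the development host stay out.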

2.2.6 Cloud Computing

Cloud computing is a rapidly growing area of virtualization that provides computing resources as a service or utility through public, semi-public or private infrastructures. Cloud service offerings are typically delivered from a pool or cluster of connected systems and provide service-based access to shared computing resources for multiple users, organizations, or tenants.
Scope: The use of cloud computing raises a number of challenges that need to be considered when defining scope boundaries. Organizations planning to use cloud computing for their PCI DSS environments must first make sure that they clearly understand the details of the services offered, and must also perform a detailed assessment of the risks associated with each service. In addition, as with any managed service, it is imperative that the organization and the provider clearly identify and document the responsibilities assigned to each party for maintaining PCI DSS compliance and any other measures that may affect the security of cardholder data.
The cloud service provider must clearly identify which PCI DSS requirements, system components, and services are covered by its PCI DSS compliance program. Any aspects of the service not covered by the cloud provider must be identified and clearly documented in the service agreement as aspects, system components, and PCI DSS requirements that are the responsibility of the organization using the hosted service. The cloud service provider must provide sufficient evidence and assurance that all processes and components under its control comply with PCI DSS requirements.
For more guidance on using cloud environments, see Section 4.3 Guidelines for Cloud Computing Environments.
