PCI Council: Don't Go Mixed-Mode In Virtualization

The PCI Council released its guidelines for using virtualization in payment-card systems on Tuesday (June 14). That's not news—the PCI Virtualization Special Interest Group has been working on the guidelines for months. What is surprising is just how blunt the guidelines are. For once, a PCI document actually tells you what to do.

Example: Section 4.2, the guidelines' advice for "mixed-mode environments." That means cases where a single server contains some virtual machines that are in-scope for PCI, while other VMs running on the same hardware are out-of-scope. If you're accustomed to PCI's usual generalized, loophole-laden language, you're in for a shock. The bottom-line recommendation for mixed-mode environments comes down to three words: Don't do it.

OK, it's not quite that blunt, but it's close. "It is strongly recommended [and a basic security principle] that VMs of different security levels are not hosted on the same hypervisor or physical host; the primary concern being that a VM with lower security requirements will have lesser security controls, and could be used to launch an attack or provide access to more sensitive VMs on the same system," the guidelines say.

They continue: "This principle should also be applied if in-scope and out-of-scope virtual systems are to be located on the same host or hypervisor. As a general rule, any VM or other virtual component that is hosted on the same hardware or hypervisor as an in-scope component would also be in scope for PCI DSS, as both the hypervisor and underlying host provide a connection (either physical, logical or both) between the virtual components, and it may not be possible to achieve an appropriate level of isolation, or segmentation, between in-scope and out-of-scope components located on the same host or hypervisor."

In fact, the guidelines do state plainly—and repeatedly—that if any component on a piece of server hardware is in-scope, then the hardware itself is in-scope for PCI DSS.

"In order for in-scope and out-of-scope VMs to co-exist on the same host or hypervisor, the VMs must be isolated from each other such that they can effectively be regarded as separate hardware on different network segments with no connectivity to each other," the PCI clarifications said. "Even if adequate segmentation between virtual components could be achieved, the resource effort and administrative overhead required to enforce the segmentation and maintain different security levels on each component would likely be more burdensome than applying PCI DSS controls to the system as a whole."

This being PCI, the guidelines then go on to explain what's required if a merchant decides to try it anyway.This being PCI, the guidelines then go on to explain what's required if a merchant decides to try mixing in-scope and out-of-scope components on the same hardware anyway—drilling down to the controls required for out-of-band communication channels and virtual storage. But it's clear, from the point of view of these recommendations, that's the wrong way to go.

The guidelines take the same harder-than-usual line on cloud computing services. After laying out how hard it is to make sure an in-scope application in the cloud is secure, the guidelines said: "These challenges may make it impossible for some cloud-based services to operate in a PCI DSS compliant manner. Consequently, the burden for providing proof of PCI DSS compliance for a cloud-based service falls heavily on the cloud provider, and such proof should be accepted only based on rigorous evidence of adequate controls."

How heavily? "The cloud provider should be prepared to provide their hosted customers with evidence that clearly indicates what was included in the scope of their PCI DSS assessment as well as what was not in scope; details of controls that were not covered and are therefore the customer's responsibility to cover in their own PCI DSS assessment; details of which PCI DSS requirements were reviewed and considered to be 'in place' and 'not in place'; and confirmation of when the assessment was conducted," the clarification said.

Admittedly, it's a little easier for PCI guidelines to avoid waffling when it comes to virtualization. This is largely a matter of reshuffling applications to consolidate existing hardware, and all the old PCI rules about securing and isolating in-scope systems are already in place. So are the lists of PCI-compliant applications.

That means the working group could focus just on the new layer of technology—technology that, in the case of virtualization, has been in use in many datacenters for years. That practical experience translates into PCI recommendations that, for once, are clean and clear. You can actually hand the guidelines to datacenter operations people and they'll have a prayer of understanding them.

Enjoy those very specific (and very helpful) recommendations while you can. An upcoming major set of PCI guidelines for a hot new technology will be those for mobile payments—an area that involves new applications, technology that's in the hands of users and almost impossible to control, and a widespread lack of consistent understanding of how to make it secure for payments.

When those recommendations arrive next year, you'll need all the help you can get.