Virtualization and PCI DSS 1.2.1
Will PCI 2.0 Bring Virtual Relief to Real Questions?
PCI Data Security Standard (PCI DSS) 1.2.1, which is a set of standards for retail and other verticals that defines the requirements for security compliance, is relatively simple and straightforward. 12 requirements define the spirit and intent of the standard. These are good, common sense guidelines and best practices that are derived from decades of experience keeping customer data secure. However, there are areas where PCI DSS could do a better job of handling what has become common, well accepted practices; virtualization is one of those areas.
Section 2.2.1 of PCI 1.2.1 states “Implement only one primary function per server.” Specifically it says that “web servers, database servers, and DNS” should be implemented on separate servers. This makes sense and seems completely reasonable until you reflect on the fact that in a virtualized environment you might have a single server (hypervisor) with a number of virtual machines (VMs) or logical domains (depending on who built your box).
Currently, the question of whether or not multiple VMs on a single piece of hardware is considered multiple servers has been left to the informed judgment of the Qualified Security Assessors that are performing compliance audits. For example, let’s say you have Oracle databases on a few VM instances and perhaps Apache and Weblogic servers on several other VM instances, with each instance (i.e. Oracle database, Apache web server, etc.) on its own separate virtual machine. If these VMs share the same hypervisor on the same piece of hardware, do they count as one machine or several different machines?
The good news is that it is well understood and accepted that the current 1.2.1 version of PCI DSS can be improved, particularly in regard to virtualization. Fortunately the PCI Security Standards Council understands that virtualization is a necessity in the modern data center and in fact there is a PCI Special Interest Group that has made suggestions that will likely be incorporated into PCI DSS 2.0, including an update to requirement 2.2.1 that will clarify the intent of “one primary function per server” and the use of virtualization. Interested readers can see the full PCI DSS 2.0 and PA-DSS 2.0 summary of changes on the PCI website. The new standards should be available by the end of October 2010. In the meantime, why not check out the Cisco page on PCI DSS compliance to see how we can help you keep the bad guys away and your data out of the hands of the miscreants.