HyTrust announced today that it has joined the Virtualization Special Interest Group of the Payment Card Industry (PCI) to provide leadership as the industry seeks to establish an official position on the subject.
"The PCI Security Standards Council has shown tremendous foresight in providing rules designed to protect cardholder data," says Eric Chiu, HyTrust CEO. "The intersection of virtualization and compliance represents unchartered territory for many of the organizations that are subject to PCI compliance, however. We look forward to providing our unique insight and expertise into the issues and working alongside the council to deliver specific guidance for virtualized PCI-related infrastructure."
In advance of the emerging PCI requirements for virtual infrastructure, HyTrust has jointly published a new white paper with Protiviti Inc., a global business consulting and internal audit firm and a fellow member of the PCI Virtualization Special Interest Group. The paper aims to provide guidance to organizations that have adopted virtualization but remain unclear about its implications within PCI-compliant infrastructure.
Virtualization, given its powerful capabilities, requires special consideration within the context of compliance. Virtualized application servers that encapsulate payment card data drive compliance considerations both for their virtual machines and for the underlying hypervisors. Dedicated virtualized network devices, firewalls, intrusion detection systems, and storage are no longer tied to hardware or physically locked down in a datacenter; they can now be reconfigured, relocated, or even disabled by remote administrators with privileged access, a worrisome prospect for any organization that relies on virtualized critical infrastructure for security and compliance. This administrative flexibility, combined with inconsistent access control and disparate logs, creates a significant compliance challenge.
"Virtualization technology introduces another piece of software or application that must be managed, patched and secured properly to ensure the security of the virtual system," says Scott Laliberte, a managing director in Protiviti's IT Effectiveness and Control practice. "In the current age of virtualization and the significant performance and cost benefits it can provide, we must consider the virtualized system but ensure it truly presents the same risk as that of a single system."
HyTrust has identified six key areas of concern, unique to virtualized infrastructure and applications subject to compliance, that need to be addressed with proper IT controls. Each of the following six areas of concern is covered in greater detail in the white paper:
- Inconsistent access control and undefined access path
- Separation of duties
- Manual log collection
- Assessment and remediation
- Critical infrastructure virtual appliances
- Virtual machine sprawl
"As the standards continue to evolve, organizations are hard pressed to balance the obvious cost benefits of virtualization along with the risks. One of our primary goals is to keep organizations ahead of this critical issue," says Hemma Prafullchandra, chief security architect at HyTrust. "In the absence of clear, yet-to-be-defined standards, HyTrust has made available a new PCI configuration template for HyTrust Appliance that maps the various control objectives to specific checks and remediation capabilities for VMware infrastructure."