2010 Prediction: Tom Ashoff, Sourcefire
New PCI Standards Will Fuel Demand for Virtualization Security
Virtualization is now a mainstream technology for deploying production applications, and interest in virtualization security is also growing steadily. As one indicator, the annual VMworld conference held three times as many security-related sessions as it did the previous year, and many of these sessions were standing-room only. This heightened interest, however, has not yet been fully converted into increased purchases of virtualization security (VirtSec) solutions such as virtual firewall or IPS/IDS appliances. In 2009 many organizations held off on VirtSec purchases, either because of budget constraints or because they wanted to first make organizational and policy adjustments to better tackle the challenges of managing and securing virtual infrastructure.
Demand for VirtSec products should increase dramatically when standards such as the Payment Card Industry’s Data Security Standard (PCI-DSS) become more explicit in addressing virtual infrastructure. Until now, auditors have had to apply their own subjective judgment about whether virtual networks meet regulatory requirements, but this will change. The PCI Council now has a Virtualization Special Interest Group that is studying how virtualization affects the security of credit card data and whether technologies such as virtual switches, firewalls and IPS could help mitigate risks. We can expect that the next revision of the PCI Standard due in October 2010 will have specific virtualization requirements.
Below are a few steps that forward-thinking organizations should take to deploy security best practices and begin laying the groundwork in preparation for the anticipated PCI VirtSec mandates later next year.
- As you would with a physical system, “harden” the hypervisor layer and the administrative layer to minimize security vulnerabilities. System hardening ensures your virtualized systems are configured with the proper security settings, unused components are removed, and the latest patches are applied. A variety of hardening guides are available and organizations should consult with internal and external auditors to identify the most effective hardening guide for their environment.
- Once your virtualized environment is hardened, maintain proper configuration and change management on a continuous basis to ensure the right settings and patches are in place, that security policies are met, and that any changes are authorized. Configuration and change management are more complex in a virtualized environment because changes can be made quickly and easily, making it difficult to track system profiles. Processes and solutions that document configuration and change management will prove critical to demonstrating compliance.
- Maintain separation between administrative functions even though virtualization vendors provide software to consolidate the management of server, network and security infrastructure. Define specific roles and privileges to limit administrative access to the hypervisor.
- Maintain the same level of network segmentation and security among your virtual systems as you do with your physical systems. Use virtual switches and firewalls to isolate systems holding critical information such as personally identifiable information (PII), payment card and financial data. Use security devices such as virtual IDS/IPS to provide visibility into critical networks and reduce the risk of unauthorized network access.
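The four steps above, expressed as checks over a constructed inventory, as an added example that is not from the original article or from Sourcefire. The baseline keys, role names, VM scope tags and vswitch attributes are assumptions for illustration, not settings of any particular hypervisor product.

```python
# Added example: audit a virtual environment against the four recommendations.
# All names, keys and sample data below are constructed for illustration.

# Hardened baseline a hypervisor host is expected to match (assumed keys).
BASELINE = {"ssh_service": "disabled", "shell_timeout": "600", "patch_level": "2009-12"}

# Pairs of administrative roles that one account must not hold together (assumed).
SEPARATED_ROLES = [("hypervisor_admin", "network_admin"), ("hypervisor_admin", "security_admin")]

def config_drift(current, authorized_changes, baseline=BASELINE):
    """Settings that differ from the baseline without an authorized change record."""
    return [(k, v, current.get(k)) for k, v in baseline.items()
            if current.get(k) != v and k not in authorized_changes]

def role_conflicts(accounts):
    """accounts: {user: set of roles}. Users holding roles that should be separated."""
    return sorted(u for u, roles in accounts.items()
                  if any({a, b} <= roles for a, b in SEPARATED_ROLES))

def segmentation_gaps(vms, vswitches):
    """A PCI-scope VM must not share a vswitch with out-of-scope VMs, and its
    vswitch must be fronted by a virtual firewall and watched by a virtual IDS/IPS."""
    findings = []
    for sw, attrs in vswitches.items():
        scopes = {vm["scope"] for vm in vms if vm["vswitch"] == sw}
        if "pci" not in scopes:
            continue  # out-of-scope switch; no PCI requirement applies
        if scopes != {"pci"}:
            findings.append((sw, "PCI and non-PCI VMs share one vswitch"))
        if not attrs.get("firewall"):
            findings.append((sw, "no virtual firewall in front of PCI vswitch"))
        if not attrs.get("ids"):
            findings.append((sw, "no virtual IDS/IPS visibility on PCI vswitch"))
    return findings

# Constructed snapshot of a small environment.
SAMPLE_CONFIG = {"ssh_service": "enabled", "shell_timeout": "600", "patch_level": "2009-10"}
SAMPLE_AUTHORIZED = {"patch_level"}  # a change ticket covers the older patch level
SAMPLE_ACCOUNTS = {"alice": {"hypervisor_admin", "network_admin"}, "bob": {"security_admin"}}
SAMPLE_VMS = [{"name": "card-db", "scope": "pci", "vswitch": "vs-pci"},
              {"name": "intranet-web", "scope": "other", "vswitch": "vs-pci"},
              {"name": "hr-app", "scope": "other", "vswitch": "vs-corp"}]
SAMPLE_VSWITCHES = {"vs-pci": {"firewall": True, "ids": False},
                    "vs-corp": {"firewall": False, "ids": False}}

def run_checks():
    """Return findings per recommendation; empty lists mean the check passed."""
    return {"drift": config_drift(SAMPLE_CONFIG, SAMPLE_AUTHORIZED),
            "role_conflicts": role_conflicts(SAMPLE_ACCOUNTS),
            "segmentation": segmentation_gaps(SAMPLE_VMS, SAMPLE_VSWITCHES)}

if __name__ == "__main__":
    for check, findings in run_checks().items():
        print(check, findings or "ok")
```

The unauthorized SSH change is reported while the ticketed patch-level difference is not, one account is flagged for combining hypervisor and network administration, and the PCI vswitch is flagged for mixed scope and missing IDS/IPS coverage.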
By following these recommendations now, virtualization experts can be more confident that their virtual infrastructure will comply with the next PCI Standard.