Executive Viewpoint: Rich Miller, Replicate Technologies
By Rich Miller, published Wednesday, December 24, 2008
Beefing Up Standards: Best Practices for Virtual Infrastructure and PCI DSS
With its ability to provide substantial savings in both capital
and operational expenses, virtualization will be an increasingly attractive
technology for adoption by the IT organizations of commercial merchants. 2009
will be the year we see more commercial merchants deploy virtualization not
just for development and test, but to create a more flexible and resilient data
center, in support of their product computing needs. However, the increased and
expanded use of virtualization will further raise the need to agree on best
practices, standards and the tools by which assessors can address and audit compliance
with respect to security in virtual environments.
While the recently released Payment Card Industry's Data
Security Standard (PCI DSS) version 1.2 doesn't include virtualization in the
scope of its specifications, we can't wait and should not need to develop
standards from scratch. There are a
number of security specifications for virtual hosts which, if adopted, would be
a reasonably objective basis for standards and best practices. With these
standards in place, there is little reason why application vendors cannot
address the issue of security compliance with respect to the use of virtualized
infrastructure (the hosts and networks) as well as the virtualization of the
applications themselves.
This same tale is going to be told multiple times, and it's important to
remember that virtualization security is not just about PCI, but also will
impact standards and regulations like Sarbanes-Oxley, as well as the standards
for data security and processing security in the emerging cloud computing
environments of software as a service (SaaS) and infrastructure as a service
(IaaS) which rely heavily on infrastructure virtualization. Virtualization will
also affect application vendors who often do not take into account the security
of their application while running in a virtual as opposed to traditional
environment.
VMware recently announced it will participate in PCI SSC in
order to ensure future standards address virtualization in a methodical,
uniform manner. For commercial merchants who need to adhere to PCI DSS, this
will be a double-edged sword. On the one hand, merchants will have a set of
best practices to follow and use to ensure proper data center operation and
security - or at least assure them that they're in compliance. On the other
hand, merchants will have to believe in the ability of their IT providers to adequately
address data center complexity and the additional administrative and
operational burden that virtualization represents. If the price they have to pay is too great,
the implementation of virtualization in the Payment Card Industry will be slow
to reach the production systems.
In 2009 and beyond, companies will need to take stock of
their virtualized data centers in order to prepare for future security
standards and compliance regulations. Emerging solutions can assist
organizations by providing tools to analyze infrastructure and provide
preventive measures and remediation. Companies may meticulously plan their
virtualization integrations and implementations, but without gathering
information from the data center as a whole, significant security gaps will
continue to exist. As the PCI DSS debate on virtualization and security
continues, organizations will only have a short time before defined standards
of compliance come into play.
Silicon Valley veteran Rich Miller brings extensive management and network
technology experience to his role as CEO of Replicate Technologies. Prior
to Replicate, Rich served as Chief Operating Officer of Univa UD, a leader in
high-performance computing and data center automation software. He has also founded
or been on the initial executive team of several successful technology startups
in the areas of security, wireless networks, and networked services --
including InfoMedia, Rapport Communication, Telematica and Breo Consulting. In
addition, Rich has served as a lead consultant on a number of technology and
global strategic engagements for such companies as AT&T, IBM, and Palm
Computing. Rich received a B.A. in Political Science and an M.A. in Information
Science and Communication Research from Stanford University.