Saturday, June 18, 2011

PCI - Information supplement on virtualization

The PCI Council has released a new information supplement on virtualization. It is the definitive guide for organizations looking to implement virtualization in their cardholder data environment. Some of the highlights from the document:

There are four simple principles associated with the use of virtualization in cardholder data environments:

a. If virtualization technologies are used in a cardholder data environment, PCI DSS requirements apply to those virtualization technologies.

b. Virtualization technology introduces new risks that may not be relevant to other technologies, and that must be assessed when adopting virtualization in cardholder data environments.

c. Implementations of virtual technologies can vary greatly, and entities will need to perform a thorough discovery to identify and document the unique characteristics of their particular virtualized implementation, including all interactions with payment transaction processes and payment card data.

d. There is no one-size-fits-all method or solution to configure virtualized environments to meet PCI DSS requirements. Specific controls and procedures will vary for each environment, according to how virtualization is used and implemented.

The document lists the general recommendations as follows:

General Recommendations

  • Evaluate risks associated with virtual technologies
  • Understand impact of virtualization to scope of the CDE
  • Restrict physical access
  • Implement defense in depth
  • Isolate security functions
  • Enforce least privilege and separation of duties
  • Evaluate hypervisor technologies
  • Harden the hypervisor
  • Harden virtual machines and other components
  • Define appropriate use of management tools
  • Recognize the dynamic nature of VMs
  • Evaluate virtualized network security features
  • Clearly define all hosted virtual services
  • Understand the technology

The document can be downloaded from here.
