

Using PCI DSS for a secure virtual machine setup

When plotting out your VMware environment, think about using PCI DSS requirements to secure data in a virtual machine.

The more personal information is stored online, the more likely it is that unauthorized people will attempt to access it. Anyone who has had to cancel a credit card because of suspicious activity or fraudulent charges knows what a pain it is. Beyond the inconvenience, there is an invasive feeling when personal information is compromised.

This raises the question: how big is the problem? The Bureau of Justice Statistics has some sobering figures on identity theft. In 2012, the most recent year for which results are available, 7% of all persons 16 or older in the U.S. experienced at least one incident of identity theft during the year. The losses are substantial, to the tune of $24.7 billion. In comparison, all other property crimes measured by the National Crime Victimization Survey amounted to $14 billion. A lack of security in systems that handle non-public information is clearly a real, ongoing problem.

Recognizing the importance of keeping personal and financial data secure, particularly data tied to credit and debit accounts, the Payment Card Industry (PCI) Security Standards Council has produced the Data Security Standard (DSS), which is currently at version 3.1. The PCI Security Standards Council is an open forum responsible for the development of the PCI standards; its founding global brands are American Express, Discover Financial Services, JCB International, MasterCard and Visa Inc. Though you may never have heard of PCI DSS, the purpose and guidelines contained within it affect almost everyone who uses "plastic" to pay for anything. The council issues requirements for merchants, vendors and security consulting companies to prevent theft of cardholder information and stem credit card fraud.

Perhaps the greatest benefit to payment companies of meeting PCI requirements is the security it provides to their most valuable asset: their customers. A good reputation is worth a great deal; a bad one is really difficult to overcome.

The PCI DSS was developed to assist organizations in the payments industry to implement best practices for securing sensitive data, particularly data unique to the industry. However, we would be remiss if we dismissed this standard just because our organization or enterprise does not handle payment data or process transactions. Indeed, the guidelines that PCI DSS spells out, particularly in regard to using virtualization technology, can be helpful to any institution that desires to protect sensitive data. Compliance with PCI DSS, along with other standards specific to your industry, will help ensure you are using best security practices for the safeguarding of non-public information. A secure environment is good for an organization, its clients and its employees.

Eliminating the weakest link

Thankfully, PCI DSS contains requirements for the use of virtualization technologies in a PCI compliant environment. In particular, Requirement 2.2.1 says to implement only one primary function per server, so that functions requiring different security levels do not coexist on the same system, and its note on virtualization extends this to virtual system components: one primary function per virtual machine.

The guidance explains the risk: when a system hosts more than one primary function, the function with the lowest security level can introduce weaknesses into the others. This makes sense if you apply the analogy that a chain is only as strong as its weakest link. For example, hosting a wide-open public website and a critical database on the same virtual server is asking for trouble: a flaw in the web application gives an attacker a foothold on the very guest that holds the data. It is much better, and in line with the requirement, to put these functions on separate virtual servers and tailor the hardening of each server to its single function. The network paths between those servers then need the same attention: allow only the specific ports the application path needs (for example, the web tier to the database port, and nothing from untrusted networks to the database at all), so that the exposure of a lower-security function is not carried across to another server. Implementing single server, single function therefore means taking a high-level view of each server and everything it can reach.
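The two checks described above, one primary function per guest and narrowly scoped network paths between guests, can be audited from an inventory export. The following script is an added example, not code from the article or from the PCI Security Standards Council. The inventory layout, the port-to-function map, the tier policy (only the web function may be reachable from an untrusted "any" source) and the sample VMs and firewall rules are assumptions constructed for illustration; a real audit would pull the VM list from vCenter or PowerCLI and the listening ports from `ss -lntp` on each guest.

```python
"""Audit a VM inventory against PCI DSS Requirement 2.2.1 (one primary
function per server or virtual system component) and flag network allow
rules that would carry a lower-security function's exposure onto another guest.

Added example: the port-to-function map, the policy and the sample data are
assumptions constructed for illustration, not the standard's own lists.
"""
from typing import Dict, Iterable, List, Set, Tuple

# Assumed mapping from listening TCP ports to the primary function they indicate.
PORT_FUNCTION: Dict[int, str] = {
    80: "web", 443: "web", 8080: "web",
    3306: "database", 5432: "database", 1433: "database",
    53: "dns",
    25: "mail", 587: "mail",
    389: "directory", 636: "directory",
}
# Assumed management/agent ports; these are not counted as a primary function.
MANAGEMENT_PORTS = {22, 161, 5985, 5986}
# Assumed policy: only these functions may be reachable from an untrusted ("any") source.
INTERNET_FACING = {"web"}

Rule = Tuple[str, str, object]  # (source VM or "any", destination VM, port or "any")


def primary_functions(listening_ports: Iterable[int]) -> Set[str]:
    """Map a guest's listening ports to the set of primary functions it serves."""
    return {PORT_FUNCTION[p] for p in listening_ports if p in PORT_FUNCTION}


def find_multi_function_vms(inventory: Dict[str, List[int]]) -> Dict[str, List[str]]:
    """Guests that serve more than one primary function: a Requirement 2.2.1 finding."""
    findings = {}
    for name, ports in inventory.items():
        funcs = primary_functions(ports)
        if len(funcs) > 1:
            findings[name] = sorted(funcs)
    return findings


def unclassified_ports(inventory: Dict[str, List[int]]) -> Dict[str, List[int]]:
    """Listening ports the map does not recognise. Each needs a manual decision
    before the guest can be signed off as single-function."""
    out = {}
    for name, ports in inventory.items():
        unknown = sorted(p for p in ports if p not in PORT_FUNCTION and p not in MANAGEMENT_PORTS)
        if unknown:
            out[name] = unknown
    return out


def find_overbroad_rules(rules: List[Rule]) -> List[Tuple[str, str, object, str]]:
    """Allow rules that defeat the separation: blanket any-port rules, or an
    untrusted source reaching a function or management port that is not meant
    to be internet-facing. Returns (src, dst, port, reason)."""
    flagged = []
    for src, dst, port in rules:
        if port == "any":
            flagged.append((src, dst, port, "all ports open: every service on the guest is exposed"))
            continue
        func = PORT_FUNCTION.get(port)
        if src == "any" and func not in INTERNET_FACING:
            what = func or ("a management port" if port in MANAGEMENT_PORTS else "an unclassified port")
            flagged.append((src, dst, port, f"untrusted source reaches {what}"))
    return flagged


# Constructed sample inventory: VM name -> listening TCP ports observed on the guest.
INVENTORY: Dict[str, List[int]] = {
    "web01": [22, 80, 443],
    "db01": [22, 3306],
    "legacy01": [22, 80, 443, 3306],  # web and database on one guest
    "dns01": [22, 53],
    "app01": [22, 8443],              # 8443 is not in the map: needs review
}

# Constructed sample allow rules from the virtual firewall between guests.
RULES: List[Rule] = [
    ("any", "web01", 443),        # expected: public web tier
    ("web01", "db01", 3306),      # expected: web tier to database port only
    ("any", "legacy01", "any"),   # blanket rule into a mixed-function guest
    ("web01", "db01", "any"),     # wider than the application path needs
    ("any", "db01", 3306),        # database reachable from untrusted networks
]

if __name__ == "__main__":
    for vm, funcs in find_multi_function_vms(INVENTORY).items():
        print(f"2.2.1 finding: {vm} hosts {', '.join(funcs)}")
    for vm, ports in unclassified_ports(INVENTORY).items():
        print(f"review needed: {vm} listens on unclassified ports {ports}")
    for src, dst, port, reason in find_overbroad_rules(RULES):
        print(f"rule {src} -> {dst}:{port} flagged: {reason}")
```

Run against the sample data, the script reports legacy01 as a mixed web/database guest, asks for a decision on app01's port 8443, and flags the two any-port rules and the database port open to untrusted sources. The unclassified-port list is the important caveat: a port the map does not know about is neither proof of a second function nor proof of its absence, so the audit should not be signed off until someone classifies it.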

This requirement is well thought out and represents a best practice for any industry that values the security of its systems. Virtualization has made it attainable, because hardware can be used far more efficiently than by allocating a separate physical server to each function. Planning server resources with this requirement in mind provides a better level of security and leaves room to apply stronger, function-specific controls to each primary function as they become available. One caveat: separating functions across virtual machines does not take the hypervisor out of the picture. If any guest on it is in scope for PCI DSS, the hypervisor is in scope too, and a compromise there crosses every boundary drawn between the guests.

Security is a moving target, and requires constant vigilance. The PCI DSS is an excellent example of an industry producing security standards that are beneficial for their specific industry, their customers and the wider field of IT. Applying their requirements for separation of primary functions between servers is a good idea that all should consider adopting.
