By Tim Cranny
Panoptic Security Inc.
Virtualization is a hot topic. Many people in the payments industry are being forced to deal with the question of what happens when virtualization meets the Payment Card Industry (PCI) Data Security Standard (DSS) and related PCI standards. It turns out to be a complicated and important issue. So, this article will look at what virtualization is and how it impacts PCI and security in general.
Virtualization is not a single technology: It is an entire approach to building and operating technology infrastructure. The key idea is this: a modern technology environment needs to perform many different tasks, which usually means maintaining a lot of different servers.
Yet modern computers are very powerful, often more powerful than any single task really needs. One approach is to buy enough servers to dedicate each one to a single function. But running dedicated servers at partial capacity is inefficient and expensive. You wind up paying a lot to get more computing power than you truly need. An alternative approach is to simply buy fewer servers and load them to perform multiple jobs. This saves money, but can be very messy and inflexible. Sometimes, different programs need fundamentally different types of servers, and programs can interfere with each other and cause problems. And at times, certain tasks need temporary additional capacity on their own servers, making the sharing of servers problematic.
It seems we want an impossible combination. We wish we could run many tasks on a single server to save money. Yet we also wish we could have all these tasks running on their own servers to ensure that the programs don't interfere with each other. And for true flexibility, we'd also like the ability to magically create new servers of whatever type we need, when we need them. On a day when the web servers are being hammered, we want more web servers to become instantly available.
Virtualization technology comes surprisingly close to granting us all three of these wishes. Instead of just loading multiple tasks onto a single powerful server and hoping they live happily together, we use virtualization to simulate multiple "virtual" servers that run software side by side on the server hardware. This way, we can run different tasks within different virtual servers.
The real hardware server is therefore handling multiple tasks - our first wish - but each task is isolated as a single virtual machine (VM). And each VM uses just the right server type and operating system for its particular task - our second wish. Furthermore, if the real server has enough capacity, we can create more virtual web or database servers whenever we need them - our third wish.
Virtualization can work surprisingly well and lead to dramatic savings and efficiency in setting up a modern computer center. This is why so many organizations are moving to virtualized environments.
But it is critical that they realize virtualization was never intended to be a security boost for organizations. In fact, the technology introduces more security problems than it solves. We need to consider and address the reasons for this when evaluating an operation's PCI status.
The first and most fundamental point is that virtualization is complicated compared to the traditional inefficient-but-simpler server approach. And complexity is always the enemy of security. In a virtualized world, we have more things to worry about, such as a greater attack surface. You have to worry about the virtual machines and everything they do, which is almost identical to the security issues of nonvirtual servers.
Additionally, you have to worry about the real hardware server that underlies the virtual machines and the new virtualization-specific software that is required. The real server uses "hypervisor" software, which manages the VMs. The hypervisor is also called a virtual machine manager. If the real server or the hypervisor is taken over by an attacker, it follows that the virtual machines are also compromised.
Secondly, virtualization is still a young technology, which means the solutions and their security are still untested by time and experience. There could be systematic weaknesses with the current solutions that we haven't stumbled across. Furthermore, people don't have a deep pool of experience with virtualization security from which to draw.
Thirdly, some security concerns arise directly from the nature of virtualization. Potential weaknesses can come from data or attacks leaking from one virtual machine to another on the same underlying hardware server, from the VM to the hardware server or from the hardware server to the VM.
The situation becomes particularly complicated when you maintain multiple virtual machines of differing security levels - for example a highly secured VM side by side with a less-secure sibling VM - together on a single hardware server.
Another situation occurs only in a virtualized environment: the entire virtual machine is ultimately software and data that can be captured, even accidentally, as part of a software image or backup of the real server.
This capture includes all the sensitive data the virtual machine was using at the time. Furthermore, a virtual server can easily be put into a dormant state that cuts it off from system updates and normal protective measures.
Virtualization can be particularly messy from a PCI perspective, because much of the PCI DSS operates on the fundamental idea of scope: which systems are in play and which are not. Virtualization, by its very nature, confuses that issue.
Given all these problems, what should you do to protect a virtualized environment and your PCI compliance status? The PCI Security Standards Council recently released an information supplement (available at www.pcisecuritystandards.org/documents/Virtualization_InfoSupp_v2.pdf), which lays out the problems and offers advice.
Most of the advice is good and reasonable. But it is also regrettably very general and high level - for example, "Implement defense in depth," which is never wrong. The document is certainly worth reading, both to understand virtualization better and to plan the changes your security program will eventually need. At the end of the day, the key takeaway should be that virtualization can offer larger organizations significant savings in terms of infrastructure and resource management. But the technology complicates rather than simplifies security and compliance issues.
Organizations need to consider these negatives as well as the positives before deciding how to proceed. The worst possible approach is to ignore the security problems raised by the new technology.
Tim Cranny is an internationally recognized security and compliance expert and is Chief Executive Officer of Panoptic Security Inc. (www.panopticsecurity.com). He speaks and writes frequently for the national and international press on compliance and technology issues. Contact him at tim.cranny@panopticsecurity.com or 801-599-3454.
The Green Sheet Inc. is now a proud affiliate of Bankcard Life, a premier community that provides industry-leading training and resources for payment professionals. Click here for more information.
Notice to readers: These are archived articles. Contact names or information may be out of date. We regret any inconvenience.
Prev Next
