PCI-DSS for Cloud and Virtualization
The Hypervisor is Always In Scope
You want to virtualize more of your environment, including the Cardholder Data Environment (CDE), but you need to maintain compliance with standards such as PCI-DSS. Indeed, the virtualization of PCI in-scope applications is now very common, and under PCI-DSS the virtual platform or hypervisor (such as vSphere or KVM) is always in scope. This means that PCI-DSS requirements apply to hypervisors that are running workloads which are part of the Cardholder Data Environment. Furthermore, under PCI 3.1, Business As Usual (BAU) guidance helps drive the need for continuous compliance, rather than just focusing on annual audits. Finally, many organizations are considering the use of “mixed mode” virtual environments, in which CDE and non-CDE workloads co-exist on the same hypervisors. This adds complexity both for the IT organizations that must maintain compliance and for the assessors conducting audits.
Unfortunately, platforms such as VMware vSphere and KVM do not provide the controls and logging of administrator activity needed to meet any of these requirements. Compliance efforts typically require, at a minimum, a unique user ID recorded for every permitted (and every blocked) operation, together with other essential audit information.
HyTrust CloudControl offers the most complete solution available for administrator and configuration controls on VMware vSphere and vCenter infrastructure. As such, it allows organizations to meet PCI DSS requirements for admin activity and infrastructure configuration on virtual environments in an operationally efficient manner. Specifically, CloudControl supports 28 controls in the following PCI DSS sections:
- Section 2: Vendor Defaults
- Section 6: Secure Systems
- Section 7: Restrict Access to Cardholder Data
- Section 8: Identify and Authenticate Access
- Section 10: Track and Monitor All Access
In addition, CloudControl supports a further six recommendations in the Virtualization Guidelines Document, as well as one Best Practice recommendation and one Sampling example.
HyTrust CloudControl also fully supports mixed-mode PCI deployments with the following controls and functions for both administrative and logical segmentation:
- Enforced workload (VM) placement
- Configuration hardening to eliminate segmentation violations
- Administrator role separation (PCI vs. Non-PCI)
- Independent logging of PCI workloads
HyTrust DataControl provides NIST-approved encryption and strong key management to help organizations address PCI Requirement 3, “Protect Stored Data.” DataControl encryption was designed to encrypt virtual machine data, and unlike disk encryption, is able to travel with the virtual machine, ensuring data is secure from the moment a VM is created, including replication for backup or disaster recovery purposes. All keys are stored securely, in accordance with all key management guidelines of PCI.