PCI-DSS for Cloud and Virtualization
The Hypervisor is Always In Scope
You want to virtualize more of your environment, including the Cardholder Data Environment (CDE), but you need to maintain compliance with standards such as PCI-DSS. Indeed, the virtualization of PCI in-scope applications is now very common, and under PCI-DSS the virtual platform or hypervisor (such as vSphere or KVM) is always in scope. This means that PCI-DSS requirements apply to hypervisors running workloads that are part of the Cardholder Data Environment. Furthermore, under PCI 3.2, Business As Usual (BAU) guidance helps drive the need for continuous compliance, rather than just focusing on annual audits. Finally, many organizations are considering the use of “mixed mode” virtual environments, in which CDE and non-CDE workloads co-exist on the same hypervisors. This adds to the complexity faced by IT organizations that need to maintain compliance, as well as the complexity faced by assessors conducting audits.
Unfortunately, platforms such as VMware vSphere and KVM do not provide the controls and logging of administrator activity needed to meet any of these requirements. Typically, compliance efforts will require, at the least, unique user IDs for all permitted (and all blocked) operations, in addition to other essential information gathered.
HyTrust CloudControl offers the most complete solution available for administrator and configuration controls on VMware vSphere and vCenter infrastructure. As such, it allows organizations to meet PCI-DSS requirements for admin activity and infrastructure configuration on virtual environments in an operationally efficient manner.