Virtualization Standards and Compliance

Niranjana S. Karandikar, MSc II, Sem 4

Description: PCI DSS and Virtualization

Transcript of Virtualization Standards and Compliance

Page 1: Virtualization Standards and Compliance

Virtualization Standards & Compliance

Niranjana S. Karandikar, MSc II, Sem 4

Page 2: Virtualization Standards and Compliance

Contents

• Introduction

• Need

• Standards

• Compliance

• PCI DSS and Virtualization

• Risks in Virtual Environments

• PCI DSS Requirements

Page 3: Virtualization Standards and Compliance

Virtualization

• Logical abstraction of computing resources

• Workload equivalent to a physical machine

• Faces the same threats as a physical machine

• Security needed

Page 4: Virtualization Standards and Compliance

Need

• Increased use of VMs

• VMs are movable

• Handling of sensitive data

• Single point of compromise

Page 5: Virtualization Standards and Compliance

Standards

• DMTF (Distributed Management Task Force)

• OVF (Open Virtualization Format)

• VMAN (Virtualization Management Initiative)

Page 6: Virtualization Standards and Compliance

DMTF

• 2007

• “Simplify and provide ease-of-use for the virtual environment by creating an industry standard for system virtualization management.” (Winston Bumpus, President, DMTF)

• DMTF announced the availability of the OVF standard for delivering VMs, together with the new VMAN initiative.

Page 7: Virtualization Standards and Compliance

OVF

• Virtualization platform-independent

• Supports a full range of current virtual hard disks and is extensible to deal with future formats

• Not reliant on the use of any specific host platform, virtualization platform, or guest operating system.

• OVF is a portable format that allows deployment on any hypervisor that supports it.
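Because OVF packages travel between platforms (the "VMs are movable" point above), an OVF package carries a manifest file (.mf) listing a digest for every member in the form `ALGO(file-name)= hexdigest`, so the receiving side can detect an altered, missing or smuggled-in disk image before importing it. The check below is an added example, not code from the slides or from DMTF; the package contents are constructed in memory and the file names are made up.

```python
import hashlib
import hmac
import re

# OVF manifest (.mf) lines have the form "SHA256(file-name)= hexdigest";
# SHA1 appears in older packages and SHA512 is also permitted.
MANIFEST_LINE = re.compile(
    r"^(?P<algo>SHA1|SHA256|SHA512)\((?P<name>[^)]+)\)=\s*(?P<digest>[0-9a-fA-F]+)$"
)

def parse_manifest(text):
    """Map each listed file name to (hashlib algorithm name, expected hex digest)."""
    entries = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        m = MANIFEST_LINE.match(line)
        if m is None:
            raise ValueError(f"malformed manifest line {lineno}: {raw!r}")
        entries[m.group("name")] = (m.group("algo").lower(), m.group("digest").lower())
    return entries

def verify_package(files, manifest_text):
    """Return {member name: 'ok' | 'mismatch' | 'missing' | 'unlisted'}.

    `files` maps a package member's name to its bytes. Members the manifest does
    not list are flagged too, so an extra disk added to the package is noticed.
    """
    expected = parse_manifest(manifest_text)
    report = {}
    for name, (algo, digest) in expected.items():
        if name not in files:
            report[name] = "missing"
            continue
        actual = hashlib.new(algo, files[name]).hexdigest()
        report[name] = "ok" if hmac.compare_digest(actual, digest) else "mismatch"
    for name in files:
        report.setdefault(name, "unlisted")
    return report

def build_manifest(files, algo="sha256"):
    """Write a manifest for a file set; used here only to construct the sample."""
    return "".join(f"{algo.upper()}({n})= {hashlib.new(algo, d).hexdigest()}\n"
                   for n, d in files.items())

# Constructed sample package: a minimal descriptor and a stand-in for a disk image.
SAMPLE_FILES = {
    "appliance.ovf": b"<?xml version='1.0'?><Envelope xmlns='http://schemas.dmtf.org/ovf/envelope/1'/>",
    "appliance-disk1.vmdk": b"constructed stand-in for a VMDK disk image",
}
SAMPLE_MANIFEST = build_manifest(SAMPLE_FILES)
```

A digest match only proves the package is the one the manifest describes; whether that manifest is trustworthy depends on the separate .cert signature over it, which this example does not cover.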

Page 8: Virtualization Standards and Compliance

VMAN

• The management lifecycle of a virtual environment is addressed in DMTF’s VMAN

• Standardized approach to VM:

  • Deployment

  • Discovery and inventory

  • Lifecycle management

  • Creation, deletion, and modification

  • Health and performance monitoring

Page 9: Virtualization Standards and Compliance

Compliance

• The ability to act according to an order, set of rules or request

• E.g. ISO, SOX, HIPAA

Page 10: Virtualization Standards and Compliance

PCI DSS and Virtualization

PCI DSS and Virtualization make a good combination as

• Many monetary transactions are carried out in virtual environments.

• The PCI Security Standards Council (SSC) is international.

• VMware has joined the PCI SSC

Page 11: Virtualization Standards and Compliance

PCI DSS

• A set of comprehensive requirements for enhancing payment account data security.

• Developed by the founding payment brands of the PCI SSC, including American Express, Discover Financial Services, JCB International, MasterCard Worldwide, and Visa Inc. International,

• To help facilitate the broad adoption of consistent data security measures on a global basis.

Page 12: Virtualization Standards and Compliance

Contd.

• PCI DSS is a group of principles and accompanying directives organized into 12 requirements in the following six categories:

• Build and Maintain a Secure Network

• Protect Cardholder Data

• Maintain a Vulnerability Management Program

• Implement Strong Access Control Measures

• Regularly Monitor and Test Networks

• Maintain an Information Security Policy

Page 13: Virtualization Standards and Compliance

PRINCIPLES

a. If virtualization technologies are used in a cardholder data environment, PCI DSS requirements apply to those virtualization technologies.

b. Virtualization technology introduces new risks that may not be relevant to other technologies.

c. Implementations of virtualization technologies can vary greatly.

d. There is no one-size-fits-all method or solution to configure virtualized environments to meet PCI DSS requirements.

Page 14: Virtualization Standards and Compliance

Risks for Virtualized Environments

1. Vulnerabilities in the Physical Environment Apply in a Virtual Environment

2. Hypervisor Creates New Attack Surface

3. Increased Complexity of Virtualized Systems and Networks

4. More Than One Function per Physical System

5. Mixing VMs of Different Trust Levels

6. Lack of Separation of Duties

7. Dormant Virtual Machines

8. VM Images and Snapshots

9. Immaturity of Monitoring Solutions

10. Information Leakage between Virtual Network Segments

11. Information Leakage between Virtual Components

Page 15: Virtualization Standards and Compliance

PCI DSS REQUIREMENTS

1. Install and maintain a firewall configuration to protect cardholder data.

2. Do not use vendor-supplied defaults for system passwords and other security parameters.

3. Protect stored cardholder data.

4. Encrypt transmission of cardholder data across open, public networks.

5. Use and regularly update anti-virus software or programs.

Page 16: Virtualization Standards and Compliance

CONTD.

6. Develop and maintain secure systems and applications.

7. Restrict access to cardholder data by business need to know.

8. Assign a unique ID to each person with computer access.

9. Restrict physical access to cardholder data.

10. Track and monitor all access to network resources and cardholder data.

Page 17: Virtualization Standards and Compliance

CONTD.

11. Regularly test security systems and processes.

12. Maintain a policy that addresses information security for all personnel.

Requirement A.1: Shared hosting providers must protect the cardholder data environment (CDE).

Page 18: Virtualization Standards and Compliance

REFERENCES

• Virtualization_InfoSupp_v2.pdf

• Virtualization and Forensics, by Diane Barrett and Greg Kipper

• Virtualization Security: Protecting Virtualized Environments, by Dave Shackleford

• http://searchvmware.techtarget.com/How-PCI-DSS-20-affects-virtualization-compliance

Page 19: Virtualization Standards and Compliance

THANK YOU