Virtualize Securely - VM Introspection and Automated Security in Action

Johnnie Konstantas


PCI Officially Unmasks DSS v2.0

Well, it's official. On October 28, the PCI Security Standards Council (PCI SSC) released v2.0 of the Payment Card Industry Data Security Standard (PCI DSS), and with it potentially set in motion the many cloud deployments that had been waiting on its release.

The new version replaces PCI DSS v1.2.1, which had been in effect since July 2009. By all accounts, PCI DSS v2.0 does not introduce new requirements; rather, it provides clarifications for technologies such as virtualization that went unmentioned in the prior version.

So why the big leap from 1.2 to 2.0? In a recent eSecurity Planet article, Jeremy King, European director for the PCI SSC, explains that the new whole-number naming convention is permanent and that the standard will now be revised on a three-year cycle. In other words, the next version of PCI DSS will be called v3.0 and is expected in 2013.

Although Mr. King describes the vast majority of the changes as relatively minor, when it comes to virtualization and private cloud adoption, the clarification provided in v2.0 could have an enormous market impact. Requirement 2.2.1 of PCI DSS v1.2 stipulated "only one primary function per server" for in-scope servers, that is, those that store, process, or transmit cardholder data. This one requirement has generated considerable confusion about virtual machines (VMs) and compliance. The question at the heart of the matter was: Is a virtual machine the equivalent of a physical server, or is the VM host? Stated differently, does placing an in-scope VM and an out-of-scope VM on the same virtual machine host violate the requirement?

By defining a VM as the equivalent of a physical server (v2.0 notes that where virtualization is in use, the one-primary-function rule applies per virtual system component), the standard lets organizations move their workloads to the virtual model without fearing non-compliance on this point. One caveat a practitioner should keep in mind: settling the one-function question does not take the shared host out of scope. A hypervisor that hosts an in-scope VM is itself part of the cardholder data environment, so isolation between the VMs it runs, and the security of the hypervisor and its management interfaces, still have to be demonstrated to the assessor. While PCI DSS v2.0 does open the door to virtualizing critical workloads, organizations will still need expert advice on securing their new VMs because, as always, PCI DSS is not prescriptive and does not specify architectures. Guidance in the form of a white paper and a requirements-mapping spreadsheet is to be made available through the PCI DSS Virtualization Special Interest Group (vSIG), so look for those documents.

Altor, along with others such as VMware and Cisco, is a member of the PCI DSS technical working group. We look forward to sharing further updates on how PCI DSS v2.0 will advance cloud and virtualization deployments.

Follow us on Twitter and we’ll keep you posted as new information becomes available.
