SlideShare a Scribd company logo

PCI DSS & Virtualization

T
TobyRobinson13

Virtualization is a technology that has greatly benefited businesses around the globe. The technology has a significant impact on the modern IT landscape and today plays a key role in the development and delivery of cloud computing solutions.However, the adoption of this advanced technology has major security implications on businesses today. The adoption of Virtualization has openeddoors to a broad range of challenges for businesses in the industry. Especially, for organizations that are PCI regulated and required to comply with PCI DSS Standards, the challenges in this area only seem to grow.

Software
1 of 15
Download to read offline
PCI DSS & Virtualization PCI DSS & Virtualization Top Risks and Mitigation Strategies you should be knowing W: www.vistainfosec.com | E:info@vistainfosec.com US Tel: +1-415-513-5261 | SG Tel: +65-3129-0397 | IN Tel: +91 73045 57744 An ISO27001 Certified Company, CERT-IN Empanelled, PCI QSA, PCI QPA USA. SINGAPORE. INDIA. UK. MIDDLE EAST. CANADA.
Introduction PCI DSS & Virtualization Virtualization is a technology that has greatly ben- efited businesses around the globe. The technolo- gy has a significant impact on the modern IT land- scape and today plays a key role in the develop- ment and delivery of cloud computing solutions. However, the adoption of this advanced technolo- gy has major security implications on businesses today. The adoption of Virtualization has opened doors to a broad range of challenges for business- es in the industry. Especially, for organizations that are PCI regulated and required to comply with PCI DSS Standards, the challenges in this area only seem to grow. Virtualization is the most trending and highly discussed topic in the area of digital payments. The technology offers many benefits in terms of reliabili- ty, cost-efficiency, management, and scalability. However, these benefits come along with their share of challenges. Virtualized environments pose a huge security challenge for businesses. Addressing this issue the Pay- ment Card Industry Security Standards Council released PCI Data Security Standard Guidelines for Virtualization of System Components. With this, adapting virtualization for the Cardholder Data Environment (CDE) without appropriate evaluation and implementation of relevant measures may result in non-compliance. The PCI DSS Virtualization guidelines are designed to help merchants understand and mitigate the security risks in a virtual environment. With an increasing number of businesses adopting virtualization, it is essential that such system components comply with PCI DSS. The PCI DSS Virtualiza- tion Guideline focuses on the different classes of virtualization, and also suggests how virtual environment should be deployed to comply with PCI DSS. A cardholder data environment that relies on virtualization can be effectively secured by implementing operational and process-level securi- ty controls. That said, businesses must implement necessary information security controls during the planning, deployment, and maintenance phase to ensure compliance. For most businesses, security is clearly the top priority. More so, for PCI-regulated businesses, their security teams are expected to tackle sophis- ticated cyber-attacks and deal with the rapidly evolving IT infrastructure. So, clearly, with the increasing adoption of virtualization the funda- mental implications of security and sustaining compliance with PCI DSS is a major concern. Cover- ing top risks of virtualization and mitigation strate- gies, the article explains various PCI Compliance challenges and ways to tackle them. www.vistainfosec.com
The PCI DSS Virtualization Guidelines focuses on four principles for virtualization to meet PCI Standards: • If virtualization technologies are used in a cardholder data envi ronment, PCI DSS requirements must be applied. • Virtualization technologies introduce new risks that may not be relevant to other technologies. • Businesses must perform thorough due diligence to identify and document their virtualized implementations, including all interactions with payment transaction processes. • Depending upon how virtualization is used and implemented, specific controls and procedures will vary for each environment. Organizations should consult experts before adopting the technology for their digital payment environment. Understanding the implications and risk involved is critical for achieving compliance. That said, given below are some of the security and compliance challenges of implementing Virtualization. Security and Compliance Challenges of Virtualized Environment Virtualization offers a range of benefits to businesses, enabling a great level of flexibili ty, efficiency, and scalability in their IT infrastructure. However, for organiza- tions that are required to manage and secure sensitive data, virtualized environments pose a host of challenges as mentioned below. 1. Vulnerabilities in the Physical Environment Apply in a Virtual Environment Physical threats and vulnerabilities also apply to virtual implementations. Similar to the attacks and vulnerabilities that exist in physical infrastructure, virtual systems and networks are also subject to the same vulnerabilities. So, for instance, applications that have configuration flaws or vulnerabilities will also have those in the virtual implementation when installed. Another good example of this would be a poorly configured virtual firewall that can expose systems to a range of internet-based attacks which is similar to the possible threats resulting due to the misconfiguration on a physi- cal firewall. So, the even most securely configured virtual systems and networks will still need implementation of physical security controls for the protection of hardware. For these reasons, hardware systems cannot be completely off guard when it comes to securing systems and infrastructure. 2. Hypervisor creates a new attack surface The hypervisor also known as Virtual Machine Monitor provides a single point of access into the virtual environment. So, misconfigura- tion of the hypervisor can result in security failure of all virtual ma- chines hosted on it. So, no matter how secure the individual virtual ma- chines or components may be configured, a compromised hypervisor can expose systems to risk and also unauthorized access to the sensi- tive virtual system. Further, the hypervisor may also create a new attack surface and open doors to direct attacks. Any vulnerabilities in hypervisor isolation technology, access controls, security hardening, and patching can result in attackers exploiting and gaining access to VMs. So, unless appropriately configured and access is restricted to least privilege, even a secure hypervisor can potentially be exploited. 3. Increased Complexity of Virtualized Systems and Networks Virtualization can encompass both systems and networks which may involve the transmission of data through the hypervisor, or even over virtual network connections or through virtual network security like virtual firewalls. While such configurations provide operational bene- fits, but it also increases the complexity of system/network www.vistainfosec.com
functioning. That said, it will accordingly require additional security con- trols and complex policy management to ensure appropriate imple- mentation of security at each level. Increased complexity and added potential vulnerabilities in virtual operating systems and applications, may result in misconfiguration or creating new threat surface unfore- seen by the system designers. Such vulnerabilities could result in signifi- cant compromise across the entire virtual and physical environment as well. 4. More Than One Function per Physical System In the virtual environment compromise in even one virtual system func- tion could result in compromise of other functions on the same physi- cal system. Compromised Virtual Machines may use virtualization-layer communication mechanisms to launch attacks on other Virtual Ma- chines on the same host or even the hypervisor. So, these multiple func- tions hosted on one system increase the possible scope of compromise should an attacker gain physical access to the host system. While the Virtualization technology may mitigate the risk by segregation of differ- ent functions, yet one must consider the risk associated with locating multiple functions or components on a single physical system. The lower level security control can be easily com- promised resulting in opening doors to the high- er-risk and exposure to even sensitive Virtual Ma- chines on the same system. So technically hosting Virtual Machines of different security levels on the same hypervisor or host reduces the overall security for all components. With increased risks and configuration challenges, the security and risk level associated with each Virtual Machine function should be considered when designing the virtualized system. Further systems that store cardholder data require a higher security level than the ones having non-sensitive data stored. 6. Lack of Separation of Duties- In a virtualized environment having access to the hypervisor would mean gaining access to a broad range of systems, networks, and key infrastruc- ture components. This may include access to switches, firewalls, payment applications, log-aggregation servers, databases, etc. Such increased access to multiple virtual devices and functions from a single logical 5. Mixing VMs of Different Trust Levels There is always a huge risk of hosting multiple Virtual Machines with different levels of security on the same host. This needs careful evaluation because a Virtual Machine with a lower level of security controls can also impact the security of Virtual Machines with higher security controls. location or a user can result in a security collapse. This is why defining www.vistainfosec.com
separate roles/duties is crucial in a virtual environment. But defining roles and maintaining separate authority for access can be very challeng- ing. For instance, having a separate role defined for network administra- tor and server administrator and having different access policies across the distributed virtualized environment can be very difficult. Here the risk of failing to appropriately define roles and access policies can result in a significant security compromise. 7. Dormant Virtual Machines Virtualized platforms often house dormant Virtual Machines that may no longer be in use. These dormant machines could however still have several sensitive data such as authentication credentials, encryption keys, or critical configuration information stored in them. Since the ma- chines are not in use they may often be overlooked and inadvertently left out of scope during the security procedures. Sensitive data captured in its dormant state results in unintentional storage and only gets discov- ered in an event of a data breach. Further, Inactive machines get neglect- ed and likely not be updated with the latest security patches, resulting in the system being exposed to known vulnerabilities and organizations unaware of the same. Such machines are also most likely to have not been included in the updated access policies and may also be excluded from security and monitoring procedures. Looking at this, it is clear that inactive Virtual Machines create a viable security threat. For these reasons it should be identified and tracked so appropriate security controls can be applied. 8. Virtual Machine Images and Snapshots Virtual Machine images and snapshots quickly deploy or restore virtual systems across multiple hosts within a short period. However, these VM images and snapshots may capture sensitive data present on the system at the time the image was taken, including contents of active memory. This could result in the inadvertent capture, storage, or even deployment of sensitive information through- out the environment. Moreover, if such images are not appropriately secured can result in modification, unauthorized access, and insertion of vulnerabilities or malicious code into the image. This could then further lead to deployment of vulnerabilities throughout the environment lead- ing to rapid compromise of multiple hosts. 9. Immaturity of Monitoring Solutions While virtualization offers benefits in terms of operational efficiency and management yet it falls short of technology and solutions for monitoring and logging virtual environment. The tools to monitor the virtual net- works, virtual firewalls, virtual compliance systems, etc. are not as mature as their physical counterparts. They do not provide the same level of insight or monitoring within intra-host communications or traffic flowing between Virtual Machines on a virtual network. Specialized tools for monitoring and logging virtual environments are required to capture the level of detail from multiple systems and network components, including hypervisors, management interfaces, virtual machines, host www.vistainfosec.com
systems, and virtual appliances. 10. Information Leakage between Virtual Network Segments The potential risks of information leakage between logical network seg- ments should be understood when considering network virtualization. Information leakage at the data plane results in sensitive data existing outside of known locations, circumventing the data protection controls that would otherwise apply. Information leakage at the control plane or management plane can be exploited to enable information leakage at the data plane or to influence network routes and forwarding behavior to bypass network-based security controls. Ideally, virtualization capabili- ties at all three planes of operation in the network infrastructure should provide controls and features to secure the virtualized infrastructure at a level equivalent to individual physical devices. 11. Information Leakage between Virtual Components Information leakage between virtual networks can occur when there are multiple access granted for components on the same host. One compro- mised component can result in an attacker gaining access to other com- ponents in the same host. This can result in gaining access to sensitive information from multiple components and potentially leading to fur- ther compromise. Even a misconfigured hypervisor can lead to informa- tion leakage between hosted virtual components and networks. It is therefore essential that all physical resources such as memory, CPU, net- work, are isolated to prevent information leakage between Virtual Ma- chines and other components or networks on the same host. With this, the PCI Council has provided recommendations and standards for best practices to implement for the virtual environment to ensure PCI DSS Compliance and for risk mitigation. Given below are some of the recommendations outlined in the official guide. General Recommendations for Risk Mitigation 1. Evaluate risks associated with virtual technologies- Entities should first evaluate the risks concerning the implementation of virtual technology in their environment. The technology should be only deployed after considering all the pros and cons of virtual solutions and after defining a set of effective systems, applications, data, and environ- mental controls for the same. The risk evaluation and management should be accurately documented as part of this risk assessment pro- cess to ensure that all risk areas are identified and appropriately mitigat- ed. Risk Assessment should be an ongoing annual process for Virtual- ized environments and system components. 2. Understand the Impact of Virtualization to scope of the CDE Virtualization makes systems and network configurations complicated. Consolidating the environment into one or more physical hardware plat- forms makes it difficult to determine the boundaries or scope of the Cardholder Data Environment. For these reasons, the scope of PCI DSS across virtual components must be thoroughly evaluated, verified, and documented. The environment should be evaluated using the guidance provided in the Scope of Assessment for Compliance with PCI DSS Requirements. Designing virtualized components need careful attention and consideration, taking into account even components out of scope to meet the PCI DSS security requirements. This will provide a secure base- line for the entire virtual environment and also reduce the overall com- plexity and risk associated with managing multiple security profiles. It also lowers the additional effort required to maintain and validate com- pliance of the in-scope components. So, it is technically recommended that any part or components on a single hypervisor should be consid- ered in-scope to ensure tight security measures for the environment. www.vistainfosec.com
nel should also be a part of a defense-in-depth approach to secure the virtual environment. Adopting a defense-in-depth approach that encom- passes preventive, detective, and responsive controls is the best prac- tice for securing data and other virtual systems and networks of an orga- nization. 5. Isolate Security Functions The security features for the virtual machine should be implemented the same way as for the physical environment. In fact, it is recommend- ed that the security requirement to be enforced for the virtualized system should be stringent, especially in a way that it complicates the efforts required by an attacker to compromise multiple Cardholder Data Environment system components. There should be multiple layers of security with the level of isolation between security functions in a way that they can be considered as being installed on separate machines. For instance security controls, processes controlling network segmenta- tion, and the log aggregation function that would detect tampering of network segmentation controls should not be combined and should implement each security function in isolation. This strengthens the defense against unknown threats and makes hacking complicated for the attacker. 3. Restrict Physical Access Hosting multiple components on one physical system could greatly increase the possibility of unauthorized access to that host system. Therefore physical access controls are essential in virtualized environ- ments to strengthen the security measures and mitigate the associated risks. Entities must consider the potential risk and impact of an unautho- rized or malicious individual gaining simultaneous access to all virtual machines, networks, security devices, applications, and hypervisors on a single host. It is also important to ensure all the unused physical inter- faces are disabled, and physical or console-level access is restricted and monitored. 4. Implement Defence in Depth Implementing defense-in-depth for a virtualized environment is crucial. Appropriate security controls should be identified and implemented in a virtualized environment that provides the same level and depth of security as in a physical environment. Entities must consider implement- ing security controls to each technical layer, including physical device, hypervisor, host platform, guest operating systems, VMs, perimeter net- work, intra-host network, application, and data layers. Further, physical controls, documented policies and procedures, and training of person www.vistainfosec.com
6. Enforce Least Privilege and Separation of Duties Entities should enforce limited access controls for administrative access to the hypervisor. This should be implemented depending on the level of risk exposure evaluated in the environment. Entities should consider implementing two-factor authentication or establish dual or split-con- trol of administrative passwords between multiple administrators. Fur- ther, access controls for both local and remote access to the hypervisor and management system should be periodically assessed. For every virtual component appropriate role-based access controls (RBAC) and separation of duties must be established to prevent unauthorized access to resources. Administrative privileges should also be appropri- ately segregated or it may result in undetected tampering and data loss. As a best practice, administrative access should be restricted based on specific virtual machine functions, virtual networks, hypervisor, hard- ware, application, and data storage. 7. Evaluate Hypervisor Technologies Testing the security of the hypervisor before deployment is highly rec- ommended. There should also be appropriate patch management and other security controls in place to respond to threats and exploits. Enti- ties must identify and implement technologies that facilitate strong secu- rity practices as not all hypervisors or virtual machine management have the functionality to support appropriate security controls. 8. Harden the Hypervisor Hypervisor platforms should be deployed in a secure manner adopting the industry-d best practices and security guidelines. Careful manage- ment of virtual system configurations, patching, and change-control pro- cesses are essential to ensure that all hypervisor changes are moni- tored, authorized, fully tested, and carefully controlled. Due to the poten- tial severity of a hypervisor compromise, patches, and other mitigating www.vistainfosec.com
• Removal of unnecessary interfaces, ports, devices, and services, • Ensure secure configuration of all virtual network interfaces and storage areas. • Limit the usage on virtual machines, and ensure hardening of operating systems and applications in a virtual machine. • Send logs to separate, secured storage as close to real-time • Validate the integrity of the cryptographic key-management operations; • Harden individual virtual hardware and containers; • Other security controls as applicable. controls should be deployed as soon as possible whenever new security vulnerabilities are discovered and include immediate testing for the vulnerability to confirm the risk has been addressed. Because the hypervisor represents a single point of failure, an unauthorized or malicious modification could threaten the integrity of all hosted sys- tems in the environment. Other additional controls recommended for the hypervisor and significant management tools include implement- ing restricted administrative functions, multi-factor authentication for all administrative functions, separate administrative functions, monitor audit logs to identify suspicious activities, separate duties 10. Define Appropriate Use of Management Tools Management tools allow administrators to perform system back-up, restore, remote connectivity, migration, and configuration changes to virtual systems. Since Management tools directly impact the security and functioning of the in-scope compo- nents they should also be considered in scope. More- over, entities should enforce limited access to management tools based on the job requirement. Segregation of roles and responsibilities is highly recommended for management tool functions, and the use of management tools should be regularly monitored and logged for enhanced security. 11. Recognize the Dynamic Nature of Virtual Machines for administrative functions, and verify securi- ty control solution support virtualization to minimize the risk of compromise to the hyper- visor. 9. Harden Virtual Machines & Other Components Every virtual machine must be installed and configured securely in accordance with the industry best practices and security guide- lines. The recommendations provided for hardening the hypervisor are also applicable to all virtual machines and components. Fur- ther, every security control implementations should be evaluated individually to confirm. Virtual Machines are data that can reside in an active state on a hypervisor or in a dormant state. Dormant VMs may possi- bly contain sensitive information and other virtual device con- figuration details. So implementing measures for access to dormant VMs should therefore be restricted, monitored, and carefully controlled. Inactive VMs should be secured equally with the same level of sensitivity and have the same safeguards as any other cardholder data store. Further, entities should evaluate migration paths of inactive VMs, take backups of VMs (active VMs, and inactive VMs) and securely delete the data when no longer needed. Implementing an effective change-management, monitoring, and alerting processes is essential www.vistainfosec.com
to ensure only authorized VM’s are added to and removed from the envi- ronment, and all related activities are recorded and monitored. 12. Evaluate Virtualized Network Security Features Effective security measures at the data plane, control plane, and manage- ment plane should be implemented for any deployment of virtualized network infrastructure. This minimizes the possibility of direct and indi- rect vulnerability impact on all three operational planes and compromise of the virtual network devices. It is important to ensure that the underly- ing physical components are adequately isolated and secured leaving no scope or path between virtual network devices for vulnerabilities to per- colate. Entities must maintain security isolation between virtualized net- work devices in a way that virtual systems are treated as separate hard- ware. Every virtualized device should have independent access-con- trolled configurations. Further, the audit trails for virtual infrastructures should be detailed in a way that facilitates the identification of access and activities performed on every virtual component. Not just that, the access controls implemented should be the least privilege for each device and across the entire platform. 13. Clearly define all Hosted Virtual Services In cases where entities use shared hosting where the service providers virtualize their offerings, provisioning separate workloads to customers rather than provisioning separate physical systems, the entities should ensure there is an enforcement of administrative, process, and technical segmentation to isolate every hosted entity’s environment. This isolation should include the implementation of all PCI DSS controls, including but not limited to segmented authentication, network and access controls, encryption, and logging. It is also critical to ensure that all responsibilities for maintaining controls that could affect the security or integrity of sensi- tive data or that could impact the entity’s PCI DSS compliance should be well-defined and documented in a formal agreement. www.vistainfosec.com
Conclusion Entities need to understand that there is no specific solution for securing data in a virtualized environment. However, as outlined in the PCI DSS standard guidelines, it is a mandate to implement all the 12 require- ments including the use of firewalls, encryption, prohibition of direct public access to the Internet, system hardening, deploying antivirus, and two-factor authentication for remote access, logging, and intrusion-pre- vention systems in the virtual and cloud environments. Neglecting these requirements will result in heavy penalties such as fines, increased trans- action fees, or even losing the right to access a payment card network’s resources. The process may seem quite complicated for entities to imple- ment PCI compliance in a virtual environment. So, it is highly recom- mended that entities obtain professional guidance to make it a has- sle-free process. An experienced professional can perform a PCI gap assessment that addresses specific requirements for application, net- work, physical, and database compliance and accordingly guide entities in implementing security measures and achieve PCI compliance for virtu- al and cloud environment. 14. Understand the technology Virtualized environments are very different from the traditional physical environment. So entities must understand the virtualiza- tion technology to effectively evaluate and secure their environ- ment. Entities must also be aware of the industry best practice and guidelines for securing virtualized environments. Entities must take guidance from insightful resources and publication like The Center for Internet Security (CIS), International Organization for Standardization (ISO), ISACA (formerly the Information Sys- tems Audit and Control Association), National Institute of Stan- dards Technology (NIST), SysAdmin Audit Network Security (SANS) Institute to name a few for effective implementation of security controls and standards. www.vistainfosec.com
VISTA lnfoSec is a Global Cyber Security Consulting firm offering exceptional Cyber Security Consulting & Audit Service, Regulatory & Compliance Consulting Services and Infrastructure Advisory Solu- tions. With strong industrial presence since 2004, we have been serving clients from across the world with our robust, end-to-end security services and solutions. We are a 100% vendor neutral company with strict no out- sourcing policy and built on our core values of strict code of ethics, transparency and professionalism. About Us www.vistainfosec.com
OUR SERVICES OFFERINGS www.vistainfosec.com Compliance & Governance • SOC 1 Consulting & Audit • SOC 2 Consulting & Audit • PCI DSS Advisory and Certification • PCI PIN Advisory and Certification • PA SSF Advisory and Certification • ISO 27001 Advisory and Certification • • ISO 20000 Advisory and Certification Business Continuity Management (ISO22301) • Cloud Risk CCM / CStar / ISO27017 • lnformation Security Audit • Software License Audit • ATM Security Assessment Regulatory And Compliance • GDPR Consulting and Audit • HIPAA Consulting and Audit • CCPA Consulting and Audit • NESA Consulting and Audit • MAS-TRM Consulting and Audit • NCA ECC Compliance • SAMA Compliance Managed Service • Adaptive Security Managment Pro gram • DPO Consultancy Services • CISO Advisory • Managed Compliance Services • Managed Security Services IT Audit & Advisory • Infrastructure Audit • Infrastructure Design & Advisory • Datacenter Design & Consultancy Services Training & Skill Development • Training & Skill Development Technical Assessment • Vulnerability Assessment • Penetration Testing • Web App Security Assessment • Mobile Security Assessment • Thick Client Application Security Assessment • Virtualization Risk Assessment • Secure Configuration Assessment • Source Code Review
OUR OFFICES SINGAPORE INDIA UK USA VISTA INFOSEC LLC 24007 VENTURA BLVD SUITE 285 CALABASAS CA 91302 +1-415-513-5261 USSALES@VISTAINFOSEC.COM SGSALES@VISTAINFOSEC.COM SALES@VISTAINFOSEC.COM UKSALES@VISTAINFOSEC.COM VISTA INFOS EC PTE. LTD 20 COLLYER QUAY #09-01 20 COLLYER QUAY SINGAPORE (049319) VISTA INFOSEC PVT. LTD 001, NORTH WING, 2ND FLOOR, NEOSHINE HOUSE, LINK ROAD, ANDHERI (W) MUMBAI - 400053 6 AMBER COURT GOLDSMITH CLOSE HARROW, GREATER LONDON UNITED KINGDOM HA20EZ +65-3129-0397 +91 99872 44769 +447405816761 +91-22-26300683 www.vistainfosec.com
CONTACT US US Tel: +1-415-513-5261 | SG Tel: +65-3129-0397 | IN Tel: +91 73045 57744 W: www.vistainfosec.com| E: info@vistainfosec.com You can reach us on Top Risks and Mitigation Webinar : PCI DSS & Virtualization

Recommended

Winston morton - intrusion prevention - atlseccon2011
Winston morton - intrusion prevention - atlseccon2011Winston morton - intrusion prevention - atlseccon2011
Winston morton - intrusion prevention - atlseccon2011Atlantic Security Conference
 
Internal & External Attacks in cloud computing Environment from confidentiali...
Internal & External Attacks in cloud computing Environment from confidentiali...Internal & External Attacks in cloud computing Environment from confidentiali...
Internal & External Attacks in cloud computing Environment from confidentiali...iosrjce
 
Cisco VMDC Cloud Security 1.0 Design Guide
Cisco VMDC Cloud Security 1.0 Design GuideCisco VMDC Cloud Security 1.0 Design Guide
Cisco VMDC Cloud Security 1.0 Design GuideCisco Service Provider
 
Cloud Security Solution Overview
Cloud Security Solution OverviewCloud Security Solution Overview
Cloud Security Solution OverviewCisco Service Provider
 
Cloud security
Cloud securityCloud security
Cloud securityPedro Alexander Romero Tortosa
 
A SURVEY ON SECURITY CHALLENGES OF VIRTUALIZATION TECHNOLOGY IN CLOUD COMPUTING
A SURVEY ON SECURITY CHALLENGES OF VIRTUALIZATION TECHNOLOGY IN CLOUD COMPUTINGA SURVEY ON SECURITY CHALLENGES OF VIRTUALIZATION TECHNOLOGY IN CLOUD COMPUTING
A SURVEY ON SECURITY CHALLENGES OF VIRTUALIZATION TECHNOLOGY IN CLOUD COMPUTINGijcsit
 
Cyber consequences, operational dependencies, and full scope security
Cyber consequences, operational dependencies, and full scope securityCyber consequences, operational dependencies, and full scope security
Cyber consequences, operational dependencies, and full scope securityJoe Slowik
 
Generic Security Framework for Multiple Heterogeneous Virtual Infrastructures
Generic Security Framework for Multiple Heterogeneous Virtual InfrastructuresGeneric Security Framework for Multiple Heterogeneous Virtual Infrastructures
Generic Security Framework for Multiple Heterogeneous Virtual InfrastructuresIJRES Journal
 

Recommended

Winston morton - intrusion prevention - atlseccon2011
Winston morton - intrusion prevention - atlseccon2011Winston morton - intrusion prevention - atlseccon2011
Winston morton - intrusion prevention - atlseccon2011Atlantic Security Conference
 
Internal & External Attacks in cloud computing Environment from confidentiali...
Internal & External Attacks in cloud computing Environment from confidentiali...Internal & External Attacks in cloud computing Environment from confidentiali...
Internal & External Attacks in cloud computing Environment from confidentiali...iosrjce
 
Cisco VMDC Cloud Security 1.0 Design Guide
Cisco VMDC Cloud Security 1.0 Design GuideCisco VMDC Cloud Security 1.0 Design Guide
Cisco VMDC Cloud Security 1.0 Design GuideCisco Service Provider
 
Cloud Security Solution Overview
Cloud Security Solution OverviewCloud Security Solution Overview
Cloud Security Solution OverviewCisco Service Provider
 
Cloud security
Cloud securityCloud security
Cloud securityPedro Alexander Romero Tortosa
 
A SURVEY ON SECURITY CHALLENGES OF VIRTUALIZATION TECHNOLOGY IN CLOUD COMPUTING
A SURVEY ON SECURITY CHALLENGES OF VIRTUALIZATION TECHNOLOGY IN CLOUD COMPUTINGA SURVEY ON SECURITY CHALLENGES OF VIRTUALIZATION TECHNOLOGY IN CLOUD COMPUTING
A SURVEY ON SECURITY CHALLENGES OF VIRTUALIZATION TECHNOLOGY IN CLOUD COMPUTINGijcsit
 
Cyber consequences, operational dependencies, and full scope security
Cyber consequences, operational dependencies, and full scope securityCyber consequences, operational dependencies, and full scope security
Cyber consequences, operational dependencies, and full scope securityJoe Slowik
 
Generic Security Framework for Multiple Heterogeneous Virtual Infrastructures
Generic Security Framework for Multiple Heterogeneous Virtual InfrastructuresGeneric Security Framework for Multiple Heterogeneous Virtual Infrastructures
Generic Security Framework for Multiple Heterogeneous Virtual InfrastructuresIJRES Journal
 
Security for v mware
Security for v mwareSecurity for v mware
Security for v mwareReadWrite
 
Investigative analysis of security issues and challenges in cloud computing a...
Investigative analysis of security issues and challenges in cloud computing a...Investigative analysis of security issues and challenges in cloud computing a...
Investigative analysis of security issues and challenges in cloud computing a...IAEME Publication
 
HOW TO TROUBLESHOOT SECURITY INCIDENTS IN A CLOUD ENVIRONMENT?
HOW TO TROUBLESHOOT SECURITY INCIDENTS IN A CLOUD ENVIRONMENT?HOW TO TROUBLESHOOT SECURITY INCIDENTS IN A CLOUD ENVIRONMENT?
HOW TO TROUBLESHOOT SECURITY INCIDENTS IN A CLOUD ENVIRONMENT?EC-Council
 
Cloud Security using NIST guidelines
Cloud Security using NIST guidelinesCloud Security using NIST guidelines
Cloud Security using NIST guidelinesSrishti Ahuja
 
Past and future of integrity based attacks in ics environments
Past and future of integrity based attacks in ics environmentsPast and future of integrity based attacks in ics environments
Past and future of integrity based attacks in ics environmentsJoe Slowik
 
ICS_WhitePaper_Darktrace
ICS_WhitePaper_DarktraceICS_WhitePaper_Darktrace
ICS_WhitePaper_DarktraceAustin Eppstein
 
Network Vulnerability Assessments: Lessons Learned
Network Vulnerability Assessments: Lessons LearnedNetwork Vulnerability Assessments: Lessons Learned
Network Vulnerability Assessments: Lessons Learnedamiable_indian
 
Privileged Account Management - Keep your logins safe
Privileged Account Management - Keep your logins safePrivileged Account Management - Keep your logins safe
Privileged Account Management - Keep your logins safeJens Albrecht
 
Cloud technology to ensure the protection of fundamental methods and use of i...
Cloud technology to ensure the protection of fundamental methods and use of i...Cloud technology to ensure the protection of fundamental methods and use of i...
Cloud technology to ensure the protection of fundamental methods and use of i...SubmissionResearchpa
 
Vertualisation
VertualisationVertualisation
VertualisationChkifa Khalid
 
ISACA Journal Publication - Does your Cloud have a Secure Lining? Shah Sheikh
ISACA Journal Publication - Does your Cloud have a Secure Lining? Shah SheikhISACA Journal Publication - Does your Cloud have a Secure Lining? Shah Sheikh
ISACA Journal Publication - Does your Cloud have a Secure Lining? Shah SheikhShah Sheikh
 
Securing IT Against Modern Threats with Microsoft Cloud Security Tools - M365...
Securing IT Against Modern Threats with Microsoft Cloud Security Tools - M365...Securing IT Against Modern Threats with Microsoft Cloud Security Tools - M365...
Securing IT Against Modern Threats with Microsoft Cloud Security Tools - M365...Michael Noel
 
IT Security Risk Mitigation Report: Virtualization Security
IT Security Risk Mitigation Report: Virtualization SecurityIT Security Risk Mitigation Report: Virtualization Security
IT Security Risk Mitigation Report: Virtualization SecurityBooz Allen Hamilton
 
Cloud Computing Security
Cloud Computing SecurityCloud Computing Security
Cloud Computing SecurityArunvignesh Venkatesh
 
C43021014
C43021014C43021014
C43021014IJERA Editor
 
Addressing Healthcare Challenges Today
Addressing Healthcare Challenges TodayAddressing Healthcare Challenges Today
Addressing Healthcare Challenges TodayIvanti
 
The Role of Government in Identity Management
The Role of Government in Identity ManagementThe Role of Government in Identity Management
The Role of Government in Identity ManagementDon Lovett
 
9 Things You Need to Know Before Moving to the Cloud
9 Things You Need to Know Before Moving to the Cloud9 Things You Need to Know Before Moving to the Cloud
9 Things You Need to Know Before Moving to the Cloudkairostech
 
Brochure network security-en
Brochure network security-enBrochure network security-en
Brochure network security-ensandeep1721
 
WHITE PAPER: Threats to Virtual Environments - Symantec Security Response Team
WHITE PAPER: Threats to Virtual Environments - Symantec Security Response TeamWHITE PAPER: Threats to Virtual Environments - Symantec Security Response Team
WHITE PAPER: Threats to Virtual Environments - Symantec Security Response TeamSymantec
 
Is it an internal affair
Is it an internal affairIs it an internal affair
Is it an internal affairGeorge Delikouras
 
Cloud Computing
Cloud ComputingCloud Computing
Cloud ComputingCommit Software Sh.p.k.
 

More Related Content

What's hot

Security for v mware
Security for v mwareSecurity for v mware
Security for v mwareReadWrite
 
Investigative analysis of security issues and challenges in cloud computing a...
Investigative analysis of security issues and challenges in cloud computing a...Investigative analysis of security issues and challenges in cloud computing a...
Investigative analysis of security issues and challenges in cloud computing a...IAEME Publication
 
HOW TO TROUBLESHOOT SECURITY INCIDENTS IN A CLOUD ENVIRONMENT?
HOW TO TROUBLESHOOT SECURITY INCIDENTS IN A CLOUD ENVIRONMENT?HOW TO TROUBLESHOOT SECURITY INCIDENTS IN A CLOUD ENVIRONMENT?
HOW TO TROUBLESHOOT SECURITY INCIDENTS IN A CLOUD ENVIRONMENT?EC-Council
 
Cloud Security using NIST guidelines
Cloud Security using NIST guidelinesCloud Security using NIST guidelines
Cloud Security using NIST guidelinesSrishti Ahuja
 
Past and future of integrity based attacks in ics environments
Past and future of integrity based attacks in ics environmentsPast and future of integrity based attacks in ics environments
Past and future of integrity based attacks in ics environmentsJoe Slowik
 
ICS_WhitePaper_Darktrace
ICS_WhitePaper_DarktraceICS_WhitePaper_Darktrace
ICS_WhitePaper_DarktraceAustin Eppstein
 
Network Vulnerability Assessments: Lessons Learned
Network Vulnerability Assessments: Lessons LearnedNetwork Vulnerability Assessments: Lessons Learned
Network Vulnerability Assessments: Lessons Learnedamiable_indian
 
Privileged Account Management - Keep your logins safe
Privileged Account Management - Keep your logins safePrivileged Account Management - Keep your logins safe
Privileged Account Management - Keep your logins safeJens Albrecht
 
Cloud technology to ensure the protection of fundamental methods and use of i...
Cloud technology to ensure the protection of fundamental methods and use of i...Cloud technology to ensure the protection of fundamental methods and use of i...
Cloud technology to ensure the protection of fundamental methods and use of i...SubmissionResearchpa
 
ISACA Journal Publication - Does your Cloud have a Secure Lining? Shah Sheikh
ISACA Journal Publication - Does your Cloud have a Secure Lining? Shah SheikhISACA Journal Publication - Does your Cloud have a Secure Lining? Shah Sheikh
ISACA Journal Publication - Does your Cloud have a Secure Lining? Shah SheikhShah Sheikh
 
Securing IT Against Modern Threats with Microsoft Cloud Security Tools - M365...
Securing IT Against Modern Threats with Microsoft Cloud Security Tools - M365...Securing IT Against Modern Threats with Microsoft Cloud Security Tools - M365...
Securing IT Against Modern Threats with Microsoft Cloud Security Tools - M365...Michael Noel
 
IT Security Risk Mitigation Report: Virtualization Security
IT Security Risk Mitigation Report: Virtualization SecurityIT Security Risk Mitigation Report: Virtualization Security
IT Security Risk Mitigation Report: Virtualization SecurityBooz Allen Hamilton
 
Addressing Healthcare Challenges Today
Addressing Healthcare Challenges TodayAddressing Healthcare Challenges Today
Addressing Healthcare Challenges TodayIvanti
 
The Role of Government in Identity Management
The Role of Government in Identity ManagementThe Role of Government in Identity Management
The Role of Government in Identity ManagementDon Lovett
 
9 Things You Need to Know Before Moving to the Cloud
9 Things You Need to Know Before Moving to the Cloud9 Things You Need to Know Before Moving to the Cloud
9 Things You Need to Know Before Moving to the Cloudkairostech
 
Brochure network security-en
Brochure network security-enBrochure network security-en
Brochure network security-ensandeep1721
 

What's hot (19)

Security for v mware
Security for v mwareSecurity for v mware
Security for v mware
 
Investigative analysis of security issues and challenges in cloud computing a...
Investigative analysis of security issues and challenges in cloud computing a...Investigative analysis of security issues and challenges in cloud computing a...
Investigative analysis of security issues and challenges in cloud computing a...
 
HOW TO TROUBLESHOOT SECURITY INCIDENTS IN A CLOUD ENVIRONMENT?
HOW TO TROUBLESHOOT SECURITY INCIDENTS IN A CLOUD ENVIRONMENT?HOW TO TROUBLESHOOT SECURITY INCIDENTS IN A CLOUD ENVIRONMENT?
HOW TO TROUBLESHOOT SECURITY INCIDENTS IN A CLOUD ENVIRONMENT?
 
Cloud Security using NIST guidelines
Cloud Security using NIST guidelinesCloud Security using NIST guidelines
Cloud Security using NIST guidelines
 
Past and future of integrity based attacks in ics environments
Past and future of integrity based attacks in ics environmentsPast and future of integrity based attacks in ics environments
Past and future of integrity based attacks in ics environments
 
ICS_WhitePaper_Darktrace
ICS_WhitePaper_DarktraceICS_WhitePaper_Darktrace
ICS_WhitePaper_Darktrace
 
Network Vulnerability Assessments: Lessons Learned
Network Vulnerability Assessments: Lessons LearnedNetwork Vulnerability Assessments: Lessons Learned
Network Vulnerability Assessments: Lessons Learned
 
Privileged Account Management - Keep your logins safe
Privileged Account Management - Keep your logins safePrivileged Account Management - Keep your logins safe
Privileged Account Management - Keep your logins safe
 
Cloud technology to ensure the protection of fundamental methods and use of i...
Cloud technology to ensure the protection of fundamental methods and use of i...Cloud technology to ensure the protection of fundamental methods and use of i...
Cloud technology to ensure the protection of fundamental methods and use of i...
 
Vertualisation
VertualisationVertualisation
Vertualisation
 
ISACA Journal Publication - Does your Cloud have a Secure Lining? Shah Sheikh
ISACA Journal Publication - Does your Cloud have a Secure Lining? Shah SheikhISACA Journal Publication - Does your Cloud have a Secure Lining? Shah Sheikh
ISACA Journal Publication - Does your Cloud have a Secure Lining? Shah Sheikh
 
Securing IT Against Modern Threats with Microsoft Cloud Security Tools - M365...
Securing IT Against Modern Threats with Microsoft Cloud Security Tools - M365...Securing IT Against Modern Threats with Microsoft Cloud Security Tools - M365...
Securing IT Against Modern Threats with Microsoft Cloud Security Tools - M365...
 
IT Security Risk Mitigation Report: Virtualization Security
IT Security Risk Mitigation Report: Virtualization SecurityIT Security Risk Mitigation Report: Virtualization Security
IT Security Risk Mitigation Report: Virtualization Security
 
Cloud Computing Security
Cloud Computing SecurityCloud Computing Security
Cloud Computing Security
 
C43021014
C43021014C43021014
C43021014
 
Addressing Healthcare Challenges Today
Addressing Healthcare Challenges TodayAddressing Healthcare Challenges Today
Addressing Healthcare Challenges Today
 
The Role of Government in Identity Management
The Role of Government in Identity ManagementThe Role of Government in Identity Management
The Role of Government in Identity Management
 
9 Things You Need to Know Before Moving to the Cloud
9 Things You Need to Know Before Moving to the Cloud9 Things You Need to Know Before Moving to the Cloud
9 Things You Need to Know Before Moving to the Cloud
 
Brochure network security-en
Brochure network security-enBrochure network security-en
Brochure network security-en
 

Similar to PCI DSS & Virtualization

WHITE PAPER: Threats to Virtual Environments - Symantec Security Response Team
WHITE PAPER: Threats to Virtual Environments - Symantec Security Response TeamWHITE PAPER: Threats to Virtual Environments - Symantec Security Response Team
WHITE PAPER: Threats to Virtual Environments - Symantec Security Response TeamSymantec
 
2_24551_Virtualization_SC_0113
2_24551_Virtualization_SC_01132_24551_Virtualization_SC_0113
2_24551_Virtualization_SC_0113Jim Romeo
 
Security in a Virtualised Computing
Security in a Virtualised ComputingSecurity in a Virtualised Computing
Security in a Virtualised ComputingIOSR Journals
 
IRJET- SAAS Attacks Defense Mechanisms and Digital Forensic
IRJET- SAAS Attacks Defense Mechanisms and Digital ForensicIRJET- SAAS Attacks Defense Mechanisms and Digital Forensic
IRJET- SAAS Attacks Defense Mechanisms and Digital ForensicIRJET Journal
 
Cyber security providers adopt strategic defences
Cyber security providers adopt strategic defences Cyber security providers adopt strategic defences
Cyber security providers adopt strategic defences Markit
 
The ultimate guide to cloud computing security-Hire cloud expert
The ultimate guide to cloud computing security-Hire cloud expertThe ultimate guide to cloud computing security-Hire cloud expert
The ultimate guide to cloud computing security-Hire cloud expertChapter247 Infotech
 
Risk Analysis and Mitigation in Virtualized Environments
Risk Analysis and Mitigation in Virtualized EnvironmentsRisk Analysis and Mitigation in Virtualized Environments
Risk Analysis and Mitigation in Virtualized EnvironmentsSiddharth Coontoor
 
Virtual security is no less real
Virtual security is no less realVirtual security is no less real
Virtual security is no less realguest24ab95c
 
BriefingsDirect Transcript--How security leverages virtualization to counter ...
BriefingsDirect Transcript--How security leverages virtualization to counter ...BriefingsDirect Transcript--How security leverages virtualization to counter ...
BriefingsDirect Transcript--How security leverages virtualization to counter ...Dana Gardner
 
The Top 5 Risks of Cloud Migration
The Top 5 Risks of Cloud Migration The Top 5 Risks of Cloud Migration
The Top 5 Risks of Cloud Migration Protected Harbor
 
Discuss the challenges of maintaining information security at a remo.docx
Discuss the challenges of maintaining information security at a remo.docxDiscuss the challenges of maintaining information security at a remo.docx
Discuss the challenges of maintaining information security at a remo.docxstandfordabbot
 
OmniNet MDS HIPPA Compliance Info
OmniNet MDS HIPPA Compliance InfoOmniNet MDS HIPPA Compliance Info
OmniNet MDS HIPPA Compliance InfoJonathan Eubanks
 
Cloud Security - Types, Common Threats & Tips To Mitigate.pdf
Cloud Security - Types, Common Threats & Tips To Mitigate.pdfCloud Security - Types, Common Threats & Tips To Mitigate.pdf
Cloud Security - Types, Common Threats & Tips To Mitigate.pdfDataSpace Academy
 
Cybersecurity Goes Mainstream
Cybersecurity Goes MainstreamCybersecurity Goes Mainstream
Cybersecurity Goes MainstreamRob Marson
 
FORTINET_WP-WEBFILTERING-201106.pdf
FORTINET_WP-WEBFILTERING-201106.pdfFORTINET_WP-WEBFILTERING-201106.pdf
FORTINET_WP-WEBFILTERING-201106.pdfMuhammadSajidAbdulga
 

Similar to PCI DSS & Virtualization (20)

WHITE PAPER: Threats to Virtual Environments - Symantec Security Response Team
WHITE PAPER: Threats to Virtual Environments - Symantec Security Response TeamWHITE PAPER: Threats to Virtual Environments - Symantec Security Response Team
WHITE PAPER: Threats to Virtual Environments - Symantec Security Response Team
 
Is it an internal affair
Is it an internal affairIs it an internal affair
Is it an internal affair
 
Cloud Computing
Cloud ComputingCloud Computing
Cloud Computing
 
Managing The Virtualized Enterprise New Technology, New Challenges
Managing The Virtualized Enterprise New Technology, New ChallengesManaging The Virtualized Enterprise New Technology, New Challenges
Managing The Virtualized Enterprise New Technology, New Challenges
 
2_24551_Virtualization_SC_0113
2_24551_Virtualization_SC_01132_24551_Virtualization_SC_0113
2_24551_Virtualization_SC_0113
 
Security in a Virtualised Computing
Security in a Virtualised ComputingSecurity in a Virtualised Computing
Security in a Virtualised Computing
 
IRJET- SAAS Attacks Defense Mechanisms and Digital Forensic
IRJET- SAAS Attacks Defense Mechanisms and Digital ForensicIRJET- SAAS Attacks Defense Mechanisms and Digital Forensic
IRJET- SAAS Attacks Defense Mechanisms and Digital Forensic
 
Rik Ferguson
Rik FergusonRik Ferguson
Rik Ferguson
 
Cyber security providers adopt strategic defences
Cyber security providers adopt strategic defences Cyber security providers adopt strategic defences
Cyber security providers adopt strategic defences
 
The ultimate guide to cloud computing security-Hire cloud expert
The ultimate guide to cloud computing security-Hire cloud expertThe ultimate guide to cloud computing security-Hire cloud expert
The ultimate guide to cloud computing security-Hire cloud expert
 
Risk Analysis and Mitigation in Virtualized Environments
Risk Analysis and Mitigation in Virtualized EnvironmentsRisk Analysis and Mitigation in Virtualized Environments
Risk Analysis and Mitigation in Virtualized Environments
 
Virtualization Security Risks
Virtualization Security RisksVirtualization Security Risks
Virtualization Security Risks
 
Virtual security is no less real
Virtual security is no less realVirtual security is no less real
Virtual security is no less real
 
BriefingsDirect Transcript--How security leverages virtualization to counter ...
BriefingsDirect Transcript--How security leverages virtualization to counter ...BriefingsDirect Transcript--How security leverages virtualization to counter ...
BriefingsDirect Transcript--How security leverages virtualization to counter ...
 
The Top 5 Risks of Cloud Migration
The Top 5 Risks of Cloud Migration The Top 5 Risks of Cloud Migration
The Top 5 Risks of Cloud Migration
 
Discuss the challenges of maintaining information security at a remo.docx
Discuss the challenges of maintaining information security at a remo.docxDiscuss the challenges of maintaining information security at a remo.docx
Discuss the challenges of maintaining information security at a remo.docx
 
OmniNet MDS HIPPA Compliance Info
OmniNet MDS HIPPA Compliance InfoOmniNet MDS HIPPA Compliance Info
OmniNet MDS HIPPA Compliance Info
 
Cloud Security - Types, Common Threats & Tips To Mitigate.pdf
Cloud Security - Types, Common Threats & Tips To Mitigate.pdfCloud Security - Types, Common Threats & Tips To Mitigate.pdf
Cloud Security - Types, Common Threats & Tips To Mitigate.pdf
 
Cybersecurity Goes Mainstream
Cybersecurity Goes MainstreamCybersecurity Goes Mainstream
Cybersecurity Goes Mainstream
 
FORTINET_WP-WEBFILTERING-201106.pdf
FORTINET_WP-WEBFILTERING-201106.pdfFORTINET_WP-WEBFILTERING-201106.pdf
FORTINET_WP-WEBFILTERING-201106.pdf
 

Recently uploaded

Der Spagat zwischen BIAS und FAIRNESS (2024)
Der Spagat zwischen BIAS und FAIRNESS (2024)Der Spagat zwischen BIAS und FAIRNESS (2024)
Der Spagat zwischen BIAS und FAIRNESS (2024)OPEN KNOWLEDGE GmbH
 
Unveiling Design Patterns: A Visual Guide with UML Diagrams
Unveiling Design Patterns: A Visual Guide with UML DiagramsUnveiling Design Patterns: A Visual Guide with UML Diagrams
Unveiling Design Patterns: A Visual Guide with UML DiagramsAhmed Mohamed
 
What is Fashion PLM and Why Do You Need It
What is Fashion PLM and Why Do You Need ItWhat is Fashion PLM and Why Do You Need It
What is Fashion PLM and Why Do You Need ItWave PLM
 
Implementing Zero Trust strategy with Azure
Implementing Zero Trust strategy with AzureImplementing Zero Trust strategy with Azure
Implementing Zero Trust strategy with AzureDinusha Kumarasiri
 
EY_Graph Database Powered Sustainability
EY_Graph Database Powered SustainabilityEY_Graph Database Powered Sustainability
EY_Graph Database Powered SustainabilityNeo4j
 
Building Real-Time Data Pipelines: Stream & Batch Processing workshop Slide
Building Real-Time Data Pipelines: Stream & Batch Processing workshop SlideBuilding Real-Time Data Pipelines: Stream & Batch Processing workshop Slide
Building Real-Time Data Pipelines: Stream & Batch Processing workshop SlideChristina Lin
 
BATTLEFIELD ORM: TIPS, TACTICS AND STRATEGIES FOR CONQUERING YOUR DATABASE
BATTLEFIELD ORM: TIPS, TACTICS AND STRATEGIES FOR CONQUERING YOUR DATABASEBATTLEFIELD ORM: TIPS, TACTICS AND STRATEGIES FOR CONQUERING YOUR DATABASE
BATTLEFIELD ORM: TIPS, TACTICS AND STRATEGIES FOR CONQUERING YOUR DATABASEOrtus Solutions, Corp
 
React Server Component in Next.js by Hanief Utama
React Server Component in Next.js by Hanief UtamaReact Server Component in Next.js by Hanief Utama
React Server Component in Next.js by Hanief UtamaHanief Utama
 
Asset Management Software - Infographic
Asset Management Software - InfographicAsset Management Software - Infographic
Asset Management Software - InfographicHr365.us smith
 
Dealing with Cultural Dispersion — Stefano Lambiase — ICSE-SEIS 2024
Dealing with Cultural Dispersion — Stefano Lambiase — ICSE-SEIS 2024Dealing with Cultural Dispersion — Stefano Lambiase — ICSE-SEIS 2024
Dealing with Cultural Dispersion — Stefano Lambiase — ICSE-SEIS 2024StefanoLambiase
 
Advancing Engineering with AI through the Next Generation of Strategic Projec...
Advancing Engineering with AI through the Next Generation of Strategic Projec...Advancing Engineering with AI through the Next Generation of Strategic Projec...
Advancing Engineering with AI through the Next Generation of Strategic Projec...OnePlan Solutions
 
software engineering Chapter 5 System modeling.pptx
software engineering Chapter 5 System modeling.pptxsoftware engineering Chapter 5 System modeling.pptx
software engineering Chapter 5 System modeling.pptxnada99848
 
Intelligent Home Wi-Fi Solutions | ThinkPalm
Intelligent Home Wi-Fi Solutions | ThinkPalmIntelligent Home Wi-Fi Solutions | ThinkPalm
Intelligent Home Wi-Fi Solutions | ThinkPalmSujith Sukumaran
 
(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...
(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...
(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...gurkirankumar98700
 
Professional Resume Template for Software Developers
Professional Resume Template for Software DevelopersProfessional Resume Template for Software Developers
Professional Resume Template for Software DevelopersVinodh Ram
 
Automate your Kamailio Test Calls - Kamailio World 2024
Automate your Kamailio Test Calls - Kamailio World 2024Automate your Kamailio Test Calls - Kamailio World 2024
Automate your Kamailio Test Calls - Kamailio World 2024Andreas Granig
 
The Evolution of Karaoke From Analog to App.pdf
The Evolution of Karaoke From Analog to App.pdfThe Evolution of Karaoke From Analog to App.pdf
The Evolution of Karaoke From Analog to App.pdfPower Karaoke
 
ODSC - Batch to Stream workshop - integration of Apache Spark, Cassandra, Pos...
ODSC - Batch to Stream workshop - integration of Apache Spark, Cassandra, Pos...ODSC - Batch to Stream workshop - integration of Apache Spark, Cassandra, Pos...
ODSC - Batch to Stream workshop - integration of Apache Spark, Cassandra, Pos...Christina Lin
 
GOING AOT WITH GRAALVM – DEVOXX GREECE.pdf
GOING AOT WITH GRAALVM – DEVOXX GREECE.pdfGOING AOT WITH GRAALVM – DEVOXX GREECE.pdf
GOING AOT WITH GRAALVM – DEVOXX GREECE.pdfAlina Yurenko
 
Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...
Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...
Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...stazi3110
 

Recently uploaded (20)

Der Spagat zwischen BIAS und FAIRNESS (2024)
Der Spagat zwischen BIAS und FAIRNESS (2024)Der Spagat zwischen BIAS und FAIRNESS (2024)
Der Spagat zwischen BIAS und FAIRNESS (2024)
 
Unveiling Design Patterns: A Visual Guide with UML Diagrams
Unveiling Design Patterns: A Visual Guide with UML DiagramsUnveiling Design Patterns: A Visual Guide with UML Diagrams
Unveiling Design Patterns: A Visual Guide with UML Diagrams
 
What is Fashion PLM and Why Do You Need It
What is Fashion PLM and Why Do You Need ItWhat is Fashion PLM and Why Do You Need It
What is Fashion PLM and Why Do You Need It
 
Implementing Zero Trust strategy with Azure
Implementing Zero Trust strategy with AzureImplementing Zero Trust strategy with Azure
Implementing Zero Trust strategy with Azure
 
EY_Graph Database Powered Sustainability
EY_Graph Database Powered SustainabilityEY_Graph Database Powered Sustainability
EY_Graph Database Powered Sustainability
 
Building Real-Time Data Pipelines: Stream & Batch Processing workshop Slide
Building Real-Time Data Pipelines: Stream & Batch Processing workshop SlideBuilding Real-Time Data Pipelines: Stream & Batch Processing workshop Slide
Building Real-Time Data Pipelines: Stream & Batch Processing workshop Slide
 
BATTLEFIELD ORM: TIPS, TACTICS AND STRATEGIES FOR CONQUERING YOUR DATABASE
BATTLEFIELD ORM: TIPS, TACTICS AND STRATEGIES FOR CONQUERING YOUR DATABASEBATTLEFIELD ORM: TIPS, TACTICS AND STRATEGIES FOR CONQUERING YOUR DATABASE
BATTLEFIELD ORM: TIPS, TACTICS AND STRATEGIES FOR CONQUERING YOUR DATABASE
 
React Server Component in Next.js by Hanief Utama
React Server Component in Next.js by Hanief UtamaReact Server Component in Next.js by Hanief Utama
React Server Component in Next.js by Hanief Utama
 
Asset Management Software - Infographic
Asset Management Software - InfographicAsset Management Software - Infographic
Asset Management Software - Infographic
 
Dealing with Cultural Dispersion — Stefano Lambiase — ICSE-SEIS 2024
Dealing with Cultural Dispersion — Stefano Lambiase — ICSE-SEIS 2024Dealing with Cultural Dispersion — Stefano Lambiase — ICSE-SEIS 2024
Dealing with Cultural Dispersion — Stefano Lambiase — ICSE-SEIS 2024
 
Advancing Engineering with AI through the Next Generation of Strategic Projec...
Advancing Engineering with AI through the Next Generation of Strategic Projec...Advancing Engineering with AI through the Next Generation of Strategic Projec...
Advancing Engineering with AI through the Next Generation of Strategic Projec...
 
software engineering Chapter 5 System modeling.pptx
software engineering Chapter 5 System modeling.pptxsoftware engineering Chapter 5 System modeling.pptx
software engineering Chapter 5 System modeling.pptx
 
Intelligent Home Wi-Fi Solutions | ThinkPalm
Intelligent Home Wi-Fi Solutions | ThinkPalmIntelligent Home Wi-Fi Solutions | ThinkPalm
Intelligent Home Wi-Fi Solutions | ThinkPalm
 
(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...
(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...
(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...
 
Professional Resume Template for Software Developers
Professional Resume Template for Software DevelopersProfessional Resume Template for Software Developers
Professional Resume Template for Software Developers
 
Automate your Kamailio Test Calls - Kamailio World 2024
Automate your Kamailio Test Calls - Kamailio World 2024Automate your Kamailio Test Calls - Kamailio World 2024
Automate your Kamailio Test Calls - Kamailio World 2024
 
The Evolution of Karaoke From Analog to App.pdf
The Evolution of Karaoke From Analog to App.pdfThe Evolution of Karaoke From Analog to App.pdf
The Evolution of Karaoke From Analog to App.pdf
 
ODSC - Batch to Stream workshop - integration of Apache Spark, Cassandra, Pos...
ODSC - Batch to Stream workshop - integration of Apache Spark, Cassandra, Pos...ODSC - Batch to Stream workshop - integration of Apache Spark, Cassandra, Pos...
ODSC - Batch to Stream workshop - integration of Apache Spark, Cassandra, Pos...
 
GOING AOT WITH GRAALVM – DEVOXX GREECE.pdf
GOING AOT WITH GRAALVM – DEVOXX GREECE.pdfGOING AOT WITH GRAALVM – DEVOXX GREECE.pdf
GOING AOT WITH GRAALVM – DEVOXX GREECE.pdf
 
Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...
Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...
Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...
 

PCI DSS & Virtualization

  • 1. PCI DSS & Virtualization PCI DSS & Virtualization Top Risks and Mitigation Strategies you should be knowing W: www.vistainfosec.com | E:info@vistainfosec.com US Tel: +1-415-513-5261 | SG Tel: +65-3129-0397 | IN Tel: +91 73045 57744 An ISO27001 Certified Company, CERT-IN Empanelled, PCI QSA, PCI QPA USA. SINGAPORE. INDIA. UK. MIDDLE EAST. CANADA.
  • 2. Introduction PCI DSS & Virtualization Virtualization is a technology that has greatly ben- efited businesses around the globe. The technolo- gy has a significant impact on the modern IT land- scape and today plays a key role in the develop- ment and delivery of cloud computing solutions. However, the adoption of this advanced technolo- gy has major security implications on businesses today. The adoption of Virtualization has opened doors to a broad range of challenges for business- es in the industry. Especially, for organizations that are PCI regulated and required to comply with PCI DSS Standards, the challenges in this area only seem to grow. Virtualization is the most trending and highly discussed topic in the area of digital payments. The technology offers many benefits in terms of reliabili- ty, cost-efficiency, management, and scalability. However, these benefits come along with their share of challenges. Virtualized environments pose a huge security challenge for businesses. Addressing this issue the Pay- ment Card Industry Security Standards Council released PCI Data Security Standard Guidelines for Virtualization of System Components. With this, adapting virtualization for the Cardholder Data Environment (CDE) without appropriate evaluation and implementation of relevant measures may result in non-compliance. The PCI DSS Virtualization guidelines are designed to help merchants understand and mitigate the security risks in a virtual environment. With an increasing number of businesses adopting virtualization, it is essential that such system components comply with PCI DSS. The PCI DSS Virtualiza- tion Guideline focuses on the different classes of virtualization, and also suggests how virtual environment should be deployed to comply with PCI DSS. A cardholder data environment that relies on virtualization can be effectively secured by implementing operational and process-level securi- ty controls. That said, businesses must implement necessary information security controls during the planning, deployment, and maintenance phase to ensure compliance. For most businesses, security is clearly the top priority. More so, for PCI-regulated businesses, their security teams are expected to tackle sophis- ticated cyber-attacks and deal with the rapidly evolving IT infrastructure. So, clearly, with the increasing adoption of virtualization the funda- mental implications of security and sustaining compliance with PCI DSS is a major concern. Cover- ing top risks of virtualization and mitigation strate- gies, the article explains various PCI Compliance challenges and ways to tackle them. www.vistainfosec.com
  • 3. The PCI DSS Virtualization Guidelines focuses on four principles for virtualization to meet PCI Standards: • If virtualization technologies are used in a cardholder data envi ronment, PCI DSS requirements must be applied. • Virtualization technologies introduce new risks that may not be relevant to other technologies. • Businesses must perform thorough due diligence to identify and document their virtualized implementations, including all interactions with payment transaction processes. • Depending upon how virtualization is used and implemented, specific controls and procedures will vary for each environment. Organizations should consult experts before adopting the technology for their digital payment environment. Understanding the implications and risk involved is critical for achieving compliance. That said, given below are some of the security and compliance challenges of implementing Virtualization. Security and Compliance Challenges of Virtualized Environment Virtualization offers a range of benefits to businesses, enabling a great level of flexibili ty, efficiency, and scalability in their IT infrastructure. However, for organiza- tions that are required to manage and secure sensitive data, virtualized environments pose a host of challenges as mentioned below. 1. Vulnerabilities in the Physical Environment Apply in a Virtual Environment Physical threats and vulnerabilities also apply to virtual implementations. Similar to the attacks and vulnerabilities that exist in physical infrastructure, virtual systems and networks are also subject to the same vulnerabilities. So, for instance, applications that have configuration flaws or vulnerabilities will also have those in the virtual implementation when installed. Another good example of this would be a poorly configured virtual firewall that can expose systems to a range of internet-based attacks which is similar to the possible threats resulting due to the misconfiguration on a physi- cal firewall. So, the even most securely configured virtual systems and networks will still need implementation of physical security controls for the protection of hardware. For these reasons, hardware systems cannot be completely off guard when it comes to securing systems and infrastructure. 2. Hypervisor creates a new attack surface The hypervisor also known as Virtual Machine Monitor provides a single point of access into the virtual environment. So, misconfigura- tion of the hypervisor can result in security failure of all virtual ma- chines hosted on it. So, no matter how secure the individual virtual ma- chines or components may be configured, a compromised hypervisor can expose systems to risk and also unauthorized access to the sensi- tive virtual system. Further, the hypervisor may also create a new attack surface and open doors to direct attacks. Any vulnerabilities in hypervisor isolation technology, access controls, security hardening, and patching can result in attackers exploiting and gaining access to VMs. So, unless appropriately configured and access is restricted to least privilege, even a secure hypervisor can potentially be exploited. 3. Increased Complexity of Virtualized Systems and Networks Virtualization can encompass both systems and networks which may involve the transmission of data through the hypervisor, or even over virtual network connections or through virtual network security like virtual firewalls. While such configurations provide operational bene- fits, but it also increases the complexity of system/network www.vistainfosec.com
  • 4. functioning. That said, it will accordingly require additional security con- trols and complex policy management to ensure appropriate imple- mentation of security at each level. Increased complexity and added potential vulnerabilities in virtual operating systems and applications, may result in misconfiguration or creating new threat surface unfore- seen by the system designers. Such vulnerabilities could result in signifi- cant compromise across the entire virtual and physical environment as well. 4. More Than One Function per Physical System In the virtual environment compromise in even one virtual system func- tion could result in compromise of other functions on the same physi- cal system. Compromised Virtual Machines may use virtualization-layer communication mechanisms to launch attacks on other Virtual Ma- chines on the same host or even the hypervisor. So, these multiple func- tions hosted on one system increase the possible scope of compromise should an attacker gain physical access to the host system. While the Virtualization technology may mitigate the risk by segregation of differ- ent functions, yet one must consider the risk associated with locating multiple functions or components on a single physical system. The lower level security control can be easily com- promised resulting in opening doors to the high- er-risk and exposure to even sensitive Virtual Ma- chines on the same system. So technically hosting Virtual Machines of different security levels on the same hypervisor or host reduces the overall security for all components. With increased risks and configuration challenges, the security and risk level associated with each Virtual Machine function should be considered when designing the virtualized system. Further systems that store cardholder data require a higher security level than the ones having non-sensitive data stored. 6. Lack of Separation of Duties- In a virtualized environment having access to the hypervisor would mean gaining access to a broad range of systems, networks, and key infrastruc- ture components. This may include access to switches, firewalls, payment applications, log-aggregation servers, databases, etc. Such increased access to multiple virtual devices and functions from a single logical 5. Mixing VMs of Different Trust Levels There is always a huge risk of hosting multiple Virtual Machines with different levels of security on the same host. This needs careful evaluation because a Virtual Machine with a lower level of security controls can also impact the security of Virtual Machines with higher security controls. location or a user can result in a security collapse. This is why defining www.vistainfosec.com
  • 5. separate roles/duties is crucial in a virtual environment. But defining roles and maintaining separate authority for access can be very challeng- ing. For instance, having a separate role defined for network administra- tor and server administrator and having different access policies across the distributed virtualized environment can be very difficult. Here the risk of failing to appropriately define roles and access policies can result in a significant security compromise. 7. Dormant Virtual Machines Virtualized platforms often house dormant Virtual Machines that may no longer be in use. These dormant machines could however still have several sensitive data such as authentication credentials, encryption keys, or critical configuration information stored in them. Since the ma- chines are not in use they may often be overlooked and inadvertently left out of scope during the security procedures. Sensitive data captured in its dormant state results in unintentional storage and only gets discov- ered in an event of a data breach. Further, Inactive machines get neglect- ed and likely not be updated with the latest security patches, resulting in the system being exposed to known vulnerabilities and organizations unaware of the same. Such machines are also most likely to have not been included in the updated access policies and may also be excluded from security and monitoring procedures. Looking at this, it is clear that inactive Virtual Machines create a viable security threat. For these reasons it should be identified and tracked so appropriate security controls can be applied. 8. Virtual Machine Images and Snapshots Virtual Machine images and snapshots quickly deploy or restore virtual systems across multiple hosts within a short period. However, these VM images and snapshots may capture sensitive data present on the system at the time the image was taken, including contents of active memory. This could result in the inadvertent capture, storage, or even deployment of sensitive information through- out the environment. Moreover, if such images are not appropriately secured can result in modification, unauthorized access, and insertion of vulnerabilities or malicious code into the image. This could then further lead to deployment of vulnerabilities throughout the environment lead- ing to rapid compromise of multiple hosts. 9. Immaturity of Monitoring Solutions While virtualization offers benefits in terms of operational efficiency and management yet it falls short of technology and solutions for monitoring and logging virtual environment. The tools to monitor the virtual net- works, virtual firewalls, virtual compliance systems, etc. are not as mature as their physical counterparts. They do not provide the same level of insight or monitoring within intra-host communications or traffic flowing between Virtual Machines on a virtual network. Specialized tools for monitoring and logging virtual environments are required to capture the level of detail from multiple systems and network components, including hypervisors, management interfaces, virtual machines, host www.vistainfosec.com
  • 6. systems, and virtual appliances. 10. Information Leakage between Virtual Network Segments The potential risks of information leakage between logical network seg- ments should be understood when considering network virtualization. Information leakage at the data plane results in sensitive data existing outside of known locations, circumventing the data protection controls that would otherwise apply. Information leakage at the control plane or management plane can be exploited to enable information leakage at the data plane or to influence network routes and forwarding behavior to bypass network-based security controls. Ideally, virtualization capabili- ties at all three planes of operation in the network infrastructure should provide controls and features to secure the virtualized infrastructure at a level equivalent to individual physical devices. 11. Information Leakage between Virtual Components Information leakage between virtual networks can occur when there are multiple access granted for components on the same host. One compro- mised component can result in an attacker gaining access to other com- ponents in the same host. This can result in gaining access to sensitive information from multiple components and potentially leading to fur- ther compromise. Even a misconfigured hypervisor can lead to informa- tion leakage between hosted virtual components and networks. It is therefore essential that all physical resources such as memory, CPU, net- work, are isolated to prevent information leakage between Virtual Ma- chines and other components or networks on the same host. With this, the PCI Council has provided recommendations and standards for best practices to implement for the virtual environment to ensure PCI DSS Compliance and for risk mitigation. Given below are some of the recommendations outlined in the official guide. General Recommendations for Risk Mitigation 1. Evaluate risks associated with virtual technologies- Entities should first evaluate the risks concerning the implementation of virtual technology in their environment. The technology should be only deployed after considering all the pros and cons of virtual solutions and after defining a set of effective systems, applications, data, and environ- mental controls for the same. The risk evaluation and management should be accurately documented as part of this risk assessment pro- cess to ensure that all risk areas are identified and appropriately mitigat- ed. Risk Assessment should be an ongoing annual process for Virtual- ized environments and system components. 2. Understand the Impact of Virtualization to scope of the CDE Virtualization makes systems and network configurations complicated. Consolidating the environment into one or more physical hardware plat- forms makes it difficult to determine the boundaries or scope of the Cardholder Data Environment. For these reasons, the scope of PCI DSS across virtual components must be thoroughly evaluated, verified, and documented. The environment should be evaluated using the guidance provided in the Scope of Assessment for Compliance with PCI DSS Requirements. Designing virtualized components need careful attention and consideration, taking into account even components out of scope to meet the PCI DSS security requirements. This will provide a secure base- line for the entire virtual environment and also reduce the overall com- plexity and risk associated with managing multiple security profiles. It also lowers the additional effort required to maintain and validate com- pliance of the in-scope components. So, it is technically recommended that any part or components on a single hypervisor should be consid- ered in-scope to ensure tight security measures for the environment. www.vistainfosec.com
  • 7. nel should also be a part of a defense-in-depth approach to secure the virtual environment. Adopting a defense-in-depth approach that encom- passes preventive, detective, and responsive controls is the best prac- tice for securing data and other virtual systems and networks of an orga- nization. 5. Isolate Security Functions The security features for the virtual machine should be implemented the same way as for the physical environment. In fact, it is recommend- ed that the security requirement to be enforced for the virtualized system should be stringent, especially in a way that it complicates the efforts required by an attacker to compromise multiple Cardholder Data Environment system components. There should be multiple layers of security with the level of isolation between security functions in a way that they can be considered as being installed on separate machines. For instance security controls, processes controlling network segmenta- tion, and the log aggregation function that would detect tampering of network segmentation controls should not be combined and should implement each security function in isolation. This strengthens the defense against unknown threats and makes hacking complicated for the attacker. 3. Restrict Physical Access Hosting multiple components on one physical system could greatly increase the possibility of unauthorized access to that host system. Therefore physical access controls are essential in virtualized environ- ments to strengthen the security measures and mitigate the associated risks. Entities must consider the potential risk and impact of an unautho- rized or malicious individual gaining simultaneous access to all virtual machines, networks, security devices, applications, and hypervisors on a single host. It is also important to ensure all the unused physical inter- faces are disabled, and physical or console-level access is restricted and monitored. 4. Implement Defence in Depth Implementing defense-in-depth for a virtualized environment is crucial. Appropriate security controls should be identified and implemented in a virtualized environment that provides the same level and depth of security as in a physical environment. Entities must consider implement- ing security controls to each technical layer, including physical device, hypervisor, host platform, guest operating systems, VMs, perimeter net- work, intra-host network, application, and data layers. Further, physical controls, documented policies and procedures, and training of person www.vistainfosec.com
  • 8. 6. Enforce Least Privilege and Separation of Duties Entities should enforce limited access controls for administrative access to the hypervisor. This should be implemented depending on the level of risk exposure evaluated in the environment. Entities should consider implementing two-factor authentication or establish dual or split-con- trol of administrative passwords between multiple administrators. Fur- ther, access controls for both local and remote access to the hypervisor and management system should be periodically assessed. For every virtual component appropriate role-based access controls (RBAC) and separation of duties must be established to prevent unauthorized access to resources. Administrative privileges should also be appropri- ately segregated or it may result in undetected tampering and data loss. As a best practice, administrative access should be restricted based on specific virtual machine functions, virtual networks, hypervisor, hard- ware, application, and data storage. 7. Evaluate Hypervisor Technologies Testing the security of the hypervisor before deployment is highly rec- ommended. There should also be appropriate patch management and other security controls in place to respond to threats and exploits. Enti- ties must identify and implement technologies that facilitate strong secu- rity practices as not all hypervisors or virtual machine management have the functionality to support appropriate security controls. 8. Harden the Hypervisor Hypervisor platforms should be deployed in a secure manner adopting the industry-d best practices and security guidelines. Careful manage- ment of virtual system configurations, patching, and change-control pro- cesses are essential to ensure that all hypervisor changes are moni- tored, authorized, fully tested, and carefully controlled. Due to the poten- tial severity of a hypervisor compromise, patches, and other mitigating www.vistainfosec.com
  • 9. • Removal of unnecessary interfaces, ports, devices, and services, • Ensure secure configuration of all virtual network interfaces and storage areas. • Limit the usage on virtual machines, and ensure hardening of operating systems and applications in a virtual machine. • Send logs to separate, secured storage as close to real-time • Validate the integrity of the cryptographic key-management operations; • Harden individual virtual hardware and containers; • Other security controls as applicable. controls should be deployed as soon as possible whenever new security vulnerabilities are discovered and include immediate testing for the vulnerability to confirm the risk has been addressed. Because the hypervisor represents a single point of failure, an unauthorized or malicious modification could threaten the integrity of all hosted sys- tems in the environment. Other additional controls recommended for the hypervisor and significant management tools include implement- ing restricted administrative functions, multi-factor authentication for all administrative functions, separate administrative functions, monitor audit logs to identify suspicious activities, separate duties 10. Define Appropriate Use of Management Tools Management tools allow administrators to perform system back-up, restore, remote connectivity, migration, and configuration changes to virtual systems. Since Management tools directly impact the security and functioning of the in-scope compo- nents they should also be considered in scope. More- over, entities should enforce limited access to management tools based on the job requirement. Segregation of roles and responsibilities is highly recommended for management tool functions, and the use of management tools should be regularly monitored and logged for enhanced security. 11. Recognize the Dynamic Nature of Virtual Machines for administrative functions, and verify securi- ty control solution support virtualization to minimize the risk of compromise to the hyper- visor. 9. Harden Virtual Machines & Other Components Every virtual machine must be installed and configured securely in accordance with the industry best practices and security guide- lines. The recommendations provided for hardening the hypervisor are also applicable to all virtual machines and components. Fur- ther, every security control implementations should be evaluated individually to confirm. Virtual Machines are data that can reside in an active state on a hypervisor or in a dormant state. Dormant VMs may possi- bly contain sensitive information and other virtual device con- figuration details. So implementing measures for access to dormant VMs should therefore be restricted, monitored, and carefully controlled. Inactive VMs should be secured equally with the same level of sensitivity and have the same safeguards as any other cardholder data store. Further, entities should evaluate migration paths of inactive VMs, take backups of VMs (active VMs, and inactive VMs) and securely delete the data when no longer needed. Implementing an effective change-management, monitoring, and alerting processes is essential www.vistainfosec.com
  • 10. to ensure only authorized VM’s are added to and removed from the envi- ronment, and all related activities are recorded and monitored. 12. Evaluate Virtualized Network Security Features Effective security measures at the data plane, control plane, and manage- ment plane should be implemented for any deployment of virtualized network infrastructure. This minimizes the possibility of direct and indi- rect vulnerability impact on all three operational planes and compromise of the virtual network devices. It is important to ensure that the underly- ing physical components are adequately isolated and secured leaving no scope or path between virtual network devices for vulnerabilities to per- colate. Entities must maintain security isolation between virtualized net- work devices in a way that virtual systems are treated as separate hard- ware. Every virtualized device should have independent access-con- trolled configurations. Further, the audit trails for virtual infrastructures should be detailed in a way that facilitates the identification of access and activities performed on every virtual component. Not just that, the access controls implemented should be the least privilege for each device and across the entire platform. 13. Clearly define all Hosted Virtual Services In cases where entities use shared hosting where the service providers virtualize their offerings, provisioning separate workloads to customers rather than provisioning separate physical systems, the entities should ensure there is an enforcement of administrative, process, and technical segmentation to isolate every hosted entity’s environment. This isolation should include the implementation of all PCI DSS controls, including but not limited to segmented authentication, network and access controls, encryption, and logging. It is also critical to ensure that all responsibilities for maintaining controls that could affect the security or integrity of sensi- tive data or that could impact the entity’s PCI DSS compliance should be well-defined and documented in a formal agreement. www.vistainfosec.com
  • 11. Conclusion Entities need to understand that there is no specific solution for securing data in a virtualized environment. However, as outlined in the PCI DSS standard guidelines, it is a mandate to implement all the 12 require- ments including the use of firewalls, encryption, prohibition of direct public access to the Internet, system hardening, deploying antivirus, and two-factor authentication for remote access, logging, and intrusion-pre- vention systems in the virtual and cloud environments. Neglecting these requirements will result in heavy penalties such as fines, increased trans- action fees, or even losing the right to access a payment card network’s resources. The process may seem quite complicated for entities to imple- ment PCI compliance in a virtual environment. So, it is highly recom- mended that entities obtain professional guidance to make it a has- sle-free process. An experienced professional can perform a PCI gap assessment that addresses specific requirements for application, net- work, physical, and database compliance and accordingly guide entities in implementing security measures and achieve PCI compliance for virtu- al and cloud environment. 14. Understand the technology Virtualized environments are very different from the traditional physical environment. So entities must understand the virtualiza- tion technology to effectively evaluate and secure their environ- ment. Entities must also be aware of the industry best practice and guidelines for securing virtualized environments. Entities must take guidance from insightful resources and publication like The Center for Internet Security (CIS), International Organization for Standardization (ISO), ISACA (formerly the Information Sys- tems Audit and Control Association), National Institute of Stan- dards Technology (NIST), SysAdmin Audit Network Security (SANS) Institute to name a few for effective implementation of security controls and standards. www.vistainfosec.com
  • 12. VISTA lnfoSec is a Global Cyber Security Consulting firm offering exceptional Cyber Security Consulting & Audit Service, Regulatory & Compliance Consulting Services and Infrastructure Advisory Solu- tions. With strong industrial presence since 2004, we have been serving clients from across the world with our robust, end-to-end security services and solutions. We are a 100% vendor neutral company with strict no out- sourcing policy and built on our core values of strict code of ethics, transparency and professionalism. About Us www.vistainfosec.com
  • 13. OUR SERVICES OFFERINGS www.vistainfosec.com Compliance & Governance • SOC 1 Consulting & Audit • SOC 2 Consulting & Audit • PCI DSS Advisory and Certification • PCI PIN Advisory and Certification • PA SSF Advisory and Certification • ISO 27001 Advisory and Certification • • ISO 20000 Advisory and Certification Business Continuity Management (ISO22301) • Cloud Risk CCM / CStar / ISO27017 • lnformation Security Audit • Software License Audit • ATM Security Assessment Regulatory And Compliance • GDPR Consulting and Audit • HIPAA Consulting and Audit • CCPA Consulting and Audit • NESA Consulting and Audit • MAS-TRM Consulting and Audit • NCA ECC Compliance • SAMA Compliance Managed Service • Adaptive Security Managment Pro gram • DPO Consultancy Services • CISO Advisory • Managed Compliance Services • Managed Security Services IT Audit & Advisory • Infrastructure Audit • Infrastructure Design & Advisory • Datacenter Design & Consultancy Services Training & Skill Development • Training & Skill Development Technical Assessment • Vulnerability Assessment • Penetration Testing • Web App Security Assessment • Mobile Security Assessment • Thick Client Application Security Assessment • Virtualization Risk Assessment • Secure Configuration Assessment • Source Code Review
  • 14. OUR OFFICES SINGAPORE INDIA UK USA VISTA INFOSEC LLC 24007 VENTURA BLVD SUITE 285 CALABASAS CA 91302 +1-415-513-5261 USSALES@VISTAINFOSEC.COM SGSALES@VISTAINFOSEC.COM SALES@VISTAINFOSEC.COM UKSALES@VISTAINFOSEC.COM VISTA INFOS EC PTE. LTD 20 COLLYER QUAY #09-01 20 COLLYER QUAY SINGAPORE (049319) VISTA INFOSEC PVT. LTD 001, NORTH WING, 2ND FLOOR, NEOSHINE HOUSE, LINK ROAD, ANDHERI (W) MUMBAI - 400053 6 AMBER COURT GOLDSMITH CLOSE HARROW, GREATER LONDON UNITED KINGDOM HA20EZ +65-3129-0397 +91 99872 44769 +447405816761 +91-22-26300683 www.vistainfosec.com
  • 15. CONTACT US US Tel: +1-415-513-5261 | SG Tel: +65-3129-0397 | IN Tel: +91 73045 57744 W: www.vistainfosec.com| E: info@vistainfosec.com You can reach us on Top Risks and Mitigation Webinar : PCI DSS & Virtualization