Industry Brief: Virtualization Trends

Ensuring Security for Virtual Server Infrastructure

The trend toward virtualization of IT infrastructure has been primarily focused on enterprise servers, especially in data centers where the resulting efficiencies represent significant cost savings for IT organizations. Because virtualization adds layers of technology, it also necessitates changes in security management. Virtualization introduces a new level of complexity for information security teams, which are responsible for hardening virtual systems while also supporting increased density and dynamic provisioning.

The importance of security in such environments cannot be overstated. Data protection on server infrastructure has been a top IT priority for some time, because it is on servers that significant data breaches are most likely to occur. In fact, 98 percent of compromised records are exposed on servers and online applications.¹

Even as virtualization adds infrastructure layers, information security best practices remain conceptually the same. “In general, organizations should have the same security controls in place for the virtualized operating systems as they have for the same operating systems running directly on hardware,” according to a recent report from the National Institute of Standards and Technology (NIST).² The NIST report recommends that organizations secure virtual systems “based on sound security practices, such as keeping software up-to-date with security patches, using secure configuration baselines, and using host-based firewalls, antivirus software, or other appropriate mechanisms to detect and stop attacks.”³

In effect, Information Security must complete the same checklist of protections for virtual systems as for physical infrastructure. In addition, consideration should also be given to adapting best practices to any unique requirements potentially introduced by the dynamic nature of the virtual server environment.

New PCI Virtualization Guidelines

Another factor driving secure virtualization is the increasing pressure from regulatory requirements to demonstrate effective protection of server infrastructures that house critical data and applications. A good example of how security standards are affecting virtualization efforts is a guidance paper recently published by the Payment Card Industry Security Standards Council (PCI SSC).⁴ Authored by a PCI special interest group consisting of more than 30 companies, including merchants, vendors, and Qualified Security Assessors (QSAs), the paper addresses the security implications of virtualization and maps them against the 12 main requirements of the PCI Data Security Standard (PCI DSS), indicating what actions should constitute best practice for each of the requirements.⁵

The PCI guidelines for the use of virtualization in cardholder data environments are based on the following four principles:

a. If virtualization technologies are used in a cardholder data environment, PCI DSS requirements apply to those virtualization technologies.
b. Virtualization technology introduces new risks that may not be relevant to other technologies, and that must be assessed when adopting virtualization in cardholder data environments.
c. Implementations of virtual technologies can vary greatly, and entities will need to perform a thorough discovery to identify and document the unique characteristics of their particular virtualized implementation, including all interactions with payment transaction processes and payment card data.
d. There is no one-size-fits-all method or solution to configure virtualized environments to meet PCI DSS requirements. Specific controls and procedures will vary for each environment, according to how virtualization is used and implemented.⁶

NIST Secure Virtual System Checklist
1. Keep up-to-date with security patches
2. Use secure configuration baselines
3. Use host-based firewalls, antivirus software, or other mechanisms to detect and stop attacks

¹ 2010 Verizon Breach Investigations Report.
² Karen Scarfone, Murugiah Souppaya, and Paul Hoffman, “Guide to Security for Full Virtualization Technologies,” National Institute of Standards and Technology (NIST), U.S. Department of Commerce, January 2011, 4-1.
³ NIST, op. cit., ES-1.
⁴ PCI Security Standards Council, PCI DSS Virtualization Guidelines, June 2011.
⁵ Ron Condon, PCI virtualisation: With new guidelines, compliance may be harder, SearchSecurity.co.uk, 14 June 2011.
⁶ PCI Security Standards Council, op. cit.

Symantec Corporation

The new PCI guidelines hold several important implications for organizations that handle cardholder data. First, virtualization adds a dynamic dimension to the traditional best practices commonly used in physical infrastructures. Since there is no “one-size-fits-all” approach, organizations will require adaptive solutions that can accommodate different configurations of virtual infrastructure at various points along the adoption curve. The guidelines conclude with a recommendation that all virtualization components, even those considered to be out-of-scope, be designed to meet PCI DSS security requirements, because exposure of one virtual machine (VM) on a host system could lead to the compromise of other VMs on the same host. Although they do not change the standard, the new guidelines will help organizations ensure that the standard is enforced.

Secure Virtualization and Private Cloud Computing

Cloud computing is a way to provide scalable, elastic IT capabilities as services using Internet technologies. The cloud computing model enables organizations to consume software, platform, and infrastructure resources as services and avoid the licensing, consulting, and administrative costs associated with on-premise implementations. While some organizations adopt public cloud services available from cloud computing vendors on a multi-tenancy basis, many opt to develop their own private cloud services in order to reduce total cost of ownership while minimizing risks to data. Private cloud implementations generally involve virtualization and, therefore, require modern, adaptive approaches to security and compliance of virtual server infrastructures.

Cloud-based service enablement calls for granular control over the hardening of virtual systems using appropriate policy profiling. To ensure the ongoing integrity and availability of virtual servers, policies should be designed to enforce the following constraints:

• Limit cloud services to only those services required to support a given system’s function
• Limit user accounts and privilege escalations
• Control rogue behaviors such as file and configuration changes
• Constrain data mobility by monitoring data files
• Mitigate vulnerabilities due to inconsistent patch management

Only by ensuring the security of private cloud infrastructure can organizations realize the benefits in terms of cost efficiency.

Requirements for Virtualized Server Security

In extending protection to virtualized server infrastructures, IT Security faces a number of challenges, including management of administrator access, inbound and outbound communications, interactions between systems, and maintaining patch levels and configuration standards. To adapt to the unique variables introduced by virtualization, policies and controls must be modernized. In implementing such modernization, the following capabilities should be considered.

Monitor system behaviors. Virtual machines should be regularly monitored to discover potential vulnerabilities. Are there services on a particular VM that should not be running? Has a VM been moved such that it now has the ability to communicate with new workloads subject to different policy requirements, like PCI audit? Can removable media be attached to the VM through a USB port to extract data or introduce malware?

Control application and system services. It is necessary to see which applications are running on VMs and ensure that only appropriate apps are available on any given VM. Controls should include monitoring, alerts, and preventing executables from running as appropriate.

Reduce the scope of virtual system interactions. In cases where multiple VMs coexist on a single host, new VMs may gain access to data or applications that should be off-limits. Central visibility across heterogeneous, hybrid environments is necessary to accurately oversee behaviors and activities.

Protect file systems. Organizations should conduct policy-based monitoring of all file systems on VMs, including applications, directories, and registry keys. It is common practice for hackers to change registry keys to cover their tracks. When that happens, the protection systems should generate an alert and, if necessary, lock down the file to prevent changes.

Maintain OS integrity. Check to see if any changes have been made to an OS that do not conform with configuration or patch standards. Real-time monitoring of VMs between patch windows can mitigate vulnerabilities and prevent malware from executing.

Monitor and restrict privileged user access. Privileged users of business-critical applications on VMs should be monitored to ensure that their behavior and activities are within the scope of requisite permissions and do not in any way jeopardize security or compliance posture.

IT Virtual Server Security Challenges
• Management of administration access
• Inbound and outbound communications
• Interactions between systems
• Maintaining patch levels and configuration standards
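
The "Monitor system behaviors" and "Reduce the scope of virtual system interactions" capabilities, together with the PCI recommendation about VMs sharing a host, can be checked mechanically against an inventory snapshot. The following is an added example, not part of the original brief or of any Symantec product; the inventory fields, role names, host names and allowlist are constructed assumptions.

```python
from collections import defaultdict

# Hypothetical policy: services each VM role is permitted to run.
ALLOWED_SERVICES = {
    "web": {"sshd", "nginx"},
    "db": {"sshd", "postgres"},
    "build": {"sshd", "jenkins"},
}

# Constructed inventory snapshot; field names are assumptions, not a product schema.
INVENTORY = [
    {"vm": "web-01", "role": "web", "host": "esx-a", "pci_scope": True,
     "pci_hardened": True, "services": {"sshd", "nginx"}},
    {"vm": "db-01", "role": "db", "host": "esx-a", "pci_scope": True,
     "pci_hardened": True, "services": {"sshd", "postgres", "telnetd"}},
    {"vm": "build-07", "role": "build", "host": "esx-a", "pci_scope": False,
     "pci_hardened": False, "services": {"sshd", "jenkins"}},
    {"vm": "web-02", "role": "web", "host": "esx-b", "pci_scope": False,
     "pci_hardened": False, "services": {"sshd", "nginx"}},
]


def unexpected_services(inventory, allowed):
    """Return {vm: sorted services running outside the role's allowlist}."""
    findings = {}
    for vm in inventory:
        # An unknown role has an empty allowlist, so everything it runs is flagged.
        extra = vm["services"] - allowed.get(vm["role"], set())
        if extra:
            findings[vm["vm"]] = sorted(extra)
    return findings


def co_residency_violations(inventory):
    """Return {host: unhardened VMs sharing that host with PCI in-scope VMs}."""
    by_host = defaultdict(list)
    for vm in inventory:
        by_host[vm["host"]].append(vm)
    findings = {}
    for host, vms in by_host.items():
        if any(v["pci_scope"] for v in vms):
            weak = sorted(v["vm"] for v in vms if not v["pci_hardened"])
            if weak:
                findings[host] = weak
    return findings


if __name__ == "__main__":
    print("unexpected services:", unexpected_services(INVENTORY, ALLOWED_SERVICES))
    print("co-residency violations:", co_residency_violations(INVENTORY))
```

Re-running the co-residency check after every VM migration catches the case the brief describes, where a moved VM lands beside workloads subject to different policy requirements.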