
PCI DSS Virtualization Guide. Part 1

Standard: PCI Data Security Standard (PCI DSS)
Version: 2.0
Date: June 2011
Posted by: Virtualization Task Force PCI Security Standards Council
More Information: PCI DSS Virtualization Guide

PCI DSS Virtualization Guide. Part 2
PCI DSS Virtualization Guide. Part 3

1. Introduction

Virtualization separates applications, computers, machines, networks, data and services from their physical constraints. Virtualization is an evolving concept encompassing a wide range of technologies, tools and techniques that can bring significant operational benefits to organizations that adopt it. As with any evolving technology, however, the risks also continue to evolve, and they are often less clear than the risks associated with more traditional technologies.
The purpose of this document is to provide guidance on the use of virtualization in accordance with the Payment Card Industry Data Security Standard (PCI DSS). For the purposes of this document, all references are to PCI DSS version 2.0.
There are four simple principles associated with the use of virtualization in cardholder data environments:

1.1 Target audience

This white paper is intended for merchants and service providers who use or are considering using virtualization technologies in their cardholder data environment (CDE). It may also be useful for assessors who evaluate virtualized environments as part of a PCI DSS assessment.
Note: This document assumes a basic understanding of virtualization, its technologies and principles. An understanding of the architecture of the virtualization technology in use is required to evaluate technical controls in virtualized environments, since the nature of these environments, especially in the areas of process isolation and virtual networking, can differ significantly from traditional physical environments.

1.2 Scope

This document contains additional guidance on the use of virtualization technologies in cardholder data environments and does not replace the PCI DSS requirements. For specific criteria and audit requirements, virtualized environments should be evaluated against the criteria set out in PCI DSS.
This document is not intended as an endorsement of any particular technology, product or service, but rather as an acknowledgment that these technologies exist and may have an impact on the security of payment card data.

2. Virtualization Overview

2.1 Concept and Types of Virtualization

Virtualization is the logical abstraction of computing resources from their physical constraints. One common abstraction is called a “virtual machine” or VM, which takes the contents of a physical machine and allows it to run on different physical hardware and/or alongside other virtual machines on the same physical hardware. Beyond VMs, virtualization can be applied to many other computing resources, including operating systems, networks, memory and storage systems.
The term “workload” is increasingly used as a generic term for virtual resources. A virtual machine, for example, is one type of workload. While virtual machines are today the dominant way of using virtualization technology, there are a number of other workloads, including application, desktop, network and storage virtualization models. The following types of virtualization are the focus of this document.

2.1.1 Operating System
Operating system (OS) virtualization is typically used to take the resources running under an OS on a single physical server and divide them into several smaller partitions, such as virtual environments, VPS, zones and so on. In this scenario all partitions share the kernel of the same OS, but they can run different libraries, distributions and so on.
Similarly, application virtualization separates individual application instances from the underlying operating system, providing a discrete application working environment for each user.

2.1.2 Hardware / Platform
Hardware virtualization is achieved through hardware partitioning or hypervisor technology. The hypervisor mediates access to the hardware for the VMs running on a physical platform. There are two types of hypervisor:
  • Type 1 hypervisor (also known as native or bare metal): a piece of software or firmware that runs directly on the hardware and is responsible for coordinating access to hardware resources, as well as hosting and managing the VMs.
  • Type 2 hypervisor (also known as "hosted"): runs as an application on an existing operating system. This type of hypervisor emulates the physical resources needed by each virtual machine and is treated by the host OS as just another application.

2.1.3 Network
Network virtualization separates logical networks from physical ones. For almost every type of physical network component (for example, switches, routers, firewalls, intrusion prevention systems, load balancers, etc.) there is a logical counterpart available as a virtual appliance.
Unlike stand-alone hosts (for example, a server, a workstation or another type of system), network devices operate in the following logical “planes”:
  • Data plane: forwards message data between nodes on the network.
  • Control plane: manages traffic, network information and routing information, including communication between network devices about network topology, state and routing.
  • Management plane: handles messages addressed to the device itself for device management purposes (for example, configuration, monitoring and maintenance).

2.1.4 Data Storage
Virtualized storage is the combination of several physical storage devices on a network, presented as a single storage device. This consolidation is typically used in storage area networks (SAN).
One advantage of virtual storage is that the complexity of the storage infrastructure is hidden from users. However, it also poses a significant challenge for organizations that need to document and manage their data stores, since a given data set may be held in several locations at the same time.

2.1.5 Memory
Memory virtualization consists of consolidating physical memory from several separate systems to create a virtualized memory pool, which is then shared between system components.
As with virtualized storage, combining several physical memory resources into one virtual resource can add complexity when it comes to mapping and documenting the location of data.

2.2 Virtual System Components and Scoping Guide
This section describes some of the more common virtual abstractions or components of a virtual system that may be present in a variety of virtual environments, and provides scoping guidance for each of them.
Note that the scoping guidance in this section is additional to the basic principle that PCI DSS applies to all system components, including virtualized ones, that are included in or connected to the cardholder data environment. Whether a particular virtual system component is in scope will depend on the specific technology and how it is implemented in the environment.

2.2.1 Hypervisor
A hypervisor is software or firmware that is responsible for hosting and managing virtual machines. The hypervisor system component may also include a virtual machine monitor (VMM). The VMM is a software component that implements and manages the VM hardware abstraction and can be viewed as the management function of the hypervisor platform. The VMM manages the system processor, memory and other resources in order to allocate what the OS of each VM (also known as the “guest”) requires. In some cases it provides this functionality in combination with hardware virtualization technology.
Scope: If any virtual component connected to (or hosted on) the hypervisor is in PCI DSS scope, the hypervisor itself will always be in scope. For additional guidance on having both in-scope and out-of-scope VMs on the same hypervisor, see section 4.2 Recommendations for mixed-mode environments.

Note: The term “mixed mode” refers to a virtualization configuration in which both in-scope and out-of-scope virtual components run on the same hypervisor or host.

2.2.2 Virtual Machine
A virtual machine (VM) is a self-contained operating environment that behaves like a separate computer. It is also known as a guest and runs on the hypervisor.
Scope: An entire VM will be in scope if it stores, processes or transmits cardholder data, or if it connects to or provides an entry point into the CDE. If a VM is in scope, the underlying host system and hypervisor will also be in scope, since they are directly connected to the VM and have a fundamental impact on its functionality and security.

2.2.3 Virtual Appliance
A virtual appliance can be described as a packaged software image intended to run inside a virtual machine. Each virtual appliance performs a specific function and usually consists of basic operating system components and a single application. Physical network devices such as routers, switches or firewalls can be virtualized and run as virtual appliances.
A virtual security appliance (VSA or SVA) is a virtual appliance consisting of a hardened operating system and a single security application. VSAs typically have a higher level of trust than regular virtual appliances (VAs), including privileged access to the hypervisor and other resources. In order to perform its system and network management functions, a VSA usually has increased visibility into the hypervisor and into any of the virtual networks running on the hypervisor. Some VSA solutions can plug directly into the hypervisor, providing additional security for the entire platform. Examples of physical systems that have virtual appliance equivalents include firewalls, IPS/IDS and anti-virus software.
Scope: Virtual appliances used to connect to, or to provide services to, in-scope system components are also considered to be in scope. Any VSA/SVA that may affect the CDE will also be in scope.

2.2.4 Virtual Switch or Router
A virtual switch or router is a software component that provides routing and switching functionality at the network level. A virtual switch is often an integral part of the virtualized server platform, for example as a driver, module or plug-in to the hypervisor. A virtual router can be deployed as a separate virtual appliance or as a component of a physical device. Additionally, virtual switches and routers can be used to provide multiple logical network devices from a single physical platform.
Scope: Networks configured on a hypervisor-based virtual switch will be in scope if they have an in-scope component, or if they provide services to or are connected to an in-scope component. Physical devices hosting virtual switches or routers will be considered in scope if any of the hosted components are connected to an in-scope network.

2.2.5 Virtual Applications and Desktops
Individual applications and desktop environments can also be virtualized to provide end-user functionality. Virtual applications and desktops are usually hosted in central locations and accessed through a remote desktop interface. Virtual desktops can be configured to allow access from several types of device, including thin clients and mobile devices, and can run using local or remote computing resources. Virtual applications and desktops may be present at the point of sale, in customer service, and in other forms of interaction within the payment chain.
Scope: Virtual applications and desktops will be in scope if they are involved in processing, storing or transmitting cardholder data, or provide access to the CDE. If a virtual application or desktop is located on the same physical host or hypervisor as an in-scope component, the virtual application/desktop will also be in scope unless adequate segmentation is applied that isolates all in-scope components from out-of-scope ones. For additional guidance on having both in-scope and out-of-scope components on the same host or hypervisor, see section 4.2 Recommendations for mixed-mode environments.
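The scoping rules in sections 2.2.1 to 2.2.5 can be applied mechanically to a component inventory. The following added example (not part of the guide) models them as scope propagation over a constructed inventory: components that handle cardholder data seed the scope; hosts of in-scope guests, networks and appliances connected to in-scope components, and unsegmented components sharing a hypervisor with an in-scope one are pulled in. The co-hosting rule is generalized here from desktops to any guest, in line with the mixed-mode reference to section 4.2; the component names and relationship fields are assumptions.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Set

@dataclass
class Component:
    """One virtual system component in a constructed inventory."""
    kind: str                                 # vm, hypervisor, vswitch, desktop, vsa
    handles_chd: bool = False                 # stores, processes or transmits CHD
    hosted_on: Optional[str] = None           # hypervisor or host it runs on
    connected_to: Set[str] = field(default_factory=set)  # network-level links
    segmented: bool = False                   # adequately isolated from in-scope guests

def in_scope(inv: Dict[str, Component]) -> Set[str]:
    """Propagate PCI DSS scope over the inventory until nothing changes."""
    scope = {n for n, c in inv.items() if c.handles_chd}
    changed = True
    while changed:
        changed = False
        for name, c in inv.items():
            if name in scope:
                continue
            # 2.2.1 / 2.2.2: host or hypervisor of an in-scope guest is in scope
            hosts_in_scope = any(inv[s].hosted_on == name for s in scope)
            # 2.2.3 / 2.2.4: connects to or provides services to an in-scope component
            linked = bool(c.connected_to & scope) or any(
                name in inv[s].connected_to for s in scope)
            # 2.2.5 / 4.2 (mixed mode): shares a hypervisor and is not segmented
            shares_host = (c.hosted_on is not None and not c.segmented and
                           any(inv[s].hosted_on == c.hosted_on for s in scope))
            if hosts_in_scope or linked or shares_host:
                scope.add(name)
                changed = True
    return scope

def example_inventory() -> Dict[str, Component]:
    """Constructed sample: one mixed-mode hypervisor (hv1) and one untouched (hv2)."""
    return {
        "hv1": Component("hypervisor"),
        "pos-vm": Component("vm", handles_chd=True, hosted_on="hv1"),
        "vswitch-a": Component("vswitch", hosted_on="hv1", connected_to={"pos-vm"}),
        "hr-vm": Component("vm", hosted_on="hv1"),                   # co-hosted, unsegmented
        "dev-vm": Component("vm", hosted_on="hv1", segmented=True),  # co-hosted, segmented
        "hv2": Component("hypervisor"),
        "build-vm": Component("vm", hosted_on="hv2"),
    }

if __name__ == "__main__":
    print(sorted(in_scope(example_inventory())))
```

Whether segmentation is "adequate" is an assessor's judgement, so the `segmented` flag should only be set after the isolation has actually been verified.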

2.2.6 Cloud Computing

Cloud computing is a rapidly evolving use of virtualization that delivers computing resources as a service or utility through public, semi-public or private infrastructures. Cloud service offerings are typically delivered from a pool or cluster of connected systems and provide service-based access to shared computing resources for multiple users, organizations or tenants.
Scope: The use of cloud computing raises a number of challenges that need to be considered when defining scope. Organizations planning to use cloud computing for their PCI DSS environments must first ensure that they clearly understand the details of the services offered, and must carry out a thorough risk assessment for each service. In addition, as with any managed service, it is essential that the organization and the provider clearly define and document the responsibilities assigned to each party for maintaining PCI DSS requirements and any other controls that may affect the security of cardholder data.
The cloud service provider must clearly identify which PCI DSS requirements, system components and services are covered by its PCI DSS compliance program. Any aspects of the service that are not covered by the cloud provider should be identified and clearly documented in the service agreement as the responsibility of the hosted organization, together with the associated system components and PCI DSS requirements. The cloud service provider must provide sufficient evidence and assurance that all processes and components under its control comply with PCI DSS requirements.
For additional guidance on using cloud environments, see section 4.3 Recommendations for Cloud Computing Environments.

Source: https://habr.com/ru/post/230965/

