Standards & Compliance
Niranjana S. Karandikar, MSc II, Sem 4
Contents
- Introduction
- Need
- Standards
- Compliance
- PCI DSS and Virtualization
- Risks in Virtual Environments
- PCI DSS Requirements
Virtualization
- Logical abstraction of computing resources
- Workload equivalent to that of a physical machine
- Exposed to the same threats as a physical machine
Need
- Increased use of VMs
- VMs are movable
- Handling of sensitive data
- Single point of compromise
Standards
- DMTF (Distributed Management Task Force)
- OVF (Open Virtualization Format)
- VMAN (Virtualization Management)
DMTF
2007
"... simplify and provide ease-of-use for the virtual environment by creating an industry standard for system virtualization management." - Winston Bumpus, President, DMTF
DMTF announced the availability of the OVF standard for delivering VMs, and of the new VMAN.
OVF
- Virtualization platform-independent
- Supports a full range of current virtual hard disks and is extensible to deal with future formats
- Not reliant on the use of any specific host platform, virtualization platform, or guest operating system
- OVF is a portable format that allows deployment on any supporting hypervisor
VMAN
The management lifecycle of a virtual environment is addressed in DMTF's VMAN.
Standardized approach to VM:
- Deployment
- Discovery and inventory
- Lifecycle management
- Creation, deletion, and modification
- Health and performance monitoring
Compliance
The ability to act according to an order, set of rules or request.
E.g.: ISO, SOX, HIPAA
PCI DSS
- A set of comprehensive requirements for enhancing payment account data security.
- Developed by the founding payment brands of the PCI SSC, including American Express, Discover Financial Services, JCB International, MasterCard Worldwide, and Visa Inc. International.
- Intended to help facilitate the broad adoption of consistent data security measures on a global basis.
Contd.
PCI DSS is a group of principles and
PRINCIPLES
a. If virtualization technologies are used in a
CONTD.
6. Develop and maintain secure systems and applications.
7. Restrict access to cardholder data by business need to know.
8. Assign a unique ID to each person with computer access.
9. Restrict physical access to cardholder data.
10. Track and monitor all access to network resources and cardholder data.
CONTD.
11. Regularly test security systems and processes.
12. Maintain a policy that addresses information security for all personnel.
Requirement A.1: Shared hosting providers must protect the CDE (cardholder data environment).