
Virtualization Standards & Compliance

Niranjana S. Karandikar
MSc II, Sem 4

Contents
Introduction
Need
Standards
Compliance
PCI DSS and Virtualization
Risks in Virtual Environments
PCI DSS Requirements

Virtualization
Logical abstraction of computing resources
Workload equivalent to that of a physical machine
Same threats as a physical machine apply

Need
Increased use of VMs
VMs are movable
Handling of sensitive data
Single point of compromise

Standards
DMTF (Distributed Management Task Force)
OVF (Open Virtualization Format)
VMAN (Virtualization Management)

DMTF
2007
"Simplify and provide ease-of-use for the virtual environment by creating an industry standard for system virtualization management." - Winston Bumpus, President, DMTF
DMTF introduced the OVF standard for delivering VMs, and the new VMAN.

OVF
Virtualization platform-independent
Supports a full range of current virtual hard disks and is extensible to deal with future formats
Not reliant on the use of any specific host platform, virtualization platform, or guest operating system
OVF is a portable format that allows deployment on any supporting hypervisor

VMAN
The management lifecycle of a virtual environment is addressed in DMTF's VMAN
Standardized approach to VM:
Deployment
Discovery and inventory
Lifecycle management
Creation, deletion, and modification
Health and performance monitoring

Compliance
The ability to act according to an order, set of rules or request
E.g.: ISO, SOX, HIPAA

PCI DSS and Virtualization
PCI DSS and virtualization make a good combination, as:
Many monetary transactions are being carried out in virtual environments
The PCI Security Standards Council (SSC) is international
VMware has joined the PCI SSC

PCI DSS
A set of comprehensive requirements for enhancing payment account data security
Developed by the founding payment brands of the PCI SSC, including American Express, Discover Financial Services, JCB International, MasterCard Worldwide, and Visa Inc. International
Aims to help facilitate the broad adoption of consistent data security measures on a global basis

Contd.
PCI DSS is a group of principles and accompanying directives organized into 12 requirements in the following six categories:
Build and Maintain a Secure Network
Protect Cardholder Data
Maintain a Vulnerability Management Program
Implement Strong Access Control Measures
Regularly Monitor and Test Networks
Maintain an Information Security Policy

Principles
a. If virtualization technologies are used in a cardholder data environment, PCI DSS requirements apply to those virtualization technologies.
b. Virtualization technology introduces new risks that may not be relevant to other technologies.
c. Implementations of virtual technologies can vary greatly.
d. There is no one-size-fits-all method or solution to configure virtualized environments to meet PCI DSS requirements.

Risks for Virtualized Environments
1. Vulnerabilities in the physical environment apply in a virtual environment
2. Hypervisor creates a new attack surface
3. Increased complexity of virtualized systems and networks
4. More than one function per physical system
5. Mixing VMs of different trust levels
6. Lack of separation of duties
7. Dormant virtual machines
8. VM images and snapshots
9. Immaturity of monitoring solutions
10. Information leakage between virtual network segments
11. Information leakage between virtual components
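As an added example (not from the original slides, DMTF or the PCI SSC), the following Python check ties the OVF slide to risk 8 above: an OVF package ships a .mf manifest whose lines have the form "SHA256(name)= hexdigest", and verifying those digests before importing an image is one defence against tampered VM images. The descriptor, disk bytes and file names below are constructed in memory for the demonstration.

```python
import hashlib
import re
import xml.etree.ElementTree as ET

OVF_NS = "http://schemas.dmtf.org/ovf/envelope/1"

# Constructed sample OVF descriptor (not a real appliance): one referenced disk file.
DESCRIPTOR = f"""<?xml version="1.0"?>
<Envelope xmlns="{OVF_NS}" xmlns:ovf="{OVF_NS}">
  <References>
    <File ovf:id="file1" ovf:href="disk1.vmdk"/>
  </References>
</Envelope>
""".encode()
DISK = b"constructed placeholder disk contents"

# In-memory stand-in for the package files (name -> bytes).
PACKAGE = {"appliance.ovf": DESCRIPTOR, "disk1.vmdk": DISK}

# Manifest in OVF .mf line format: "SHA256(name)= hexdigest" (constructed to match).
MANIFEST = "".join(
    f"SHA256({name})= {hashlib.sha256(data).hexdigest()}\n"
    for name, data in PACKAGE.items()
)

MF_LINE = re.compile(r"^(SHA1|SHA256)\(([^)]+)\)=\s*([0-9a-fA-F]+)$")


def referenced_files(descriptor: bytes) -> list:
    """Return the ovf:href values listed in the descriptor's <References> section."""
    root = ET.fromstring(descriptor)
    files = root.findall("ovf:References/ovf:File", {"ovf": OVF_NS})
    return [f.attrib[f"{{{OVF_NS}}}href"] for f in files]


def verify_package(package: dict, manifest: str) -> list:
    """Return a list of problems; an empty list means every manifest digest matched
    and every file referenced by the descriptor is covered by the manifest."""
    problems, covered = [], set()
    for line in manifest.splitlines():
        m = MF_LINE.match(line.strip())
        if not m:
            problems.append(f"unparseable manifest line: {line!r}")
            continue
        algo, name, digest = m.groups()
        covered.add(name)
        if name not in package:
            problems.append(f"manifest names missing file {name}")
        elif hashlib.new(algo.lower(), package[name]).hexdigest() != digest.lower():
            problems.append(f"digest mismatch for {name}")
    descriptor = next(v for k, v in package.items() if k.endswith(".ovf"))
    problems += [f"referenced file {h} not in manifest"
                 for h in referenced_files(descriptor) if h not in covered]
    return problems
```

A real import tool would also check the optional .cert signature over the manifest; this example stops at digest coverage and integrity.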

PCI DSS Requirements
1. Install and maintain a firewall configuration to protect cardholder data.
2. Do not use vendor-supplied defaults for system passwords and other security parameters.
3. Protect stored cardholder data.
4. Encrypt transmission of cardholder data across open, public networks.
5. Use and regularly update anti-virus software or programs.
6. Develop and maintain secure systems and applications.
7. Restrict access to cardholder data by business need to know.
8. Assign a unique ID to each person with computer access.
9. Restrict physical access to cardholder data.
10. Track and monitor all access to network resources and cardholder data.
11. Regularly test security systems and processes.
12. Maintain a policy that addresses information security for all personnel.
Requirement A.1: Shared hosting providers must protect the CDE.


Thank you
