As much as I try to keep Security and Compliance separate because as you know, security and compliance are two totally different things, there are exceptions. You also know, compliance can sometimes help with regard to security. The number one standard where this is true is Payment Card Industry Data Security Standards or also known at PCI DSS. Not only does this requirement focus on security ( It even says it in it’s name… Data Security Standard ) but they have developed a supplemental document focused on PCI DSS Virtualization GUIDELINES. That is right, virtualization guidelines. Some of the items it covers is
- Separation of Duties
- Dormant virtual machines
- Immaturity of monitoring solutions
- Defense in depth (when was the last time you saw a Compliant control that mentioned defense in depth?)
- Recommendations for cloud computing environments
and of course my personal favorite
- Guidance for assessing risks in virtual environments
The documentation for v2 Virtualization Guidelines is available here
There is also created a guideline for Cloud Computing. It is available here
The fact is, I could not be more happy to see the guidance that the PCI Security Standards Council put together but I am also happy to see the work that VMware has done as well. What you may or may not know is that VMware has written several documents with the help of Coalfire to help you with implementing the requirements for PCI DSS ( currently at v2 ). These documents assist you with understanding what VMware products can help you with the requirements. By ourselves, VMware can support over 50%, especially if we add in the Log Insight capabilities. The VMware documentation was written before vCloud Automation Center and vCenter Log Insight and I believe that Log Insight could assist with Requirement 10, “Track and monitor all access to network resources and cardholder data”. We believe that with the help of partners (who have also written solution guides), you can get to 100%. You see PCI DSS covers 6 procedures with 12 requirements associated with them. We break down these requirements and sub-requirements and map them to our vCloud Suite, vCloud Networking and Security Suite, vCenter Operations Management Suite, and Horizon View.
In the VMware Solution Guide for Payment Card Industry (PCI) we cover the suites and mapping at a high level. The document is available here
The VMware Architecture Design Guide for PCI breaks down the configuration and how the individual VMware products can meet the need. The document is available here
The VMware PCI DSS 2.0 Validated Reference Architecture talks about the configuration used in the testing. The document is available here
Can’t leave out vCenter Configuration Manager of course and the free PCI DSS compliance checker for vSphere… Pew Pew!!! We got you covered!