On Tuesday, June 14, 2011, the PCI SSC released an Information Supplement regarding Virtualization Guidelines. Not only does this Information Supplement cover virtualization from a VMware and Hyper-V perspective, but also goes into cloud computing.
The supplement is broken into six sections:
- Introduction
- Virtualization Overview
- Risks for Virtualized Environments
- Recommendations
- Conclusion
- Virtualization Considerations for PCI DSS
The Introduction and Overview sections are good foundations. But if you have a good knowledge of the concepts of virtualization, I would not waste time reading these sections. The Risks section is a very good discussion of the risks presented by virtualization. However a lot of readers of this supplement are likely going to be disappointed as there is little new material covered in this section that has not been discussed before in other information sources or even my blog entries. In my opinion, the Recommendations section presents what would be expected.
The real gem in this supplement is the Appendix that provides the Virtualization Considerations for PCI DSS. This supplement takes the relevant PCI DSS requirements and provides a lot of guidance regarding what QSAs should consider when assessing virtual environments. In a number of these, there are also some additional best practices and recommendations made by the writers of the supplement. In reading these best practices and recommendations, one would think these would be common sense, but I guess you just cannot assume that any more.
Page 23 has the other great gem in a diagram that graphically represents the responsibilities of cloud customers and cloud providers regarding who is responsible for data, software, user applications, operating systems, databases, virtual infrastructure, physical infrastructure and the data center where everything resides across the three types of cloud services; IaaS, PaaS and SaaS. If you are explaining cloud computing to non-technical people, this is probably one of the best diagrams I have seen to explain responsibilities.
If I had to take the PCI SSC to task on anything, I would argue that cloud computing does not necessarily have anything to do with virtualization. Yes, a lot of cloud computing solution providers are using virtualized systems to provide their services, but not every cloud provider uses virtualization. And even if the cloud provider does use virtualization, why is that the customer’s concern? In my opinion, cloud computing should be an entirely separate document.
I have included below links to all of my prior posts on virtualization for reference.
- PCI and Virtualization
- Server Virtualization and PCI
- Cloud Computing and PCI Compliance
- More on “The Cloud” and PCI Compliance
