New data security standard clarifies language dealing with virtualization technologies, but leaves many questions about compliance unanswered
The Payment Card Industry (PCI) has released version 2.0 of the Data Security Standard (DSS), an update to version 1.2.1 that probably would have been better labeled a 1.3 release, since it introduces no major new requirements.
Instead, PCI DSS 2.0 focuses on clarity of language for a number of key areas, including virtualization. With that, I’d like to welcome the group to 2010 and thank them for finally acknowledging the use of virtualization technologies. It’s only been around for 10 years.
It took some time, but the addition of virtualization to the standard reflects the importance of this technology and its operational impact within the PCI community. Still, there are related security challenges that need to be addressed. Adding virtualization to the standard is a move in the right direction, but without any real guidance on how to ensure compliance in a virtualized environment, how effective can it be? That remains to be seen.
The PCI DSS 1.2.1 specification requires that only one primary function be implemented per server, which has led to confusion for those using virtual machines in their environments. It wasn’t clear from reading the 1.2.1 specification whether two or more virtual machines were permitted to run on the same physical server, which is one of the main reasons for using virtualization in the first place. The 2.0 specification at least seems to settle that question by allowing multiple VMs on the same physical hardware, as long as each VM performs only one primary function.
Specifically, requirement 2.2.1 states the following:
Implement only one primary function per server to prevent functions that require different security levels from co-existing on the same server. (For example, web servers, database servers, and DNS should be implemented on separate servers.)
Note: Where virtualization technologies are in use, implement only one primary function per virtual system component.
This clarification was missing from the earlier version of the standard. Virtualization is now specifically called out, so there should be no more confusion over how to interpret the word “server.” However, the clarification comes with conditions attached. PCI DSS 2.0 goes into further detail in two subsections of requirement 2.2.1: