PCI DSS and Virtualisation

Has anyone dealt with PCI DSS compliance and virtualisation?

If, say, I have a host (Windows Server 2012 R2 Hyper-V) and a VM/guest (Windows 2008 R2), how do I prevent data being leaked between host and guest?

My idea was to have the host on a separate LAN and the guest on a DMZ. Network traffic between the host and guest will go through the firewall, but I was wondering if any traffic between host and guest can bypass the firewall.
 
Well, if your question is 'what do you need to be compliant?' then that depends heavily on how clued up your QSA is and what they'll accept (PCI DSS has only a limited amount to do with real security and a lot to do with checking boxes).

The technical issue here is that the host OS / hypervisor can in theory read the memory of any guest running on it (after all, the guest's memory is just a section of its own memory). There are some measures against that, but against capable attackers you need to assume anybody who can compromise the host OS / hypervisor can compromise all the guests running on it.

What this means for PCI is...

- The host OS / hypervisor must be compliant if you want any guest running on it to be compliant

- You can't generally run a PCI compliant guest (some exceptions, depends on the level of compliance) on a public cloud platform / hypervisor you don't control.
 
Seems to be a good read: https://www.pcisecuritystandards.org/documents/Virtualization_InfoSupp_v2.pdf

There is no one-size-fits-all method or solution to configure virtualized environments to meet PCI DSS requirements. Specific controls and procedures will vary for each environment, according to how virtualization is used and implemented.

In other words, you could get one assessor one day saying something and another assessor saying something else the next day. Awesome, just as clear as all the other security 'advice' we normally get.
 
Preventing data leaking between host and guest is Microsoft's job. Making sure you don't enable sharing you don't need is your job :). You can even configure the NICs to be visible to the guest and invisible to the host.

Nox
 
Presumably they want to hear about a patching strategy for your hosts and guest OSes, how you separate network traffic (PCI guest, non-PCI guest, host management), how you audit access to make changes on the hypervisor, in the guest, and to the network, and how you secure it all physically. Don't forget about your storage as well.

It will still be luck of the draw and down to what the auditor understands, but I can't see how you can do more than the above.
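The two posts above (keep the guest's NIC invisible to the host, disable sharing you don't need, and separate PCI guest, non-PCI guest and host management traffic) can be expressed as a Hyper-V configuration. The following is an added example, not code from the thread or from Microsoft's documentation; switch names, adapter names, VM names and VLAN IDs are placeholders, and the three-NIC layout (one for management, one per virtual switch) is an assumed design. The cmdlets are the standard Hyper-V module cmdlets shipped with Windows Server 2012 R2.

```powershell
# Added example (not from the thread). Assumes three physical NICs on the
# 2012 R2 host: "Ethernet 1" for host management, "Ethernet 2" facing the
# DMZ, "Ethernet 3" facing the internal LAN. All names are placeholders.

# 1. Dedicated external switch for the PCI guest.
#    -AllowManagementOS $false means the host OS gets no virtual NIC on this
#    switch, so the physical NIC is usable by the guest but not by the host's
#    own network stack: host and guest share no layer-2 segment here, and
#    anything between them has to cross the physical firewall.
New-VMSwitch -Name "PCI-DMZ" -NetAdapterName "Ethernet 2" -AllowManagementOS $false

# 2. Separate switch for non-PCI guests on a different physical NIC.
New-VMSwitch -Name "Internal-LAN" -NetAdapterName "Ethernet 3" -AllowManagementOS $false

# 3. Host management stays on "Ethernet 1", which is never bound to a VM switch.

# 4. Attach the PCI guest to the DMZ switch only and pin it to its VLAN.
Connect-VMNetworkAdapter -VMName "PCI-Guest" -SwitchName "PCI-DMZ"
Set-VMNetworkAdapterVlan -VMName "PCI-Guest" -Access -VlanId 100

# 5. Turn off host/guest sharing channels the guest does not need.
#    "Guest Service Interface" enables Copy-VMFile from host into the guest;
#    "Key-Value Pair Exchange" lets host and guest exchange data through the
#    guest's registry. Both are integration services, not network paths, so a
#    firewall between host and guest never sees them.
Disable-VMIntegrationService -VMName "PCI-Guest" -Name "Guest Service Interface"
Disable-VMIntegrationService -VMName "PCI-Guest" -Name "Key-Value Pair Exchange"

# 6. Verification, suitable as evidence for an assessor:
#    - no switch the PCI guest uses has a management OS vNIC
#    - the host's own vNICs do not include PCI-DMZ
#    - the guest is on exactly one switch, in the expected VLAN
#    - the unneeded integration services show Enabled = False
Get-VMSwitch | Select-Object Name, SwitchType, AllowManagementOS
Get-VMNetworkAdapter -ManagementOS | Select-Object Name, SwitchName
Get-VMNetworkAdapter -VMName "PCI-Guest" | Select-Object SwitchName, MacAddress
Get-VMNetworkAdapterVlan -VMName "PCI-Guest"
Get-VMIntegrationService -VMName "PCI-Guest" | Select-Object Name, Enabled
```

Disabling Key-Value Pair Exchange is a judgement call: some monitoring tools read guest details through it, so check what your management tooling depends on before turning it off. The verification commands at the end are the part worth keeping in a runbook, since they give the auditor a repeatable check rather than a description.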
 
I seem to remember a PCI DSS checker OVA/OVF for VMware a while back. Might be worth looking into to see if there's a Hyper-V equivalent or if converting them is viable.

Nox
 
Passed for the last few years using VMware. Look at the VMware hardening doc, make sure logs are there and patching policy. Not that hard really after the first visit.
 