Subscribe / Unsubscribe Enewsletters | Login | Register

Pencil Banner

Enterprises get new guidance on PCI compliance in virtual environments

Jaikumar Vijayan, Computerworld | June 15, 2011
Enterprises got some much needed clarification on the implementation of PCI requirements in virtualized environments on Tuesday.

The guidance document should sort out some of the prevailing confusion surrounding the applicability of PCI in virtual settings, said Jim Huguelet, an independent PCI consultant.

"This is the best document that the PCI Security Standards Council has written to date in terms of really thinking about the breadth of the [issue] and then providing specific recommendations and best practices," Huguelet said.

The clarifications surrounding hypervisors and mixed-mode environments are particularly useful because of the uncertainty that has surrounded both topics for sometime, he said.

"Traditionally there's been a fair degree of ambiguity as to how PCI applied to virtual environments," added Richard Park, product manager at Sourcefire. "The guidelines make it more explicit how PCI is applicable to virtualization."

As examples, Park pointed to sections in the guidance document that spell out how firewalls need to be used to provide segmentation between different workloads and how specialized intrusion detection and intrusion prevention tools might sometimes be needed to monitor traffic in virtual environments.

Also key are recommendations on how companies need to separate server administration and security administration tasks in virtual environments to ensure appropriate segregation of duties.

"Virtualization was one of the biggest areas left untouched [by PCI rules]," said Avivah Litan, an analyst with Gartner. "It was unknown territory for a lot of people."

"This is one of the more helpful documents," Litan said. "This really fleshes things out."

 

Previous Page  1  2 

Sign up for CIO Asia eNewsletters.