Monday, December 21, 2009

PCI compliance in the cloud (Part A)

First posted here on 12/07/2009:

The new cloud (or, if you prefer, hosted computing services or IaaS) rests on top of virtualization. If we’re going to take the cloud seriously, it will have to be compliant. One of the more stringent compliance frameworks is PCI DSS. Let’s look at requirement one and start building a solution for the cloud.

PCI DSS 1.2.1, test procedure 1.1: Obtain and inspect the firewall and router configuration standards and other documentation specified below to verify that standards are complete.


Deploying virtual firewalls is insufficient, as the virtual firewall must share the support structure with the virtual machines, virtual switches, and hypervisor. Technical controls must also be deployed to validate the configuration of a virtual firewall and to detect and alert if tampering occurs.
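One way to build the technical control just described, as an added example (not code from the original post): a keyed fingerprint over the virtual firewall's exported ruleset to detect tampering, a completeness check that flags rules without a documented justification (in the spirit of test procedure 1.1), and a drift report naming the rules that changed. The rule format, sample policy and key are constructed assumptions.

```python
import hashlib
import hmac

# Constructed sample exports, one rule per line in an assumed format:
# "<action> <proto> <src> <dst> <port> # <business justification>".
# BASELINE is the approved export recorded at change-approval time.
BASELINE = """\
# cardholder-data segment (constructed sample)
allow tcp 10.0.1.0/24 10.0.2.10 443 # web tier to app tier
allow tcp 10.0.2.0/24 10.0.3.20 5432 # app tier to database
deny  ip  any any any # default deny
"""
# CURRENT is a later export in which an undocumented rule was inserted.
CURRENT = """\
# cardholder-data segment (constructed sample)
allow tcp 10.0.1.0/24 10.0.2.10 443 # web tier to app tier
allow tcp any 10.0.3.20 5432
allow tcp 10.0.2.0/24 10.0.3.20 5432 # app tier to database
deny  ip  any any any # default deny
"""
# Constructed key; held by security ops, not by the hypervisor admins.
KEY = b"constructed-demo-key"

def parse_rules(text):
    """Rules as [(fields, justification)]; comment lines skipped, whitespace collapsed."""
    rules = []
    for line in text.splitlines():
        body, _, why = line.partition("#")
        if body.split():
            rules.append((tuple(body.split()), why.strip()))
    return rules

def fingerprint(text, key=KEY):
    """Keyed hash over the ordered rule bodies; an editor without the key cannot forge it."""
    canon = "\n".join(" ".join(f) for f, _ in parse_rules(text))
    return hmac.new(key, canon.encode(), hashlib.sha256).hexdigest()

def undocumented_rules(text):
    """Completeness check: every rule must carry a business justification."""
    return [" ".join(f) for f, why in parse_rules(text) if not why]

def detect_drift(baseline, current):
    """Return (tampered, added_rules, removed_rules) versus the baseline."""
    base = [f for f, _ in parse_rules(baseline)]
    cur = [f for f, _ in parse_rules(current)]
    added = [" ".join(f) for f in cur if f not in base]
    removed = [" ".join(f) for f in base if f not in cur]
    tampered = not hmac.compare_digest(fingerprint(baseline), fingerprint(current))
    return tampered, added, removed
```

Run on a schedule against each vFW export and raise an alert whenever `tampered` is true or `undocumented_rules` is non-empty; the fingerprint is order-sensitive because rule order changes firewall semantics.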


Physical firewalls are insufficient unless every virtual machine is on a unique VLAN, VLAN hopping is mitigated, and all traffic flows through the physical firewall. Further, virtual machine mobility must be constrained, and virtual machines must be subjected to the same firewall policy regardless of physical location or layer 2 connectivity.


While sufficient, the physical solution may be impractical due to the constraints it places on deployment, consolidation, and high availability.


The optimal solution will be one that allows deployment of a best practice virtualization architecture for security, integrity, and availability, which also maximizes consolidation and the virtualization return on investment.
This requires a virtualized firewall deployment with the following characteristics:

  1. Assurance of integrity for the security management framework
  2. Enforcement of separation of duties for server, network, and security operations
  3. Enforcement of least privilege
  4. Dynamic network segmentation that is independent of location, IP address, or layer 2 connectivity
  5. Integrated auditing and configuration management for virtualization layers
If that sounds like more than a firewall, you’re right.

Michael