Information Supplement: PCI DSS Virtualization Guidelines
This supplement is quite old, and not everything is relevant these days.
However, there is a point to be made that is still relevant to private cloud these days.
There are many reasons why it can be easier to be *compliant* in *private cloud* than in public cloud, for example because of data residency requirements. But the converse is also true. Here is what I ran into as I am digging deeper into PCI compliance for cloud.
All credit card data is in scope for PCI compliance, including the virtual machines that you process it on. But the hypervisor that runs the virtual machine could give you access to the stored credit card data, and is therefore also in scope, including all the administrator access to it. It is kind of contagious. Handling this type of data is analogous to handling highly radioactive toxic waste.
Cloud providers run hypervisors that are severely locked down in their functionality, and I have learned from auditor reports that there typically is no way in which their administrators can have access to the memory of a virtual machine. That reduces the scope of a PCI audit. On the contrary, in a private cloud this type of access is often considered a useful feature to enable forensics and troubleshooting. But it also brings a lot more of the infrastructure in scope, therefore making it seriously harder to be compliant.
I am not saying you should do one or the other, I am just pointing out some of the design tradeoffs that come into play in cloud security.
0 comments