Recent changes to Payment Card Industry Data Security Standards (PCI DSS) guidance for virtualization may challenge your ability to both achieve and maintain PCI compliance.


Security for Virtualized Servers: From “Nice to Have” to “Must Have”
Author: Richard Park, Sourcefire

It’s been a long time coming, but this week the Payment Card Industry (PCI) Council’s Virtualization Special Interest Group (SIG) unveiled its highly anticipated guidance related to security in virtual environments. These new criteria, which apply to all organizations that manage cardholder data, will strongly influence how qualified security assessors (QSAs) determine the PCI compliance of a virtualized environment. Until now these assessors had no formal playbook on which to base their compliance decisions.

With so many businesses managing credit card data through cloud systems, and in the face of so many public breaches, this guidance is needed more than ever. Indeed, it will force IT organizations to reprioritize their security efforts, as security in virtual environments has long been viewed as a “nice to have.” Now that these requirements are becoming a “must have,” server operations, network operations and security teams must emerge from their silos and work together to create more secure virtual environments.

Historically, in most organizations, security remained at the perimeter and virtual system administrators could manage their own environments without interference from security. The new guidance changes that: for example, the PCI SIG guidance requires that intrusion detection and prevention systems monitor virtual networks and/or intra-VM traffic.

For a company to succeed in meeting PCI DSS compliance guidance for virtual environments, it must institute a more cohesive strategy that includes both physical and virtual security considerations. The new mandates will require not only a shift in technology implementation, but also a shift in IT structure, responsibilities, and collaboration. By encouraging this interaction between virtualization and security teams and identifying solutions to address these new requirements, an organization can be more confident in satisfying the more stringent and comprehensive PCI security audits of the future.
Sourcefire® Security Report
New PCI Guidance Makes Security a “Must-Have” for Virtual Environments
Special Report: Satisfying New PCI DSS Virtual Security Requirements
Additional Resources


About Sourcefire®
Sourcefire is transforming the way organizations and government agencies manage and minimize network security risks. The Sourcefire IPS Solutions Portfolio offers organizations with varying security requirements and network complexity a range of capabilities to enhance their protection.
What’s new inside the 39-page PCI Information Supplement

Summary of key PCI requirements affected by virtualization

Three-step process for security and virtualization teams to follow to achieve PCI compliance for virtualized platforms
Quick Take guide: Working with VMware Virtual Appliances
A technical guide that walks through the process of deploying Sourcefire IDS/IPS virtual appliances on a VMware ESX host.
Quick Take video: Working with VMware Virtual Appliances
A video walkthrough of the above guide on how to deploy Sourcefire IDS/IPS virtual appliances.
PCI Security Standards Council Guidelines
Information Supplement: PCI DSS Virtualization Guidelines
Sourcefire Webinar: Understanding PCI's New Virtualization Guidance
Join council members from Citrix, VMware, and Sourcefire for an informative discussion where you will learn: how new virtualization guidance applies to key PCI requirements; recommendations for cloud computing and mixed-mode environments; and technical insights from sample virtualized reference architectures.
Datasheet: Sourcefire Virtual Appliances
Fact sheet describing the features and benefits of the Virtual 3D Sensor and Virtual Defense Center.
Technology Brief: Strategies for Securing Virtualized Environments
A paper that discusses the benefits and risks of virtualization, as well as how Sourcefire can help to mitigate these risks.