Virtualization Guidelines | Cloud assurance compliance

The Virtualization Guidelines, a PCI publication, are an enhancement to the current PCI DSS 2.0 standard. The document adds virtualization recommendations to the 12 existing PCI requirements, with reference to the risks it lists.

Link to document (local mirror)

The document states in its conclusion:

In a virtual environment, each and every individual component needs to be secured, as the insecurity of one VM or component on a host system could lead to the compromise of other VMs on the same host

What is interesting is that this requirement, which is detailed in section 4.2 (Recommendations for Mixed-Mode Environments), conflicts with the nature of public cloud services. One of the essential cloud characteristics is resource pooling: the provider’s computing resources are pooled to serve multiple consumers using a multi-tenant model. PCI does not seem to place a lot of trust in the segregation that virtualisation technologies can provide. It would benefit the hosting industry if PCI became comfortable with hypervisor security.