Containers Expo Blog Authors: Liz McMillan, Pat Romanski, Yeshim Deniz, Elizabeth White, Zakia Bouachraoui

Related Topics: Containers Expo Blog, Microservices Expo

Containers Expo Blog: Blog Post

Logs for PCI-DSS in Virtualized Environments

Virtual environments are becoming a reality

The PCI Council just released last month (June 2011) a document on PCI Compliance in Virtualized Environments...  entitled "PCI DSS Virtualization Guidelines" available at https://www.pcisecuritystandards.org/.../Virtualization_InfoSupp_v2.pdf

This is an interesting development because it confirms the evolution trend in how specific and granular PCI-DSS is becoming, from the early version of PCI-DSS' Best Practices to these new set of guidelines, the requirements are getting more precise.

Virtual Environments are becoming a reality, even in Financial Institutions, and this is fueling demand for clarification -what to do, and how, in order to demonstrate compliance to PCI-DSS.

The PCI Working Groups structure is validated to be an effective answer capable of producing guidelines to help organizations.

Now, onto the content.

In this document, the PCI Council recognizes that security is even more important and more difficult in Virtualized Environments. Because of the very nature of these nested and interrelated environments, we might be creating holes and security problems where there were none - or less - in the "simpler", true physical world.

Almost like two medications that when taken separately have innocuous side effects and when taken together are dangerous.

As such, and with the aim of keeping an even tighter eye on these infrastructures, this document particularly addresses logs in more sections than just Section 10, for example in sections 3.4 and 5.2. Specifically:

Page 18, Section 4.1.8 "Harden the Hypervisor"

- Separate administrative functions such that hypervisor administrators do not have the ability to modify, delete, or disable hypervisor audit logs.

- Send hypervisor logs to physically separate, secured storage as close to real-time as possible.

- Monitor audit logs to identify activities that could indicate a breach in the integrity of segmentation, security controls, or communication channels between workloads.

- Send logs to separate, secured storage as close to real-time as possible.

Page 32, Section on Requirement 3.4

- Render PAN unreadable anywhere it is stored (including on portable digital media, backup media, and in logs) by using any of the following approaches:

o One-way hashes based on strong cryptography (hash must be of the entire PAN)

o Truncation (hashing cannot be used to replace the truncated segment of PAN)

o Index tokens and pads (pads must be securely stored)

o Strong cryptography with associated key-management processes and procedures

Page 33, Section on Requirement 5.2

- Ensure that all anti-virus mechanisms are current, actively running, and generating audit logs.

Page 37, Section on Requirement 10

- Logging of activities unique to virtualized environments may be needed to reconstruct the events required by PCI DSS Requirement 10.2. For example, logs from specialized APIs that are used to view virtual process, memory, or offline storage may be needed to identify individual access to cardholder data.

- The specific system functions and objects to be logged may differ according to the specific virtualization technology in use.

- Audit trails contained within virtual machines are usually accessible to anyone with access to the virtual machine image.

- Specialized tools may be required to correlate and review audit log data from within virtualized components and networks.

- It may be difficult to capture, correlate, or review logs from a virtual shared hosting or cloud- based environment.

Additional Best Practices / Recommendations:

Do not locate audit logs on the same host or hypervisor as the components generating the audit logs.

In conclusion, it is good to see that little by little, all the ambiguous, unclear and/or left-to-interpretation aspects of PCI-DSS are being iteratively worked on as per Best Practices.

The role of logs in Compliance to PCI-DSS, and the importance of logs to bring clarity and transparency in Virtualized Environments is also outlined and validated.

More Stories By Gorka Sadowski

Gorka is a natural born entrepreneur with a deep understanding of Technology, IT Security and how these create value in the Marketplace. He is today offering innovative European startups the opportunity to benefit from the Silicon Valley ecosystem accelerators. Gorka spent the last 20 years initiating, building and growing businesses that provide technology solutions to the Industry. From General Manager Spain, Italy and Portugal for LogLogic, defining Next Generation Log Management and Security Forensics, to Director Unisys France, bringing Cloud Security service offerings to the market, from Director of Emerging Technologies at NetScreen, defining Next Generation Firewall, to Director of Performance Engineering at INS, removing WAN and Internet bottlenecks, Gorka has always been involved in innovative Technology and IT Security solutions, creating successful Business Units within established Groups and helping launch breakthrough startups such as KOLA Kids OnLine America, a social network for safe computing for children, SourceFire, a leading network security solution provider, or Ibixis, a boutique European business accelerator.

IoT & Smart Cities Stories
The deluge of IoT sensor data collected from connected devices and the powerful AI required to make that data actionable are giving rise to a hybrid ecosystem in which cloud, on-prem and edge processes become interweaved. Attendees will learn how emerging composable infrastructure solutions deliver the adaptive architecture needed to manage this new data reality. Machine learning algorithms can better anticipate data storms and automate resources to support surges, including fully scalable GPU-c...
Machine learning has taken residence at our cities' cores and now we can finally have "smart cities." Cities are a collection of buildings made to provide the structure and safety necessary for people to function, create and survive. Buildings are a pool of ever-changing performance data from large automated systems such as heating and cooling to the people that live and work within them. Through machine learning, buildings can optimize performance, reduce costs, and improve occupant comfort by ...
The explosion of new web/cloud/IoT-based applications and the data they generate are transforming our world right before our eyes. In this rush to adopt these new technologies, organizations are often ignoring fundamental questions concerning who owns the data and failing to ask for permission to conduct invasive surveillance of their customers. Organizations that are not transparent about how their systems gather data telemetry without offering shared data ownership risk product rejection, regu...
René Bostic is the Technical VP of the IBM Cloud Unit in North America. Enjoying her career with IBM during the modern millennial technological era, she is an expert in cloud computing, DevOps and emerging cloud technologies such as Blockchain. Her strengths and core competencies include a proven record of accomplishments in consensus building at all levels to assess, plan, and implement enterprise and cloud computing solutions. René is a member of the Society of Women Engineers (SWE) and a m...
Poor data quality and analytics drive down business value. In fact, Gartner estimated that the average financial impact of poor data quality on organizations is $9.7 million per year. But bad data is much more than a cost center. By eroding trust in information, analytics and the business decisions based on these, it is a serious impediment to digital transformation.
Digital Transformation: Preparing Cloud & IoT Security for the Age of Artificial Intelligence. As automation and artificial intelligence (AI) power solution development and delivery, many businesses need to build backend cloud capabilities. Well-poised organizations, marketing smart devices with AI and BlockChain capabilities prepare to refine compliance and regulatory capabilities in 2018. Volumes of health, financial, technical and privacy data, along with tightening compliance requirements by...
Predicting the future has never been more challenging - not because of the lack of data but because of the flood of ungoverned and risk laden information. Microsoft states that 2.5 exabytes of data are created every day. Expectations and reliance on data are being pushed to the limits, as demands around hybrid options continue to grow.
Digital Transformation and Disruption, Amazon Style - What You Can Learn. Chris Kocher is a co-founder of Grey Heron, a management and strategic marketing consulting firm. He has 25+ years in both strategic and hands-on operating experience helping executives and investors build revenues and shareholder value. He has consulted with over 130 companies on innovating with new business models, product strategies and monetization. Chris has held management positions at HP and Symantec in addition to ...
Enterprises have taken advantage of IoT to achieve important revenue and cost advantages. What is less apparent is how incumbent enterprises operating at scale have, following success with IoT, built analytic, operations management and software development capabilities - ranging from autonomous vehicles to manageable robotics installations. They have embraced these capabilities as if they were Silicon Valley startups.
As IoT continues to increase momentum, so does the associated risk. Secure Device Lifecycle Management (DLM) is ranked as one of the most important technology areas of IoT. Driving this trend is the realization that secure support for IoT devices provides companies the ability to deliver high-quality, reliable, secure offerings faster, create new revenue streams, and reduce support costs, all while building a competitive advantage in their markets. In this session, we will use customer use cases...