Hi,
We're slowly moving through PCI compliance, and I've come across section 6.4.1.
The PCI guidance document for virtualisation states that "The implementation of a virtualised environment must meet the intent of all requirements, such that the virtualised systems can effectively be regarded as separate hardware..."
I thought we had pretty much done this, as our test database server, seat server, credit card server etc. are all implemented as completely separate VMs. However, I recently read an article on TechTarget that gave me some worry.
This seems to indicate that I need a separate SAN to host my test environment or partition it off somehow. Has anyone else faced this problem who has virtualised their infrastructure, and has anyone had any advice from a QSA?
Thanks
I wonder if the storage array is partitioned, can this be considered compliant?
I was hoping we could partition the storage array and host the test environment separately. But it also raises the question: do I have to implement a separate VLAN to achieve the "adequate separation" component? And then you could take it a step further: do I need to host it in its own AD forest with its own domain controller that has a trust set up with the main forest?
I'm hoping that example is taking it to the very extreme, and I'm trying to find out what other people have implemented...
Hi Simon,
The PCI Security Standards Council published a paper in June 2011 with much more detail regarding virtualization. What specifically constitutes compliance is probably going to vary from organization to organization; however, it may be helpful to read this: https://www.pcisecuritystandards.org/documents/Virtualization_InfoSupp_v2.pdf
Here is one quote that addresses SANs - this is on page 22:
Depending on the specific configuration and controls implemented, an entire SAN could potentially be in scope unless it is verified that all in-scope systems and data stores are isolated from all out-of-scope systems and data stores.
I don't know for certain, but I would assume what needs to be done is going to vary depending on the capabilities of the SAN itself and various interpretations of the PCI DSS standards.
Lastly, VMware has some useful links regarding PCI here: http://www.vmware.com/technical-resources/security/compliance/resources.html.
Thanks,
David
Hi David,
Thanks for the information, hopefully I will get a chance to review the information today and come up with a solution.