Do you virtualize cardholder data systems? Do you plan to?

June 17th, 2011 — 10:03am

Yesterday, the PCI Security Standards Council published a 39-page Information Supplement offering guidance for securing virtual platforms that process cardholder data.

Here are some of the highlights:

  • Network security is important for the virtual environment. Where possible, isolate virtual networks on the data, control, and management planes. Use IDS/IPS to monitor intra-VM traffic.
  • You must enforce segregation of duties and least privilege in the virtual environment. Network administrators, for example, must take ownership of virtual networks.
  • Hypervisor systems and cardholder data VMs are now in scope. You must remove all unnecessary functionality and collect and review logs for all significant system activity and access to critical data.

 
