I just responded to a comment from Iben Rodriguez on one of my virtualization and PCI blog entries from a while back and posted an observation while at the same time managing to make a funny (see the title).
I wanted to both reflect upon Iben's comment as well as chuckle a bit.
From what I extracted from his comment, Iben is suggesting that perhaps virtualization should not affect an auditor's approach or differentiate the audit process from that of a physical server, depending upon the definition of a "server":
Is an ESX Host a server?
It should be considered similar to the chassis holding a bunch of blade servers.
These have management ports on separate networks, with LDAP authentication over security protocols like SSH and SSL.
And why not treat them as a hybrid device with different network switches, storage controllers, etc?
VMware has recently removed the word "Server" from after the ESX product name...
It's not a server, it's a hypervisor.
It's not a server, it's a switch.
By defining what a server is and is not, a PCI audit should be pretty straightforward.
I think this is a messy question and one we ought to continue to address. I need to go and check out my ISACA references to seek guidance on this matter from a, um, "higher" source ;) I do think that ultimately this is a very subjective issue, to which I responded: