I just responded to a comment from Iben Rodriguez on one of my virtualization and PCI blog entries from a while back, and in the process managed to make a funny (see the title).
I wanted to both reflect upon Iben's comment and chuckle a bit.
From what I extracted from his comment, Iben is suggesting that perhaps virtualization should not affect an auditor's approach or differentiate the audit process from that of a physical server, depending upon the definition of a "server":
Is an ESX Host a server?
It should be considered similar to the chassis holding a bunch of blade servers.
These have management ports on separate networks, with LDAP authentication over security protocols like SSH and SSL.
And why not treat them as a hybrid device with different network switches, storage controllers, etc?
VMware has recently removed the word "Server" from after the ESX product name...
It's not a server, it's a hypervisor.
It's not a server, it's a switch.
By defining what a server is and is not, a PCI audit should be pretty straightforward.
To which I responded:
The answers to your questions/suppositions are quite simple:
"It all depends upon the auditor."
Most of the folks I've spoken to recently are essentially counting upon the ignorance of the auditors and the general confusion regarding terminology and technology to glide by at this point.
"As long as I put in place the same host controls I do in a physical environment and not tell the auditor it's virtualized, it's all good, and what they don't know won't hurt me."
Sad but true.
I find this practice/observation to be more and more common as the push to virtualize all infrastructure -- including externally-facing DMZs -- starts to become more visible in the compliance and audit spaces.
Server/blade/hypervisor/switch ... it's all fun and games until someone loses a (PC)I... ;)
Whack-a-mole!
/Hoff
I think this is a messy question and one we ought to continue to address. I need to go and check out my ISACA references to seek guidance on this matter from a, um, "higher" source ;) I do think that ultimately this is a very subjective issue.