

Is “Mixed Mode” acceptable in a vSphere Environment?

Hola Security & Compliance Peeps,

My Nombre is George Gerchow, I am the Director of the VMware Center for Policy & Compliance. Our charter at CP&C is “simple”, like a Cowboys fan’s knowledge of football:

  • 1 – Support migration of highly regulated workloads to vSphere
  • Dos – Provide coverage of the most common regulatory, industry and vendor policies
  • C – Drive industry thought leadership

As a follow-on from VMworld, we are going to extend the Management Mastery series to our Secura-Nerds and give you an opportunity to discuss relevant topics that are HUGE. Bottom line: Security and Compliance are the main inhibitors to Virtualization & Cloud Computing. VMware and other vendors have solutions that are VIRTUALIZATION aware and attack these problems head on.

With all that being said, our first topic is Mixed Mode support for PCI environments. See Section 4.2 in the Virtualization Information Supplement. Section 4.2 strongly recommends that VMs of different security levels are not hosted on the same hypervisor or physical host. The fear is that a less secure VM can be used as a foothold to attack a more secure VM on the same host.

It is my opinion that most people are not up to speed on Virtualization Security and Compliance solutions. If you can prove that the systems in a mixed mode environment are not communicating, you should be golden. If your QSA does not agree, it might be time to get a new QSA. Jk jk, not really but… Click the link below to see what we talked about at VMworld. I was misquoted in this article, Computer World and several others. (I NEVER said QSAs were ten years behind :) ) Seriously, I have some good friends that are QSAs and they will also be tracking this blog to help answer questions. BTW: This got heated at VMworld during our trusted cloud session.

Y'all are going to have to excuse my grammar and spelling errors. I am ESL and it comes out all the time. Happy Monday and give us a shout!

http://www.csoonline.com/article/688819/vmworld-security-regulatory-concerns-still-a-challenge-in-virtualization?source=rss_news
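The post’s test for mixed mode is whether VMs of different trust levels share a host or cluster and whether they can actually talk to each other. The script below is an added example, not code from the post or from VMware: it runs the two checks over a constructed inventory (trust level, ESXi host, DRS cluster, port groups per VM). In practice that inventory would be exported from vCenter, for example with PowerCLI; the VM, host, cluster and port group names here are made up.

```python
"""Mixed-mode co-residency check over a constructed vSphere inventory.

Flags (1) hosts/clusters that run VMs of more than one trust level and
(2) pairs of CDE / non-CDE VMs attached to the same port group, i.e. a
direct L2 path that an assessor would want ruled out."""
from collections import defaultdict

# Constructed sample inventory; not taken from any real environment.
INVENTORY = [
    {"vm": "pos-db01",  "trust": "CDE",     "host": "esx01", "cluster": "prod", "portgroups": ["pg-cde"]},
    {"vm": "pos-web01", "trust": "CDE",     "host": "esx02", "cluster": "prod", "portgroups": ["pg-cde", "pg-dmz"]},
    {"vm": "intranet1", "trust": "non-CDE", "host": "esx01", "cluster": "prod", "portgroups": ["pg-corp"]},
    {"vm": "build01",   "trust": "non-CDE", "host": "esx03", "cluster": "dev",  "portgroups": ["pg-dev"]},
    {"vm": "wiki01",    "trust": "non-CDE", "host": "esx02", "cluster": "prod", "portgroups": ["pg-dmz"]},
]


def mixed_scopes(inventory, key):
    """Return {scope: set(trust levels)} for every scope ('host' or 'cluster')
    that carries more than one trust level, i.e. runs in mixed mode."""
    levels = defaultdict(set)
    for rec in inventory:
        levels[rec[key]].add(rec["trust"])
    return {scope: lv for scope, lv in levels.items() if len(lv) > 1}


def shared_networks(inventory):
    """Return (cde_vm, non_cde_vm, portgroup) for each pair of VMs of different
    trust levels whose vNICs sit on the same port group."""
    findings = []
    cde = [r for r in inventory if r["trust"] == "CDE"]
    other = [r for r in inventory if r["trust"] != "CDE"]
    for a in cde:
        for b in other:
            for pg in sorted(set(a["portgroups"]) & set(b["portgroups"])):
                findings.append((a["vm"], b["vm"], pg))
    return findings


def report(inventory):
    """Bundle both checks into one dict for an assessor to review."""
    return {"mixed_hosts": mixed_scopes(inventory, "host"),
            "mixed_clusters": mixed_scopes(inventory, "cluster"),
            "shared_networks": shared_networks(inventory)}


if __name__ == "__main__":
    for name, finding in report(INVENTORY).items():
        print(name, finding)
```

A clean shared_networks result is only the L2 half of the evidence; firewall rules between the port groups still have to be reviewed separately.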


9 thoughts on “Is “Mixed Mode” acceptable in a vSphere Environment?”

  1. John Troyer

    George – two follow-up questions:
    1. For PCI and Mixed Mode in 2011, are the current standards from the PCI Security Standards Council sufficient for a reasonable auditor to be comfortable with mixed mode? Are they going to be updated to more explicitly allow Mixed Mode?
    2. Since there are many components that go into a “Trusted Cloud”, have some reference architectures emerged yet?

  2. Wade Holmes

    For those who may be wondering what exactly “Mixed Mode” means in the context of Virtual Machine security, Mixed Mode is having a trust zone include Virtual Machines with lower trust levels on the same host or DRS cluster as Virtual Machines with higher trust levels.

  3. Chris Farrow

    George, let’s clear a few things up. First, QSAs don’t approve PCI compliance. They assess, make recommendations and document the Report on Compliance (ROC), but ultimately it is the bank and card brand that will determine if risk is acceptable. Second, there are numerous organizations that have been running mixed mode with PCI and successfully worked with their QSA. Prior to PCI DSS v2.0, that work was all done on a case-by-case basis and covered under compensating controls. 2.0 tries to put a standard in place for all to follow, but the PCI 2.0 Standards do not forbid use of mixed mode. The virtualization supplement is merely guidance (not the standard), and the supplement itself even states in 1D: “There is no one-size-fits-all method or solution to configure virtualized environments to meet PCI DSS requirements. Specific controls and procedures will vary for each environment, according to how virtualization is used and implemented.”
    The real point is that there are best practices and appropriate technology solutions available that make it absolutely possible to securely use virtualization in a PCI CDE.

  4. George Gerchow

    Mr. Farrow,
    Great to hear from you, hope all is well. I don’t think anybody in the thread said that QSAs approve compliance of any sort, so I have to believe that you are supporting my comments about not letting a QSA dictate how you validate compliance. As you stated, they only recommend. Your point about mixed mode is great, and actually I ran into a customer who is running mixed mode on a physical environment yesterday. So the leap of faith to Mixed Mode in a Virtualized Environment should be acceptable as long as the right tools are in place.

  5. Davi Ottenheimer (VMware)

    Chris, I don’t want to speak for all QSAs but since I am one I will speak for myself on my role and the question of mixed mode.
    1) Your comment suggests a QSA is *only* a messenger of an entity’s compliance. I understand where you are coming from, because a QSA does not always get the final call, but that does not mean the QSA is just a messenger. It’s like calling a lower court judge just a messenger because a higher court or supreme court can overrule them.
    The 2011 July assessor update to QSAs from the Security Standards Council (SSC) makes it clear that a QSA is expected to be making the difficult decisions:
    “It should always be remembered that the active QSA has the ultimate responsibility for their client’s assessment and the evidence provided in the Report on Compliance.”
    In other words, the QSA ultimately is the one to determine with the entity if the risk is acceptable FIRST. Only then does a report get forwarded for review by internal QA, to verify SECOND at the QSA company level that risk is acceptable, before it is forwarded for QA review by the SSC. By the time it gets to the SSC and card brands there should be nothing left to decide. That is why, as QSAs, we regularly have to be re-tested and certified. We have to demonstrate that we can determine if risk is acceptable at the first pass.
    This goes beyond PCI SSC. Auditors perform analysis to determine health. The role of an assessor does not emphasize the collect and store/forward phase. That is just the first step. It is like when a doctor collects your records and listens to your answers. They do this to make a determination. If they collect your records only, and do not make an ultimate determination on risk, then they are not a qualified assessor.
    2) You mention “solutions available that make it absolutely possible to securely use virtualization”.
    That looks like an oxymoron to me. What exactly is “absolutely possible”? Secure use of virtual technology is possible but to protect the cardholder data it takes a lot more than just technology.
    One of the flaws I see most often is from managing change. Assessments of mixed mode generally are not about the possibility of virtual environments but rather the reality of how they are managed. From that perspective there is still a lot of opportunity for better technology and practices to develop and address the many risks of mixed mode.

  6. Nick Stavros

    George, I heard you speak at the Cloud Expo West 2011 on Achieving a Trusted Cloud. I would like to get a copy of your presentation. Thanks. Nick
