Good catch by Eric Siebert over at the Server Virtualization Blog: the Payment Card Industry’s data security standards (PCI DSS), requirements set forth by the major credit card players – Visa, Mastercard, American Express and Discover in order to protect credit card data, apparently don’t have any virtualization-specific requirements put into practice so far.
“Having just survived another annual PCI compliance audit, I was again surprised that the strict standards for securing servers that must be followed contain nothing specific concerning virtual hosts and networks. Our auditor focused on guest virtual machines (VMs), ensuring they had up-to-date patches, locked-down security settings and current anti-virus definitions. But ironically, the host server that the virtual machines were running on went completely ignored. If the host server was compromised, it wouldn’t matter how secure the VMs were because they could be easily accessed. Host servers should always be securely locked down to protect the VMs which are running on them.”
Read the rest of the blog post here.