Bill Roth, Ulitzer Editor-at-Large

Bill Roth

Subscribe to Bill Roth: eMailAlertsEmail Alerts
Get Bill Roth via: homepageHomepage mobileMobile rssRSS facebookFacebook twitterTwitter linkedinLinkedIn

Related Topics: Cloud Computing, Virtualization Magazine, VMware Journal, Cloudonomics Journal, CIO/CTO Update, Sarbanes Oxley on Ulitzer, Java in the Cloud

Blog Feed Post

PCI Compliance in Virtualized Environments

By Gorka Sadowski, European Cloud Evangelist


The PCI Council released a document on PCI Compliance in Virtualized environments. This plays really well with LogLogic’s VMware strategy and some of our upcoming technology.

Turns out that PCI recognizes that:

  • Logging in even more important but difficult in virtualized environments
  • Logs are important in more sections than just Section 10, for example 3.4 and 5.2

For example:

Page 18:

  • Section "Harden the Hypervisor"
    • Separate administrative functions such that hypervisor administrators do not have the ability to modify, delete, or disable hypervisor audit logs.
    • Send hypervisor logs to physically separate, secured storage as close to real-time as possible.
    • Monitor audit logs to identify activities that could indicate a breach in the integrity of segmentation, security controls, or communication channels between workloads.

Page 33:

  • Requirement 5.2
    • Ensure that all anti-virus mechanisms are current, actively running, and generating audit logs.

Page 32:

  • Requirement 3.4 Render PAN unreadable anywhere it is stored (including on portable digital media, backup media, and in logs) by using any of the following approaches:
    • One-way hashes based on strong cryptography (hash must be of the entire PAN)
    • Truncation (hashing cannot be used to replace the truncated segment of PAN)
    • Index tokens and pads (pads must be securely stored)
    • Strong cryptography with associated key-management processes and procedures

Page 37:

  • Logging of activities unique to virtualized environments may be needed to reconstruct the events required by PCI DSS Requirement 10.2. For example, logs from specialized APIs that are used to view virtual process, memory, or offline storage may be needed to identify individual access to cardholder data.
    • The specific system functions and objects to be logged may differ according to the specific virtualization technology in use.
    • Audit trails contained within virtual machines are usually accessible to anyone with access to the virtual machine image.
    • Specialized tools may be required to correlate and review audit log data from within virtualized components and networks.
    • It may be difficult to capture, correlate, or review logs from a virtual shared hosting or cloud- based environment.
  • Additional Best Practices / Recommendations:
    • Do not locate audit logs on the same host or hypervisor as the components generating the audit logs.


These requirement clearly cry out for LogLogic’s solutions. Please feel free to leave your comments.

Categories: Cloud Computing, Gorka, PCI

Read the original blog entry...

More Stories By Bill Roth

Bill Roth is a Silicon Valley veteran with over 20 years in the industry. He has played numerous product marketing, product management and engineering roles at companies like BEA, Sun, Morgan Stanley, and EBay Enterprise. He was recently named one of the World's 30 Most Influential Cloud Bloggers.