The PCI DSS requires that an organization have configuration standards for devices that make up their infrastructure such as firewalls, routers, load balancers, switches and servers. That includes devices that exist virtually as well as those that exist physically.
For virtual infrastructure such as that which is in The Cloud, an issue that we run into is that the organization is relying on the Cloud provider to have that configuration standard. For software as a service (SaaS), that might be the case (you would need to check your responsibility matrix), but for all other Cloud instances, it is always the responsibility of the customer to have that standard. As a result the assessor typically finds that the organization does not have configuration standards for virtual devices.
This gets worse when the assessor asks for configuration standards for the hypervisor environment. Whether it is VMware, Xen, VM Server or Hyper-V, the PCI DSS requires a configuration standard for the software that creates the virtual environment. While this is covered by all Cloud providers in their PCI assessments, it is the in-house virtual environments where assessors need configuration standards. It is not unusual for assessors to find that the in-house hypervisor environment does not have a configuration standard that was followed in deploying the hypervisor.
The next issue an assessor encounters is that there are standards, but they are only for new devices, not the older devices the organization also uses. It is not unusual for configuration standards to be available for the current release of Cisco IOS, Windows Server or Red Hat Enterprise Linux, but the standards for older versions are no longer stored. As a result, it is impossible for the assessor to determine if older versions are configured to the last configuration standard used for those versions.
The lessons learned here is before you go through your PCI assessment:
· Do not get rid of those configuration standards for older devices and systems until the last one goes out the door, and
· Make sure you have all the configuration standards for every type and version of infrastructure in use, not just current types and versions.
For more information or questions on Configuration Standards or PCI DSS, contact Auditwerx today!