I have already asked this question over on Information Security but so far it has not garnered any comments. I am thinking perhaps it is more of a server infrastructure and configuration question, rather than a security question per se.
Therefore I will try to be brief:
We are PCI-DSS 2.0 compliant. PCI-DSS has the concept of in-scope and out-of-scope systems/processes/data/infrastructure etc. In-scope is under scrutiny during PCI-DSS audits, out-of-scope are considered untrusted and firewalled network segments should separate the two scopes.
Therefore it is considered a no-no if you try to mix in-scope and out-of-scope systems, yet in this world of VMs the PCI-DSS council released guidelines specifically regarding mixing scopes in the virtual environment. They state that:
The level of segmentation required for in-scope and out-of-scope systems on the same host must be equivalent to a level of isolation achievable in the physical world; that is, segmentation must ensure that out-of-scope workloads or components cannot be used to access an in-scope component. Unlike separate physical systems, network-based segmentation alone cannot isolate in-scope from out-of-scope components in a virtual environment.
Therefore my question is, is it possible to segment VMs running on ESXi 5.5 such that the segmentation satisfies the criteria outlined in the guidelines above?
The guidelines are very prescriptive, indeed they go on to say:
Segmentation of virtual components must also be applied to all virtual communication mechanisms, including the hypervisor and underlying host, as well as any other common or shared component. In virtual environments, out-of-band communications can occur, often via a solution-specific communication mechanism, or through the use of shared resources such as file systems, processors, volatile and non-volatile memory, device drivers, hardware devices, APIs, and so on.
Methods I have thought of:
- Use different physical network adapters
- Use different physical datastores
But other areas I am stuck on include how to segment processors, RAM etc.
If you are interested the complete PCI-DSS virtualisation guidelines are here.
Thanks for reading.
Update 21/11/2014:
This doc here has been passed on to me, I will read and digest. It looks like a useful title: 'PCI-DSS Compliance and VMWare'.
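As an added illustration of how the quoted guideline can be turned into a check (this is example code, not part of the question, the answer, or any VMware tooling), the script below takes a VM inventory and reports every resource that is used by both in-scope and out-of-scope VMs along the dimensions the guideline names: the host (which stands in for shared CPU, RAM, hypervisor and device drivers), the virtual switch, the physical adapter and the datastore. The inventory, host names and resource names are constructed for the example; in a real environment the same structure would be populated from vCenter (for instance via PowerCLI or pyvmomi, an assumption about your tooling), and the "host" dimension is the one that network-only segmentation cannot address.

```python
from collections import defaultdict

# Constructed sample inventory for the example; every name here is hypothetical.
# Each record says where a VM runs and which shared resources it touches.
INVENTORY = [
    {"name": "pay-app-01",  "scope": "in",  "host": "esx01",
     "vswitch": "vSwitch-PCI", "pnic": "vmnic2", "datastore": "ds-pci"},
    {"name": "pay-db-01",   "scope": "in",  "host": "esx01",
     "vswitch": "vSwitch-PCI", "pnic": "vmnic2", "datastore": "ds-pci"},
    {"name": "intranet-01", "scope": "out", "host": "esx02",
     "vswitch": "vSwitch0",    "pnic": "vmnic0", "datastore": "ds-general"},
    # Out-of-scope VM placed on the PCI host and PCI datastore: this is the
    # kind of mixing the guideline says network segmentation alone cannot fix.
    {"name": "build-01",    "scope": "out", "host": "esx01",
     "vswitch": "vSwitch0",    "pnic": "vmnic0", "datastore": "ds-pci"},
]

# Shared-resource dimensions from the guideline, mapped to the inventory field
# that represents them in this simplified model.
DIMENSIONS = {
    "host": "compute (CPU, RAM, hypervisor, device drivers)",
    "vswitch": "virtual switch",
    "pnic": "physical network adapter",
    "datastore": "datastore (file system / non-volatile storage)",
}


def find_mixed_resources(inventory):
    """Return {dimension: {resource: {"in": [...], "out": [...]}}} listing
    every resource that is used by at least one in-scope and at least one
    out-of-scope VM. An empty dict means no mixing was found."""
    findings = {}
    for field in DIMENSIONS:
        users = defaultdict(lambda: {"in": [], "out": []})
        for vm in inventory:
            users[vm[field]][vm["scope"]].append(vm["name"])
        mixed = {res: scopes for res, scopes in users.items()
                 if scopes["in"] and scopes["out"]}
        if mixed:
            findings[field] = mixed
    return findings


def report(findings):
    """Render findings as one human-readable line per shared resource."""
    lines = []
    for field, mixed in findings.items():
        for res, scopes in sorted(mixed.items()):
            lines.append(
                f"{DIMENSIONS[field]} '{res}' is shared: "
                f"in-scope {scopes['in']} / out-of-scope {scopes['out']}"
            )
    return lines


if __name__ == "__main__":
    for line in report(find_mixed_resources(INVENTORY)):
        print(line)
```

Run as-is, the sample inventory produces two findings: host esx01 and datastore ds-pci are shared, while the virtual switches and physical adapters are already separate. Separate physical NICs and datastores (the two methods listed in the question) would clear the network and storage lines; clearing the host line means keeping in-scope and out-of-scope VMs on distinct hosts or clusters, which is the part the guideline is pointing at when it names processors and memory.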
Best Answer
I've also seen the document you linked in your question. Unfortunately, it breaks down when VMware starts to push their vCloud design and security modules.
Can you tell us about your vSphere environment? Specifically, I'd like to understand the license tier and high level design of your vSphere infrastructure (e.g. 3-host cluster running vSphere Essentials Plus and an iSCSI SAN). This information will help guide to the right solution.
Generically, I can say: