Virtualization Technology News and Information
Automating Knowledge for PCI DSS Compliance in VMware Environments

Written by Warren Legg, Senior Product Developer, Runecast

The PCI Data Security Standard (PCI DSS) sets important requirements and controls designed to prevent breaches and fraud that lead to serious damage for businesses and consumers alike. For businesses, achieving compliance with the standard and quickly identifying non-compliances presents many difficult challenges - especially as the standard is designed to be maintained continuously as a Business as Usual (BAU) process.

Modern PCI environments (Cardholder Data Environments, or "CDEs") are often built in virtual (or software-defined) data centers using products such as VMware's vSphere and NSX. Such platforms offer significant capability and flexibility, but this presents issues for security and compliance because these systems are inherently complex and subject to constant change. These platforms also sit within a fast-moving industry where exploits and breach threats are constantly emerging (think of recent examples such as L1TF, Spectre and Meltdown).

The good news is that whilst virtualized systems seem inherently less secure at first, security can actually be radically improved by fully embracing software-based technology. By automating industry knowledge and the PCI DSS security standard, vulnerabilities and non-compliances become rapidly visible, enabling proactive and continuous protection of PCI CDEs.

Virtualization Technologies and PCI DSS

The importance of the virtual data center platform is recognised by the PCI Standards Council. Their specific guidance highlights that virtualized systems present new risks:

"Virtualization technology introduces new risks that may not be relevant to other technologies, and that must be assessed when adopting virtualization in cardholder data environments."

It is recognized that the virtualization platform has many interrelated components needing to be in scope for compliance:

"Where virtualization is implemented, all components within the virtual environment will need to be identified and considered in scope for a PCI DSS review, including the individual virtual hosts or devices, guest machines, applications, management interfaces, central management consoles, hypervisors, etc."

And it is explicitly stated that the catalogue of PCI DSS requirements must be met and evidenced throughout the virtual platform:

"If virtualization technologies are used in a cardholder data environment, PCI DSS requirements apply to those virtualization technologies"

"Virtual systems and networks are subject to the same attacks and vulnerabilities that exist in a physical infrastructure... a poorly configured virtual firewall could unwittingly expose internal systems to internet-based attacks in the same way misconfiguration on a physical firewall would do."

Whilst virtual platform components must comply with PCI DSS, the compliance process poses many unique and difficult challenges because the data center is complex in its configuration and dynamic in its operational use.

Complexity arises because virtual components (such as Virtual Machines, hosts, virtual switches, and firewalls) are each configured in software and carry many parameters that together form their security posture. Components within a data center are interrelated. VMs by themselves are complex and contain many virtual hardware components. This is amplified as VMs are hosted within hypervisors, which in turn have complex configurations and are themselves related to virtual networks and datastores, where intricate relationships are formed and enforced in software. All of this must be accounted for when assessing the environment.

The dynamic nature of the virtual data center means that change is part of normal operation (e.g. VM workloads are mobile by nature). Misconfigurations and non-compliances can also be introduced accidentally, even within stringent change processes. Further change is inevitable through upgrade cycles, as the platform software itself changes.

In order to test for compliance in a virtual data center it is necessary to interpret the hundreds of requirements and lower-level controls in the PCI DSS standard. These cover a broad spectrum of security-related areas (e.g. physical access, business processes, and personnel) as well as many technically specific requirements. The requirements are written in general terms and not specifically for virtual technologies or products. It is therefore a difficult task to translate these requirements into technical validation checks that can be implemented within a virtual environment.

These factors combine to produce serious challenges for businesses and technical staff needing to attest compliance to PCI DSS requirements in virtualized CDEs. Achieving this through manual processes is barely feasible; the conditions necessary to confirm compliance are in an environment of continuous change, both within the virtual environment operation and wider industry knowledge.

By deploying intelligent and automated tooling that applies knowledge automation, these problems can be squarely addressed and overcome.

Addressing PCI DSS Compliance with Knowledge Automation

The ability to access virtual environments through defined APIs allows effortless scanning of complex configurations to rapidly locate non-compliances to technical requirements found throughout the PCI DSS standard.

Runecast Analyzer is an application that uses automation to monitor and report on non-compliances and vulnerabilities throughout the VMware Virtual Data Center (including VMware vSphere - vCenter / ESXi, NSX-V, vSAN).

Knowledge Automation: Continuous PCI DSS Compliance Checks

Recently, the extensive set of technical requirements within the latest PCI DSS standard (v3.2.1) has been translated and converted into many hundreds of automated checks performed by Runecast Analyzer. These form a profile that makes it possible to quickly view where violations of the standard are occurring.

Shown below is an example screenshot of a single PCI DSS non-compliance revealed by an automated scan. Within the interface, the relevant knowledge content from the standard itself is displayed alongside the related requirement and lower-level control. It shows which technical check is being carried out in the virtual data center to detect the non-compliance and explains why the check applies to the requirement.

The Analyzer highlights specifically which components (e.g. VMs, Hosts) and settings are involved in the failure. It provides technical staff with detailed instruction from the appropriate industry knowledge to resolve the issue:


The example shows knowledge automation being used to provide a full audit trail from the PCI DSS standard to the specific non-compliance in the virtual data center configuration. Also worth noting is the opportunity to use the PCI "Prioritized Approach" milestones, enabling businesses to accelerate effective remediation by tackling higher-risk non-compliances first.

Many PCI DSS requirements can be addressed using the hundreds of specific configuration checks implemented within the profile (such as the example above). There are also other important areas of PCI DSS including risk assessment and vulnerability management that benefit hugely from proactive knowledge automation.
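The audit trail described above (requirement, technical check, affected object, remediation, Prioritized Approach milestone) can be modelled as a small rule engine. The block below is an added example, not Runecast code or part of the original article: the host inventory is constructed inline rather than read from vCenter, the ESXi advanced settings and PCI DSS 3.2.1 requirement numbers are real, and the milestone numbers follow my reading of the Prioritized Approach document and should be confirmed against it.

```python
"""Minimal PCI DSS configuration-check engine for ESXi hosts (added example)."""
from dataclasses import dataclass
from typing import Any, Callable, Dict, List

@dataclass(frozen=True)
class Check:
    req: str          # PCI DSS v3.2.1 requirement the check evidences
    milestone: int    # Prioritized Approach milestone (assumed values, 1 = highest priority)
    setting: str      # ESXi advanced setting examined
    expected: str     # human-readable expected state
    passes: Callable[[Any], bool]
    remediation: str  # instruction handed to technical staff

CHECKS = [
    Check("2.2.4", 2, "Config.HostAgent.plugins.solo.enableMob", "False",
          lambda v: v is False,
          "Disable the Managed Object Browser unless needed for troubleshooting."),
    Check("8.1.6", 4, "Security.AccountLockFailures", "1-6 failed attempts",
          lambda v: isinstance(v, int) and 1 <= v <= 6,
          "Set Security.AccountLockFailures to 6 or fewer (0 disables lockout)."),
    Check("10.5.3", 4, "Syslog.global.logHost", "remote syslog target configured",
          lambda v: bool(v),
          "Set Syslog.global.logHost to forward logs to a central log server."),
]

def scan(hosts: Dict[str, Dict[str, Any]]) -> List[Dict[str, Any]]:
    """Evaluate every check against every host; a missing setting counts as a
    failure. Findings are sorted by milestone so the highest-priority
    non-compliances are listed first."""
    findings = []
    for name, settings in hosts.items():
        for c in CHECKS:
            actual = settings.get(c.setting)
            if not c.passes(actual):
                findings.append({"host": name, "req": c.req, "milestone": c.milestone,
                                 "setting": c.setting, "actual": actual,
                                 "expected": c.expected, "remediation": c.remediation})
    return sorted(findings, key=lambda f: (f["milestone"], f["host"]))

# Constructed inventory of two ESXi hosts; values are illustrative only.
HOSTS = {
    "esxi-cde-01": {"Config.HostAgent.plugins.solo.enableMob": False,
                    "Security.AccountLockFailures": 5,
                    "Syslog.global.logHost": "udp://syslog.cde.example:514"},
    "esxi-cde-02": {"Config.HostAgent.plugins.solo.enableMob": True,
                    "Security.AccountLockFailures": 0,   # lockout disabled
                    "Syslog.global.logHost": ""},        # no remote syslog
}

if __name__ == "__main__":
    for f in scan(HOSTS):
        print(f"[M{f['milestone']}] Req {f['req']} {f['host']}: {f['setting']}="
              f"{f['actual']!r} (expected {f['expected']}) -> {f['remediation']}")
```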

Knowledge Automation: Vulnerability Management for PCI DSS

PCI DSS requires businesses to perform vulnerability management and risk assessment activities as a BAU process. When implementing these processes, businesses must take full account of the ever-changing landscape of security threats emerging within the industry, as reported by vendors and other industry sources. For a specific example, see Requirement 6.1:

"Establish a process to identify security vulnerabilities, using reputable outside sources for security vulnerability information, and assign a risk ranking (for example, as "high," "medium," or "low") to newly discovered security vulnerabilities.

Examine policies and procedures to verify that processes are defined for the following:

  • To identify new security vulnerabilities
  • To assign a risk ranking to vulnerabilities that includes identification of all "high risk" and "critical" vulnerabilities.
  • To use reputable outside sources for security vulnerability information."

"The intent of this requirement is that organizations keep up to date with new vulnerabilities that may impact their environment. Sources for vulnerability information should be trustworthy and often include vendor websites, industry news groups, mailing list, or RSS feeds. Once an organization identifies a vulnerability that could affect their environment, the risk that the vulnerability poses must be evaluated and ranked.

The organization must therefore have a method in place to evaluate vulnerabilities on an ongoing basis and assign risk rankings to those vulnerabilities."

Runecast Analyzer continuously scans the configuration and logs of virtual environments and compares them with known vulnerabilities identified in the VMware knowledge base (KB), Security Advisories (including CVEs), the user community, reputable social networks, and other industry sources. The process of capturing continual additions and updates to industry knowledge from multiple sources is itself automated using web-crawling technologies and natural language processing.

For all detected issues the Analyzer provides their criticality and sources, and identifies which objects are vulnerable. The following screenshot from Runecast Analyzer illustrates how this requirement is met for a virtual data center in continuous operation:


When drilling down into each issue, the Analyzer provides full detail for each vulnerability by supplying the relevant industry knowledge source (e.g. a VMware Security Advisory) in the user interface. It also provides the vendor's best-practice remediation procedure to resolve it. This example shows exposure to, and resolution for, the recent L1TF vulnerability:


The specific objects (e.g. Hosts, VMs) that are at risk from the vulnerability in the environment are shown in the interface:


These examples show how knowledge automation is used to fulfill both the letter and the intent of the PCI DSS requirement, giving businesses the ability to quickly identify and proactively address emerging security risks.
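The vulnerability-management flow described in this section (compare the inventory against vendor advisories, rank the risk as Requirement 6.1 asks, name the exposed objects and the fix) can be illustrated with the following added example. It is not Runecast code or part of the original article; the advisory identifiers, build numbers and hosts are constructed placeholders, the severity scale is VMware's (Critical, Important, Moderate, Low), and the high/medium/low ranking policy is this example's own.

```python
"""Advisory exposure matching and Req 6.1 risk ranking (added example)."""
from dataclasses import dataclass
from typing import Dict, List

@dataclass(frozen=True)
class Advisory:
    ident: str            # vendor advisory id (placeholder values below)
    title: str
    vendor_severity: str  # VMware scale: Critical / Important / Moderate / Low
    product: str          # product line affected, e.g. "ESXi 6.7"
    fixed_build: int      # first build number that carries the fix (constructed)

@dataclass(frozen=True)
class Host:
    name: str
    product: str
    build: int
    in_cde: bool          # host is inside the Cardholder Data Environment scope

# Req 6.1 asks for a risk ranking such as high/medium/low; this example derives it
# from the vendor severity and raises moderate issues on in-scope CDE hosts to high.
RANK = {"Critical": "high", "Important": "high", "Moderate": "medium", "Low": "low"}

def exposed(host: Host, adv: Advisory) -> bool:
    """A host is exposed when it runs the affected product at a build below the fix."""
    return host.product == adv.product and host.build < adv.fixed_build

def risk_rank(host: Host, adv: Advisory) -> str:
    rank = RANK.get(adv.vendor_severity, "medium")   # unknown severity: assume medium
    if host.in_cde and rank == "medium":
        rank = "high"
    return rank

def assess(hosts: List[Host], advisories: List[Advisory]) -> List[Dict[str, str]]:
    """One finding per (exposed host, advisory): rank, source and remediation."""
    return [{"host": h.name, "advisory": a.ident, "title": a.title,
             "rank": risk_rank(h, a), "remediation": f"upgrade to build {a.fixed_build}+"}
            for a in advisories for h in hosts if exposed(h, a)]

# Constructed data: placeholder advisory ids and builds, not real VMware values.
ADVISORIES = [
    Advisory("VMSA-PLACEHOLDER-1", "L1TF-class side-channel (constructed record)",
             "Important", "ESXi 6.7", 9_000_000),
    Advisory("VMSA-PLACEHOLDER-2", "management agent issue (constructed record)",
             "Moderate", "ESXi 6.5", 7_000_000),
]
HOSTS = [Host("esxi-cde-01", "ESXi 6.7", 8_200_000, True),    # exposed, high
         Host("esxi-cde-02", "ESXi 6.5", 6_500_000, True),    # exposed, raised to high
         Host("esxi-lab-01", "ESXi 6.5", 6_500_000, False),   # exposed, medium
         Host("esxi-lab-02", "ESXi 6.7", 9_100_000, False)]   # patched
```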

Whilst there is only room in this article for two specific examples, the following table lists the technical requirements within the PCI DSS standard that benefit from knowledge automation and can be addressed as a business-as-usual process by Runecast Analyzer:



The examples given in this article illustrate how knowledge automation gives businesses a transformative capability to monitor their VMware virtualized Cardholder Data Environments against PCI DSS requirements and report on the results. The table above shows the extent of coverage where this approach can be employed continuously to offer major benefit for compliance.

Virtual data centers are complex in their configuration; they are also extremely dynamic and flexible - which appears to make them less secure. Because they are complex and software-defined, they lack transparency, and so it is barely feasible to assess their security posture manually. Additionally, industry knowledge is ever-changing and new threats emerge continuously.

However, the software-based knowledge automation available in Runecast Analyzer overcomes these significant challenges. VMware virtual data centers actually become more secure, as they can be scanned rapidly to identify and locate non-compliances and vulnerabilities. Non-compliances with requirements and controls within the PCI DSS standard are detected and raised in business-as-usual operation. Immediate reporting is available to quantify these risks within the data center and to record historical compliance results over time. Furthermore, leveraging industry knowledge empowers businesses by combining the latest security information with technical detail, so that vulnerabilities can be managed proactively and remediated quickly according to best practice.

Start Using Knowledge Automation Today

Runecast offer a free trial of Runecast Analyzer, which you can install and use to start assessing your environment against PCI DSS in minutes. Full functionality (including industry knowledge) is available completely offline to support operations in secure PCI DSS Cardholder Data Environments. The trial version is available here:

For VMblog readers, Runecast are offering an exclusive promotion where you can have 7 days' access to the full (non-trial) application. The offer is available until 15th September. Use the promo code VMBLOG to activate.

For further information on Runecast Analyzer and PCI DSS specifically, please reach out to the Runecast team who are always happy to provide advice and assistance:


About the Author


Warren Legg, Senior Product Developer

vExpert, VCAP-DCA, VCP-DCV 3, 5, 6, 6.5, VCA-NV 6

Warren has been working with VMware technologies for well over a decade. In that time he has created software to automate and protect some of the most sensitive virtual data centers in the world. Warren was proud to join the innovative Runecast team 18 months ago because he believes proactive knowledge automation is a #musthave for keeping modern SDDCs safe.

Published Friday, August 24, 2018 9:33 AM by David Marshall