Everyone loves new technology that actually makes it easier to keep the joint running. When a technology like virtualization comes along that fully exploits the hardware and makes scaling much simpler, people flock to it. But how many are aware that they might be violating compliance requirements?
Specifically, I'm talking about the PCI DSS (Payment Card Industry Data Security Standard), probably the most stringent set of mainstream compliance regulations in effect. Though imposed by the credit card industry, not the government, PCI DSS stipulates fines for certain violations -- not to mention the far worse threat of having your authorization to process credit card transactions revoked.
According to Gene Kim, founder of both Tripwire and the IT Process Institute, many companies that adopt virtualization fall out of PCI DSS compliance without realizing it. A key sticking point is PCI DSS requirement 2.2.1, which states that you must "implement only one primary function per server." On the face of it, this seems to rule out virtualization entirely.
But fortunately, that's not the case: PCI DSS just wants you to keep cardholder data properly isolated and secure in virtual environments. According to information from Foundstone, a security consultancy (and McAfee subsidiary), running multiple guest OSes on the same hypervisor, with one guest running an application that processes cardholder data and another running something else, violates requirement 2.2.1. One solution is to host the VMs that operate on cardholder data on physically separate hardware from those that do not. If that isn't possible, Foundstone advises putting the VMs with cardholder data on their own virtual networks.
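The two-tier rule above (physical separation first, dedicated virtual networks as the fallback) is easy to turn into an inventory check. The following is an added example, not code from the article or from Foundstone: it walks a constructed host-to-guest inventory and classifies each hypervisor host. The inventory format, the host and VM names, and the `cde` flag marking guests that handle cardholder data are all assumptions; in practice the records would come from your hypervisor management API.

```python
"""Classify hypervisor hosts against the PCI DSS 2.2.1 co-hosting concern.

Added example (not from the article or Foundstone). The inventory shape,
host/VM names and the 'cde' flag are assumptions for illustration.
"""

from dataclasses import dataclass


@dataclass(frozen=True)
class VM:
    name: str
    cde: bool      # True if the guest stores, processes or transmits cardholder data
    network: str   # virtual network / port group the guest's vNIC is attached to


# Constructed sample inventory: host -> guests running on it (hypothetical names).
INVENTORY = {
    "esx-01": [VM("pay-app-01", True, "vlan-cde"), VM("pay-db-01", True, "vlan-cde")],
    "esx-02": [VM("pay-web-01", True, "vlan-cde"), VM("intranet-wiki", False, "vlan-corp")],
    "esx-03": [VM("pay-batch-01", True, "vlan-corp"), VM("build-agent", False, "vlan-corp")],
    "esx-04": [VM("mail-01", False, "vlan-corp"), VM("file-01", False, "vlan-corp")],
}


def classify_host(vms):
    """Return one of three states for a single hypervisor host.

    'separate'          - host runs only CDE guests or only non-CDE guests
                          (the physical-separation option)
    'mixed-segmented'   - CDE and non-CDE guests share the host, but no CDE
                          guest sits on a network any non-CDE guest uses
                          (the dedicated-virtual-network fallback)
    'mixed-unsegmented' - CDE guests share both the host and a network with
                          non-CDE guests; the 2.2.1 concern is unaddressed
    """
    cde = [v for v in vms if v.cde]
    non_cde = [v for v in vms if not v.cde]
    if not cde or not non_cde:
        return "separate"
    non_cde_networks = {v.network for v in non_cde}
    if any(v.network in non_cde_networks for v in cde):
        return "mixed-unsegmented"
    return "mixed-segmented"


def audit_inventory(inventory):
    """Classify every host; returns {host: state}."""
    return {host: classify_host(vms) for host, vms in inventory.items()}


def findings(inventory):
    """Human-readable findings for hosts that are not physically separated."""
    out = []
    for host, vms in inventory.items():
        state = classify_host(vms)
        if state == "separate":
            continue
        cde_names = [v.name for v in vms if v.cde]
        other = [v.name for v in vms if not v.cde]
        out.append(f"{host}: {state}; CDE guests {cde_names} co-hosted with {other}")
    return out


if __name__ == "__main__":
    for line in findings(INVENTORY):
        print(line)
```

Treat `mixed-segmented` as the fallback it is, not as a clean pass: the host still mixes functions, and the virtual-network check here only looks at which port group each guest is attached to, not at whether the hypervisor's virtual switch actually enforces the isolation. Confirm the segmentation with your QSA before relying on it.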
Other PCI DSS requirements are common-sense security measures that apply to any environment, such as keeping operating system patches current and implementing proper logging and auditing. For logging, however, you need to architect your virtual environment to absorb the overhead of log management, which can be quite significant once many guests are consolidated onto shared hosts.
When you adopt new technology, it's easy to run afoul of regulations, since they were very likely drafted before that technology existed. When it comes to virtualization, what you don't know may come back to bite you.