Thursday, July 10, 2008

Issue That Virtually Everybody and Their Dog Is Confused About

Here is an issue that everybody and their dog (and, likely, their dog's fleas :-)) is confused about:

What does PCI DSS Requirement 2.2.1 ("Implement only one primary function per server (for example, web servers, database servers, and DNS should be implemented on separate servers)") mean in virtualized environments?

Is it "one function per VM instance" or "one function per physical server"?

I've heard reports of QSAs interpreting it either way, which means that millions of dollars of IT investments might be at stake.

Here are some arguments that I've heard about:
  • "VM instance is NOT a server" - thus physical separation is required.
  • "VM IS a different machine, might be different OS, etc" - thus it IS sufficient separation.
  • "VM is like a VLAN" - thus VM separation IS adequate separation. Then again: some say VLANs are not sufficient separation either.
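To make the gap between the two readings concrete, here is a small Python check (added for this discussion; it is not code from the original post, from the PCI SSC, or from any QSA) that derives each VM's primary functions from constructed `ss -ltn`-style listener output, records which physical hypervisor host each VM runs on, and then evaluates the same estate under both the per-VM and per-physical-host interpretations of 2.2.1. VM and host names, the port-to-function table, and the placement data are all hypothetical.

```python
"""Added example: evaluate PCI DSS 2.2.1 ("one primary function per server")
against a constructed VM inventory under both readings the post lists:
(1) a VM instance is the "server", (2) the physical host is the "server".
All names and data below are constructed, not from real systems."""
from collections import defaultdict

# Listening TCP ports treated as markers of a primary function for this check.
# Management ports such as 22 are deliberately absent: they are not a function.
PORT_TO_FUNCTION = {
    80: "web", 443: "web",
    53: "dns",
    3306: "database", 5432: "database", 1433: "database",
}

# Constructed `ss -ltn`-style output, as if captured inside each VM.
SAMPLE_LISTENERS = {
    "vm-web-01": ["LISTEN 0 128 0.0.0.0:80   0.0.0.0:*",
                  "LISTEN 0 128 0.0.0.0:443  0.0.0.0:*",
                  "LISTEN 0 128 0.0.0.0:22   0.0.0.0:*"],
    "vm-db-01":  ["LISTEN 0 128 0.0.0.0:3306 0.0.0.0:*",
                  "LISTEN 0 128 0.0.0.0:22   0.0.0.0:*"],
    "vm-dns-01": ["LISTEN 0 128 0.0.0.0:53   0.0.0.0:*"],
    "vm-app-02": ["LISTEN 0 128 0.0.0.0:443  0.0.0.0:*",
                  "LISTEN 0 128 0.0.0.0:5432 0.0.0.0:*"],
}

# Constructed placement: which physical hypervisor host runs each VM.
VM_TO_HOST = {
    "vm-web-01": "esx-host-a",
    "vm-db-01":  "esx-host-a",
    "vm-dns-01": "esx-host-b",
    "vm-app-02": "esx-host-b",
}


def functions_from_listeners(lines):
    """Map listening sockets to primary functions; unknown ports are ignored."""
    funcs = set()
    for line in lines:
        fields = line.split()
        if len(fields) < 4 or fields[0] != "LISTEN":
            continue
        port = int(fields[3].rsplit(":", 1)[1])  # "0.0.0.0:443" -> 443
        if port in PORT_TO_FUNCTION:
            funcs.add(PORT_TO_FUNCTION[port])
    return funcs


def build_inventory(listeners, placement):
    """Return vm -> (physical host, set of primary functions)."""
    return {vm: (placement[vm], functions_from_listeners(lines))
            for vm, lines in listeners.items()}


def violations_per_vm(inventory):
    """Reading 1: the VM instance is the 'server'. Flag VMs with >1 function."""
    return sorted(vm for vm, (_host, funcs) in inventory.items()
                  if len(funcs) > 1)


def violations_per_host(inventory):
    """Reading 2: the physical host is the 'server'. Union the functions of
    every VM it runs and flag hosts that end up with >1 function."""
    by_host = defaultdict(set)
    for _vm, (host, funcs) in inventory.items():
        by_host[host] |= funcs
    return sorted(host for host, funcs in by_host.items() if len(funcs) > 1)


INVENTORY = build_inventory(SAMPLE_LISTENERS, VM_TO_HOST)

if __name__ == "__main__":
    print("per-VM reading, non-compliant VMs:    ", violations_per_vm(INVENTORY))
    print("per-host reading, non-compliant hosts:", violations_per_host(INVENTORY))
```

On this constructed estate, the per-VM reading flags only vm-app-02 (it runs both a web and a database function inside one instance), while the per-host reading flags both physical hosts, including esx-host-a, whose two VMs are each single-function and perfectly compliant on their own. That is exactly the situation where the investment question bites: the same hardware either passes or needs to be split across more physical boxes depending purely on which reading the QSA applies. Two caveats for anyone adapting this: the port table is a heuristic (a function that does not listen on a network port, such as a batch job, is invisible to it), and a QSA will judge the actual role of the system, not the port list.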
I hereby call upon the unholy wisdom of Hoff to answer this little bugger...

Dr Anton Chuvakin