ISO Secure Computing Guidelines
The Stanford Information Security Office (ISO) recommends the Payment Card Industry Data Security Standard (PCI DSS) as the set of practices that comprise an effective and appropriate security program for Administrative Systems and for other systems that process, store, or have access to Prohibited or Restricted data. If the systems that you are responsible for, design, administer, or use fall into these categories, please ensure that they comply with these guidelines.
NOTE: The Payment Card Industry Data Security Standards do not yet address host virtualization. Until they do, the ISO, in consultation with a PCI Qualified Security Assessor, offers the following recommendations as guidelines for appropriate security measures in a virtualized host computing environment.
Host Virtualization Security
- Servers must be virtualized as distinct guest systems. For example, Web and Application servers cannot be installed on the same guest system; they must be virtualized as separate guest systems.
- Web and Application guest systems can be virtualized on the same physical host. Web and Application guest systems cannot be virtualized on the same physical host with Database guest systems storing Prohibited or Restricted data.
- Development and Test guest systems can be virtualized on the same physical host. Development and Test guest systems cannot be virtualized on the same physical host with Production guest systems, even if they contain the same data as Production systems.
- Trunking may be used to offer multiple VLANs to guest systems on a physical host. However, traffic between guest systems on the same physical host may not be routed internally whenever that traffic crosses firewall zones. For example, traffic between Web and Application guest systems on different firewall VLANs must be routed through the external network firewall. Each VLAN should have its own virtual switch or be routed directly to a single guest system. No virtual switch should carry more than one VLAN or serve more than one type of guest system.
- ROM-based, limited-function, special-purpose hardware [e.g., switches, netapps] can be used to preserve existing separation using VLANs and VFilers. VFilers used for this separation cannot share physical disks.
- If any guest system contains Prohibited or Restricted data, then all guest systems present on the physical host are in scope for compliance validation, and the physical host itself is in scope for compliance validation.
- If any guest system contains Prohibited or Restricted data, then servers that serve this and other zones are in scope for compliance validation. For example, if an authentication or storage server services both Zone 1 and Zone 2, and Zone 1 contains Restricted data, then the authentication or storage server is also in scope for compliance validation. Zone 2 is not brought into scope by its use of the in-scope authentication or storage server.
- Virtualization of multiple guest systems on a single physical host does not violate the single primary function per server standard requirement.
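The co-location, virtual switch, and scoping rules above can be checked mechanically against a host inventory. The following is an added example, not code from the Stanford ISO: it models guests, virtual switches, and physical hosts, flags placements that break the rules (a Web or Application guest beside a Database guest holding Prohibited or Restricted data, Development or Test guests beside Production guests, a virtual switch carrying more than one VLAN or serving more than one guest type), and computes which hosts and guests the two scope rules pull into compliance validation. All host, guest, VLAN, and zone names in the inventory are constructed for illustration.

```python
"""Placement and scope checks for a virtualized environment holding
Prohibited or Restricted data. Added example; the inventory is constructed
and every host/guest/VLAN/zone name is an assumption."""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple


@dataclass
class Guest:
    name: str
    role: str               # one primary function per guest: web, app, db, auth, storage
    env: str                # prod, dev or test
    zones: Set[str]         # firewall zones this guest lives in or services
    sensitive: bool = False  # stores Prohibited or Restricted data


@dataclass
class VSwitch:
    name: str
    vlans: Set[str]         # VLANs trunked onto this virtual switch
    guest_roles: Set[str]   # guest types attached to it


@dataclass
class Host:
    name: str
    guests: List[Guest]
    vswitches: List[VSwitch] = field(default_factory=list)


def placement_findings(host: Host) -> List[str]:
    """Check one physical host against the co-location and virtual switch rules."""
    findings: List[str] = []
    roles = {g.role for g in host.guests}
    envs = {g.env for g in host.guests}
    sensitive_db = any(g.role == "db" and g.sensitive for g in host.guests)
    if sensitive_db and roles & {"web", "app"}:
        findings.append(f"{host.name}: web/app guest co-located with a db guest holding Prohibited/Restricted data")
    if "prod" in envs and envs & {"dev", "test"}:
        findings.append(f"{host.name}: dev/test guest co-located with a production guest")
    for sw in host.vswitches:
        if len(sw.vlans) > 1:
            findings.append(f"{host.name}/{sw.name}: virtual switch carries multiple VLANs {sorted(sw.vlans)}")
        if len(sw.guest_roles) > 1:
            findings.append(f"{host.name}/{sw.name}: virtual switch serves multiple guest types {sorted(sw.guest_roles)}")
    return findings


def compliance_scope(hosts: List[Host]) -> Dict[str, Set[str]]:
    """Apply only the two scope rules stated in the guidelines: a host holding
    sensitive data pulls in itself and every guest on it; a shared auth/storage
    server that services a zone containing sensitive data is pulled in, but the
    other zones it services are not."""
    sensitive_zones: Set[str] = set()
    for h in hosts:
        for g in h.guests:
            if g.sensitive:
                sensitive_zones |= g.zones
    scope: Dict[str, Set[str]] = {"hosts": set(), "guests": set()}
    for h in hosts:
        if any(g.sensitive for g in h.guests):
            scope["hosts"].add(h.name)
            scope["guests"].update(g.name for g in h.guests)
        for g in h.guests:
            if g.role in ("auth", "storage") and g.zones & sensitive_zones:
                scope["guests"].add(g.name)
    return scope


# Constructed inventory: three compliant hosts and one that breaks several rules.
INVENTORY: List[Host] = [
    Host("esx-a", [Guest("web1", "web", "prod", {"zone1"}), Guest("app1", "app", "prod", {"zone1"})],
         [VSwitch("vs-web", {"vlan-web"}, {"web"}), VSwitch("vs-app", {"vlan-app"}, {"app"})]),
    Host("esx-b", [Guest("db1", "db", "prod", {"zone1"}, sensitive=True)],
         [VSwitch("vs-db", {"vlan-db"}, {"db"})]),
    Host("esx-c", [Guest("auth1", "auth", "prod", {"zone1", "zone2"}), Guest("app2", "app", "prod", {"zone2"})],
         [VSwitch("vs-auth", {"vlan-auth"}, {"auth"}), VSwitch("vs-app2", {"vlan-app2"}, {"app"})]),
    Host("esx-bad", [Guest("db2", "db", "prod", {"zone1"}, sensitive=True),
                     Guest("web2", "web", "prod", {"zone1"}),
                     Guest("devbox", "app", "dev", {"dev"})],
         [VSwitch("vs-trunk", {"vlan-web", "vlan-db"}, {"web", "db"})]),
]


def audit(hosts: List[Host] = INVENTORY) -> Tuple[List[str], Dict[str, Set[str]]]:
    """Run every host through the placement checks and compute the validation scope."""
    findings: List[str] = []
    for h in hosts:
        findings.extend(placement_findings(h))
    return findings, compliance_scope(hosts)


if __name__ == "__main__":
    found, scope = audit()
    for line in found:
        print("FINDING:", line)
    print("in-scope hosts:", sorted(scope["hosts"]))
    print("in-scope guests:", sorted(scope["guests"]))
```

Running the audit reports four findings, all on esx-bad, and places esx-b and esx-bad (with every guest on them) plus the shared auth1 server in scope, while app2 in Zone 2 stays out of scope even though it uses auth1. The scope function deliberately encodes only the two rules the guidelines state; a real PCI scoping exercise also considers connectivity, which this model does not.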
Need More Information?
Contact the Information Security Office regarding security issues with Stanford computers or network resources.