Category Archives: Security

“Mixed Mode” acceptable in a vSphere Environment?

VMware has posted a humorous blog entry on mixed mode security.

It is my opinion that most people are not up to speed on virtualization security and compliance solutions. If you can prove that the systems in a mixed mode are not communicating, you should be golden. If your QSA does not agree, it might be time to get a new QSA. Jk, not really, but… Click the link below to see what we talked about at VMworld. I was misquoted in this article, Computer World and several others. (I NEVER said QSAs were ten years behind :) ) Seriously, I have some good friends that are QSAs…
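The "prove they are not communicating" point is the one an assessor can actually test. The script below is an added example (not code from the post or from VMware): it audits a constructed VM inventory for a mixed-mode cluster and flags the two conditions that defeat the argument, a VLAN carrying both CDE and non-CDE guests, and a guest with NICs in both scopes. Host names, VM names, port groups and VLAN IDs are all invented for illustration; in practice the records would be exported from vCenter.

```python
"""Segmentation audit for a mixed-mode vSphere cluster (added example).

The inventory below is constructed for illustration. VLAN IDs, port group
and VM names are assumptions, not values from any real environment.
"""
from collections import defaultdict

# Constructed inventory: one record per VM. "scope" is the assessor's
# classification of the guest (inside the cardholder data environment or
# not); "nics" lists (port group, VLAN id) for each virtual NIC.
INVENTORY = [
    {"host": "esx01", "vm": "pos-db01",   "scope": "CDE",     "nics": [("pg-cde-db", 110)]},
    {"host": "esx01", "vm": "intranet01", "scope": "non-CDE", "nics": [("pg-corp", 200)]},
    {"host": "esx02", "vm": "pos-app01",  "scope": "CDE",     "nics": [("pg-cde-app", 120)]},
    # non-CDE jump box dual-homed into the CDE application VLAN
    {"host": "esx02", "vm": "jumpbox01",  "scope": "non-CDE", "nics": [("pg-corp", 200), ("pg-cde-app", 120)]},
    {"host": "esx03", "vm": "hr-web01",   "scope": "non-CDE", "nics": [("pg-corp", 200)]},
    # non-CDE monitoring box parked on the CDE database VLAN
    {"host": "esx03", "vm": "monitor01",  "scope": "non-CDE", "nics": [("pg-cde-db", 110)]},
]


def audit(inventory):
    """Return the findings an assessor needs before accepting mixed mode.

    mixed_mode_hosts: hosts running both CDE and non-CDE guests. Not a
        violation by itself, but every such host must pass the checks below.
    shared_segments: VLANs with NICs from both scopes, i.e. an L2 path
        between CDE and non-CDE guests that hypervisor isolation does not
        address.
    dual_homed: guests with NICs on both CDE and non-CDE VLANs; such a
        guest is a bridge and pulls itself (and its host) into scope.
    """
    scopes_per_host = defaultdict(set)
    scopes_per_vlan = defaultdict(set)
    for rec in inventory:
        scopes_per_host[rec["host"]].add(rec["scope"])
        for _pg, vlan in rec["nics"]:
            scopes_per_vlan[vlan].add(rec["scope"])

    # A VLAN is treated as a CDE VLAN if any CDE guest has a NIC on it.
    cde_vlans = {v for v, s in scopes_per_vlan.items() if "CDE" in s}

    mixed_hosts = sorted(h for h, s in scopes_per_host.items() if len(s) > 1)
    shared = sorted(v for v, s in scopes_per_vlan.items() if len(s) > 1)

    dual_homed = []
    for rec in inventory:
        vlans = {vlan for _pg, vlan in rec["nics"]}
        if vlans & cde_vlans and vlans - cde_vlans:
            dual_homed.append(rec["vm"])

    return {
        "mixed_mode_hosts": mixed_hosts,
        "shared_segments": shared,
        "dual_homed": sorted(dual_homed),
    }


def is_clean(findings):
    """True when mixed mode is defensible: no shared segments, no bridges."""
    return not findings["shared_segments"] and not findings["dual_homed"]


if __name__ == "__main__":
    findings = audit(INVENTORY)
    for key, value in findings.items():
        print(f"{key}: {value}")
    print("segmentation defensible:", is_clean(findings))
```

This is an inventory check, not a traffic capture: it shows where a path *could* exist, which is the question a QSA asks first. A passing result still has to be backed by the change-management evidence that the port group assignments stay that way, which is the point made later in the post.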

One of the comments in response goes straight to the issue of a QSA’s role.

…let’s clear a few things up. First, QSAs don’t approve PCI compliance. They assess, make recommendations and document the Report on Compliance (ROC), but ultimately it is the bank and card brand that will determine if risk is acceptable. Second, there are numerous organizations who have been running mixed mode with PCI and successfully worked with their QSA. Prior to PCI DSS v2.0, that work was all done on a case-by-case basis and covered under compensating controls. Version 2.0 tries to put a standard in place for all to follow, but the PCI DSS 2.0 standard does not forbid use of mixed mode. The virtualization supplement is merely guidance (not the standard), and the supplement itself even states in 1D: “There is no one-size-fits-all method or solution to configure virtualized environments to meet PCI DSS requirements. Specific controls and procedures will vary for each environment, according to how virtualization is used and implemented.”

The real point is that there are best practices and appropriate technology solutions available that make it absolutely possible to securely use virtualization in a PCI CDE.

I wrote a response to this comment but it hasn’t been approved on the site yet. Here it is for reference:

…I don’t want to speak for all QSAs but since I am one I will speak for myself on my role and the question of mixed mode.

1) Your comment suggests a QSA is *only* a messenger of an entity’s compliance. I understand where you are coming from, because a QSA does not always get the final call, but that does not mean the QSA is just a messenger. It’s like calling a lower court judge just a messenger because a higher court or supreme court can overrule them.

The July 2011 assessor update to QSAs from the PCI Security Standards Council (SSC) makes it clear that a QSA is expected to be making the difficult decisions:

“It should always be remembered that the active QSA has the ultimate responsibility for their client’s assessment and the evidence provided in the Report on Compliance.”

In other words, the QSA is ultimately the one to determine with the entity whether the risk is acceptable FIRST. Only then does the report get forwarded to internal QA, which verifies SECOND, at the QSA company level, that the risk is acceptable, before it is forwarded to the SSC for its own QA review. By the time it gets to the SSC and the card brands there should be nothing left to decide. That is why QSAs regularly have to be re-tested and re-certified: we have to demonstrate that we can determine whether risk is acceptable on the first pass.

This goes beyond PCI SSC. Auditors perform analysis to determine health. The role of an assessor does not emphasize the collect and store/forward phase. That is just the first step. It is like when a doctor collects your records and listens to your answers. They do this to make a determination. If they collect your records only, and do not make an ultimate determination on risk, then they are not a qualified assessor.

2) You mention “solutions available that make it absolutely possible to securely use virtualization”.

That looks like an oxymoron to me. What exactly is “absolutely possible”? Secure use of virtual technology is possible but to protect the cardholder data it takes a lot more than just technology.

One of the flaws I see most often is from managing change. Assessments of mixed mode generally are not about the possibility of virtual environments but rather the reality of how they are managed. From that perspective there is still a lot of opportunity for better technology and practices to develop and address the many risks of mixed mode.

VMworld 2011 LV Feedback: Thank you!

Wow! Thank you all very much for attending my Penetration Testing the Cloud sessions at VMworld 2011 in Las Vegas.

With nearly 500 people in the audience I was very thankful just to have a great turnout, but your feedback is proving to be even better. Last year I scored 4.23 out of 5 and was the highest-ranked speaker in the cloud track. This year’s tally is now in and my presentation was scored 4.63 overall (4.72 for effectiveness), and many people came up afterwards to tell me in person it was the best presentation of the entire conference. Your positive feedback inspires me to go all out and see how close I can get to the impossible 5.0.

I look forward to seeing you at the next event and please let me know if there is anything missing, or that you would argue with or change.

The presentation is available through the VMworld 2011 website, for registered attendees. Of course you should contact me directly if you have specific questions. I soon will be emailing everyone who gave me a card.

As I mentioned in my presentation the ultimate reward for me is to see a positive and long-term shift in the breach data. We definitely have a lot we can do as civilians to improve security and reduce the frequency and severity of breaches.

  • “Excellent! Similar sessions needed, there’s a lot to cover!”
  • “Need more like this.”
  • “Great material, a lot to look into after session.”
  • “The instructor exceeded my expectations. His knowledge of the subject was deep and his passion for it also showed. Great stuff!”
  • “Excellent material. Speaker researched and developed the information exceptionally well. Extremely well presented.”
  • “This had to be one of the best sessions I have had at VMworld.”
  • “Very useful and applicable to my current situation.”
  • “This guy was an awesome speaker.”
  • “Great speaker – good use of real world examples / humor. Kept crowd engaged”
  • “Great speaker. Good insights. Need more speakers with this kind of technical content.”

Computer Generated Text Woos Venture Money

The NYT has proof that news about the weather and sports needs no human touch, if all the reader wants is a list of facts loosely strung together:

The company’s software takes data, like that from sports statistics, company financial reports and housing starts and sales, and turns it into articles. For years, programmers have experimented with software that wrote such articles, typically for sports events, but these efforts had a formulaic, fill-in-the-blank style. They read as if a machine wrote them.

Computers writing prose and poetry and news have been around for as long as the Internet itself. Have you tried the Elizabethan insult generator or the random prose generator?

The important shift in this story is that people who want to make a high return on their investment are getting interested in pushing to make a sizable profit from the automation of language. The issue thus becomes whether pressure to build this new market will bleed straight into phishers and spammers who have already proven they know how to use automation to turn the news into easy money.

The NYT shamefully gives no credit to attackers who have been successfully composing text from automation for years, nor do they mention the risks from blindly accepting computer-generated text as worthy of consumption.

The few sports writers I read have a specific style and sense of humor. I’m not interested in the data on the game, since I could get that anywhere, but rather how they interpret and present the information based on their particular/unique view of the world.

Update: And in the end a computer that has a particular view of the world will still be just a shallow reflection of the person who programmed it. My presentation at BSidesLV 2011 (2011: A Cloud Odyssey) addressed this issue in great depth. I’ve been asked a lot lately to post the slides from that talk so I’ll upload them soon.

Warrants Rejected for GPS Location Data

A US federal judge has denied a warrant request for GPS data that was sought “not to collect evidence of a crime, but solely to locate a charged defendant”.

The warrant asked for “unlimited location data at any time on demand during a 30-day period”. The defense attorney argued that a search warrant requires proof of “a fair probability that contraband or evidence of a crime will be found in a particular place.” A suspect, in other words, does not automatically lose the right to privacy: absent a flight risk, the suspect’s movement data on its own is not sufficient to justify a warrant.

The NYT reports that the US Supreme Court also is about to hear similar arguments for using GPS data to track a suspect.

In April, Judge Diane P. Wood of the federal appeals court in Chicago wrote that surveillance using global positioning system devices would “make the system that George Orwell depicted in his famous novel, ‘1984,’ seem clumsy.” In a similar case last year, Chief Judge Alex Kozinski of the federal appeals court in San Francisco wrote that “1984 may have come a bit later than predicted, but it’s here at last.”

Last month, Judge Nicholas G. Garaufis of the Federal District Court in Brooklyn turned down a government request for 113 days of location data from cellphone towers, citing “Orwellian intrusion” and saying the courts must “begin to address whether revolutionary changes in technology require changes to existing Fourth Amendment doctrine.”

The Supreme Court is about to do just that. In November, it will hear arguments in United States v. Jones, No. 10-1259, the most important Fourth Amendment case in a decade. The justices will address a question that has divided the lower courts: Do the police need a warrant to attach a GPS device to a suspect’s car and track its movements for weeks at a time?

[…]

The Jones case will address not only whether the placement of a space-age tracking device on the outside of a vehicle without a warrant qualifies as a search, but also whether the intensive monitoring it allows is different in kind from conventional surveillance by police officers who stake out suspects and tail their cars.

The ruling could also affect how warrants are applied to other location-aware technology used by large service providers. I will discuss it Tuesday in my presentation on “Trends in Cloud Forensics” at the High Technology Crime Investigation Association International Conference. Hope to see you there.