Where governance is concerned, virtualization brings about changes in separation of duties and policy definition.

In traditional IT environments, distinct teams with specialized skill sets manage and operate various pieces of the infrastructure. Network engineering and administration teams manage routers and switches, Windows systems admins manage Windows servers, etc. With virtualization technologies, all of these functions are collapsed into a generally cohesive management structure, such as VMware’s vCenter Server.

This leads invariably to challenges with “who manages what” – many IT shops tend to put the burden of managing VMware solutions on Windows admins, for example. These admins now manage the virtual machines, the underlying hypervisor platforms, the virtual networks, storage connections, etc. All of these can be regarded as separate disciplines, and having one team manage them all flies in the face of proper separation of duties.

Along with this problem comes the definition of policies governing the use and oversight of these technologies – who drafts the policies, and which teams are the policy owners?

The overall risk landscape changes dramatically with virtualization, too.

Many of the risks are similar to those we understand today, but are present in a somewhat different form. The lack of proper change management and configuration management programs are still viable risks that can lead to innumerable security issues, but they’re compounded by the operational nuances of virtualization technologies themselves. For example, the act of creating and provisioning systems is simplified immensely – keep a template, generate a new virtual machine from it, move the VM to a host platform, and flip the switch.

Without ensuring that a) the template configuration is patched and up to date, and b) the VM provisioning has gone through change control, the risk of having a new system online that has OS or application-specific vulnerabilities is exponentially higher. Threat vectors change, too – if the hypervisor platform is compromised by an attacker, the entire group of virtual machines hosted on that platform is immediately at risk, which tells us that new risks inherent in hypervisors hold much greater impacts than single-system risks that we’ve managed before this, potentially.

On the compliance front, there is a considerable amount of grey area around how virtualization plays a role. On the one hand, most compliance mandates (SOX, HIPAA, GLBA) are vague enough to leave the interpretation open to both auditors and auditees alike. Herein the issue lies, however – compliance mandates open to subjective interpretation are bad, since potentially unsafe practices may be considered acceptable by different auditors and organizations who don’t understand the risks, technologies, or both.

Even more prescriptive regulations like the PCI DSS don’t specifically address virtualization, which has led to a number of issues around interpretation. For example, PCI DSS section 2.2.1 mandates that all servers involved with payment card data should only have a single function, such as a dedicated Web server or database server. What about virtualization hosts like VMware ESX, though? It’s a single server, but runs VMs that perform a variety of different functions. Although a Virtualization Special Interest Group (SIG) has worked on this, there’s no clear timeframe for integrating their work into the standard. In addition, many auditors just don’t understand virtualization technology, and default to the most restrictive possible implementation methods “just to be safe” – any “knee jerk” reactions of this type are probably a bad thing, in either direction.

Virtualization can help organizations reduce operating costs, and many feel that it’s a key component to “Green IT” strategies aimed at reducing energy consumption. However, despite popular belief, it actually makes the IT environment more rather than less complex, and a number of new processes and approaches are needed to ensure that security and risk management keep pace with its adoption.

Dave Shackleford, Director of Security Assessments and Risk & Compliance at Sword & Shield Enterprise Security, is also a SANS Analyst, instructor, course author and GIAC technical director. He has consulted with hundreds of organizations in the areas of regulatory compliance, security, and network architecture and engineering. He’s worked as CSO for Configuresoft, CTO for the Center for Internet Security, and has also worked as a security architect, analyst, and manager for several Fortune 500 companies.

There are roughly 40 states that have some sort of “data-breach” law or bill being considered that force notification of a company’s security breach (or suspected breach) to their consumers. These laws were enacted as a way to force companies to disclose the possibility that individuals personal information was compromised and that they could potentially become victims of identity theft.

Over the coming months, we’ll spend some time exploring how the different states are handling these statutes. When you peel the layers back a bit, and consider them from different angles, we can learn some interesting elements – useful to us from individual and organizational perspectives.

Even with these new laws in effect, it seems that there is little a person can due to hold a company liable for a data-breach based on their weak security standards. Recently, state governments have begun to change this by imposing liability on the retail business and others, thereby opening the door for consumers to sue companies that do not adequately protect the personal information that they collect.

This is a serious issue that has implications for everyone involved – and ultimately requires clear definitions, mutual understanding and will take years to sort through. In the meantime, we’re going to ignite our series of articles exploring these laws and developments by analyzing some recent events.

Minnesota PCI Legislation
Effective August 1st 2007, Minnesota became the first state to require that all companies handling credit and debit card data comply with the Payment Card Industry (PCI) data security standard (in a future article or podcast, we’ll explore and debate the value of tying the PCI standard to the legislation – Michael).

The state’s new Plastic Card Security Act would prohibit a company from retaining a credit card’s security code data, the PIN verification code number, or the full contents of any track of magnetic strip data. The new legislation is intended to target retailers who continue to store data in violation of PCI standards. The bill also makes it a violation for retailers to a credit card holder’s PIN number longer than 48 hours after authorization of their transaction. Similar bills are pending in Texas, Illinois, Connecticut, and Massachusetts.

The significant of this legislation is important in light of recent ruling by courts that have dismissed class action suits against companies following data-breaches. On August 23, 2007, the US Court of Appeals for the 7th Circuit held that identity-theft monitoring costs paid for by the plaintiffs were not compensable damages under Indian’s security breach notification statute. In Pisciotta v. Old Nat’l Bancorp, the court held that there was no state statute supporting the compensation of incurred costs because “had the Indiana legislature intended that a cause of action should be available against a database owners for failing to protect adequately personal information, we believe it would have made some more definite statement of that intent.” So for the time being, unless you have an actual showing of harm as a victim of identity theft, potential harm will not suffice.

Consequences for the Courts
As more states begin to enact legislation that requires companies to comply with PCI, courts may begin to allow litigants to be compensated as a result of a security break. The argument that courts have made in cases like Pisciotta will clearly be much weaker as states legislatures conspicuously demonstrate their intent to punish companies by enacting specific statutes targeting the security of personal information.

Federal and state courts will feel much more comfortable in their decision to expand their legal theories of liability when supported by statutes that explicitly creates private actions for security breaches. In this context, it is much more likely that Courts will not follow the ruling in Pisciotta until after states pass legislation similar to Minnesota. In other addition, plaintiffs might also receive some relief if a recent bipartisan bill in the U.S. Senate gets passed. The bill, known as the Identity Theft Enforcement and Restitution Act of 2007, was introduced on October 16, 2007 and would give victims the ability to seek restitution for the loss of time and money as a result of identity theft. Such federal legislation could prove to be effective in jurisdictions with no state identity-theft laws.

Consequences for Businesses
Meanwhile, the retail lobby continues to argue against laws that would hold them liable by arguing that these laws would be too costly and burdensome, especially for small businesses. This apparently was the argument that convinced Governor Schwarnenegger to veto a California law that would have mandated the retail industry comply with PCI requirements. While this may be true, legislation in Minnesota limits this burden by exempting businesses with few than 20,000 transactions from their statute. Clearly, there is a way for the legislature of any state to write a statute that can pressure companies to improve their data security standards without crippling small business owners.

While the retail industry will continue to resist such legislation, there is strong support from banks and credit unions, since in the eyes of consumers they often blamed for such breaches. TJX is currently being sued by several banks
who seek compensation for having to re-issue credit cards and credit monitoring to thousands of their customers as a result of a massive security breach earlier this year. Depending on how the case turns out, the burdens and cost of breaches will shift away from consumers, banks, and credit unions but will perhaps be shared by the retailers and others (of course, the consumer pays in the end).

Preparing for the change
As a consequence of new state and federal legislation, the landscape of data security will continue to evolve, sometimes in seemingly dramatic fashion. Individuals and businesses will most likely be able to get their day in court for incurred damages a result of security breaches by a third-party. Industries that have for now been able to get away with having minimum security standards will begin to take notice of their potential liability and hopefully, will improve the way they guard information. While the process is slow, it appears to be inevitable.

This isn’t doom and gloom.

Many of us have already begun to prepare for these changes by improving and writing security policies that make sense and can be understood, improving the process of protecting information and working to involve users in solution through training and awareness. Focus on the fundamentals of information protection and you’ll be less likely to be the test case.