Systems and System Boundaries

This series of white papers is presented as a public service by Mindteck Consulting as part of its ongoing effort to help businesses achieve a higher information security posture. Each article is written to focus specifically on one topic, so as to be as specific and useful as possible.

System Auditing, Security Assessment, C&A and even PCI Audits have many things in common despite some notable differences. All these processes start from a common point, normally a snapshot of an organization at a particular point in time. They all then evaluate the enterprise and its electronic assets to arrive at a final point; whether that point is a Pass/Fail, a numerical score or a Risk Rating is irrelevant for our purposes. A problem common to all these assessment methodologies is defining Systems and System Boundaries.

A "System" is defined as "a regularly interacting or interdependent group of items forming a unified whole" and also as "any network component, server, or application included in or connected to the ... data environment." Using these definitions works in about 90% of the instances that we are likely to encounter. The remaining 10% is tough. The difficult part comes when we are faced with technology that introduces situations that don't easily fit our common notions of what a "System" is. And without a crystal clear idea of what systems exist within a particular organization, it is next to impossible to define their boundaries. It is in these areas of uncertainty, or grey areas, that we prove our worth as Information Security Professionals. Some examples of particularly difficult instances, along with the ways that we have dealt with them, follow.

Virtual Machines

There was a day not so long ago when a computer was either a server or a workstation. One computer, one function (server or workstation), one OS and therefore one "System". But these lines began blurring a few years ago with the release of VMware, Xen, Windows Virtual Machine and the like. Now it was possible for one computer to hold multiple Operating Systems, each running in its own protected and isolated instance (or so the story went). This situation posed, and continues to pose, perhaps the greatest problem in defining systems that IS Professionals face today. For this first example we had to re-think our definition of what a "System" is, but the thought process freed us to expand our thoughts about exactly what constitutes a computer system.

A client was looking for a pre-PCI audit. They were a small shop and it was obvious that they were very concerned about controlling their IT costs. They ran a dozen servers, all with virtualization software installed, so that these 12 physical servers actually housed 31 different Operating Systems. The particular server which housed the database with credit card information also had 2 additional instances of the virtualization software, so one server actually housed 3 separate OS's. (A word of explanation about software virtualization is needed here. There is a bewildering array of virtualization products on the market that can virtualize everything from a single internet session to the entire Operating System. Our client used this latter type of software, virtualizing two Windows XP installations and one Red Hat Linux installation. This type of virtualization solution is called "native" or "full virtualization".) One of the Windows XP Server instances housed the client's Point of Sale (POS) software and database of credit card information. Access to this particular server was controlled by a firewall Access Control List (ACL) as well as 2-factor authentication of the user. The pool of potential users was very small, at only 3 individuals. Initially this seemed like a very easy case and it looked like it would easily fall within the PCI DSS Standards. However, the server virtualization was the "fly in the ointment", because the PCI DSS Council had not yet fully addressed virtualization. We sought some guidance from the PCI forums as well as relying on our own experience in evaluating this machine more closely. We audited each logical instance of a computer "system" on the server, but tempered this evaluation with the knowledge that these logical instances do not exist in a vacuum and that each one is deeply dependent on the hardware and software resident on the box.

Once we replaced our traditional idea of "systems" equating to one physical computer, we began to think in terms of "logical instances". While this method of dealing with computer systems is not without problems, it has helped our practice immensely with our auditing assignments.
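A small model of the "logical instance" view described above, added here as an example and not part of the Mindteck paper: every guest OS is counted as its own auditable system, but because guests share the hardware and hypervisor of their host, a guest holding cardholder data pulls the host and its co-resident guests into the assessment scope. The inventory is constructed sample data mirroring the paper's counts (12 hosts, 31 guests, one host with three guests including the POS database); the host and guest names are assumptions.

```python
"""Scope inference for virtualized hosts (added example, not from the paper)."""
from collections import defaultdict

# Constructed inventory: (guest_id, host_id, holds_cardholder_data).
# 28 guests spread over host01..host11, plus the paper's 3-guest host12.
GUESTS = [(f"vm{i:02d}", f"host{(i % 11) + 1:02d}", False) for i in range(28)]
GUESTS += [
    ("xp-pos", "host12", True),    # Windows XP guest with POS software and card data
    ("xp-2", "host12", False),     # second Windows XP guest on the same box
    ("rhel-1", "host12", False),   # Red Hat Linux guest on the same box
]


def assessment_scope(guests):
    """Return (in_scope_hosts, in_scope_guests), both sorted.

    Each guest is a logical instance audited on its own, but a guest with
    cardholder data drags its physical host and every sibling guest into
    scope, since none of them exists in a vacuum.
    """
    by_host = defaultdict(list)
    for guest, host, _ in guests:
        by_host[host].append(guest)
    chd_hosts = {host for _, host, chd in guests if chd}
    in_scope = sorted(g for h in chd_hosts for g in by_host[h])
    return sorted(chd_hosts), in_scope


def boundary_report(guests):
    """Contrast the 'one box = one system' count with the logical-instance
    count, and list what a host-aware scope decision pulls in."""
    hosts, scoped = assessment_scope(guests)
    return {
        "physical_hosts": len({h for _, h, _ in guests}),
        "logical_instances": len(guests),
        "in_scope_hosts": hosts,
        "in_scope_instances": scoped,
    }


if __name__ == "__main__":
    for key, value in boundary_report(GUESTS).items():
        print(f"{key}: {value}")
```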