Hi,

I hope I'm in the right forum now, if not, could a moderator please move this message to the correct one. Thank you.

Last week we had our yearly compliance audit and this year our QSA failed our vmware setup.

The reason is that you are not allowed to mix different security zones on the same host. eg. you need one host and separate storage per security zone.

Short about our setup:

* Esxi 5.1 and vCenter 5.1

* The hypervisor and VMs are all hardned.

* All logging and monitoring is in place

* Zones are currently segmented using VLAN Isolation, we manage the VLANS in our switches and physical firewalls.

Our QSA went on and on how unsecure vmware was and that (read PAN data) can leak between security zones and/or VMs through virtual memory. I found this very hard to belive but I could not say anything against it. He now wants a special security assesment of the virtual enviroment and how we will fix the security concerns that he has pointed out.

I have read "Payment Card Industry Data Security Standard Compliance and VMware" by Tom McAndrew and also "Architecture Design Guide for Payment Card Industry". to secure my enviroment as much as possible.

Now to my question(s):

- Have there been any documented cases of memory leakage between VMs?

- Have there been any other cases of intra VLAN security issues?

- What are the main vmware security issues (with respect to PCI) currently?

Thank for any help you can give me!