Have any of you been through PCI certification using Vmware infrastructure?
If so, did the auditors insist that ESX ran AV? The standard states that AV is require on all system components where appropriate, but the scope in not really defined.
Current the VMs all have AV, but not ESX, and I'd like to keep it that way if possible.
Were there any other issues regarding PCI certification with ESX?
I've looked through them and mostly they talk about AV on VMs.
It does mention requiring AV on management partition on Windows or Unix, but does this apply to ESX?
I'm hoping someone who's been through an audit can give me a definte yes or no.
Keyworrds are 'where appropriate'.
If your management network is on a different subnet, and all computers on that subnet have AV protection, then it is not appropriate.
Hello,
Moved to Virtualization Security forum.
PCI is working on the correct guidance for VMs now. So you may wish to check directly with PCI with respect to PCI compliant virtualization hosts/VMs. I am sure there will be a combination of items required. AV being the least concern.
Best regards,
Edward L. Haletky VMware Communities User Moderator, VMware vExpert 2009, Virtualization Practice Analyst[/url]
Now Available: 'VMware vSphere(TM) and Virtual Infrastructure Security: Securing the Virtual Environment'[/url]
Also available 'VMWare ESX Server in the Enterprise'[/url]
[url=http://www.astroarch.com/wiki/index.php/Blog_Roll]SearchVMware Pro[/url]|Blue Gears[/url]|Top Virtualization Security Links[/url]|Virtualization Security Round Table Podcast[/url]