
Wednesday, March 31, 2010

PCI and multiple servers

I noticed that a few web hosting companies out there recommend that you lease two servers when trying to reach PCI compliance. That leaves me wondering: how can a small business afford to be PCI compliant at all if this is a requirement?

PCI DSS compliance requires that "only one primary function is performed per server" (2.2.1). Because "primary function" can be interpreted in different ways, on-site auditors (QSAs) will sometimes require two servers (one for the web server and one for the database). The logic is that there is an increased risk of data breaches if multiple services run on one box, giving a potential attacker multiple avenues of attack.

As a side note, many interpret "one primary function" to mean one collective function (e.g., one server is used for payments and thus can have a web server and database server to achieve this collective function). Moreover, you may be able to mitigate the danger of running too many services by never storing sensitive data in the first place (this is my recommendation).

So how is a small business supposed to do business online if a QSA happens to require 2 or more dedicated servers? A couple of cheap dedicated servers would run you about $300 a month.

I've not run this past a QSA, but I wonder, why not use virtualization software like XenServer? Chuvakin and Williams, in their book PCI Compliance, talk about how virtualization can be used effectively to separate sensitive environments from other websites. With virtualization you can create multiple virtual machines (VMs) on one server. Each VM acts as a separate server, completely isolated and contained. Each VM has its own resources and cannot take more than its share of CPU or memory. Because of this, for the purposes of PCI compliance, each VM could be considered an isolated server. Each VM could be used for a separate task, and they would be kept entirely isolated. It seems to me that this would be an acceptable solution for everyone involved.
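Whatever interpretation of "one primary function" the QSA settles on, it helps to have an inventory that shows which functions each server (physical or VM) actually serves. The following script is an added example, not code from the post or from any PCI tool; it reads a constructed "host port process" listener inventory, classifies each listener into a primary-function category using an assumed port/process mapping, and flags hosts that serve more than one function under 2.2.1.

```python
"""Check a service inventory against PCI DSS 2.2.1 ("one primary function per server").
Input format (constructed for this example): one line per listening socket, 'host port process'."""
from collections import defaultdict

# Assumed mapping of ports and process names to primary-function categories.
# A real assessment would use the environment's own classification agreed with the QSA.
PORT_FUNCTIONS = {80: "web", 443: "web", 8080: "web",
                  3306: "database", 5432: "database", 1433: "database",
                  25: "mail", 587: "mail", 53: "dns"}
PROCESS_FUNCTIONS = {"nginx": "web", "httpd": "web", "apache2": "web",
                     "mysqld": "database", "postgres": "database",
                     "postfix": "mail", "named": "dns"}
# Support services (remote admin, time sync) that do not count as a primary function.
SUPPORT_PORTS = {22, 123}

def classify(port, process):
    """Return the primary-function category for one listener, or None for a support service.
    Unknown listeners are reported as 'other' so they get reviewed rather than ignored."""
    if port in SUPPORT_PORTS:
        return None
    return PROCESS_FUNCTIONS.get(process) or PORT_FUNCTIONS.get(port, "other")

def functions_per_host(inventory):
    """Parse 'host port process' lines into {host: set of primary functions}."""
    hosts = defaultdict(set)
    for line in inventory.strip().splitlines():
        host, port, process = line.split()
        func = classify(int(port), process)
        if func:
            hosts[host].add(func)
    return dict(hosts)

def violations(inventory):
    """Hosts (physical or VM) that serve more than one primary function."""
    return {h: sorted(f) for h, f in functions_per_host(inventory).items() if len(f) > 1}

# Constructed sample: one combined web+database box and two single-purpose VMs.
SAMPLE = """
shop-allinone 22 sshd
shop-allinone 443 nginx
shop-allinone 3306 mysqld
vm-web 22 sshd
vm-web 443 nginx
vm-db 22 sshd
vm-db 3306 mysqld
"""

if __name__ == "__main__":
    for host, funcs in violations(SAMPLE).items():
        print(f"{host}: multiple primary functions {funcs} (PCI DSS 2.2.1)")
```

With the sample above, only the combined box is flagged; the two VMs each serve a single function and pass the check.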

Update: Stumbled across this article about virtualization and PCI compliance. Looks like they are working towards clearing up this area of the PCI DSS. Also, this PCI DSS expert believes that, "just like virtualization, running logical partitions that are segmented from each other doesn't violate what the council is trying to prevent" in requirement 2.2.1. Lastly, this QSA states that "Virtual machines need to be treated just like physical machines when assessing them for PCI compliance" (pg 7).

Monday, March 15, 2010

Terms of Service - Don't Add This

Because I run a small business, I have to do everything – marketing, accounting, IT security, legal – on top of the real work of making the web site or application for my clients. When it comes to the big, confusing or time-intensive tasks, though, I am willing to pony up and pay the professionals (like when I do my taxes). Today I decided I should put on one of my many hats and take a look, once more, at my company's Terms of Service (TOS).

Interestingly, I came across this very helpful blog entry about including the famous "we can change this whenever we want and you have to check this website every day for changes" clause that many businesses add to the top of the TOS. I always wondered about this. It doesn't seem quite fair – is it really legal? Well, Eric Goldman argues that it can pretty much make your TOS invalid. Read here for more.