As a small business, we run a 100% virtualized environment and are looking to migrate to a cloud, but the investment in IT to do this has been pretty substantial, and for a cash-strapped small business it can be a many-year process due to budget constraints and the immediacy of other business needs. That is the key to a small business: the immediacy of business needs. But if you can step back and do a little planning, any small business can proceed along the journey from a physical environment to a software-defined environment. There are many choices available to a small business depending on when it started this journey, its existing investment, and where it wishes to go. What choices are available now for a small business, and where should we go as small business owners?
If there was any takeaway from TakeDownCon related to virtualization, it was that the primary attack point is not the virtualization host but all the ancillary systems that touch it. These systems may not even be considered part of the virtual environment, but they certainly can impact the security of the environment.
The PCI Security Standards Council published its latest PCI guidance in the form of PCI DSS 2.0, but quickly followed up with the document Navigating the PCI DSS v2.0. The Navigating document is very important to those who have virtual systems, as it contains the basic guidance about virtualization, while PCI DSS 2.0 does not provide anything specifically geared towards virtualization. However, there is an adjunct document that does lay out PCI's thoughts on virtualization. This is stated within the Navigating the PCI DSS (v2.0) document.