One way to get the spidey sense of a savvy security professional tingling is to mention the use of “Mixed Mode” virtualization in an IT initiative related to compliance. Companies are trying to figure out how to build security into their virtualized environments in a way that covers them from both a security and a compliance perspective, and the industry in general is quite divided on the issue.

channel mixer, by billaday

Mixed mode, in the context of this post, describes a virtual infrastructure in which the same hypervisor hosts both guests that store, process or transmit cardholder data (and are therefore in PCI DSS scope) and guests that do not.

Before we delve into the security concerns here, let’s level-set. PCI DSS, in its purest sense, is NOT a general security standard. It’s a compliance initiative meant to bring a baseline of security to payment card handling. For that reason, QSAs should not bring theoretical attacks that MAY be possible, such as stack smashing or attacks against host drivers, into their review of a virtualized system. If we did that, any system with Flash, Acrobat or a browser on it would instantly have to be considered non-compliant.

Just as assessors do not ask to do a code review of Cisco IOS (they ask to look at the config), assessors shouldn’t assess virtualized environments on the security merits of the model, but on the configuration of the systems. It’s your choice, from a security perspective, whether you want your IT systems to use mixed mode. If you choose to use it for PCI DSS, the underlying infrastructure is what must comply, and that is where we look at the functionality of the hypervisor.

The question QSAs should ask is “Does this hypervisor, by feature/function and configuration, meet Requirement X.Y?” If it does, and the guests do as well, I argue we have a system that is acceptable to run in a PCI DSS governed environment. Does it require some investment from the QSA to learn the technology so they can make this call? Absolutely. QSAs not versed in an underlying technology need to get an understanding of it before they make the call on that ROC (Report on Compliance).

Remember, you have to separate the security conversation (should you do it) from the compliance conversation (can you do it).

This post originally appeared on