I'm thinking of the mass of "single function per server" virtual machines that a PCI DSS certification entails, which really do nothing in terms of memory and CPU: the NTP server, central authentication, DNS, jump host, local OS package repos, etc.

Can those be consolidated onto one VMware box with a bunch of containers on it, in much the same way that a bunch of VMware boxes can be squeezed onto a single hypervisor?

I know this stuff could end up deeply in "in the eye of the beholder/QSA" territory, but I'm hoping to find either a "no, because..." or a "yes, I've done it" kind of answer. Also, an "I don't see why not" from someone deep into Docker and with PCI experience would be nice ^_^

UPDATE 1, Docker security docs

  • Very likely not. Docker doesn't grant "strong" isolation between guests; there's been a huge discussion on the means of security that Docker really offers, and the canon was, if I reproduce it correctly, "it's a tool to make it easy to isolate installation problems (i.e. conflicts etc.), but it's not a suitable measure to isolate software on your system; that is not its purpose". – Marcus Müller Jan 19 '17 at 10:36
  • @MarcusMüller I would say that it strongly depends on what version of Docker you're talking about. On Windows, for instance, it uses "real" virtual machines, which does provide a higher degree of isolation. That being said, I have no idea if it could pass a PCI DSS compliance test. – Stephane Jan 19 '17 at 10:39
  • Also, I feel like, especially with the hell that is going on with aufs and the other Docker storage file system modules, it might simply not be mature enough for PCI. – Marcus Müller Jan 19 '17 at 10:40
  • For an extremist (yet surprisingly well-backed, well-explained) view on this topic, I'd recommend this [article](https://thehftguy.com/2016/11/01/docker-in-production-an-history-of-failure/) from the High Frequency Trading Guy's blog. – Marcus Müller Jan 19 '17 at 10:40
  • @MarcusMüller, do you know of a PCI DSS reference for what constitutes "strong isolation" between guest and host? I added some security docs by the Docker team; they seem to use a bit of diplomatic language ("quite safe"), but who can blame them? They depend on the kernel for the thing to work safely, but then again so does VMware. There's a response blog post to the HFT Guy: https://patrobinson.github.io/2016/11/05/docker-in-production/ – bbozo Jan 19 '17 at 10:55
  • I know, I'm in the "I want to believe" group, but the thing is, the single-function-per-server servers are really unused 99% of the time; their outages are inconveniences rather than a production incident, and their virtualization hardly compares to the issues facing virtualization of the actual production servers doing actual work. But then again, this is not an "is Docker production ready" thread; the question is whether it's secure enough to pass any checklist a QSA can throw its way. – bbozo Jan 19 '17 at 10:58

1 Answer

A self-answer after a convo on the #docker IRC:

PCI DSS v3.2 doesn't state anything about the kind of virtualization that is required; nothing says you should use hardware instead of OS-level virtualization (somebody correct me if I'm wrong).

However, traditional (HW) virtualization is a relatively simple piece of code, ~100k LOC (allegedly), which is hardware-assisted and depends heavily on the guest OS to do most of the heavy lifting.

OS-level virtualization reuses the kernel space between virtual machines, and the kernel is a much more complicated piece of code, leaving a MUCH larger attack surface. Basically, the same thing that makes Docker super nice for stacking a bunch of VMs with limited resources into a tiny bit of memory is what makes it less useful for the PCI DSS use case: kernel reuse.

So, even though there's nothing in PCI DSS at the moment preventing you from using OS-level virtualization such as what Docker provides, and it would probably pass scrutiny by most QSAs, it feels like it should be prohibited, as it leaves you with a more vulnerable architecture.

Then again, many people use and successfully certify software-based HSMs to store their keys (JCEKS and whatnot), even though it feels like that should be prohibited too.

I guess the answer to my question would be "yes, you could do it, it would probably pass certification, but you probably shouldn't do it".

Full convo from the #docker irc channel

  • You should also be aware that the PCI SSC has taken a rough stance of "We trust virtualization, but not really, so do what you want, subject to whatever restrictions we may place upon it in the future." Makes it kind of hard to plan. – gowenfawr Jan 19 '17 at 16:49
  • @gowenfawr, indeed, but I suspect many smaller PSPs and merchants will cut corners on this, if it's an option and if it provides sufficiently motivating cost reductions in the short to medium run. PCI SSC needs to be more explicit on some issues. – bbozo Jan 21 '17 at 07:52
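The answer's point is that with containers the kernel is the isolation boundary, so the practical question for anyone who does put PCI-scope support services (NTP, DNS, jump host, package mirror) into containers is how much of that shared kernel each container can reach. The script below is an added example, not part of the original thread and not Docker's own tooling: it reads the JSON that `docker inspect` prints and flags the run-time settings that widen the container's route to the host kernel. The `HostConfig` and `Config` field names are the real ones from `docker inspect`; the two sample containers, the list of "risky" capabilities and the list of sensitive host paths are this example's own assumptions, chosen to show a weak configuration beside a hardened one.

```python
"""Audit `docker inspect` output for settings that widen the shared-kernel attack surface.

Added example (not Docker's tooling).  Usage against a live daemon:
    docker inspect $(docker ps -q) | python3 audit_containers.py
Run with no piped stdin to audit the two constructed sample containers below.
"""
import json
import sys

# Capabilities that give a container a direct route to the shared kernel or to
# the host (assumed list for this example; tune to your QSA's expectations).
RISKY_CAPS = {"ALL", "SYS_ADMIN", "SYS_PTRACE", "SYS_MODULE", "SYS_RAWIO",
              "NET_ADMIN", "DAC_READ_SEARCH", "SYS_BOOT"}
# Host paths that a single-function support container has no reason to mount
# (assumed list for this example).
SENSITIVE_HOST_PATHS = ("/proc", "/sys", "/dev", "/etc", "/boot", "/var/run", "/run")


def _is_sensitive_host_path(src):
    """True for the host root or anything under SENSITIVE_HOST_PATHS."""
    src = src.rstrip("/") or "/"
    if src == "/":
        return True
    return any(src == p or src.startswith(p + "/") for p in SENSITIVE_HOST_PATHS)


def audit_container(entry):
    """Return a list of findings for one element of the `docker inspect` JSON array."""
    hc = entry.get("HostConfig", {})
    cfg = entry.get("Config", {})
    findings = []

    if hc.get("Privileged"):
        findings.append("Privileged=true: all capabilities, raw device access, seccomp/AppArmor off")
    # Sharing a host namespace removes the corresponding isolation entirely.
    for key, ns in (("PidMode", "pid"), ("NetworkMode", "net"),
                    ("IpcMode", "ipc"), ("UsernsMode", "user")):
        if hc.get(key) == "host":
            findings.append(f"{key}=host: {ns} namespace shared with the host")

    for cap in sorted(set(hc.get("CapAdd") or []) & RISKY_CAPS):
        findings.append(f"CapAdd {cap}: extends kernel attack surface")
    if "ALL" not in (hc.get("CapDrop") or []):
        findings.append("CapDrop lacks ALL: container keeps Docker's default capability set")

    sec_opt = hc.get("SecurityOpt") or []
    for opt in sec_opt:
        if opt in ("seccomp=unconfined", "seccomp:unconfined"):
            findings.append("seccomp=unconfined: every syscall reaches the shared kernel")
        if opt in ("apparmor=unconfined", "apparmor:unconfined"):
            findings.append("apparmor=unconfined: no MAC profile applied")
    if not any(opt.split(":")[0] == "no-new-privileges" for opt in sec_opt):
        findings.append("no-new-privileges not set: setuid binaries can regain privileges")

    if not hc.get("ReadonlyRootfs"):
        findings.append("ReadonlyRootfs=false: image filesystem writable at runtime")

    for bind in hc.get("Binds") or []:
        src = bind.split(":")[0]
        if src in ("/var/run/docker.sock", "/run/docker.sock"):
            findings.append(f"Bind {src}: Docker socket is equivalent to root on the host")
        elif _is_sensitive_host_path(src):
            findings.append(f"Bind {src}: sensitive host path mounted")

    if (cfg.get("User") or "").split(":")[0] in ("", "0", "root"):
        findings.append("Config.User unset or root: processes run as uid 0 in the container")
    return findings


def audit_all(entries):
    """Map container name -> findings for a whole `docker inspect` array."""
    return {e.get("Name", "?").lstrip("/"): audit_container(e) for e in entries}


# Constructed sample `docker inspect` entries (not captured from a real host).
WEAK_CONTAINER = {
    "Name": "/jumphost",
    "Config": {"User": ""},
    "HostConfig": {
        "Privileged": True, "PidMode": "host", "NetworkMode": "host",
        "IpcMode": "", "UsernsMode": "",
        "CapAdd": ["SYS_ADMIN", "NET_ADMIN"], "CapDrop": [],
        "SecurityOpt": ["seccomp=unconfined"], "ReadonlyRootfs": False,
        "Binds": ["/var/run/docker.sock:/var/run/docker.sock", "/etc:/host-etc:ro"],
    },
}
HARDENED_CONTAINER = {
    "Name": "/ntp",
    "Config": {"User": "65534:65534"},
    "HostConfig": {
        "Privileged": False, "PidMode": "", "NetworkMode": "pci-support",
        "IpcMode": "private", "UsernsMode": "",
        "CapAdd": None, "CapDrop": ["ALL"],
        "SecurityOpt": ["no-new-privileges:true"], "ReadonlyRootfs": True,
        "Binds": ["/srv/ntp/conf:/etc/chrony:ro"],
    },
}
SAMPLE_INSPECT = [WEAK_CONTAINER, HARDENED_CONTAINER]

if __name__ == "__main__":
    entries = SAMPLE_INSPECT if sys.stdin.isatty() else json.load(sys.stdin)
    report = audit_all(entries)
    for name, findings in report.items():
        print(f"{name}: {'OK' if not findings else str(len(findings)) + ' finding(s)'}")
        for f in findings:
            print("  -", f)
    sys.exit(1 if any(report.values()) else 0)
```

The hardened sample is what the NTP-style "does nothing" services from the question can usually live with: all capabilities dropped, a read-only root filesystem, no host namespaces, a non-root user and the default seccomp profile left in place. Every finding the script raises is a setting that hands the container more of the kernel than the default, which is exactly the surface the answer is worried about; the script does not make Docker a hypervisor, it only tells you how far a given container is from the best case.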