Cloud Multi-tenancy Mode
Cloud providers can use virtualized environments and can also support IT operations for more than one organization within a virtual environment. The cloud provider must ensure that the requirements of PCI DSS are met for each organization using the cloud provider services. If the cloud provider supplies services to more than one organization in a multi-tenancy environment, the cloud provider must ensure the security of cardholder data and PCI compliance for each organization's data, and must also meet the additional cloud provider requirements outlined in Appendix A, Additional PCI DSS Requirements for Shared Hosting Providers, of the Payment Card Industry (PCI) Data Security Standard Requirements and Security Assessment Procedures from the PCI Security Standards Council.
Beyond the considerations outlined above in Local PCI Control Mode, there is a further requirement to be aware of: a breach in one organization might lead to breaches in other organizations using the same cloud provider. Thus, cloud providers supporting multi-tenancy environments must meet PCI DSS Requirement 2.4, which states "shared hosting providers must protect each entity's hosted environment and data."
The following PCI control considerations apply to Zerto components within a cloud provider environment, whether the cloud provider is only used as a recovery site or manages both the protected and recovery sites:
Zerto Virtual Manager (ZVM): The ZVM is a Windows service that manages everything required for the replication between the protected and recovery sites, except for the actual replication of data. The ZVM is deployed on a VM running on a secure network (VLAN), preferably the same network on which the PCI-compliant VMs to be protected are running. This applies whether an organization is protecting VMs to a cloud provider, or the cloud provider is protecting VMs from one cloud site to another cloud site. Access to the ZVM requires access to the Windows machine running this service, so this access relies on the authentication, authorization and security mechanisms provided by Microsoft. All communication between Zerto Virtual Managers and hypervisor management tools, such as VMware vCenter Server or Microsoft SCVMM, is secure, either via HTTPS or SSH.
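Because access to the ZVM is only as strong as access to the Windows host that runs it, a PCI assessor will want evidence of who can log on to that host. The following PowerShell script is an added example, not Zerto's code or documentation: it lists the Zerto-related Windows services and their logon accounts, compares the local Administrators group against an expected list, and reports Remote Desktop exposure. The service display-name pattern, the expected administrator accounts and the domain name are placeholders assumed for the example.

```powershell
# Added example (not Zerto's code): audit who can reach the Windows host that runs the ZVM service.
# Assumptions (not stated on the page): the '%Zerto%' service display-name pattern and the
# expected administrator list below are placeholders; adjust them to your environment.

$ExpectedAdmins = @('CONTOSO\ZVM-Admins', 'BUILTIN\Administrator')  # constructed placeholder list

function Get-ZvmServiceInfo {
    # Windows services whose display name suggests the Zerto Virtual Manager (assumed pattern),
    # including the account each service logs on as.
    Get-CimInstance -ClassName Win32_Service -Filter "DisplayName LIKE '%Zerto%'" |
        Select-Object Name, DisplayName, State, StartMode, StartName
}

function Test-LocalAdminDrift {
    param([string[]]$Expected)
    # Members of the local Administrators group can control the ZVM service and its host,
    # so any account not on the approved list is a finding.
    $actual = Get-LocalGroupMember -Group 'Administrators' | Select-Object -ExpandProperty Name
    [pscustomobject]@{
        Unexpected = @($actual   | Where-Object { $_ -notin $Expected })
        Missing    = @($Expected | Where-Object { $_ -notin $actual })
    }
}

function Get-RemoteAccessExposure {
    # Whether RDP is enabled (fDenyTSConnections = 0) and who is in Remote Desktop Users.
    $tsKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    $deny  = (Get-ItemProperty -Path $tsKey).fDenyTSConnections
    $rdpUsers = Get-LocalGroupMember -Group 'Remote Desktop Users' -ErrorAction SilentlyContinue |
        Select-Object -ExpandProperty Name
    [pscustomobject]@{
        RdpEnabled = ($deny -eq 0)
        RdpUsers   = @($rdpUsers)
    }
}

# Produce the evidence an assessor would ask for.
Get-ZvmServiceInfo | Format-Table -AutoSize
$drift = Test-LocalAdminDrift -Expected $ExpectedAdmins
if ($drift.Unexpected.Count -gt 0) {
    Write-Warning "Unexpected local administrators: $($drift.Unexpected -join ', ')"
}
if ($drift.Missing.Count -gt 0) {
    Write-Warning "Approved administrators not present: $($drift.Missing -join ', ')"
}
Get-RemoteAccessExposure | Format-List
```

Run the script with local administrator rights on the ZVM host (the `Get-LocalGroupMember` cmdlet requires Windows PowerShell 5.1 or later). The output is a point-in-time snapshot; scheduling it and diffing the results against the previous run turns it into a drift check rather than a one-off review.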
Zerto Virtual Replication Appliances (VRAs): VRAs are virtual machines installed on each host with virtual machines to be protected or recovered, to manage the replication of data from protected virtual machines to the recovery site. The VRAs are deployed on hosts that comply with the relevant PCI controls. The VRAs are hardened virtual appliances and must be deployed according to Zerto's hardening and security guidelines.
Virtual Backup Appliance (VBA): A Windows service that manages File Level Recovery operations within Zerto Virtual Replication.
Zerto Cloud Connectors (ZCCs): A ZCC routes traffic between the customer network and the cloud replication network, in a secure manner without requiring the cloud provider to go through complex network and routing setups, ensuring complete separation between the customer network and the cloud provider network. ZCCs are deployed, one per organization, on hosts that comply with the relevant PCI controls. ZCCs are hardened and must be deployed according to Zerto's hardening and security guidelines.
Zerto Diagnostics utility: The Zerto Diagnostics utility collects logs from Zerto components as well as from hosts and hypervisor management tools, such as VMware vCenter Server or Microsoft SCVMM, where VRAs or ZVMs run. The Zerto Diagnostics utility must be compliant with Requirement 10 of the PCI DSS, which defines logging requirements. PCI compliance is fulfilled because the Zerto Diagnostics utility does not collect any data that originated from VMs in the CDE. Zerto recommends that access to the logs produced by the utility be safeguarded by storing the logs securely, for example, on the machine hosting the ZVM.
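One way to follow the recommendation to safeguard the collected logs is to give them a dedicated folder on the ZVM host whose permissions are restricted to administrators, and to record a hash manifest so that later modification or deletion can be detected. The following PowerShell script is an added example and is not Zerto's code: the folder path and the group allowed to read the logs are placeholders assumed for the example.

```powershell
# Added example (not Zerto's code): lock down a folder for Zerto Diagnostics log bundles on the ZVM
# host and keep a SHA-256 manifest so tampering with stored logs can be detected.
# Assumptions: the folder path and the reader group below are constructed placeholders.

$LogRoot      = 'D:\ZertoDiagLogs'      # constructed placeholder path
$ReaderGroup  = 'CONTOSO\ZVM-Admins'    # constructed placeholder group
$ManifestPath = Join-Path $LogRoot 'manifest.sha256'

function Protect-LogFolder {
    param([string]$Path, [string]$Reader)
    if (-not (Test-Path $Path)) { New-Item -ItemType Directory -Path $Path | Out-Null }
    $acl = Get-Acl -Path $Path
    # Stop inheriting the parent's (possibly permissive) entries and discard the inherited ones.
    $acl.SetAccessRuleProtection($true, $false)
    $inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit,ObjectInherit'
    $prop    = [System.Security.AccessControl.PropagationFlags]::None
    $entries = @(
        @{ Id = 'NT AUTHORITY\SYSTEM';    Rights = 'FullControl' },
        @{ Id = 'BUILTIN\Administrators'; Rights = 'FullControl' },
        @{ Id = $Reader;                  Rights = 'ReadAndExecute' }
    )
    foreach ($entry in $entries) {
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
            $entry.Id, $entry.Rights, $inherit, $prop, 'Allow')
        $acl.AddAccessRule($rule)
    }
    Set-Acl -Path $Path -AclObject $acl
}

function New-LogManifest {
    param([string]$Path, [string]$Manifest)
    # One line per file: <sha256>  <path relative to the log root>
    Get-ChildItem -Path $Path -File -Recurse |
        Where-Object { $_.FullName -ne $Manifest } |
        ForEach-Object {
            $hash = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
            '{0}  {1}' -f $hash, $_.FullName.Substring($Path.Length).TrimStart('\')
        } | Set-Content -Path $Manifest -Encoding ASCII
}

function Test-LogManifest {
    param([string]$Path, [string]$Manifest)
    # Returns the relative paths of files that are missing or whose hash no longer matches.
    $bad = @()
    foreach ($line in Get-Content -Path $Manifest) {
        $hash, $rel = $line -split '  ', 2
        $full = Join-Path $Path $rel
        if (-not (Test-Path $full) -or
            (Get-FileHash -Path $full -Algorithm SHA256).Hash -ne $hash) {
            $bad += $rel
        }
    }
    $bad
}

Protect-LogFolder -Path $LogRoot -Reader $ReaderGroup
New-LogManifest -Path $LogRoot -Manifest $ManifestPath
$changed = Test-LogManifest -Path $LogRoot -Manifest $ManifestPath
if ($changed.Count -gt 0) {
    Write-Warning "Modified or missing log files: $($changed -join ', ')"
}
```

Regenerate the manifest only after an authorized log collection, and keep a copy of it outside the folder (for example with the other evidence retained for the assessment) so that an attacker who can rewrite the logs cannot simply rewrite the manifest as well.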
Zerto APIs and PowerShell cmdlets: Both Zerto APIs and PowerShell cmdlets are run by the ZVM and therefore have the same level of protection as the ZVM.