Tuesday, September 29, 2009

Virtualization and PCI standard - can we do better?

The wheels are turning for another version of the PCI standard. And this time virtualization security is a big focus in the development of the standard. Commendable, I say. Virtualization will become a bigger deal (more than it is today), and almost all organizations will have some form of virtual environment set up.

However, are we prone to repeat the same mistakes? We still seem to be stuck in the legacy world of protecting infrastructure - security professionals have no time to look beyond the normal, staple security diet of anti-malware, IDS/IPS, firewalls, etc., to where the more active threats are.

How do we bring the security world (as well as the business world) forward to rethink how to enable secure business? I have strong opinions on this - I believe an information-centric security approach is vital and imperative in virtualized environments. In fact, I would go so far as to say that this is the only logical and enforceable method that enables virtualization to be all it can be - so that business can be all it can be!

Let PCI not be a reflection of past threats - let it become what we need now and prepare us for the future. This is the only way it can stay relevant and useful.

