SOC2 Compliance and Hardware

Jay asked:

Topic is SOC2 compliance relating to server hardware.

Simply put, we have a mixed bag of servers that, while perfectly suited to their job, are End of Life and End of Support with the manufacturer.

As an example, one of the servers is a Dell R710.

This server is a Hyper-V host. The VMs on the host run latest/greatest OS, including Windows 2019, CentOS 7/8, etc. Dell states that it is not supported for Windows 2016 and later.

The question is: if drivers are no longer being updated, but I can get Windows 2016/2019 installed, will this pass SOC2 (or PCI DSS)?

p.s. I have spent much keyboarding on Google, here, and elsewhere to try and understand this before posting – I assume I am just not using the right "key" phrase to find a solution.

My answer:

It depends. Where did the drivers you are actually using come from? Often, drivers for older hardware tend to get bundled into Windows itself, and get any necessary updates from Microsoft. If you got them from Dell and they are no longer updating them, then you might have a problem if a security issue is discovered in one of those drivers later. You may do as well or better with a Linux host, as all drivers bundled with Linux get security maintenance, and AFAIK all drivers this server needs are bundled with Linux.

The really important bit, though, is BIOS/firmware. There are STILL problems being found in the Spectre/Meltdown class of flaws, and still firmware/BIOS and microcode updates coming out for every new issue. If Dell has stopped providing BIOS/firmware updates for these issues, then you’ll probably have to retire the hardware, as OS mitigations for these issues often depend on corresponding BIOS/firmware/microcode support all working in tandem (though be aware that the OS distributes microcode updates).

Ultimately, though, you are going to have to show all this to an auditor. For any given security issue you need to show that appropriate updates have been applied or an alternative mitigation has been used. This is easy enough, as all updates have accompanying documents showing what security issues they address, but it’s paperwork. If the updates exist, you can do the paperwork. If they don’t, you have nothing to show, and you’ll probably fail the audit.
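The three things the answer says an auditor will want to see (where the drivers came from, the firmware level, and whether the Spectre/Meltdown mitigations actually have the hardware support they need) can be collected from the Hyper-V host itself. The following PowerShell is an added example, not part of the original answer; it assumes an elevated session and Microsoft's SpeculationControl module, and the two-year "stale driver" threshold is a constructed value to adjust to your own policy.

```powershell
# Added example, not part of the original answer. Collects the evidence the answer
# says an auditor will ask for on a Windows Hyper-V host: BIOS version/date,
# which drivers are vendor-supplied rather than Microsoft-maintained, and the
# current state of the Spectre/Meltdown mitigations.
# Assumes: elevated session, and Microsoft's SpeculationControl module installed
# (Install-Module SpeculationControl -Scope CurrentUser).
param([int]$StaleDriverYears = 2)   # constructed threshold, adjust to your policy

# 1. Firmware level: the auditor compares this against the vendor's last release.
$bios = Get-CimInstance -ClassName Win32_BIOS
$firmware = [pscustomobject]@{
    Manufacturer = $bios.Manufacturer
    BiosVersion  = $bios.SMBIOSBIOSVersion
    ReleaseDate  = $bios.ReleaseDate
}

# 2. Driver provenance: Microsoft-provided drivers get updates through Windows Update;
#    vendor drivers on end-of-support hardware are the ones with no update path.
$drivers = Get-CimInstance -ClassName Win32_PnPSignedDriver |
    Where-Object { $_.DriverProviderName -and $_.DeviceName } |
    Select-Object DeviceName, DriverProviderName, DriverVersion, DriverDate, IsSigned
$vendorDrivers = $drivers | Where-Object { $_.DriverProviderName -notmatch '^Microsoft' }
$cutoff = (Get-Date).AddYears(-$StaleDriverYears)
$staleVendorDrivers = $vendorDrivers | Where-Object { $_.DriverDate -lt $cutoff }

# 3. Speculative-execution mitigations: hardware (microcode/BIOS) support vs OS enablement.
$sc = Get-SpeculationControlSettings -Quiet
$findings = @()
if (-not $sc.BTIHardwarePresent) {
    $findings += 'Spectre v2 (BTI): no hardware/microcode support reported; OS mitigation cannot be fully effective'
}
if ($sc.KVAShadowRequired -and -not $sc.KVAShadowWindowsSupportEnabled) {
    $findings += 'Meltdown (KVA shadow): required but not enabled'
}
if ($sc.MDSHardwareVulnerable -and -not $sc.MDSWindowsSupportEnabled) {
    $findings += 'MDS: hardware vulnerable and OS mitigation not enabled'
}
foreach ($d in $staleVendorDrivers) {
    $findings += "Vendor driver older than $StaleDriverYears years: $($d.DeviceName) ($($d.DriverProviderName) $($d.DriverVersion), $($d.DriverDate))"
}

# 4. Emit the evidence pack and the list of open findings.
$firmware | Format-List
$vendorDrivers | Sort-Object DriverDate | Format-Table -AutoSize
if ($findings) { $findings | ForEach-Object { Write-Warning $_ } } else { 'No open findings.' }
```

Each warning corresponds to an item for which you would need either a vendor update or a documented alternative mitigation; an empty findings list is the starting point for the paperwork, not a substitute for it.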

View the full question and any other answers on Server Fault.

This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.