Regardless of the regulation, rule or standard, the process of compliance requires analyzing and managing IT risks on a continuous basis. This includes when new technology or software applications introduced into the environment. Virtualization is no different. The introduction of virtualization requires an organization to evaluate how changes to IT will affect their risk posture and then to mitigate these risks by ensuring that virtualization technologies are deployed and used securely. In addition, virtualization offers the opportunity to insert controls at the virtualization layer allowing organizations to achieve better security than was possible before the introduction of virtualization.
With proper technology based solutions such as VMware vCloud Networking and Security and VMware vCenter Configuration Manager, achieving and demonstrating compliance on VMware vSphere based infrastructures is not only possible, but can often be easier than achieving the same on non virtualized environments. In general, all areas of virtualization security are important to compliance, but there are several common areas of concern that stand out from the pack.
- How do we prevent unauthorized access to protected information in a virtualized environment?
- How can we ensure that, despite the consolidation enabled by virtualization, separation of administrative duties is maintained?
- How do we isolate systems that are processing protected information? Can we trust the logical separation between virtual machines provided by virtualization software?
- How do we monitor access to protected data in a virtualized environment?
- How do we control where the protected data is being physically processed?
Compliance Best Practices
VMware in conjunction with other industry experts has been instrumental in developing best practices for security and compliance in a virtualized world. These best practices address a range of issues including how to:
- Address platform hardening
- Extend configuration and change management principles to the virtual world
- Provide effective administrative access control
- Deliver network security and segmentation
- Monitor logs from the virtual infrastructure alongside those of physical assets
Resources to Address Compliance
The Resources page provides access to a large number of whitepapers, webcasts, and customer examples for organizations seeking guidance on how to address security and compliance related concerns associated with the effective management of their virtualized infrastructure.