VMware

Easily achieve regulatory compliance within a virtualized environment. Our overview of the issues involved with virtualization and compliance, a comprehensive listing of partner virtualization compliance solutions, references such as white papers and recorded webcasts, and real-life examples of customers who have successfully passed compliance audits in their VMware environments will help you understand how best to achieve compliance. In addition to the PCI DSS (Data Security Standard), these resources should prove valuable for those of you looking to satisfy other regulations, such as Sarbanes-Oxley (SOX), Health Insurance Portability and Accountability Act (HIPAA), and others.

As regulatory compliance expands, more and more of your virtual environment will become subject to security and compliance standards, such as PCI DSS, HIPAA and SOX (GLBA). With the proper tools, achieving and demonstrating compliance on VMware vSphere is not only possible, but can often be easier than in a non-virtual environment.

Assess the Management Control Features in a Virtual Platform

Having a secure foundation is the first step. As security threats grow and evolve, your security environment will need to be flexible and adaptable. Security standards require enterprise-grade management features in order to provide the necessary controls for achieving and demonstrating compliance. The following describes the management features that a virtual computing platform should have in order to be compliance-ready.

Start by Looking at Authentication and Authorization Capabilities

Security management starts with authentication and authorization. All virtual platform interfaces to the outside world must have authentication control as well as the ability to grant fine-grained access privileges via a flexible authorization framework. You should be able to limit the scope of these permissions to specific objects or parts of the infrastructure and grant the right access rights to the right people, without violating the principle of “least privilege.” In addition, privileges for administering virtual machines must be distinct from those for administering the hosts, as a means of limiting the scope of application owners. This critical “separation of duties” (SoD) limits the scope of possible abuse by “insiders,” such as data theft by system administrators or malicious or negligent system change by data owners.

Make Sure You Have Central Access to Configuration and Logging Parameters

To simplify platform configurations, parameters should be kept in a few, well-known locations with standard or easy-to-read formats. These configuration parameters should only be accessed and modified by those authorized to do so. In addition, there should be central access to detailed event logs for your virtual platform components and related management tools for review, analysis and controlled log retention.

Insist Upon a Single, Flexible and Well-Defined API

The virtualization platform must have a well-defined and open API to capture and view inventory, including topology. The API must also be able to control various functions and to securely extract audit data like the earlier mentioned activity logs. In addition, a well-architected system would not involve multiple, parallel API sets that are each used for different purposes—for example, one for internal components and a similar but distinct one for external integration. Having one API provides a “single source of truth,” so you can be confident that all interactions can be controlled and monitored in a reliable and consistent manner. An API with these characteristics will make satisfying regulatory compliance requirements much easier.

Achieving and Demonstrating Compliance

Most regulations cover a wide range of preventive, detective and other controls. For example, PCI DSS makes direct references to the following technologies:

  • Firewalls
  • Anti-virus and other anti-malware technologies
  • Network intrusion detection and prevention
  • File integrity checking
  • Log management
  • Vulnerability management
  • Web application firewalls

Many other technologies and security processes are implied as requirements of the standard. Among these technologies and processes are security policy development, risk assessment process, security awareness programs and penetration testing.

Regardless of the compliance objective, certain fundamentals always apply. Controls can be divided into three categories.

  • Preventative controls: prevent errors, omissions, or security incidents from occurring. Examples: access controls, separation of duty, configuration standards and settings, organizational policies, firewalls and network segregation, vulnerability management program.
  • Detective controls: detect errors or incidents that occur. Examples: detecting unauthorized and untested changes, and other monitoring and measurement, intrusion detection, vulnerability scanning.
  • Corrective controls: quickly correct errors and restore normal operations. Examples: procedures and technologies to remove unauthorized users, unauthorized changes and restore service.

By using the above framework, you can construct a strategy to bring virtual machine environments into compliance with government laws, industry mandates and “best practices” frameworks as well as local security policies and procedures.