Easily achieve regulatory compliance within a virtualized environment. Our overview of the issues involved with virtualization and compliance, a comprehensive listing of partner virtualization compliance solutions, references such as white papers and recorded webcasts, and real-life examples of customers who have successfully passed compliance audits in their VMware environments will help you understand how best to achieve compliance. In addition to the PCI DSS (Data Security Standard), these resources should prove valuable for those of you looking to satisfy other regulations, such as Sarbanes-Oxley (SOX), Health Insurance Portability and Accountability Act (HIPAA), and others.
White Papers
IT Audit for the Virtual Environment
The purpose of this white paper from the SANS Analyst Program is to help IT managers and auditors come together and understand the virtualization process and the new risk and audit areas this technology presents. It also offers guidance on developing audit review processes that can be applied to virtualization, including how to use virtualization to enhance the audit process. The paper focuses on PCI DSS audits in a VMware environment.
An accompanying webcast by the white paper authors and VMware may be viewed at the SANS Webcast Archive.
Security Compliance in a Virtual World
This RSA Security Brief offers executives and technology practitioners some practical guidance for establishing a solid foundation to mitigate risk and address compliance with various regulations, industry standards and internal policies in the context of virtual infrastructures. Authors of the RSA Security Brief include many of the industry’s foremost security and virtualization experts from EMC and VMware, including Bret Hartman, Chief Technology Officer for EMC’s RSA security division, Dr. Stephen Herrod, Chief Technology Officer and Senior Vice President of R&D for VMware and other senior EMC technologists.
How Virtualization Affects PCI DSS
This white paper series is a joint effort with Foundstone that takes a pragmatic look at the different components of virtualization technologies and provides a perspective on how enterprises that are looking to deploy such technologies should think about their impact on PCI compliance initiatives.
- Part 1: Mapping PCI Requirements and Virtualization
This paper presents a mapping of the relevant PCI requirements and how they are impacted by virtualization.
- Part 2: A Review of the Top 5 Issues
This paper highlights what we believe to be the top five issues and concerns that PCI Qualified Security Assessors (QSAs) have about virtualization technology. For each of these we propose solutions that organizations can rely on to demonstrate compliance while deploying virtualization technology within their PCI environment.
Achieving Compliance in a Virtualized Environment
The goal of this paper is to present the unique considerations that virtualization introduces for regulatory and standards compliance, and then prescriptively describe how to mitigate those risks.
Ten Steps to Continuous Compliance: Putting in Place an Enterprise-Wide Compliance Strategy
This paper discusses the challenges faced by today’s enterprise IT departments and outlines ten steps for successful compliance. You’ll learn what organizations like yours can do to protect information and comply with regulations, while enhancing business performance.
Accelerating PCI Compliance with Log Management
This white paper discusses the challenges organizations face in complying with PCI, and how effective LMI can simplify the compliance process while helping to improve enterprise security. It also provides suggestions for how best to prepare for a PCI audit and improve your chances of achieving ongoing compliance. Registration required.
Virtualization Security: A Coordinated Approach to Intrusion Detection and Prevention
Virtualization environments share many of the same security challenges faced by physical server environments. This paper explores the challenges of protecting, and the opportunities for improving the security of, virtualized environments. It outlines a Coordinated Approach for Intrusion Detection and Prevention which can be deployed today, and that is architected to take advantage of additional capabilities which virtualization vendors are adding to their platforms.
Reducing the Scope of Your PCI Audit: Innovative Network Segmentation Using Host Intrusion Defense
This white paper discusses the methods and merits of traditional approaches to network segmentation as a means to reduce the scope of the PCI audit. It introduces host intrusion defense — which includes a software firewall — as an innovative solution that will help dramatically reduce the scope and cost of a PCI audit, thereby relieving some of the ‘PCI pain’.
Webinars and Podcasts
Virtualization: Security and Compliance Considerations
Join Dave Shackleford, Director of Configuresoft's Center for Policy and Compliance (CP&C), former CTO at the Center for Internet Security (CIS) and co-author of the CIS Benchmarks for VMware ESX, as he discusses the security and compliance challenges introduced by virtualization.
Establishing and Maintaining PCI Compliance
Dan Langin, Principal - Daniel J. Langin, Attorney at Law
PCI is a credit card industry standard, not a government regulation. However, companies that don’t comply with the standard face high fines, sanctions, and more. How does a merchant or member bank avoid such penalties and maintain a high compliance posture?
In this Tripwire podcast Dan Langin, Attorney at Law, discusses what PCI means for merchants, banks, and other companies that handle credit card information.
Insights from an Auditor: Ensuring a Successful PCI Audit
Uncover the nuts and bolts of PCI audits, and what your company can do to attain and maintain cost-effective compliance.
How Can You Prove Your Virtualized Environment is PCI Compliant?
Configuresoft has brought together a panel of experts who will provide specific guidance on how to demonstrate PCI DSS compliance on both virtual and physical platforms. Please join us for this exciting webinar with Charu Chaubal, Senior Architect with VMware, Dave Taylor, Research Director for the PCI Knowledge Base, and Dave Shackleford, Director of the Center for Policy and Compliance (CP&C).
Best Practices for Achieving PCI Compliance in a Virtual Environment
This podcast brings together a panel of experts including Dave Shackleford from Configuresoft, Charu Chaubal from VMware and Dave Taylor from the PCI Knowledge Base. Download this podcast and listen to the challenges and opportunities of virtualization and how to properly implement virtualization to ensure security and compliance with the PCI DSS version 1.2 standard.
Case Studies
Olan Mills meets critical PCI requirements using Reflex Virtual Security Management Solution
Utilizing Reflex Security Virtual Management Solution on VMware Virtual Infrastructure 3, Olan Mills was able to create a cost-effective virtual computing environment and satisfy auditors that the new environment provides strong new protection to the company’s retail customers, enabling the virtual environment to meet critical PCI requirements.
