VMware Launches Site for Security and Compliance Auditors


For the past two years I have been listening to security and compliance auditors who routinely complain that they need help with effectively auditing for compliance (e.g., regulatory, security policy) in virtualized environments. During that span, I’d often hear auditors tell me the following:

I don’t know where to start.

What within the virtual infrastructure constitutes a trusted security boundary?

Are the vendors in the virtualization space and the standards bodies (e.g. PCI) doing anything to help?

That being said, I have taken auditor feedback (both general and specific) to the major virtualization vendors and asked them if they could push the ball forward and throw the auditors a life line. Unfortunately, a senior executive at one prominent vendor told me:

Auditing is an internal issue that is unique to all organizations, and we have no place in this area.

When the executive made that statement, I told him why I disagreed and tried to clarify my position, again stating that the virtualization vendors needed to take the ball and engage the standards bodies, and also provide the clarity that the auditors required. He still disagreed.

Hope is not lost for the auditing community, as VMware today announced that it is joining the PCI standards council as a participating organization, and the launch of the VMware Compliance Center Web site. The Compliance Center includes a very nice list of white papers that I think auditors will find helpful. VMware - great job. With this announcement, I think Christmas just came early for many in the auditing community. Now for VMware’s competitors, I’m once again going to repeat my request to you - please get serious about providing guidelines and clarity for security auditors. They want your help. Without it, some will inevitably revert to enforcing full physical isolation within their organization’s virtual infrastructure, something which reduces consolidation density and undermines your TCO arguments. What do you say? If you’re serious about being a production-class virtualization platform, you need to publicly demonstrate how you are serious about security and compliance. The ball’s in your court.

Note: Originally posted to Burton Group’s Data Center Strategies blog.

  1. #1 by Karen Hepner - December 5th, 2008 at 13:43

    This is fantastic! You don’t know how many times I’ve run into retailers, hoteliers, etc., who are actually holding off on virtualization because they have no idea whether or not they would stay PCI compliant in a virtual environment. The recommendations from auditors can be all over the map, which until now is because the auditors themselves had no guidance. It’s great to see VMware taking responsibility with this. And I expect we’ll see further adoption of virtualization in PCI-affected industries because of it.
