For the past two years I have been listening to security and compliance auditors who routinely complain that they need help with effectively auditing for compliance (e.g., regulatory, security policy) in virtualized environments. During that span, I’d often hear auditors tell me the following:
I don’t know where to start.
What within the virtual infrastructure constitutes a trusted security boundary?
Are the vendors in the virtualization space and the standards bodies (e.g. PCI) doing anything to help?
With that feedback in mind, I have taken auditor feedback (both general and specific) to the major virtualization vendors and asked them if they could push the ball forward and throw the auditors a life line. Unfortunately, a senior executive at one prominent vendor told me:
Auditing is an internal issue that is unique to all organizations, and we have no place in this area.
When the executive made that statement, I told him why I disagreed and tried to clarify my position, again stating that the virtualization vendors needed to take the ball and engage the standards bodies, and also to provide the clarity that the auditors required. He still disagreed.
Hope is not lost for the auditing community, as VMware today announced that it is joining the PCI standards council as a participating organization, along with the launch of the VMware Compliance Center Web site. The Compliance Center includes a very nice list of white papers that I think auditors will find helpful. VMware - great job. With this announcement, I think Christmas just came early for many in the auditing community. Now for VMware’s competitors, I’m once again going to repeat my request to you - please get serious about providing guidelines and clarity for security auditors. They want your help. Without it, some will inevitably revert to enforcing full physical isolation within their organization’s virtual infrastructure, which reduces consolidation density and undermines your TCO arguments. What do you say? If you’re serious about being a production-class virtualization platform, you need to publicly demonstrate that you are serious about security and compliance. The ball’s in your court.
Note: Originally posted to Burton Group’s Data Center Strategies blog.