Big Steps Toward Managing Security and Compliance for Virtual Infrastructure


This week, the industry celebrates one of the most influential and fastest-growing technologies shaping the world of information systems: virtualization. At VMWorld 2010, the focus on virtualization across the enterprise and cloud computing highlights some of the most interesting and impactful technologies our industry is adopting. We have published several previous blog posts on the cloud computing trend in terms of Governance, Risk and Compliance. The combination of traditional physical data centers, virtual data centers and cloud services is something that we, as GRC professionals, need to keep expanding our knowledge of. The VMWorld conference is one of those opportunities where we get a glimpse of the future of information systems and are challenged to mature our GRC processes and approaches, so that our organizations can leverage this exciting technology while keeping the risks inherent in every new business opportunity in check.

One of the major challenges of virtualization is in the definition of controls that are cognizant of the nuances and dimensions of the new virtual world. In conjunction with our RSA, EMC and VMware colleagues, we have just completed the documentation of technical control procedures for VMware as part of the RSA Archer eGRC Content Library. Technical control procedures for the VMware platform were developed based on the vSphere 4.0 Security Hardening Guide April 2010 and other generally accepted industry best practices. These are featured in the Q4 2010 release of the new RSA Solution for Cloud Security and Compliance announced at VMWorld this week.

The approximately 130 controls and associated Question Library content provide a comprehensive, end-to-end framework for establishing a baseline secure configuration of a virtualized infrastructure and, where possible, automating and reporting on the measurement of that configuration. This configuration baseline status monitoring can be complemented with relevant security events if the RSA enVision SIEM product is also deployed. The controls were developed by a team of platform experts from EMC, RSA and VMware. In addition to these control procedures, the team is extending the controls into automated testing scripts and other tools to carry the controls all the way through testing and verification.

The definition of technical controls—documented configuration settings and baselines—is a key part of the IT-GRC process. These controls not only define the expected configurations within the environment but should also directly guide audit, compliance and security assessments. Getting the technologists across the enterprise on the same page when it comes to technical controls is a big step toward a consistent, efficient, controlled infrastructure.

The VMware technical control procedures will be made available in the coming weeks as part of RSA’s continually growing eGRC Content Library. For more information, watch for the Content Library updates this quarter.

Author: Steve Schlarman

Steve Schlarman is a GRC Strategist for RSA, The Security Division of EMC. With deep compliance, security, audit and IT management expertise, Mr. Schlarman is responsible for product design and architecture for RSA Archer GRC Solutions focusing on IT and Security. Prior to joining Archer, Mr. Schlarman was the Chief Compliance Strategist for Brabeion Software, where he led overall product strategy, product management and content management. Before Brabeion, he was a Director in PricewaterhouseCoopers' Advisory Practice, focusing exclusively on information security consulting and auditing. Mr. Schlarman received a Bachelor of Science degree in Mathematical Sciences from Southern Illinois University-Edwardsville. He holds both CISSP and CISM certifications.