
Compliance challenges while virtualizing

Chris @ Fortisphere writes:

Here are five challenging aspects of IT compliance when dealing with virtualisation:

  1. Discovery and inventory: You can't measure what you can't see (or for that matter, don't even know exists). Determining which virtual machines (VMs) are active, which are abandoned or dormant and what data they are accessing is a fundamental part of defining your scope of compliance and applying the appropriate IT controls. Perhaps of a greater concern is how organisations cope with unapproved or rogue VMs.

  2. Chain of custody: Can you provide an audit trail for critical VMs as they move from development to testing to production? Are only approved changes occurring and are they made by the appropriate personnel? Due to the dynamic and mobile nature of virtualisation, keeping track of where the VMs are, who touched them and what changed is key for audit documentation and a true lifesaver in incident response scenarios.

  3. Separation of critical assets (especially in a hosted environment): How do you know that customer A VMs are properly segregated from customer B VMs? Are low risk, non-critical VMs being hosted on the same box as high risk, mission critical VMs? Add features like VMotion and DRS in plus some modern storage solutions and there is a good chance that things are not so cleanly separated. Having the ability to make VMs aware of their risk profile and location is going to be critical as more organisations adopt virtualisation.

  4. Software license violations: Push-button provisioning has become a huge contributor to virtual sprawl and major corporate licensing violations. This one seems simple but take the case of a software development shop. The vendor tools make it quick and easy to build a server for coding or testing purposes but then you can clone it, copy it and move it and before long there are numerous copies of the OS, applications and development tools floating around. Software inventory and metering will have to learn some new tricks in the context of products like VMware's Lab Manager.

  5. Subject Matter Expertise (SME): Virtualization is being rolled out faster than IT audit staff is being trained. IT compliance and audit professionals have just not had the training and time they need to appropriately understand the role virtualization plays in regulatory compliance. This is an area that can be solved but it will take effort from the vendor community working alongside organisations like ISACA, ISSA, IIA and SANS.

Maybe it's time to check up with John at Fortisphere and ask how they've been faring.

More news here
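The first and third items above (discovery/inventory and separation of critical assets) both come down to reconciling what the hypervisor actually runs against what the approved inventory says should exist. The script below is an added example, not code from the original post or from Fortisphere: it takes a constructed hypervisor export and a constructed CMDB (a hypothetical schema with owner, tenant and risk level per VM), and reports rogue VMs that no one approved, dormant VMs that have been powered off longer than policy allows, and hosts where different tenants or different risk levels share hardware. Names, hosts, dates and the 90-day threshold are all sample values.

```python
# Added example (not from the original post or Fortisphere): reconcile a
# hypervisor's VM list against an approved inventory (CMDB) to surface the
# gaps the post describes: rogue VMs, dormant VMs and risky co-location.
# All names, hosts, dates and thresholds below are constructed sample data.
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class VM:
    """What the hypervisor reports about one virtual machine."""
    name: str
    host: str                          # hypervisor the VM currently sits on
    powered_on: bool
    last_power_on: Optional[datetime]  # None = never powered on since registration


@dataclass(frozen=True)
class CmdbRecord:
    """What the approved inventory knows about a VM (hypothetical CMDB schema)."""
    owner: str
    tenant: str   # customer or business unit the VM belongs to
    risk: str     # "high" (regulated / mission critical) or "low"


AS_OF = datetime(2024, 1, 1, tzinfo=timezone.utc)   # constructed "now" for the run
DORMANT_AFTER = timedelta(days=90)                    # policy: 90 days off = dormant

# Constructed hypervisor export: what the platform actually has registered.
SAMPLE_VMS: List[VM] = [
    VM("web-prod-01", "esx01", True, AS_OF - timedelta(days=3)),
    VM("web-prod-02", "esx01", True, AS_OF - timedelta(days=3)),
    VM("test-build-07", "esx02", False, AS_OF - timedelta(days=120)),
    VM("template-copy-03", "esx02", False, None),
    VM("clone-of-web-prod-01", "esx02", True, AS_OF - timedelta(days=1)),
    VM("billing-db-01", "esx03", True, AS_OF - timedelta(days=30)),
    VM("sandbox-11", "esx03", True, AS_OF - timedelta(days=2)),
]

# Constructed CMDB: the VMs that went through the approval process.
SAMPLE_CMDB: Dict[str, CmdbRecord] = {
    "web-prod-01": CmdbRecord("web-team", "acme", "high"),
    "web-prod-02": CmdbRecord("web-team", "acme", "high"),
    "test-build-07": CmdbRecord("dev-team", "acme", "low"),
    "template-copy-03": CmdbRecord("dev-team", "acme", "low"),
    "billing-db-01": CmdbRecord("finance", "globex", "high"),
    "sandbox-11": CmdbRecord("dev-team", "acme", "low"),
}


def find_rogue(vms: List[VM], cmdb: Dict[str, CmdbRecord]) -> List[str]:
    """VMs the hypervisor has but the approved inventory has never heard of."""
    return sorted(vm.name for vm in vms if vm.name not in cmdb)


def find_dormant(vms: List[VM], as_of: datetime, max_idle: timedelta) -> List[str]:
    """Powered-off VMs idle longer than policy allows, or never powered on at all."""
    dormant = []
    for vm in vms:
        if vm.powered_on:
            continue
        if vm.last_power_on is None or as_of - vm.last_power_on > max_idle:
            dormant.append(vm.name)
    return sorted(dormant)


def find_colocation_conflicts(
    vms: List[VM], cmdb: Dict[str, CmdbRecord]
) -> List[Tuple[str, str]]:
    """Hosts where approved VMs of different tenants or risk levels share hardware."""
    by_host: Dict[str, List[CmdbRecord]] = {}
    for vm in vms:
        record = cmdb.get(vm.name)
        if record is not None:  # rogue VMs have no record; they are reported separately
            by_host.setdefault(vm.host, []).append(record)
    conflicts: List[Tuple[str, str]] = []
    for host, records in sorted(by_host.items()):
        tenants = {r.tenant for r in records}
        risks = {r.risk for r in records}
        if len(tenants) > 1:
            conflicts.append((host, "tenants share host: " + ", ".join(sorted(tenants))))
        if {"high", "low"} <= risks:
            conflicts.append((host, "high-risk and low-risk VMs share host"))
    return conflicts


def reconcile(vms: List[VM], cmdb: Dict[str, CmdbRecord],
              as_of: datetime = AS_OF, max_idle: timedelta = DORMANT_AFTER) -> Dict[str, list]:
    """One report an auditor can take away: what is unapproved, idle or badly placed."""
    return {
        "rogue": find_rogue(vms, cmdb),
        "dormant": find_dormant(vms, as_of, max_idle),
        "colocation": find_colocation_conflicts(vms, cmdb),
    }


if __name__ == "__main__":
    for finding, items in reconcile(SAMPLE_VMS, SAMPLE_CMDB).items():
        print(f"{finding}: {items}")
```

In a real environment the two inputs would come from the hypervisor's API export and the CMDB respectively; the reconciliation logic stays the same. Rogue VMs are deliberately left out of the co-location check because they carry no tenant or risk label, so the rogue finding itself is the signal that a host's isolation can no longer be vouched for until the VM is classified or removed.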

