
VMware launches "Compliance Center"!

As regulatory compliance expands, more and more of your virtual environment will become subject to security and compliance standards, such as PCI DSS, HIPAA and SOX (GLBA). With the proper tools, achieving and demonstrating compliance on VMware Infrastructure is not only possible, but can often be easier than in a non-virtual environment.

Assess the Management Control Features in a Virtual Platform

Having a secure foundation is the first step. As security threats grow and evolve, your security environment will need to be flexible and adaptable. Security standards require enterprise-grade management features in order to provide the necessary controls for achieving and demonstrating compliance. The following describes the management features that a virtual computing platform should have in order to be compliance-ready.

Start by Looking at Authentication and Authorization Capabilities

Security management starts with authentication and authorization. All virtual platform interfaces to the outside world must have authentication control as well as the ability to grant fine-grained access privileges via a flexible authorization framework. You should be able to limit the scope of these permissions to specific objects or parts of the infrastructure and grant the right access rights to the right people, without violating the principle of “least privilege.” In addition, privileges for administering virtual machines must be distinct from those for administering the hosts, as a means of limiting the scope of application owners. This critical “separation of duties” (SoD) limits the scope of possible abuse by “insiders,” such as data theft by system administrators or malicious or negligent system changes by data owners.

Make Sure You Have Central Access to Configuration and Logging Parameters

To simplify platform configurations, parameters should be kept in a few, well-known locations with standard or easy-to-read formats. These configuration parameters should only be accessed and modified by those authorized to do so. In addition, there should be central access to detailed event logs for your virtual platform components and related management tools for review, analysis and controlled log retention.

Insist Upon a Single, Flexible and Well-Defined API

The virtualization platform must have a well-defined and open API to capture and view inventory, including topology. The API must also be able to control various functions and to securely extract audit data such as the event logs mentioned earlier. In addition, a well-architected system would not involve multiple, parallel API sets that are each used for different purposes, for example, one for internal components and a similar but distinct one for external integration. Having one API provides a “single source of truth,” so you can be confident that all interactions can be controlled and monitored in a reliable and consistent manner. An API with these characteristics will make satisfying regulatory compliance requirements much easier.


