I am blogging from the first annual Technosium 2008 Global Conference and Expo in Santa Clara, Calif., where I have gotten some clarification on regulatory compliance, a topic that perplexes me and other virtualization managers and administrators I know.
Have we bent the rules of regulatory compliance to get virtualized systems online? With the configuration involved in putting systems on DMZ networks, Internet-facing networks, and customer or vendor networks that handle regulatory-sensitive material (like HIPAA, Sarbanes-Oxley and others) on virtualized systems, we may have created a compliance issue.
After talking to consultants and vendors, I came to the conclusion that it may be time to check and double check the regulatory compliance aspects of any work on our virtualized implementations. There’s the possibility that, from a compliance perspective, we may not have segmented all of our regulatory-protected systems adequately.
Naturally, vendors have seen the problem rearing its head and are offering automated tools. At the show today, for instance, I met with Joao Ambra, security product manager for Modulo, which specializes in IT governance, risk and compliance management. Modulo’s Risk Manager Software product assesses regulatory compliance and supports risk assessment and audit work for organizations.
Besides describing Modulo’s product, Ambra gave advice on four key areas for determining if regulatory compliance is met:
Technology: This covers the infrastructure components, such as the network environment, databases, servers, workstations and other physical elements.
Processes: Procedures such as backup, restore, disaster recovery, password policies and internal change control management make up a processes assessment.
People: Staff training levels on the technologies used and regulations applicable to the organization are important parts of the employee inventory.
Environment: The environment consists of physical access, facilities and the risks associated with the physical presence of computing resources (and protected data).
According to Ambra, the key step in collecting data for compliance-measurable items is identifying where virtualization fits into each of those components. When a virtualized system hosts critical elements or regulatory-sensitive material, such as databases, access to protected healthcare data, or fixed-asset systems, the virtual host and all of its elements fall under the same scrutiny as the systems it hosts. That includes the hardware, the database and the security configuration of the virtual environment itself.
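To make that scope rule concrete, here is an added example (my own illustration, not code from the post or from Modulo's product) that takes a VM inventory and propagates each guest's regulatory scope onto the host, VLAN and datastore it shares, then flags places where a regulated guest sits next to an unregulated or Internet-facing one. The inventory, host names, VLAN names and datastore names are constructed for the example and are hypothetical.

```python
"""Scope propagation and co-tenancy check for a virtualized inventory.

Added example, not part of the original post and not Modulo's software.
The inventory below is constructed; every host, VLAN and datastore name
is hypothetical.
"""
from collections import defaultdict

# Constructed inventory. "regs" holds the regulations that apply to the data
# a VM handles (an empty set means no regulated data); "internet_facing"
# marks guests reachable from the Internet or a DMZ.
VMS = [
    {"name": "ehr-db01",    "host": "esx-a", "vlan": "vlan-10",
     "datastore": "ds-shared", "regs": {"HIPAA"}, "internet_facing": False},
    {"name": "web-portal",  "host": "esx-a", "vlan": "vlan-20",
     "datastore": "ds-shared", "regs": set(),     "internet_facing": True},
    {"name": "gl-erp",      "host": "esx-b", "vlan": "vlan-30",
     "datastore": "ds-fin",    "regs": {"SOX"},   "internet_facing": False},
    {"name": "build-agent", "host": "esx-c", "vlan": "vlan-40",
     "datastore": "ds-dev",    "regs": set(),     "internet_facing": False},
]

SHARED_KINDS = ("host", "vlan", "datastore")


def propagate_scope(vms):
    """Return {(kind, element): set of regulations}.

    A shared element (host, VLAN, datastore) inherits every regulation of
    every guest that touches it, which is the point Ambra makes: the host
    is in scope as soon as one regulated guest lands on it.
    """
    scope = defaultdict(set)
    for vm in vms:
        for kind in SHARED_KINDS:
            scope[(kind, vm[kind])] |= vm["regs"]
    return dict(scope)


def find_comingling(vms):
    """Flag shared elements where a regulated guest has a risky neighbor.

    Returns a sorted list of tuples:
    (kind, element, regulated_vm, neighbor_vm, reason).
    An Internet-facing neighbor is reported ahead of a merely
    unregulated one, since it is the more serious segmentation gap.
    """
    by_element = defaultdict(list)
    for vm in vms:
        for kind in SHARED_KINDS:
            by_element[(kind, vm[kind])].append(vm)

    findings = []
    for (kind, name), members in by_element.items():
        for regulated in (vm for vm in members if vm["regs"]):
            for other in members:
                if other is regulated:
                    continue
                if other["internet_facing"]:
                    reason = "internet-facing neighbor"
                elif not other["regs"]:
                    reason = "unregulated neighbor"
                else:
                    continue  # two regulated guests together is not flagged here
                findings.append((kind, name, regulated["name"],
                                 other["name"], reason))
    return sorted(findings)


if __name__ == "__main__":
    for element, regs in sorted(propagate_scope(VMS).items()):
        print(f"{element[0]:<10}{element[1]:<12}in scope for: {sorted(regs) or '-'}")
    for finding in find_comingling(VMS):
        print("FINDING:", finding)
```

Run it and the HIPAA database on esx-a pulls that host and its shared datastore into HIPAA scope, and both are flagged because the Internet-facing portal VM shares them. Feeding it a real inventory export (the VM list from the hypervisor's management API, with classifications from your data inventory) is the obvious next step.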
Virtualization, in principle, protects against a single server running too many roles while accessing protected data. However, that protection is entirely contingent on how the virtual environment is implemented.