Compliance regulations are designed to protect the public from wrongdoing, but they have a major impact on virtual data centers. Their effect is evident in the many regulations that have emerged over the past decade to help control and normalize IT operations for industries of all types.
In the U.S. alone, there are numerous regulations that govern all kinds of electronic information:
- The Health Insurance Portability and Accountability Act, or HIPAA, targets healthcare providers as well as their business partners. In short, it outlines a standard format for the performance of electronic transactions, system security, unique identification of patients and the privacy of patient data and other critical information.
- The Food and Drug Administration’s 21 Code of Federal Regulations Part 11 focuses on guidelines for trustworthy electronic records. It requires organizations to use procedures and controls that help ensure the authenticity, integrity and confidentiality of electronic records.
- The Financial Services Modernization Act, also known as the Gramm-LeachBliley Act, mandates that institutions establish appropriate security standards to protect private customer data and employee data from internal and external threats. This data must also be protected from unauthorized access.
- The USA Patriot Act was introduced in response to the events of Sept. 11, 2001. Although this regulation does not directly affect compliance, it gives the U.S. government the authority to regulate financial transactions, especially those that affect foreign individuals and entities.
- The Federal Information Security Management Act 2002 requires each U.S. agency to develop and implement agency-wide programs to provide security for the information and the systems that support its operations and assets. It covers the agency itself, plus other agencies or business partners with which it interacts.
- The Sarbanes-Oxley Act (SOX) has an impact on publicly traded companies and demands that they demonstrate due diligence in the disclosure of financial information. It is based on the implementation of internal controls and procedures to ensure that data is protected at all times. This includes data storage and data transmission.
- The Payment Card Industry (PCI) Data Security Standard was introduced by the Payment Card Industry Security Standards Council, a worldwide organization that controls payment card standards
This far-reaching regulation affects any organization that will hold, process or pass on cardholder information from any card with one of the included card brands. PCI requires that validation of compliance must be performed annually by each affected organization.
In the virtual world, information must be categorized and protected. IT departments must provide proof of this protection during audits, which occur at regular intervals. To do so, IT must first identify which information is controlled by which regulation and then put in place appropriate mechanisms to protect it.
In a way, this is nothing new, because information categorization is the cornerstone of any security strategy. In a model called the “Castle Defense System,” a defense in-depth system promoted by Resolutions Enterprises Ltd., information categorization is used to build a complete IT security system from the ground up. Information usually falls within one of four categories. Protection mechanisms are structured to provide more comprehensive protection for each category of information.
Another key element of compliance is documentation. All system components and structures must be fully documented, and this documentation must be maintained at all times. Unfortunately, documentation is not always the forte of technical personnel. It is, however, a must for any regulated organization.
The final cornerstone of a full compliance strategy is change management and tracking. If organizations want to be prepared for any audit, every single change must be tracked systematically without fail. During an audit, the last thing an overworked IT professional wants to do is to manually track all changes that have been performed since the previous audit.
Compliance and virtual infrastructure
Compliance has been a challenge for organizations relying on traditional IT services based on physical server implementations. The introduction of virtual infrastructures provides an additional layer of complexity for organizations that need to maintain compliance. In fact, virtual infrastructures introduce new ways of doing things that may affect compliance:
- Virtual machine (VM) movement: Because they are nothing but a set of files in a folder (see Figure 2), VMs can easily move from one host server to another through live-motion operations—operations provided by features such as VMware Inc.’s VMotion, Citrix Systems Inc.’s XenMotion or even Microsoft Hyper-V’s Live Migration. These technologies dynamically move a VM from one host system to another based on policies that are designed to ensure that a VM can access appropriate resources to meet peak demands. If a VM is moved through an automatic policy-based mechanism, it is difficult for IT to know where that VM runs at any point in time.
- VMs that rely on virtual disk drives: These special files simulate the operation of a disk to store information. This means that the information you need to protect may well be contained within a virtual disk and can, therefore, be more easily transported to unknown locations—especially if unauthorized personnel can access these virtual disks.
- Virtual infrastructures introduce a dichotomy in the data center: One infrastructure—the physical infrastructure, often dubbed the “resource pool”— includes only host servers, storage devices and network switches. The other—virtual service offerings (VSO)— includes all the VMs that provide end user-facing services. Implementing security for both of these infrastructures may be more complex for organizations new to virtualization.
- VMs may often be in various states—running, saved or turned off: Because of this, they may have several backup copies. After all, to back up a VM, all you have to do is create a copy of the files that make it up. If unauthorized individuals gain access to these VMs and copy them for use outside your premises, these “parked” VMs can be a risk.
- Virtual infrastructures are difficult to document: Because of its dynamic nature, virtual infrastructure is more difficult to document than is physical infrastructure. Host servers can contain upward of 30 VMs each, depending on their configuration. Machines move from one host to another. Each host has multiple virtual networks and virtual network switches, all of which have different VM connections. Storage containers may run both virtual disk drives and raw or pass-through disks. VMs can have any number of disks tied to them. All these items must be documented at all times.
- Change tracking is harder to implement and maintain: Because of the volatile nature of VMs, It’s easy to generate a new VM. Just copy the files of another VM. It is also easy to destroy a VM. Just delete its files. In highly dynamic environments, VMs appear and disappear on an as-needed basis. As a result, they are harder to track.
There is no doubt that running a virtual infrastructure has an impact on maintaining compliance with the regulations that affect your organization.
Recommendations for compliance in virtual environments
So how do you maintain compliance in a virtual environment? The first step is to continue with the compliance strategies in place for your physical network. These strategies are usually quite sound. Because they are already in place, they should be extended to the virtual infrastructure.
Next, implement VM documentation tools. Several tools are already available, along with the documentation support included in the virtual management interface you run. VMware partner VKernel, for example, offers a free VM documentation tool. SnapshotMyVM provides full details on the configuration of each VM in a network. The virtualization management company Hyper9 also offers a discovery tool that can scan networks and identify orphaned files in moments. When it comes to virtual infrastructure documentation, the Hyper9 Virtualization Optimization Suite can help greatly.
Third, secure your virtual infrastructure. You already have good security practices in place for your physical network. Make sure you extend them to the virtual infrastructure you run. Note that security practices differ between the resource pool and the VSOs.
Fourth, implement a monitoring system to track all changes in your infrastructure. Many organizations use the same monitoring systems for the resource pool and the VSO network. Remember, though, that the changes you need to track in the VSO network are not necessarily the same as those you need to track in the resource pool. Because of this, you may prefer to use two different tools, or at least two different implementations and configurations of the same monitoring tool, to get the most information from each network.
Finally, standardize your IT operations. The best way to do so is to rely on an IT management system. If you’re working with Microsoft technologies, you may want to rely on the Microsoft Operations Framework, a structured system standardization guidance framework that is tailored to Microsoft technologies. Or, if you prefer to work with more generic tools, you can work with the IT Infrastructure Library (ITIL), whose guidance is prepared by the Ministry of Commerce in the U.K. and made available to the general public.
In the end, when you work with virtual infrastructures, the only way any industry can remain compliant is to use common sense. If you need to protect vital information and verify that it is protected at all times, you should standardize the way you do things, document the infrastructure that runs it and track all changes in your data center. This way, you’ll always be ready for an audit, and instead of adding on work, it will be an opportunity to shine and show your peers that you’re on top of any change in your environment—virtual or physical.
About the Authors
Danielle Ruest and Nelson Ruest are IT professionals focused on emerging technologies, particularly virtualization and continuous service availability. They are authors of multiple books, including Exam 70-652: Configuring Windows Server Virtualization with Hyper-V from MS Press and Virtualization, A Beginner’s Guide from McGraw-Hill Osborne. Contact them at firstname.lastname@example.org.
Dig Deeper on Server virtualization compliance and governance
Build a virtualized development environment with these guidelines
Considerations for creating a VM for a development environment
Cloud Compliance: Tackling Compliance in the Cloud
Q&A: Combat data center virtualization pitfalls with VMware tools