When talking to security executives, it's common to hear about major projects that have been put on hold by auditors because of concerns over virtualized environments. What applications are running on this virtual machine (VM)? If credit card information is processed on a VM, does that mean every application running on that VM is subject to PCI DSS regulations? Virtualization raises many compliance questions that have yet to be fully defined by regulatory groups.
On the other side of the coin, some organizations decide that the benefits of virtualization are necessary to stay competitive from a business perspective, so they push ahead with virtualization. Security teams must figure out how compliance in a virtualized environment will work. The cultures of security and business very rarely see eye to eye on a subject. Security wants to lock down dedicated resources, but business wants to dynamically share resources. Security wants to inspect all traffic and data for malware, but business wants to maximize throughput performance. And so on.
When dealing with the many thorny issues surrounding virtualization compliance, organizations must find a balance between security and business to be successful.
In this SearchSecurity.com special presentation, Eric Ogren, founder and principal analyst of the Ogren Group, discusses why achieving this balance is so important, and then provides tips on how security can make virtualization compliance work. Security must first understand the new virtualization challenges, including hypervisors, persistence and trust zones.
Regulatory guidance won't always be 100% clear on these issues, but when it is clear, security teams need to ensure that organizations are closely following the regulations. When guidance isn't clear, organizations must learn to work with auditors early and continually in the process to guarantee end-to-end compliance. Ultimately, the goal of security should be to protect the business as technology processes change, so virtualization compliance needs to be embraced for organizations to strike the necessary business balance. Ogren shows that virtualization really can work for both security and business.
About the presenter:
Eric Ogren is founder and principal analyst of the Ogren Group, which provides industry analyst services focusing on virtualization and security.