Put compliance management back into server virtualization

Nothing gets a business into hot water faster than a lack of communication in and around the IT department, and one area where this is happening with increasing frequency is server virtualization. An emerging technology intended to simplify IT management, reduce costs and improve security and compliance management, server virtualization often ends up being treated as an IT-only issue, with compliance management left out of the picture entirely. Let me assure you: it’s not just for IT.


Kevin Beaver

Here are some common assumptions that take virtualized servers and workstations out of the compliance management equation:

IT assumption: We’re crafting future plans, and compliance isn’t really an issue at this point.

Business reality: As with most critical IT functions, server virtualization is complex, and the compliance management factor needs to be included right from the start. Retrofitting controls onto a virtual environment that is already in production is far harder than designing them in, and the longer the disconnect persists, the more unnecessary business risk it creates.

IT assumption: We’re testing virtualization on only workstations and a few select servers, so there’s not much to worry about right now.

Business reality: Every system counts. Odds are that any given server in your environment, and especially any given workstation, falls within the scope of information security compliance in some way. A pilot is still a production system from an auditor’s point of view if it touches regulated data, so once those systems are virtualized, the compliance factors still need to be considered.

IT assumption: Even if we told our compliance and internal audit folks about virtualization, they wouldn’t understand it anyway.

Business reality: This is a common excuse among technical folks in IT, particularly when those in charge of compliance management and oversight aren’t very technical themselves. IT, just like information security and compliance, is ultimately a business function that needs to be managed as such, with all the right people plugged in at all the right times. If the compliance team doesn’t understand virtualization, that is a reason to explain it to them, not to leave them out.

Taking the virtualization and compliance management factor a step further, you have to consider your security policies and incident response plan. Is virtualization explicitly in the scope of your policies, or do they only describe physical servers? Have minimum standards been set for virtualization security, and do they cover the hypervisor and its management tools as well as the guest systems?

Virtual systems are subject to the same requirements as their physical counterparts, but with a little more work involved. For instance, there’s an additional management component that IT folks use to administer and monitor virtual environments, and that component is itself a highly privileged system: whoever controls it can start, stop, copy or reconfigure every guest it manages. Access to it, and changes made through it, need to be controlled and logged just as they would be for the servers themselves. You also must have plans in place to ensure that the system is properly maintained and audited, and that there are adequate controls to prevent data breaches from within the virtual environment, including between guests that share the same host.

You must consider the controls that are in place to assist with incident response and forensics investigations, because the incident response procedures for virtualized servers and workstations differ from those for physical systems. A compromised virtual machine can be snapshotted, suspended or copied without being powered off, which is useful for preserving evidence, but it can also be migrated to another host or deleted just as easily, so the procedures need to say who may do what and how the evidence is handled. The same applies to data backups and restores, since a restored virtual machine image may bring back vulnerabilities or data that were supposed to be gone. Make sure your incident response plan has been updated with these factors in mind.

Finally, if your business has in-house forensics experts, make sure they are capable of thoroughly analyzing virtual systems, including virtual disk images, snapshots and the logs produced by the hypervisor and its management tools.

I’m all for virtualization, but don’t let it be treated (and masked) as a “technical issue” that only network administrators are concerned about. As complicated as they both are, IT and compliance cannot each work in a vacuum. They have to be on the same page, even with something as seemingly benign as virtualization. Otherwise, information security compliance is merely for show and will end up doing more harm than good.

Kevin Beaver is a contributing writer based in Atlanta. Let us know what you think about the story; email editor@searchcompliance.com.

This was first published in August 2010
