Nothing gets a business into hot water faster than the lack of communication in and around the IT department. One area in IT where this appears to be happening with increasing frequency is server virtualization. An emerging technology intended to simplify IT management, reduce costs and improve security and compliance management, server virtualization often ends up being treated as an IT-only issue, leaving out considerations for compliance management. Let me assure you: It’s not just for IT.
Here are some common assumptions that take
IT assumption: We’re crafting future plans, and compliance isn’t really an issue at this point.
Business reality: As with most critical IT functions, server virtualization is complex and the compliance management factor needs to be included right from the start. Otherwise, the disconnect will continue to grow and create unnecessary business risks.
IT assumption: We’re testing virtualization on only workstations and a few select servers, so there’s not much to worry about right now.
Business reality: Every system counts. Odds are, any given server in your environment and (especially) your workstations falls within the scope of information security compliance in some way. If the servers are virtualized, many factors involving compliance need to be considered.
IT assumption: Even if we told our compliance and internal audit folks about virtualization, they wouldn’t understand it anyway.
Business reality: This is a common excuse among technical folks in IT, particularly among those in charge of compliance management and oversight who aren’t very technical. IT, just like information security and compliance, is ultimately a business function that needs to be managed as such with all the right people plugged in at all the right times.
Taking the virtualization and compliance management factor a step further, you have to consider your security policies and incident response plan. Is virtualization in the scope of your policies? Have minimum standards been set for virtualization security?
Virtual systems are just like their physical counterparts, but with a little more work involved. For instance, there’s an additional management component that IT folks use to administer and monitor virtual environments. You also must have plans in place to ensure that the system is properly maintained and audited, and that there are adequate controls to prevent data breaches from within the virtual environment
You must consider the controls that are in place to assist with incident response and forensics investigations, as the incident response procedures related to virtualized servers and workstations are unique. The same goes for data backups and restores, which are key items that must be considered. You must also ensure that your incident response plan has been updated with these factors in mind.
Finally, if your business has in-house forensics experts, make sure they are capable of thoroughly analyzing virtual systems.
I’m all for virtualization, but don’t let it be treated (and masked) as a “technical issue” that only network administrators are concerned about. As complicated as they both are, IT and compliance cannot each work in a vacuum. They have to be on the same page, even with something as seemingly benign as virtualization. Otherwise, information security compliance is merely for show and will end up doing more harm than good.
Kevin Beaver is a contributing writer based in Atlanta. Let us know what you think about the story; email firstname.lastname@example.org.
This was first published in August 2010