07 July 2010
RSA security brief helps compliance in virtualized environments
RSA, The Security Division of EMC, has released a new RSA Security Brief titled “Security Compliance in a Virtual World,” offering actionable best practices for organisations faced with proving compliance in virtualised environments.
As more organisations accelerate virtualisation deployments, a more critical eye is turned towards compliance programs. The new RSA Security Brief offers executives and technology practitioners some practical guidance for establishing a solid foundation to mitigate risk and address compliance with various regulations, industry standards and internal policies in the context of virtual infrastructures. Authors of the RSA Security Brief include three of the industry’s foremost security and virtualisation experts from EMC and VMware: Bret Hartman, Chief Technology Officer for EMC’s RSA security division, Dr. Stephen Herrod, Chief Technology Officer and Senior Vice President of R&D for VMware and Dave Shackelford, Chief Security Strategist for EMC Ionix.
“EMC and VMware are in a unique position to offer sound advice for how organisations can best achieve and maintain compliance in virtualised environments,” said Jon Oltsik, Senior Analyst, Enterprise Strategy Group. “Maintaining compliance in a virtualised environment requires the business to understand the impact of this new system on the overall IT risk management program.”
Enabling Executives to Communicate and Practitioners to Act
Organisations taking advantage of the benefits of virtualisation will also have to demonstrate efforts to ensure these environments are fully integrated within a broader compliance program. Enterprises currently struggle with complex compliance environments that include the impact of local data protection laws (e.g., country-level laws as part of the European Union Data Protection Directive), global industry mandates like the PCI Data Security Standard, as well as regulatory requirements such as Sarbanes-Oxley and HIPAA. In addition, many organisations must navigate the complexities associated with internal policies and agreements with business partners and customers. Because of this, it is critical to have a complete view into how virtualisation impacts an organisation’s compliance program.
Professionals responsible for IT security, risk management and compliance programs will discover useful guidance and actionable best practices in the RSA Security Brief. Key components include:
• Best practices for implementation – any enterprise implementing virtualisation must understand and manage the impact on the compliance and risk management programs. The Security Brief addresses key areas including platform hardening, configuration and change management, patch management, administrative access control and separation of duties, network security and segmentation, and audit logging.
• A virtualisation software security assessment checklist – provides questions that organisations can pose to their vendors to better understand their providers’ capabilities to deliver secure software.
• Detailed considerations for technical practitioners – provides organisations with specific critical considerations, such as how to use fine-grained access control to ensure separation of duties between administrators’ roles within the virtualised software, and how to ensure patch management practices extend to the virtualisation software in addition to the virtual machines.