3. What Led Us Here?
Growing complexity of Technology
Business Environment changing
4. What Led Us Here, cont.
Certification and Accreditation – C & A:
Internal controls
Risks are mitigated
Increased legislation as a result of various corporate scandals (Enron, WorldCom)
5. Regulatory Rules and Standards
Sarbanes-Oxley (SOX 302 & 404)
HIPAA
California SB1386
Gramm-Leach-Bliley (GLB)
Federal Info. Security Mgmt (FISMA)
Internal audits
ISO17799, ITIL
Etc., etc., etc.
6. How Does Compliance Affect You?
You have to follow regulations
Increase IT resource and cost requirements
High demands on IT organization:
Control Activities
Documentation & Maintenance
Testing / quarterly audit
7. How Does Virtualization Streamline Regulatory Compliance?
Reduces resource & cost requirements
Unify IT Controls
Provides efficient audit trails
Reduces compliance administrative effort
9. Example 1 – Access Controls
Risk: The security architecture for the network (LAN) and servers is not configured to properly prevent inappropriate and/or unauthorized access
Control:
With virtualization: Virtual machines can be ISOLATED from each other
10. What Is Virtualization?
[Diagram: guest virtual machines (Exchange on Windows 2000, SQL Server on Windows NT4, Apache on Red Hat 7.2) and a service console on a virtualization layer (scheduler, memory management, storage, network, other devices) above the physical hardware]
11. Isolation
CPU hardware / protection
Fault, performance and security isolation
CPU, RAM, Disk, and network resource controls
Resource allocations can be changed “on the fly”
Guaranteed service levels
If one virtual machine “crashes”, it has no negative effect on any other running virtual machines
12. Virtualization Reduces Resource Requirements
Your production and development instances must be separated
Without virtualization, you would need to obtain additional machines for each production and development instance
With virtualization, you will have fewer physical machines and software controls are used to isolate machines
13. Example 2 – Change Mgmt Controls
Risks:
Incomplete, inaccurate, or unauthorized development is introduced into the Production environment, impacting system integrity and availability
Key business processes and/or IT assets may be unavailable because of unauthorized changes to the infrastructure and/or job schedules
Control:
With virtualization, events and changes are captured automatically
14. Virtual Controls: Audit Trails
Incidents and changes must be logged and documented accurately
Without virtualization, this is a manual process and subject to error
With virtualization, events and changes are captured automatically
Examples
Adding drive space
DB Schema changes
Adding network interface
15. Change Control Examples
Virtual network interfaces:
Virtual NICs plug into virtual switches
Two or more: Bonded external links for fault tolerance and bandwidth aggregation
[Diagram: VLAN A and VLAN B on a virtual VLAN switch, with uplink NICs to physical switch VLAN trunk ports]
16. Example 3 – IT Operations Controls
Risk:
Segregation of duties – unauthorized access, shared functions
Control:
With virtualization: Minimizes discrepancies and exceptions
17. Virtual Controls: Segregation
Separate roles for system and database administrators, software developers and business analysts. Use Role Based Access Control lists to authorize who can make what changes
Without virtualization, this requires more training, oversight and manual auditing
With virtualization, only members of hardware support team can upgrade physical hardware
18. Example 4 – IT Operations, cont.
Risk:
Backup and Recovery: Inability to recover and restore critical business data accurately, completely and in a timely manner in the event of a failed system or disaster.
Control:
With virtualization: Recovery time is minimized
19. Virtualization: Recovery
Many of you will leverage SOX to ensure proper recovery plans are in place and tested
Typically standby data center and hardware
Replacement servers do not need to be identical hardware
Virtual machines can be consolidated during recovery
Virtual machines can be replicated, and standby site can be brought up quickly
20. Virtualization: Encapsulation
Entire state of the virtual machine is stored in a computer controlled file
Administrators can now use software and not screwdrivers when working on machines
Virtual machine state can be transferred through space and time
Time: stored on a DVD-ROM
Space: Transfer over a network
22. Virtualization Simplifies Changes
Key Task | Traditional Approach | With Server Virtualization
Provision a new server | 3 - 10 days hardware procurement; 1 - 4 hours provisioning new server | A few minutes to provision a new virtual machine. Standard templates are used.
Moving an application to a new server or repurposing a server | 4 - 6 hours for migration; service interrupted for duration of maintenance window; requires days/weeks of change management preparation | A few minutes with virtual machine management console
Hardware maintenance | Requires 1 - 3 hour maintenance window | Hardware upgrades happen in virtual world.
23. Summary - Virtualization and Compliance
Regulatory compliance is complex
Virtualization is a complex tool
Careful planning, implementation and monitoring are essential