2. Compliance to best practice and industry standards is challenging for new technologies like virtualization
Compliance in Virtualized Environments
 - Compliance Standards
 - Assurance of Control Objectives
 - Prescription of Control Implementations
3. New technologies introduce new components and processes, causing conflict with existing control prescriptions
 - "Each server must only have one primary function." [§ 2.2.1, Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire D and Attestation of Compliance, All other Merchants and all SAQ-Eligible Service Providers, Version 1.2, October 2008]
 - "Key components should be protected by segregating the critical applications from the other applications and information." [CI2.1.4(a), The Standard of Good Practice for Information Security]
 - "Utility programs are programs that may be able to override system and application controls. They should be restricted and controlled. If these system utilities are not needed, they should be disabled or removed." [§ 11.5.4, ISO/IEC 27002:2005 Code of practice for information security management]
4. Security boundaries within process and technical domains are still being defined and designed for virtualization
 - What consistent best practice exists for virtualized image management?
 - Are there varying levels of granularity regarding access control within different virtualization technologies?
5. Virtualized PCI Application Domain Model: Relationship Scenarios
 - S1. Untrusted users publicly enter PCI information
 - S2. / S2a. Servers transfer PCI info to provider (S2a. Telephone)
 - S3. Remote locations access applications containing PCI information
 - S6. Staff access PCI application from LAN/WAN
 - S7. Staff access management interfaces of physical and virtual guests and hosts
 - S9. Staff access management interfaces of the routers/switches
 - S11. Data is transferred between the Web-facing PCI servers and internal PCI database servers
6. What do we want to be compliant with? HIPAA, PCI, SOX, GLB, NERC, CFR
 - Do the high level objectives of the compliance standard conflict with virtualization?
 - Does the regulating body allow for interpretation of the standards?
 - Who has the regulating body assigned to attest to the compliance of the standards?
7. What specific control objectives are impacted by virtualization? (Improved?)
 - Process and environment classification (NERC CIP-003-1 R4.2)
 - Extension of information asset classification (HIPAA 164.308(a)(7)(ii)(E))
 - Log Monitoring & Tracking (PCI 4.2 (v1.1))
 - System boundary definition (NIST 800-53)
Are there specific control implementations in conflict?
 - Least Privilege implementation issues
 - Lockout Procedure By-pass
8. What design & service management issues in virtualization are related to compliance?
 - Business Continuity Management
 - Security Audit & Assurance Levels
 - Change Control Implementations
 - Security Domain / Boundary Control
 - Access Control & Privilege Administration
 - Security Operation Schedule Management
Compliance to best practices and industry standards is often difficult for new technologies and service approaches. Although compliance control objectives or control descriptions should remain flexible regarding the specific control implementation, over time some have become too specific about technology implementations, with little guidance on how new technologies or approaches should align. Often new technical components are added to the design and new processes are added to service management when implementing new technologies, leaving many unanswered questions regarding the scope and intent of compliance (i.e. financial control compliance vs. IT value for money).
Example of control prescription conflict in virtualization
What do we want to be compliant with? HIPAA, PCI, SOX, NERC, CFR?
Do the high level objectives of the compliance standard conflict with the virtualization trust domains or the controls available?
Does the regulating body allow for interpretation of control objectives to an environment and technology?
 - Do they dictate whether or not virtualization can be used as a technology?
Who has the regulating body assigned to attest to compliance? Who is accountable for assuring that control implementations meet the control objectives required by compliance?
 - Are you allowed to self-attest?
 - What experience does the third party auditor have with virtualization?
 - Will the third party help or hinder (compliance or intent)?
What specific control objectives are impacted or influenced by virtualization?
Understanding the control objectives related to virtualization and your service management model is key to creating a comprehensive compliance strategy.
Prioritize the identified control objectives and determine whether explicit controls (physical) and control implementations (component) are prescribed by the compliance standard and regulating body.
If explicit implementations are not aligned, can we be compliant?
What design and service management issues in virtualization are related to compliance with your required objectives?
Core Themes (image: SABSA logo)
What real world issues exist with compliance initiatives in virtualized environments?
 - Design and service management is maturing at a high rate in relation to virtualization architecture
 - Experts disagree on the effectiveness of controls and implementations
 - Virtualization allows people and entities to quickly create boundaryless service environments where traceable control implementations may become impossible
What SLAs exist for core controls and/or the infrastructure/data supporting controls?
Do contractual agreements allow system risk to be managed or improved?
How do I approach a compliance review or gap analysis in my environment?
Understand your compliance governance structure
 - Who regulates compliance?
 - Who attests to what level?
 - What type of assurance controls enable compliance?
Understand your virtualization environment security architecture
 - What entities are in
Manage and compensate for real world management and maintenance issues
 - Ensure to promote awareness of the need for on-going assurance vs. static compliance