
VMworld: Security, regulatory concerns still a challenge in virtualization

Disaster recovery as a service gets a boost with VMware's Site Recovery Manager 5.0

By , Network World
August 30, 2011 11:06 AM ET

Network World - LAS VEGAS -- While VMware users harbor little doubt about the cost savings and productivity gains brought by virtualizing their networks, security concerns still exist on many fronts, whether it's figuring out how to meet regulatory compliance with auditors, or evaluating cloud services.

Numerous regulatory regimes, such as the Payment Card Industry (PCI) guidelines for cardholder data, make it questionable whether it's possible to hold sensitive data subject to high security on the same virtual machine as non-sensitive data. The answers about so-called virtualization "mixed mode" data security could be totally different based on what any given internal or outside auditor might say, which puts network managers on the spot when trying to secure networks where server virtualization is speeding along.

"There are compliance challenges," said Paul Wallace, server administrator for GM Financial, who spoke on a panel at the VMworld Conference being held here at two side-by-side Las Vegas hotels filled to overflowing with about 19,000 attendees. Wallace said about 70% of GM Financial's server infrastructure is now virtualized based on VMware, and desktop virtualization based on View is also underway. Use of VMware vCenter Configuration Manager helps in generating reports letting auditors know how sensitive customer data is managed, but he notes it's not easy meeting the demands of the many auditors whose opinions hold sway over any technical decisions.

Susan Seidlitz, systems administrator at Geovera Insurance, pointed out that although her company, almost completely virtualized, has already licensed VMware's vShield security technology for vSphere, it can't actually be put into full use until auditors approve the way it's being deployed.

Included in vShield are ways to set up software-based firewalls or use specific third-party products, such as anti-malware or intrusion-prevention systems, in a manner designed for vSphere.

"We haven't done mixed-mode environment -- that's why we purchased vShield," Seidlitz said. But until auditors, such as those approving PCI compliance, approve how vShield will be set up, it can't be used in day-to-day production.

Today, regulations such as PCI mean "you have to have a lot of firewalls," said George Gerchow, director of VMware's Center for Policy and Compliance, which advises customers on these issues. Healthcare, with the HIPAA privacy and security rules, is also heavily regulated and can impact virtualization deployments, he added.

Gerchow acknowledges auditors are often negative about the idea of a virtualized mixed-mode security environment where more sensitive data sits in a guest operating system on the same virtual machine next to a guest OS with less sensitive data. Speaking on the panel, he expressed some frustration about it. "A lot of auditors aren't on board yet. They haven't got a clue. They're still living with technologies of 10 years ago."

At other VMworld sessions, some enterprise IT managers not subject to the same kind of strict regulation as financial services, for example, acknowledged their lot was different and they faced far fewer questions of this kind.
