Defining Virtualization's Role in Regulatory Compliance

Question: How are virtualization and compliance related?Shields: Virtualization is an enabler for platforms that are required to drive the business. [In a traditional environment], what I see is all of those chassis in the racks. There is a complimentary interest in security and monitoring the action of users and administrators [for compliance]. The virtualization solutions on the market today provide a very easy and centralized way to collect data on user actions.Question: So it provides a way to track what is happening, which is valuable for compliance as well as security.Shields: Compliance demands that [authorities] know when somebody has gained access, rebooted or modified anything in any way. In the old way, if there were six different systems, there would be six different ways to [track this]. Tools that work with virtualization through a single access point will bring together otherwise separate auditable databases. Compliance requires the company to follow user actions and those actions need to be audited in a way that is protected. Some of the virtualization tools have the ability to do that.Question: So virtualization management tools can play an important part in compliance.Shields: It is not a direct impact, but there are some tools now that provide a unified entry point into this environment. There are some tools that enable you to log those activities. These tools are not implemented to fulfill a particular compliance regulation. But bringing virtualization in makes things a little easier.Question: How, precisely, does this happen?Shields: What happens is that virtualization typically can set up very easily defined role-based access that determines who gets access to a console, who creates something, who moves resources, etc. By setting that up, it helps create an environment in which people are only able to do things that are needed by their job requirements. Traditionally, you have data centers with people walking in and having greater opportunity to get into something shouldn’t. Typically, with virtualization that isn’t the case. Virtualization wraps together otherwise disparate interfaces people use to access server resources. It brings it all together into a single user interface that is user-controlled, audited and managed. That is the sweet spot right there. It unifies interfaces and it reduces the touch points.Question: Is this a primary driver of virtualization?Shields: I would not say it is a primary driver. I’d say it is secondary. Companies will say, “Gee whiz, I can use it for this too.” One circumstance, for example, is when you have quasi-trusted personnel that need access to the data center to do their job. Suppose the IT team is trusted, but suppose you have these other people who are not part of IT but are part of a job and need access. At a bank I worked for, for instance, there were people who they brought in to do check processing. The more you can eliminate the quasi- and semi-trusted, the more you increase security. When they virtualized that server, there was a remote console to the server through a virtual interface. They could do what they needed to do without having physical access to the data center.Question: In some instances, it seems that this can be quite an advantage. Is this so?Shields: For some of these regulations, companies need to log entry into the data center. There are data centers I know where there is a sheet of paper for people to sign in and out. I don’t find that to be a high-quality control. What people have found when there is a technical control such as virtualization it is much more reliable than a piece of paper. A signup sheet only keeps the honest people honest. People put in event logs, access control tools and user auditing tools to get to full compliance. They do those things to manage compliance needs. Virtualization enables those things, but doesn’t necessarily directly impact them.