Compliance GapCompanies willing to implement virtualization technologies are often facing the challenge of aligning their virtual environments’ information security with in-house security policies and/or external regulations. In the latter case, compliance is the critical showstopper for implementing this technology in a production environment. “DMZ consolidation using virtualization will be a “hot spot” for auditors, given the greater risk of mis-configuration and lower visibility of DMZ policy violation. Through year-end 2011, auditors will challenge virtualized deployments in the DMZ more than none-virtualized DMZ solutions.” Gartner, June 2009 With virtualization, meeting the compliance requirements may become a real headache. Along with physical servers, one has to ensure general virtual environment compliance as well as compliance of individual virtual machines that process sensitive information. Moreover, the virtual environment is constantly changing, as virtual machines get moved from one host to another. So, compliance cannot be a “set it and forget it” task – it should be proactively enforced and maintained. |
