Does Virtualisation Break Compliance?

Companies face a huge pressure to modernise their IT, and boost efficiency. But they also have to comply with regulations. What happens when these two forces collide?

IT cannot stand still. New and better ways to do it keep emerging, and any company that fails to keep abreast of improvements like virtualisation and mobility runs the risk of missing the benefits.

At the same time, however, past accounting scandals and failures have led to the creation of regulations for every industry that specify how IT should be set up and managed. The US Sarbanes-Oxley rules, for instance, are designed to prevent a repeat of scandals like Enron, and the Payment Card Industry (PCI) Data Security Standard (DSS) specifications are intended to stop credit card details leaking from shops.

Irresistible force meets immovable object?


So what happens when a company has a burning desire to virtualise, but has to stick within the rules of the compliance regimes that apply to it?

This can cause problems, according to a webinar I chaired last week. “In PCI, you must implement functions on dedicated hardware,” said Sarb Sembhi, a security consultant at Incoming Thought, “which seems to rule out virtualisation on the face of it.”

However, if you look at the situation in more detail, things should be all right, said Sembhi: “If you have the spirit of the regulations in place, I don’t think there are going to be any problems.”

In fact, the makers of compliance regimes have users’ interests at heart, and attempt to keep the physical implementation separate. Tying the regulations to a specific set of hardware implementations would be stupid, and the regulators are not that.

“Compliance can lag technology,” said Kevin Wharram, virtualisation security consultant with the ISACA Security Advisory Group. Some regulations may have been written to require users to keep resources on separate physical hardware, but these were put in before the rise of virtualisation and don’t take account of the benefits of virtualising.

In most cases, compliance auditors will look at the required results, and not impose nonsensical demands. Both Wharram and Sembhi assured me that the people making compliance regimes do their level best to address issues at a general enough level so the regulations apply to all physical architectures.

Watch for controls

In the end, compliance regulations are really about procedure and management, and the real impact of virtualisation on compliance is in that area, said Wharram: “The biggest issue around virtualisation is around processes and controls.”

By providing web-based interfaces, virtualisation environments make it easier to change the settings of servers and virtual machines. That ease of change opens the door to unintended consequences, and this is where the real danger of virtualisation lies.

Virtualisation may be a fundamental change to the way services are provided in a business, and it may introduce new security risks, but these are not deal breakers.

Auditors for the different regimes are going through the same learning curve as users. The real requirement is to make sure that you understand exactly what is happening in your IT, and that you can report on and monitor it clearly, both for your own use and for the auditors who help you check on it.

The audience agreed – in a poll, no-one said that virtualisation would prevent them being compliant, and the biggest number believed that virtualisation would actually help make their systems compliant, by increasing the reliability and manageability of their servers.

“Virtualisation is mature enough to use in a business environment,” said Sembhi, “but there is a lot we need to understand over the next few years.”

The webinar is available to listen to in recorded form.

Peter Judge

Peter Judge has been involved with tech B2B publishing in the UK for many years, working at Ziff-Davis, ZDNet, IDG and Reed. His main interests are networking security, mobility and cloud.
