Does Virtualisation Break Compliance?

Companies face a huge pressure to modernise their IT, and boost efficiency. But they also have to comply with regulations. What happens when these two forces collide?

IT cannot stand still. New and better ways to do it keep emerging, and any company that fails to keep abreast of improvements like virtualisation and mobility runs the risk of missing the benefits.

At the same time, however, past accounting scandals and failures have led to the creation of regulations for every industry that specify how IT should be set up and managed. The US Sarbanes-Oxley rules, for instance, are designed to prevent a repeat of scandals like Enron, and the Payment Card Industry (PCI) Data Security Standard (DSS) specifications are intended to stop credit card details leaking from shops.

Irresistible force meets immovable object?

So what happens when a company has a burning desire to virtualise, but has to stick within the rules of the compliance regimes that apply to it?

This can cause problems, according to a webinar I chaired last week. “In PCI, you must implement functions on dedicated hardware,” said Sarb Sembhi, a security consultant at Incoming Thought, “which seems to rule out virtualisation on the face of it.”

However, if you look at the situation in more detail, things should be all right, said Sembhi: “If you have the spirit of the regulations in place, I don’t think there are going to be any problems.”

In fact, the makers of compliance regimes have users’ interests at heart, and attempt to keep the rules separate from the physical implementation. Tying the regulations to a specific set of hardware implementations would be stupid, and the regulators are not stupid.

“Compliance can lag technology,” said Kevin Wharram, virtualisation security consultant with the ISACA Security Advisory Group. Some regulations may have been written to require users to keep resources on separate physical hardware, but these were put in before the rise of virtualisation and don’t take account of the benefits of virtualising.

In most cases, compliance auditors will look at the required results, and not impose nonsensical demands. Both Wharram and Sembhi assured me that the people making compliance regimes do their level best to address issues at a general enough level so the regulations apply to all physical architectures.

Watch for controls

In the end, compliance regulations are really about procedure and management, and the real impact of virtualisation on compliance is in that area, said Wharram: “The biggest issue around virtualisation is around processes and controls.”

By providing web-based interfaces, virtualisation environments make it easier to change the settings of servers and virtual machines. That ease opens the door to unintended consequences of those changes, and this is where the real danger of virtualisation lies.

Virtualisation may be a fundamental change to the way services are provided in a business, and it may introduce new security risks, but these are not deal breakers.

Auditors for the different regimes are going through the same learning curve as users. The real requirement is to make sure that you understand exactly what is happening in your IT, and that you can report on and monitor it clearly, both for your own use and for the auditors who help you check on this.

The audience agreed – in a poll, no-one said that virtualisation would prevent them being compliant, and the biggest number believed that virtualisation would actually help make their systems compliant, by increasing the reliability and manageability of their servers.

“Virtualisation is mature enough to use in a business environment,” said Sembhi, “but there is a lot we need to understand over the next few years.”

The webinar is available to listen to in recorded form.

Peter Judge

Peter Judge has been involved with tech B2B publishing in the UK for many years, working at Ziff-Davis, ZDNet, IDG and Reed. His main interests are networking security, mobility and cloud