Achieving Compliance in a Virtualized Environment
High-profile information security failures resulting in the loss of cardholder data, confidential information, and personally identifiable information (PII) have substantially increased regulatory pressure. Many organizations must now comply with standards such as PCI, regulations such as SOX-404 or HIPAA, and state privacy laws. Traditional IT auditors and security assessors have focused on the physical components of the IT infrastructure. However, virtualization technologies are increasingly used in business processes that carry IT compliance requirements. The goal of this paper is to present the unique considerations that virtualization introduces for regulatory and standards compliance, and then to prescriptively describe how to mitigate those risks:
- Discuss the different regulatory and contractual compliance objectives.
- Explain how to achieve and demonstrate compliance.
- Examine secure virtualization technologies.
- Provide a detailed example of achieving and proving compliance with PCI.