Achieving Compliance in a Virtualized Environment

High-profile information security failures resulting in the loss of cardholder data, confidential information, and personally identifiable information (PII) have substantially increased regulatory pressure. Many organizations must now comply with standards such as PCI, regulations such as SOX-404 or HIPAA, and state privacy laws. Traditional IT auditors and security assessors have focused on the physical components of the IT infrastructure. However, virtualization technologies are increasingly being used in business processes that carry IT compliance requirements.

The goal of this paper is to present the unique considerations that virtualization presents to regulatory and standards compliance, and then prescriptively describe how to mitigate those risks:

  • Discuss the different regulatory and contractual compliance objectives.
  • Explain how to achieve and demonstrate compliance.
  • Take a look at secure virtualization technologies.
  • Provide a detailed example of achieving and proving compliance with PCI.


Charu Chaubal, Senior Architect in Technical Marketing, VMware. Charu is a Senior Architect in Technical Marketing at VMware, where he enables customer adoption and drives key partnerships for datacenter virtualization. His areas of expertise include virtualization security and compliance and infrastructure management. Charu has been responsible for defining and delivering VMware’s prescriptive guidance on security hardening and operations. Previously, Charu worked at Sun Microsystems, where he had over seven years of experience designing and developing distributed resource management and grid infrastructure software solutions.
Anton Chuvakin, Chief Logging Evangelist, LogLogic. Dr. Anton Chuvakin is a recognized security expert and book author. In his current role as Chief Logging Evangelist with LogLogic, a log management and intelligence company, he is involved with projecting LogLogic's product vision and strategy to the outside world, conducting logging research and influencing company vision and roadmap.
Gene Kim, CTO and Co-founder, Tripwire. Gene Kim, CISA, is the CTO and founder of Tripwire, Inc. In 1992, he co-authored Tripwire while at Purdue University with Dr. Gene Spafford. In 2004, he wrote the Visible Ops Handbook and co-founded the IT Process Institute. Recently, Gene was honored as one of the "Top 4 CTOs to Watch" by InfoWorld magazine due to his "forward-thinking and leading-edge activities." Gene is certified on both IT management and audit processes, possessing both ITIL Foundations and CISA certifications.
Chris Richter, VP and General Manager of Security Products, SAVVIS. Chris is VP and general manager of security products and services at SAVVIS, a leading network, hosting and security services provider, where he is responsible for the managed security line of business, strategy and product portfolio. He leads the effort behind implementing standardized control frameworks and risk management processes across SAVVIS’ dedicated and cloud-based services. He also has a leadership role in working on the company’s “IT Utility,” a virtualized hosting services platform with products currently in use by thousands of enterprises worldwide.
Sean Sherman. With more than 22 years in IT, Sean has been involved in the development of complex IT systems for a variety of industries. He holds a number of technical certifications including CISSP, CISA, PMP and MCSE. He is active in a number of organizations and is currently a board member for a local ISACA chapter. Sean’s background includes Developer, Management of IT, Manager of Consulting Services, Program and Project Management, Senior Consultant and Practice Leader for Classified Information Services.
Tripwire, Inc.
25 Sep 2008
19 Sep 2008
11 Page(s)
White Paper