Virtualization is widely seen as a major cost saver, yet does it make compliance (generally seen as a major headache) even harder?
Can a virtualized environment be compatible with regulatory compliance? It's a question rarely raised, but one that's important to address because non-compliance can be serious -- not to mention costly.
In October last year the PCI Security Standards Council (PCI SSC) published the PCI Data Security Standard (PCI DSS) v2.0, and for the first time it was explicitly stated that you could use virtualization technologies and be PCI-DSS compliant. Before that it was up to the auditor to decide if server virtualization -- or any other form of virtualization for that matter -- was acceptable at all, and conservative ones could simply rule it out.
But saying you can use virtualization really opens a can of worms. A recent Ponemon Institute study found that PCI-DSS is widely regarded as a higher priority than all other regulations, including HIPAA, the EU Privacy Directive, Sarbanes-Oxley and US state data-breach laws, as well as the most difficult set of regulations to comply with. Given how hard it is to be in compliance with PCI-DSS at the best of times, what chance do organizations really have of getting auditors to sign them off as compliant when the infrastructure is virtualized?
The good news is that help is at hand in the form of 39 pages of PCI DSS Virtualization Guidelines, published earlier this month by the Virtualization Special Interest Group of the PCI SSC.
Read the rest about compliance and virtualization at ServerWatch.