VMworld: Security, regulatory concerns still a challenge in virtualisation

Until auditors, such as those approving PCI compliance, approve how vShield will be set up, it can't be used in day-to-day production.

LAS VEGAS: While VMware users harbor little doubt about the cost savings and productivity gains brought by virtualizing their networks, security concerns still exist on many fronts, whether it's figuring out how to meet regulatory compliance with auditors, or evaluating cloud services.

Numerous regulatory regimes, such as the Payment Card Industry (PCI) guidelines for cardholder data, make it questionable whether it's possible to hold sensitive data subject to high security on the same virtual machine as non-sensitive data. The answers about so-called virtualization "mixed mode" data security could be totally different based on what any given internal or outside auditor might say, which puts network managers on the spot when trying to secure networks where server virtualization is speeding along.

VMWARE CEO: Cloud to end desktop era

"There are compliance challenges," said Paul Wallace, server administrator for GM Financial, who spoke on a panel at the VMworld Conference being held here at two side-by-side Las Vegas hotels filled to overflowing with about 19,000 attendees. Wallace said about 70 per cent of GM Financial's server infrastructure is now virtualized based on VMware, and desktop virtualization based on View is also underway. Use of VMware vCenter Configuration Manager helps in generating reports letting auditors know how sensitive customer data is managed, but he notes it's not easy meeting the demands of the many auditors whose opinions hold sway over any technical decisions.

Susan Seidlitz, systems administrator at Geovera Insurance, pointed out that although her company, almost completely virtualised, has already licensed VMware's vShield security technology for vSphere, it can't actually be put into full use until auditors approve the way it's being deployed.

Included in vShield are ways to set up software-based firewalls or use specific third-party products, such as anti-malware or intrusion-prevention systems, in a manner designed for vSphere.

"We haven't done mixed-mode environment -- that's why we purchased vShield," Seidlitz said. But until auditors, such as those approving PCI compliance, approve how vShield will be set up, it can't be used in day-to-day production.

Today, regulations such as PCI mean "you have to have a lot of firewalls," said George Gerchow, director of VMware's Center for Policy and Compliance, which advises customers on these issues. Healthcare, with the HIPAA privacy and security rules, is also heavily regulated and can impact virtualization deployments, he added.

Gerchow acknowledges auditors are often negative about the idea of a virtualized mixed-mode security environment where more sensitive data sits in a guest operating system on the same virtual machine next to a guest OS with less sensitive data. Speaking on the panel, he expressed some frustration about it. "A lot of auditors aren't on board yet. They haven't got a clue. They're still living with technologies of 10 years ago."

At other VMworld sessions, some enterprise IT managers not subject to the same kind of strict regulation as financial services, for example, acknowledged their lot was different and they faced far fewer questions of this kind.

"I make lipstick. I don't have a PCI or a HIPAA," said David Giambruno, senior vice president and chief information officer at Revlon. He said Revlon over a two-year period has saved about $70 million through server virtualization based on reduced costs for hardware, support and other factors such as cutting data center power costs by 72%.

Revlon can move applications about at will across its enterprise through virtualization, a capability that served well in being able to quickly restore application services when a fire not long ago struck a Revlon facility in Venezuela, he noted.

With its recent Site Recovery Manager 5.0 and vSphere Replication products in vSphere 5.0, VMware is making it possible to automate recovery processes between sites and replicate files between sites. This is winning plaudits from service providers that work closely with VMware, including FusionStorm, iLand, and VeriStor, that offer cloud-based services for disaster recovery and business continuity.

Executives from these cloud-based disaster-recovery service providers yesterday touted new services at VMworld. But the question is, since the VMware SRM 5.0 software only supports VMware-based virtualized environments, what can customers with non-VMware environments expect?

VeriStor and, for instance, said they didn't offer virtualization-based continuity services for non-VMware environments. But VeriStor can offer more traditional disaster-recovery services as it's done for the past decade. And iLand would be able to provide some support for Microsoft Hyper-V and Citrix with specialized equipment from Akronis. vice president of engineering Matt Ferrari said his firm expects to support Microsoft Hyper-V systems in the future under a project now in the works with Microsoft.

Read more about wide area network in Network World's Wide Area Network section.