Setting up a vSphere infrastructure to host cloud environments is not as simple as making sure the right hosts are running the right virtual machines. You’ll probably also want to conduct compliance testing to make sure that your environment is compliant with current security regulations that apply to your organization. In this article, you’ll read how VMware can help.
VMware offers free compliance testing tools that focus on two areas. First, there is a VMware PCI Compliance Guidelines Checker for Windows and one for Linux. This tool scans up to five Windows Servers or five Red Hat Linux Servers against the PCI DSS v2.0 requirements. Next, there is the VMware Compliance Checker for vSphere, with separate tools for vSphere 4.0, 4.1 and 5.0. Each tool runs assessments on ESX and ESXi hosts that are managed by a vCenter Server to check whether a predefined subset of the vSphere Hardening Guide rules is correctly applied. The tool can do this for the first five ESX/ESXi hosts it finds on the target vCenter Server.
Using the tools is easy: download and install them on a Windows workstation, enter up to five machine names or IP addresses you want to check, and then click Assess Compliance. The checker will then perform compliance testing and show which rules have matched and which have not.
The PCI DSS 2.0 standard gives an overview of security recommendations for the platform you’re using. Some tools and services on specific platforms are known to be unsafe and these are all listed in the PCI DSS 2.0 standard. Examples include the rsh and finger services on the Linux platform, which can allow outside parties to more easily access your system and request sensitive data. You can get a complete list of the items that these tools check for from the help section in the Compliance Checker application. Once completed, the compliance checker gives an overview of all potential security problems, which allows the administrator to easily identify and fix issues.
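A check of the kind described above, written as an added example; it is not VMware's checker or its rule set. It assumes the Linux host runs rsh and finger through xinetd, with stanza files in a directory such as /etc/xinetd.d; the function names and sample files are constructed for illustration.

```sh
#!/bin/sh
# xinetd service names to flag: "shell" is the name rsh's daemon is registered
# under in /etc/services; "finger" is the finger daemon.
LEGACY_SERVICES="shell finger"

# Print "<file>: <service>" for every flagged service stanza in directory $1
# that does not carry "disable = yes" (such a stanza is treated as enabled).
enabled_legacy_services() {
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        awk -v legacy="$LEGACY_SERVICES" -v file="${f##*/}" '
            BEGIN { n = split(legacy, a, " "); for (i = 1; i <= n; i++) want[a[i]] = 1 }
            { sub(/#.*/, ""); gsub(/=/, " = ") }   # strip comments, isolate "="
            $1 == "service" { name = $2; disabled = 0; next }
            $1 == "disable" && $2 == "=" { disabled = (tolower($3) == "yes") }
            $1 == "}" { if ((name in want) && !disabled) print file ": " name; name = "" }
        ' "$f"
    done
}

# Constructed sample directory (not taken from a real host): rsh left enabled,
# finger disabled, and an unrelated service that must not be reported.
make_sample_dir() {
    d=$(mktemp -d) || return 1
    printf 'service shell\n{\n\tdisable = no\n\tserver = /usr/sbin/in.rshd\n}\n' > "$d/rsh"
    printf 'service finger\n{\n\tdisable = yes   # turned off\n\tserver = /usr/sbin/in.fingerd\n}\n' > "$d/finger"
    printf 'service time\n{\n\tdisable = no\n\ttype = INTERNAL\n}\n' > "$d/time"
    echo "$d"
}

sample=$(make_sample_dir)
enabled_legacy_services "$sample"   # prints "rsh: shell"
rm -rf "$sample"
```

On a real host, call `enabled_legacy_services /etc/xinetd.d`; an empty result means neither service is enabled through xinetd, but it says nothing about services started by other means.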
The list of items the compliance testing checks is a result of the research conducted by the VMware Compliance Center. This center gives an overview of the research that VMware is performing to make sure that its products can maintain security in a virtual environment. In your search to optimize security and compliance, it is a good idea to look at the white papers listed on the Resources tab in the Compliance Center.
VMware believes that implementing regulatory compliance should be easier in a virtualized environment, and you can see this in some of its products. vCenter Configuration Manager makes it easier to implement the same policies on all virtual machines, which is often much harder to do on separate physical servers.
However, maintaining regulatory compliance requires diligence beyond what automated tools can do for you. It is also important to use good administrative policies and lay out protocols to describe how certain tasks need to be approached in a virtualized environment. In the VMware Compliance Center you can find all current information sources that help you in asking the right questions.