
Tag Archives: Compliance

CIS and DISA CP&C toolkit update

Hi All,

The VMware Center for Policy & Compliance (CP&C) is pleased to announce the availability of the latest Center for Internet Security (CIS) and Defense Information Security Agency (DISA) Compliance toolkit packages for VMware vCenter Configuration Manager (VCM).

The highlights of this release are as follows:

  1. CIS has new content for
    • AIX 5.3-6.1 and
    • RHEL 6
  2. DISA has new content for
    • HP-UX 11.23 and 11.31
    • Solaris 10
    • AIX 6.1 and
    • RHEL 5


VMware CP&C releases IRS 1075 Content in vCM!

The VMware Center for Policy & Compliance (CP&C) is pleased to announce the release of IRS 1075 content in vCenter Configuration Manager (vCM), a key component in the vCenter Operations Suite (vC Ops).

The purpose of 1075 is to protect Federal Tax Information (FTI) and secure Safeguards for Protecting Federal Tax Returns and Return Information.

Introduction to IRS 1075 for Virtualization

To utilize a virtual environment that receives, processes, stores or transmits FTI, the agency must meet the following mandatory notification requirements:

Notification Requirements 

  • If the agency’s approved SPR is less than six years old and reflects the agency’s current process, procedures and systems, the agency must submit the Virtualization Notification, which will serve as an addendum to their SPR.
  • If the agency’s SPR is more than six years old or does not reflect the agency’s current process, procedures and systems, the agency must submit a new SPR and the Virtualization Notification.

 

With the IRS 1075 content in vCM, our customers will be able to get a great dashboard to track their Compliance posture:

[Image: IRS.1]

You can also break down the compliance results by data type to see where most of your infractions are coming from:

[Image: IRS.2]

From there, you can see the individual rules behind the content that is surfaced in our dashboards. In this release we provided 5 Rule groups, 2 templates and 104 rules:

[Image: IRS.3]

Keep in mind that vCM manages not only virtual environments, but covers physical as well. It is the market leader in Configuration Audit, Change Detection, Patch Management and COMPLIANCE content. Yes! That is right, we can also remediate non-compliant results with a right click in both the virtual and physical world! vCM even has VDI (VIEW) hardening guidelines. Look for our Mobile Compliance Content coming soon…

Also, don't forget about the VMware CP&C FREE compliance checkers! 

https://my.vmware.com/web/vmware/evalcenter?p=compliance-chk&lp=default

The IRS 1075 guidelines are available today and can be downloaded using the vCM Content Wizard.

Feel free to hit us up with questions & comments at:

Hasta La Vista,

George Gerchow – Director, VMware Center for Policy & Compliance


VMware CP&C releases a FREE vSphere 5.0 hardening guideline compliance checker!

I am hanging out in NYC finishing Cloud Expo East where we delivered a rousing session on Cloud Audit & Control with Coalfire AND CP&C is now VERY pleased to announce the release of our FREE vSphere 5.0 compliance checker! Last week we rolled out the 5.0 hardening guidelines in vCenter Configuration Manager (vCM) making it the first product on the planet to have the 5.0 content for our customers. Today, we are giving you access to a FREE vSphere 5.0 compliance checker! How awesome is that?

It is so easy to download and use that you can run it while watching Euro Cup with the sound of GOOOOOOAAAAAALLLLLLLLL!!!!!!!!!! in the background!

 Here is how the vSphere 5.0 Compliance Checker works: 

  • The Compliance Checker runs an assessment on 5 host systems at a time! (The 1st five being managed by an instance of vCenter Server)
  • The assessment is based on a predefined subset of the 5.0 Hardening Guidelines Content that currently exists today in vCenter Configuration Manager (vCM), part of the vCenter Operations Manager Suite (vC Ops)
  • The results for each host include the rules, the rule descriptions, and the success or failure of each rule

 

 Check out the following results report from the vSphere 5 Checker

[Image: ComplianceReport]

All you have to do is authenticate into the vCenter box that you want to assess hosts on.

[Image: VSphereCC]

The VMware Center for Policy & Compliance FREE Checkers are sweeter than bacon and designed to get you hooked & come back for more! 

Here is the link so you can get started hardening your vSphere Environment today. (Remember, we have FREE checkers for vSphere 4.0 & 4.1 AND for PCI 2.0 Windows & Linux)

http://www.vmware.com/go/free-compliance-check-for-vsphere

Next, look for CP&C to release a HIPAA Checker that will be hotter than the Miami HEAT!

Now this poses a few questions and we would love to get your feedback: 

1. Are free tools like this helpful?

2. How do you currently lock down your vSphere environment?

3. Would remediation of the non-compliance results be a good next step?

4. Do you care about regulatory compliance & vendor best practices? If so, which ones? (PCI, HIPAA, DISA, CIS…) 

Jump in the discussion on any of our social media channels – blogs, Twitter, Facebook, or community forum: 

 

Cambio y Fuera!

George Gerchow – Director, VMware Center for Policy & Compliance


 

VMware Center for Policy & Compliance (CP&C) releases vSphere 5.0 hardening guidelines in vCenter Configuration Manager! (vCM)

CP&C is pleased to announce the most anticipated content release to date in vCM, the VMware vSphere 5.0 hardening guidelines! As a critical component of the vC Ops suite, vCM is the FIRST product in the market today to have the official GA version of the vSphere 5.0 Hardening Guidelines. This is just another significant step in our Trusted Cloud initiative in helping customers migrate tier one applications to the VMware Cloud Infrastructure Suite.

What does this mean to VMware vCM customers who want to make sure their virtual systems are compliant?

5 new rule groups and two brand new templates:

[Image: VSphere 5.0 p1]

 Brand new 5.0 hardening guideline collection filters:

[Image: VSphere 5.0 p2]

Great executive compliance results and trending dashboards:

[Image: VSphere 5.0 p3]

You can quickly move from Dashboards to details and see the out-of-compliance data classes. Here is a small sample; there are so many that I cannot get a full-coverage screenshot!

[Image: VSphere 5.0 p4]

Add this DEEP virtualization compliance data to the rich cross platform, heterogeneous change detection, configuration\ patch management, best practices and regulatory compliance content vCM has today & you will be well on your way to successfully hardening your environment. (Yes, I did say Virtual, Physical, Windows, Linux, Servers, Desktops\ VDI…) This is better than bacon!

Whhheeeeewwwww, I ran out of breath reading it back.

The guidelines are available today and can be downloaded using the vCM Content Wizard.

 Feel free to hit us up with questions & comments at:

Hasta La Vista,

George Gerchow – Director, VMware Center for Policy & Compliance

 

VMware (CP&C) Releases PCI 2.0 FREE Compliance Checkers!

Hola Amigos y Amigas,

Today we are going to give you access to two (That’s right, DOS!) FREE downloadable tools that help you get started on the journey to achieving PCI 2.0 Compliance.

The PCI 2.0 Compliance Checkers for Windows and LINUX are fresh off the virtual assembly line and compiled by the good folks at VMware’s Center for Policy & Compliance! (CP&C)

 Here is how they work: 

  • The Compliance Checkers run an assessment on 5 Guest systems at a time!
  • The assessment is based on a predefined subset of the PCI 2.0 Content that currently exists today in vCenter Configuration Manager (vCM), part of the vCenter Operations Manager Suite
  • The results for each guest include the rules, the rule descriptions, and the success or failure of each rule

 Check out the following results report from the LINUX Checker. Pure AWESOMENESS! 

[Image: PCI.Checker.Linux.4.12]

The Compliance Checkers are designed to get you hooked and come back for more! 

Here is the link so you can get started hardening your vSphere and Guest Environment today. (Remember, we have FREE checkers for vSphere 4.0 & 4.1)

https://www.vmware.com/tryvmware/?p=compliance-chk&lp=default&cid=70180000000MJsMAAW

The vSphere 5.0 Checker will soon be on its way like a Tim Tebow Comeback! (Too bad his comebacks will be for the Jets, I love my Broncos but am not happy about the Manning move.) Just sayin…

Now this poses a few questions and we would love to get your feedback: 

1. Are free tools like this helpful?

2. How do you currently lock down your vSphere environment?

3. Would remediation of the non-compliance results be a good next step?

4. Do you care about regulatory compliance & vendor best practices? If so, which ones? (PCI, HIPAA, DISA, CIS…) 

Jump in the discussion on any of our social media channels – blogs, Twitter, Facebook, or community forum: 

 Peace Out!

George Gerchow – Director, VMware Center for Policy & Compliance

 

 

vCenter Configuration Manager 5.5 is now Generally Available

As you are probably aware, back in October we unveiled the VMware vCenter Operations Management Suite designed to deliver integrated performance, capacity and configuration management for virtualized and cloud computing environments.  What is less well known is that VMware vCenter Configuration Manager is the anchor for the “configuration” management capabilities within the suite.  Having been part of Configuresoft for several years before it was first purchased by EMC and then sold to VMware, I feel a bit like a dad watching his baby grow up.  The technology that was Configuresoft is at the heart of vCenter Configuration Manager.

 With today marking the general availability of vCenter Configuration Manager 5.5, I am both excited and proud to see this one go out the door.  vCenter Configuration Manager has always been a great solution for ensuring that Operating System software, whether Windows, Linux or Unix is properly configured to meet a broad range of security best practices, vendor hardening guidelines and regulatory mandates (think HIPAA, PCI, SOX etc).  But with this release, vCenter Configuration Manager becomes an indispensable part of the VMware family – addressing core requirements of the Virtual Infrastructure teams looking to leverage the VMware Cloud Infrastructure Suite as the foundation for business critical workloads moving to the cloud.

The primary theme for vCenter Configuration Manager 5.5 release is “Cloud Ready”.  New capabilities within this release significantly increase the ability of the Virtual Infrastructure team to ensure that their VMware Infrastructure is properly configured to meet the rigorous demands associated with virtualizing business critical workloads; including addressing requirements associated with VMware’s own hardening guidelines.  

This new release dramatically increases the ability to track configuration changes and to assess configuration compliance across the VMware Infrastructure including ESX, ESXi, vCenter, vCloud Director and vShield products.  There are also a substantially greater number of new configuration actions that can be executed against vCenter and ESX, ESXi configurations.  These configuration actions can be executed against a single object or in bulk against multiple objects spanning multiple vCenters.  They can be executed as part of an organization’s general configuration management processes or as part of a configuration compliance program. 

The enhancements to vCenter Configuration Manager 5.5 put tremendous visibility and control at the fingertips of the Virtual Infrastructure team responsible for VMware Infrastructure.  To help illustrate this I have included an example of how vCenter Configuration Manager can help manage configuration changes across the VMware Infrastructure (Figure 1). This particular high level dashboard is focused on the Virtual Infrastructure team and shows all changes that have occurred across the VMware Infrastructure for a specific time period.  

[Figure 1]

 

You can quickly drill down into any of these dashboards to investigate anything of interest or concern.  In this example I’ve drilled down into a specific vCenter (Figure 2) to understand a change associated with the “client.timeout.normal” setting.  I can see that this setting has been changed from 60 seconds to 10, which I know is out of compliance with operational best practices for vCenter (which call for this setting to be equal to or greater than 60 seconds).

[Figure 2]

In addition to the ability to see and understand prior changes, vCenter Configuration Manager provides the ability to change configuration settings across the VMware infrastructure (Figure 3).  I can do this for a single object or for multiple objects.  Bulk configuration changes can be directed across objects that span vCenters. 

[Figure 3]

Finally (Figure 4) I can proactively manage configurations through compliance where I create rules and templates (collections of rules) for any configurations I want to ensure are uniformly applied across my entire virtual data center or subsets of “like objects” in my data center.  vCenter Configuration Manager comes with a rich set of templates out-of-the box that can be used as is or as the starting point for the development of your own internal best practices.  

[Figure 4]

The new capabilities of vCenter Configuration Manager 5.5 significantly increase the value delivered to customers purchasing the vCenter Operations Management Suite Enterprise Edition where today vCenter Configuration Manager is included to address critically important use cases associated with “hardening” the VMware Cloud Infrastructure Suite. 

Other significant enhancements to vCenter Configuration Manager in this release include:

  • Ability to create machine groups within vCenter Configuration Manager based on organizational constructs (clusters, virtual datacenter, application trust zones) within vCenter, vCloud Director and vShield.
  • Support for configuration and compliance management for virtualization specific constructs such as templates and offline VMs (via VMware vCenter Orchestrator workflows delivered separate from the release)
  • The ability to snapshot a VM before making a configuration change
  • Support for the “Security Content Automation Protocol” (version 1.0) –  important to federal agencies
  • A new REST based API that will allow vCenter Configuration Manager to more fully participate in VMware and 3rd party ecosystem solutions

Early feedback from customers involved in beta testing has been extremely positive.  The increased ability of vCenter Configuration Manager to harden the VMware Infrastructure combined with the existing strength of the product to harden the Operating System (Windows, Linux, Unix) make vCenter Configuration Manager fundamental to clouds built on VMware technology.  More information can be found by visiting the vCenter Configuration Manager page on VMware.com.   Also, be sure to download the free vSphere Compliance Checker which will help you better understand the value that vCenter Configuration Manager delivers to organizations looking to move business critical workloads to the cloud.

Peace Out!

George Gerchow, Director, VMware Center for Policy and Compliance

 

RSA Conference San Francisco 2K12 – Back to the Golden Age

Greetings securanerds and compliance aficionados! 

The RSA Conference has made a HUGE comeback this year in Tim Tebow\ Jeremy Lin-Sanity "like" fashion and secured its rightful place as the largest & best security conference on the planet.

Art Coviello got things started with some HEAT as he preached the "Hack Back" message. The Buzz at RSA was intense and fresh as new privacy initiatives and cloud computing are driving life back into the security space along with compliance. The sessions and expo floor were simply PACKED! It was great to see the usual security Titans displaying their knowledge & goods along with up and comers like HyTrust who had their brand on the back of every badge.

For VMware Center for Policy & Compliance (CP&C), it was immediate action from day uno as we were busier than a one-toothed man in a corn-on-the-cob eating contest! (No offense to my single fanged friends, it is just the truth :-)

We started off with announcing our upcoming release of vCenter Configuration Manager (vCM) 5.5 part of the vCenter Operations Manager Suite (vCOPS), the best vSphere, Cloud Infrastructure Suite & Config\ Compliance Management Tool in the industry. You will hear more about vCM 5.5 when it goes GA on March 15th but I must give you a sneak peek, 5.5 may be sweeter than Crispy Bacon!

vCM 5.5 Example report showcasing vCenter and vCD Permissions:

  • Providing a single view of permission levels across vCenters and vCDs that can be filtered by User, Group, Object, etc.
  • NOBODY else in the systems management space today can do this except for vCOPS & vCM!

Check it:

[Image: VCM 5.5 Effective Permissions Report]

 

Next was an interview at the RSA booth on EMC Live TV going over our combined integration with VMware, EMC & RSA into Archer (eGRC) solution to deliver "Compliance Across the Stack" bringing together technical controls with policy enforcement. The demo showcases Server, Network and Storage Compliance results in Archer! This is a LARGE step in our Trusted Cloud initiative "Meeting Customers Compliance Requirements to Migrate Tier 1 Apps to vSphere and Cloud Environments".
Here is the Video:   

http://www.youtube.com/watch?v=fM6ndYZt_2o&list=UUWAJOJJM6yeRNWyyV5_swVw&index=9&feature=plpp_video

And our blog on the announcement with screen shots from the integrated Archer Demo:

 http://blogs.vmware.com/alliances/2012/02/vmware_emc_rsa.html

We kept the vibe alive as our honorary CP&C member Davi Ottenheimer "The Flying Penguin http://www.flyingpenguin.com/"  threw some deep knowledge at folks during his Sessions:
    CLD-108 Lightning Round: Data Confidentiality and Integrity in the Cloud
    DAS-302: Message in a Bottle – Finding Hope in a Sea of Security Breach Data

I hope you got a chance to see him in action, if not you can catch Davi live in Vegas singing Sinatra at the Venetian Showroom. (Seriously http://davisingssinatra.com/)
Finally we started wrapping things up with the VMware communities podcast #177 covering the conference with my RSA pal Mike Foley:

Switching gears a bit, we also saw blatant displays where policy & technology could not prevent human action from putting the environment at risk. There were several people who made their way into sessions by telling the door staff "We are with the Speaker". In all cases, the hoodlums were welcomed without any identified credentials, verification from the speaker or proof of having a delegate badge. It just goes to show you that visibility, training and accountability are key ingredients to securing an infrastructure in a compliant fashion. (Next year just buy a full conference badge people!)

Last but not least and to get your weekend started with a laugh, check out the following HILARIOUS video on VMware security and compliance solutions for the Cloud:

Feel free to hit us up with questions & comments at:

Have a great weekend, snow is falling all over the west so hit the slopes if you can!

Please excuse any typos or grammar mistakes, after all I am ESL and will lean on that as long as possible.

Peace Out!

George Gerchow – VMware Director, Center for Policy & Compliance

 

“Let’s get out of the weeds”

As part of VMware’s Security & Compliance Specialist team, we’re brought in to speak about a very wide range of concepts that extend from CPU architecture all the way up to the traditional tools like Firewalls, IPS’, Anti-Virus, and many others. Usually there’s some type of compliance question or concern driving the need to have a security conversation. And what most people don’t explicitly realize is that a discussion about security, whether physical or computer, always distills to the lowest common denominator being ‘trust’.

The concept of trust is an interesting notion. Trust is usually a faith or belief based emotion, and the hope that we hold for one another is that in matters of science and technology that trust is based upon some empirical evidence and well-informed reasoning. So obviously education is often our best methodology to assist customers with building that trust around our products.

Often the questions I receive are not about things like virtualized security products, like vShield, or the various APIs that have been developed. Instead the focus is most often on the vSphere platform itself. The reasoning behind this is mainly a lack of accurate information of sufficient detail available in the market. For several years VMware did a great job of building a secure architecture of vSphere but did not focus on advertising much of those design decisions, not because it wasn’t important but because it was not a topic our customers were expressing a need to have with us. Obviously as customers move through their own unique virtualization journey and move into Phase 2, Business Production, they are tackling security and compliance concerns around the more mission critical applications and data that are beginning to be virtualized. Having these conversations is also a precursor of things that need to be resolved prior to a company investing in a private, public, or hybrid “cloud” solution as it all relates back to how well a company can trust the technological controls that have been put in place.

Since I am so often asked questions about vSphere, that tell me the asker does not trust vSphere, or any hypervisor platform, I am frequently having a discussion on what I call “building a pyramid of trust”. Like any structure, the foundation is the most important part because without a well-formed base, in this case with regards to knowledge, it is highly unlikely the other pieces layered on top will be stable enough to continue adding more layers. In my pyramid, my base consists of the core constructs of virtualization. These are the Core Isolation Principles that describe exactly how the hypervisor is designed to separate out itself from the virtual machines and also what keeps each VM separate from one another.  Should these principles be violated, so would the isolation described by the very definition of virtualization.

To help explain the core principles I break apart the functions of the hypervisor into 4 key areas: CPU, Memory, Storage, and Networking. Each of these describes the physical functions that are abstracted into the VMs themselves. The ways in which this abstraction occurs are very key concepts to fully grasping and understanding how we’ve developed our platform from the ground up with security in mind. It shows through in how we isolate specific CPU instructions, how our memory is layered, abstracted, and allocated, through the storage platform, and most importantly the protections guarding against remote exploit and arbitrary code execution. All of these things build defense in depth techniques that layer security in a virtualized environment.

Many security practitioners have built their careers focusing on more up leveled concepts of security, and their primary attention was never much directed to the physical hardware interfaces themselves. Much in the same way that server admins were not familiar with centralized storage and networking when we taught them how to virtualize over the last 10+ years. We are helping the security admins also break down their traditional barriers of understanding and now helping them to understand all of these other disciplines in the context of their day-to-day activities.

The interesting part is the resistance we face in educating security teams about all of these technologies and helping to build their trust in the technology. The experience thus far has shown that the typical US corporation is full of cliché terminology, which we’ve already known for years. Dilbert, The Office, SNL, all have made us laugh for hours at what we have become. Even with all this exposure to the ludicrousness of business clichés, I was taken aback a few weeks ago when an attendee at a meeting said we needed to “get out of the weeds”. It was obvious with that one statement that this person was not able to see the foundation of the pyramid being built. They were not willing to connect the dots and see how knowing the information being presented was able to answer all of their questions. Instead, they were using their pre-conceived notions that were founded on mis-information and FUD in the market to limit their ability to absorb the material in an educational context.

I don’t blame this person for their comment. In the day and age we live, time is precious and things happen so quickly it’s hard to keep up with changes in business without sacrificing too much personal time. We’re constantly being asked to make value judgments on which information is worthwhile to absorb vs deciding when it’s time to move on. For some of us, our thread of patience is stretched to the breaking point already.

After a few days had passed, the meeting organizer came back to me and said how grateful they were to have the conversation. They said the discussions that were sparked both during our meeting and in the days following have caused some very positive decisions to be made, mostly because of the comment made by that one individual to “get out of the weeds”. That was a key indicator for many other attendees that their co-worker was resistant to change and, to use another cliché, “unable to see the forest for the trees”.

This is not an all-too unique situation for us. In fact, it’s become more of a norm for our team to have initial education meetings followed a week or two later by another meeting to review the information again. The reason is that we’ve got to come back and reinforce and inspect that foundation of the pyramid so our audience fully builds their trust of our solution. We’re having great success in this education endeavor and we look forward to meeting with you and your teams in the future.

– Rob

 

 

Rob Babb is a Senior Systems Engineer on the Security and Compliance Specialist team at VMware. 

CP&C Releases vCM PCI 2.0 Content, Combine this with vShield & WOW!

The VMware Center for Policy and Compliance is pleased to announce our latest content update for PCI 2.0 in vCenter Configuration Manager ™ (VCM).

PCI 2.0 is right around the corner 2k12 and many of you should be preparing for these audits yesterday!

Are any of you starting to prep for PCI 2.0? Please share your concerns, we want to help! Get CP&C in touch with your QSA.

Here is a sample of what has changed, for more information check out the PCI DSS v2 Summary of Changes doc.

Scope of Assessment for Compliance with PCI DSS Requirements

  • Added “virtualization components” to the definition of “system components.”  

Network Segmentation

  • Added clarifications including that segmentation may be achieved through physical or logical means 

What’s new in this package? Platform support for:

  • Windows 7,
  • Windows Vista
  • Windows XP
  • Windows 2003,
  • Windows 2008
  • vSphere/ESX
  • UNIX & LINUX 

How does this help you address your compliance needs?

This is at the core of what VMware offers as part of our Trusted Cloud Solution. At VMworld, we announced our PCI self healing Virtual environment around CDE and auto segmentation of VM’s based upon data, defining relationships to those VM’s and continually applying policy & remediation to the entire environment. The Combination of vCM, vShield & VIN make for a Compliance Solution that is unmatched in the market and works for other use cases like HIPAA. (See Diagram Below)

[Diagram: Self.Healing]
 

How do you get the new content?
Customers wishing to harden their PCI 2.0 environment can download the new content via the VCM Content Wizard.

Be on the lookout for a free PCI 2.0 checker to be released by CP&C later this year!

Also, feel free to hit us up at:

Adios,
George Gerchow VMware Director, Center for Policy & Compliance

Is Healthcare Ready for the Cloud?

Healthcare peeps, HIPAA\ HITECH has teeth and the fines handed out this year are HUGE. 

The best example was Cignet Health Center, a group of clinics based in Prince Georges County, Md., that operates a health plan. It was fined $4.3 million for failing to turn over medical records to patients who requested them and failing to cooperate with the HHS probe. (Feb 2k11)

http://www.ama-assn.org/amednews/2011/03/07/bisb0307.htm 

For my friends in EMEA, you're having issues around PHI as well. NHS lost unencrypted devices with patient records.

http://www.itpro.co.uk/634225/nhs-laptop-with-8-6-million-medical-records-missing

Finally, for those of you who are obsessed with Celebrities, don’t let that spill over into your job! Personally, I could care less about what Miley Cyrus is doing next, but some people just can’t help themselves.

"The University of California at Los Angeles Health Services has agreed to pay a $865,000 fine and pledged to tweak their infrastructure after potentially violating the HIPAA regulation when several employees apparently accessed the health records of various celebrity patients at the hospital without valid justification."

http://thunderfeeds.com/reader/news/ucla-hospital-hit-with-hipaa-fine-on-celeb-records 

So, if Healthcare IT shops can’t cut it when it comes to protecting PHI, or meaningful use around EHR, should the business turn to the Cloud? 

From what I can see, part of the problem is some OLD legacy Healthcare apps cannot run on x86 and do not support Virtualization.

So, maybe a few things need to happen:  

  • Assess the risk of apps that can no longer be maintained and will not meet compliance standards, versus the ease of migrating at least the front end of the legacy systems to a virtual platform
  • There are a ton of healthcare apps that are cloud ready and work on mobile devices
    • http://www.readwriteweb.com/cloud/2010/11/3-mobile-healthcare-apps-that.php
    • Approximately 60% of all doctors today use iPads or similar devices (IDC)
  • VMware has the infrastructure to support those apps and allow IT shops to build private cloud services that can be moved to public providers during periods of high demand
    • And… ported back of course :)
  • For some small Healthcare Organizations, they are moving their services and patient data to Cloud Providers like NaviSite
    • http://www.informationweek.com/news/healthcare/EMR/231601342
    • BTW: A lot of these orgs are adopting HITRUST as a certification process to meet HIPAA\ HITECH Compliance

The main concern is Trust, will Large Healthcare Organizations “Trust” cloud providers with Medical Records? 

My guess is yes, they will in time. At VMware we are working on Trusted Cloud Solutions with other vendors to build an ecosystem that will let Consumers move their workloads with confidence to the cloud. The key will be if the Providers will allow the Consumers to validate that “Trust”.  The Consumer holds the power, as my colleague and active QSA Davi Ottenheimer says, “If a service provider refuses to give you the log services or compliance support you need, it may be time to find another provider.”

When it comes to Healthcare, yes, the complexity of how regulated the vertical is when it comes to compliance could make it difficult for a Provider to offer those services. However, if we are really going to make the Journey to the cloud, Providers need to bake in cost efficient Security & Compliance solutions for consumers as part of their offering and open the kimono to let the Consumer Validate what is happening with their assets. 

We would love to get your feedback on the comments above, hit us up here or: 

As usual, please forgive me for any spelling and grammar errors. Spanish is my first language and like the rest of us, I am still learning.  

Peace out…