Many people have been interested in knowing when vSphere 4 will achieve Common Criteria certification, as was the case for ESX 3.0 and vCenter 2.0 and as will be the case for ESX/ESXi 3.5 and vCenter 2.5. Common Criteria is important for government and defense customers, since it is often a requirement for many of their IT environments, but it is also valuable for other customers, since it represents an objective measure of a software product’s security. Having Common Criteria certification, especially at the higher levels, is often used by security professionals and auditors as a way to gauge whether or not a product should be considered for use in security-sensitive environments, such as credit-card transaction systems.
I am happy to report that VMware vSphere 4 has begun the Common Criteria certification process for vSphere 4.0 at EAL4+. This specifically includes ESX 4.0, ESXi 4.0, and vCenter 4.0. We have received the letter of intent from the security consulting firm hired by VMware for the evaluation; unfortunately, we cannot post it here, but interested customers should contact their sales representatives directly if they want to see a copy of it.
As you might be aware, the journey towards final certification can be a long one, due to the extensive documentation requirements and rigorous tests that the products must undergo. We’ll provide updates at major milestones of the certification process, but the expectation is that final certification will be achieved in the 2nd half of 2010.
Those of you who went to the RSA show in April and who visited the RSA booth may have seen a proof of concept showing an integration between VMware vShield Zones and RSA's DLP product. It showed how these products working together can prevent leakage of sensitive data in email, web traffic, etc., right from within the fabric of the virtualization layer itself. A video taken during the show is now posted, in which VMware's Allwyn Sequeira and RSA's Magnus Nystrom go over the demo.
I will be presenting on a joint webinar with Reflex and TrustNet on PCI Compliance and Virtualization. The presentation will cover the following:
* The top challenges enterprises face when it comes to addressing PCI DSS compliance.
* The benefits of virtualization that bring reduced cost, efficient application, more business continuity and automation to organizations.
* The latest best practices for visibility, segmentation, and policy enforcement to control and audit changes in the virtual infrastructure.
One of the most exciting new features of vSphere 4 is the ability to use a virtual switch from a third-party networking vendor, and the first instantiation of this is the Cisco Nexus 1000V. With this in place, network administrators who are used to working with Cisco devices can now monitor and manage the virtual switches on ESX just like they would any other physical switch. They can also set security policies and configurations that they know and are used to working with. This is an important aspect of being able to use vSphere in more security-sensitive applications, such as the DMZ.
Recently, Cisco and VMware jointly released a white paper on virtualizing the DMZ with vSphere 4 and the Nexus 1000V virtual switch. From the abstract:
This paper tackles the subject of DMZ security and virtualization. It covers a number of DMZ security requirements and scenarios, presenting how vSphere users can implement the Cisco Nexus 1000V virtual switch in a DMZ.
You can download the paper here. There is also another paper which goes over the general issues of virtualization with mixed trust zones, available at this link.