Home > Blogs > VMware Security & Compliance Blog > Monthly Archives: September 2011

Monthly Archives: September 2011

CP&C Releases vCM PCI 2.0 Content, Combine this with vShield & WOW!

The VMware Center for Policy and Compliance is pleased to announce our latest content update for PCI 2.0 in vCenter Configuration Manager ™ (VCM).

PCI 2.0 is right around the corner 2k12 and many of you should be preparing for these audits yesterday!

Are any of you starting to prep for PCI 2.0? Please share your concerns, we want to help! Get CP&C in touch with your QSA.

Here is a sample of what has changed, for more information check out the PCI DSS v2 Summary of Changes doc.

Scope of Assessment for Compliance with PCI DSS Requirements

  • Added “virtualization components” to the definition of “system components.”  

Network Segmentation

  • Added clarifications including that segmentation may be achieved through physical or logical means 

What’s new in this package? Platform support for:

  • Windows 7,
  • Windows Vista
  • Windows XP
  • Windows 2003,
  • Windows 2008
  • vSphere/ESX

How does this help you address your compliance needs?

This is at the core of what VMware offers as part of our Trusted Cloud Solution. At VMworld, we announced our PCI self healing Virtual environment around CDE and auto segmentation of VM’s based upon data, defining relationships to those VM’s and continually applying policy & remediation to the entire environment. The Combination of vCM, vShield & VIN make for a Compliance Solution that is unmatched in the market and works for other use cases like HIPAA. (See Diagram Below)


How do you get it the new content?
Customers wishing to harden their PCI 2.0 environment can download the new content via the VCM Content Wizard

Be on the lookout for a free PCI 2.0 checker to be released by CP&C later this year!

Also, feel free to hit us up at:

George Gerchow VMware Director, Center for Policy & Compliance

What is more Secure, Virtual or Physical Environments?

All week, we have been chatting back & fourth about Mixed Mode, PCI and general questions about what is more secure, Virtual or Physical Environments?

Yesterday I got into a swell conversation during a podcast on this very topic. What is your opinion? Let me have it! 

I would argue that only way to keep a Physical Environment totally secure is UPNC. (Un Plugged Network Cable) 

Earlier this week things got a bit heated on Facebook, Twitter and this blog when I said “Mixed Mode” is ok for PCI. 

How is this for timing: 

CESG and VMware Deliver Trusted Platform for Hosting Multi-Level Environments

CESG, the UK National Technical Authority for Information Assurance, and VMware announced that VMware vSphere 4.0 has successfully completed a CESG assessment. It is now possible to host virtual machines from different impact levels on the same platform, up to Business Impact Level 3. 


Mixed Mode is not just limited to Virtual Environments, we have been running  multiple apps, db’s and business services on Physical Machines since the last time the Cubs won the World Series.

 Well, maybe somewhere between that time frame and when the Bears last won Superbowl. 

Seriously, security is usually blind in physical environments, we run VA tools that only work in broadcast domains and BTW, how much info can you get from a Physical system that is powered off?

In case you have not guessed, the answer is ZERO

How acceptable is that? Not very in my book. 

Is this the case in Virtual Environments? Check out this use case around the OVF Standard and tell me what your thoughts are: 


Basically, in some cases the metadata that I can get from the  Virtual Infrastructure makes it more Secure than Physical especially when it comes to dormant, suspended or offline systems. 

As per usual, forgive my ESL expressions, maybe I should blog in Spanish instead of Splanglish.

Gotta bounce for now but give us a holla at: 

Is Healthcare Ready for the Cloud?

Healthcare peeps, HIPAA\ HITECH has teeth and the fines handed out this year are HUGE. 

The best example was Cignet Health Center, a group of clinics based in Prince Georges County, Md., that operates a health plan, was been fined $4.3 million for failing to turn over medical records to patients who requested them and failing to cooperate with the HHS probe. (Feb 2k11) 


For my friends in EMEA, you're having issues around PHI as well. NHS Lost unencrypted devices with patient records. 


Finally, for those of you who are obsessed with Celebrities, don’t let that spill over into your job! Personally, I could care less about what Miley Cyrus is doing next, but some people just can’t help themselves.

 "The University of California at Los Angeles Health Services has agreed to pay a $865,000 fine and pledged to tweak their infrastructure after potentially violating the HIPAA regulation when several employees apparently accessed the health records of various celebrity patients at the hospital without valid justification. 


So, if Healthcare IT shops can’t cut it when it comes to protecting PHI, or meaningful use around EHR, should the business turn to the Cloud? 

From what I can see, part of the problem is some OLD legacy Healthcare apps can not run on x86 and do not support Virtualization. 

So, maybe a few things need to happen:  

  • Assess the risk of apps that can no longer be maintained and will not meet compliance standards, versus the ease of migrating at least the front end of the legacy systems to a virtual platform
  • There are a ton of healthcare apps that are cloud ready and work on mobile devices

o   http://www.readwriteweb.com/cloud/2010/11/3-mobile-healthcare-apps-that.php

o   Approximately 60% of all doctors today use IPADS or similar devices (IDC)

  • VMware has the infrastructure to support those apps and allow IT shops to build private cloud services that can be moved to public providers during periods of high demand

o   And… ported back of course J

  • For some small Healthcare Organizations, they are moving their services and patient data to Cloud Providers like NaviSite

o   http://www.informationweek.com/news/healthcare/EMR/231601342

o   BTW: A lot of these orgs are adopting HITRUST as a certification process to meet HIPAA\ HITECH Compliance 

The main concern is Trust, will Large Healthcare Organizations “Trust” cloud providers with Medical Records? 

My guess is yes, they will in time. At VMware we are working on Trusted Cloud Solutions with other vendors to build an eco system that will let Consumers move their workloads with confidence to the cloud. The key will be if the Providers will allow the Consumers to validate that “Trust”.  The Consumer holds the power, as my colleague and active QSA Davi Ottenheimer says, “If a service provider refuses to give you the log services or compliance support you need, it may be time to find another provider.”

When it comes to Healthcare, yes, the complexity of how regulated the vertical is when it comes to compliance could make it difficult for a Provider to offer those services. However, if we are really going to make the Journey to the cloud, Providers need to bake in cost efficient Security & Compliance solutions for consumers as part of their offering and open the kimono to let the Consumer Validate what is happening with their assets. 

We would love to get your feedback on the comments above, hit us up here or: 

As usual, please forgive me for any spelling and grammar errors. Spanish is my first language and like the rest of us, I am still learning.  

Peace out…

VMware’s CP&C releases another free Compliance Checker!

Buenos Dias,

I'm George Gerchow, Director of VMware's Center for Policy & Compliance. I'll be here all week to talk about Compliance in the Cloud and answer your questions. 

Today we are going to give you access to a FREE downloadable tool that helps you get started on the “Trusted Cloud” ride. 

It is the vSphere 4.1 Compliance Checker fresh off the virtual assembly line and compiled by the good folks at CP&C!

 Here is how it works: 

  • The Compliance Checker runs an assessment on ESX/ESXi hosts managed by vCenter
  • The assessment is based on a predefined subset of 29 of the vSphere 4.1 Security Hardening Guide rules and is run against the first 5 ESX/ESXi hosts found on the target vCenter
  • The results for each host include the rules, the rule descriptions, and the success or failure of each rule

At VMware, we like to call the Compliance Checkers “Crack” for IT as it get’s ya hooked and you will come back for more! 

Here is the link so you can get started hardening your vSphere Environment today: 


Now this poses a few questions and we would love to get your feedback: 

  1. Are free tools like this helpful?
  2. How do you currently lock down your vSphere environment?
  3. Would remediation of the non-compliance results be a good next step?
  4. Do you care about regulatory compliance & vendor best practices? If so, which ones? (PCI, HIPAA, DISA, CIS…) 

I will be rollin’ into Denver today like Tom Brady rolled over the Miami Secondary last night but will be online waiting to hear from you. (FYI, IN Denver, I am giving a Keynote at a Healthcare seminar on Trusted Cloud)

Jump in the discussion on any of our social media channels – blogs, Twitter, Facebook, or community forum: 

Here is a sneek peek of what the Checker looks like:


Thanks and have a great day from all of us at CP&C and VMware!

Is “Mixed Mode” acceptable in a vSphere Enviroment?

Hola Security & Compliance Peeps,

My Nombre is George Gerchow, I am the Director of the VMware, Center for Policy & Compliance.  Our charter at CP&C is “simple”, like a Cowboy’s Fans knowledge of football: 

  •  1  -Support migration of highly regulated workloads to vSphere
  • Dos –  Provide coverage of most common regulatory, industry and vendor policies
  • C – Drive Industry Thought Leadership 

As a follow on from VMworld, we are going to extend the Management Mastery series to our Secura-Nerds and give you an opportunity to discuss relevant topics that are HUGE. Bottom Line, Security and Compliance are the main inhibitor to Virtualization & Cloud Computing. VMware and other vendors have solutions that are VIRTUALIZATION aware and attack these problems head on.

With all that being said, our first topic is Mixed Mode support for PCI environments. See Section 4.2 in the Vendor Information Supplement. 4.2 Strongly recommends that VMs of different security levels are not hosted on the same hypervisor or physical host.  The fear is that a less secure VM can be used to spawn off an attack on a more secure VM. 

It is my opinion that most people are not up to speed on Virtualization Security and Compliance Solutions. If you can prove that the systems in a mixed mode are not communicating, you should be golden. If your QSA does not agree, it might be time to get a new QSA. Jkjkjkjkj, not really but… Click the link below to see what we talked about at VMworld. I was misquoted in this article, Computer World and several others. (I NEVER said QSA’s were ten years behind J ) Seriously, I have some good friends that are QSA’s and they will also be tracking this blog to help answer questions. BTW: This got heated at VMworld during our trusted cloud session. 

Y'all are going to have to excuse my Grammar and Spelling errors. I am ESL and it comes out all the time. Happy Monday and give us a shout!