VMware has been listening to customers, and they have been telling us that compliance requirements are impeding their cloud initiatives. They are spending considerable time translating standards and frameworks into actionable controls; however, they still lack certainty about which controls they should implement in their software-defined data center to get a passing grade from auditors.

Now VMware is taking the guesswork out of compliance in the cloud with auditor-validated reference architectures encompassing both VMware and third-party products. These architectures describe the applicability of the technologies to regulatory controls, how to design a software-defined data center to incorporate them, and what an audit procedure for the controls would render.

In addition, we’re going a step further by helping customers automate these controls. Customers are implementing our reference architectures in virtualized networks, enabling them to build advanced workflows automating their network provisioning, security and compliance. This not only takes the guesswork out of compliance and readiness for audit, but also delivers the agility and speed that customers are looking for in the first place.

VMware Compliance Reference Architecture Framework

Focusing Industry Efforts on Customer Needs

As part of these efforts, VMware is rolling out the new QSA Validated Reference Architecture for PCI, which is already in use by industry-leading customers and partners. This new Reference Architecture was validated by Coalfire, a leading independent IT GRC audit/assessment services firm, QSA member, and accredited VMware Consulting and Integration Partner Program partner.

PCI is one of the most important compliance regulations in the virtual/cloud world and data centers today, and VMware is delivering comprehensive technical guidance for PCI focused on virtualized PCI workloads. While PCI is detailed in itself (consisting of 12 requirements and 200+ technical sub-requirements), the published guidance for virtualization, at least until now, has not been prescriptive enough to meet customers’ virtualization requirements.

In response, VMware has worked with the PCI Audit Community to bring clarity to our customers who are now designing and deploying software-defined data centers and network virtualization. These customers need clarity to move forward with their highly regulated workloads, which are subject to PCI as well as HIPAA/HITECH and other compliance regulations.

With a QSA-validated reference architecture now available, customers can start to implement the right controls in their virtualized infrastructures with confidence.

VMware NSX: A Network Virtualization Platform with Extensible Services Capabilities

At VMworld® in San Francisco this week, we announced VMware NSX, the platform for network virtualization. VMware NSX will deliver the entire networking and security model from L2-L7 in software, decoupled from underlying networking hardware. The VMware NSX platform sits at the core of the new reference architecture. VMware will deliver key compliance controls with business context and extensibility, which enables partners to deliver additional controls. The VMware NSX Platform coupled with the QSA Validated Reference Architecture for PCI will help simplify audits, enable validation of controls, and empower IT to tune policies. Capabilities include:

  • Logical Switch provides the layer 2 isolation mandated by multiple compliance regulations.
  • Logical Firewall is virtualization and identity aware, featuring kernel-enabled line rate performance.
  • Data Security scans virtual workloads for sensitive data and reports regulation violations so you can quickly assess the state of compliance with global regulations.
  • Activity Monitoring provides full visibility and context into user activity and network connections initiated from workloads. This accelerates troubleshooting and monitoring of end user access problems. This addresses auditor requirements for monitoring privileged user access to highly regulated data.
  • NSX Service Composer enables security services to be consumed more efficiently in the software-defined data center. Organizations can apply and visualize security policies for workloads in one place. Workloads can be automated across different services without custom integration.
  • VMware NSX Ecosystem Partners enable customers to deploy additional network services with VMware NSX network virtualization across several categories of services:
    • Application delivery: Citrix, F5, Silver Peak
    • Network security platforms: Palo Alto Networks
    • Security services: McAfee, Rapid7, Symantec, Trend Micro

Robust Compliance and Security Partner Ecosystem

Customers can leverage the select group of VMware Technology Alliance Program (TAP) and Consulting and Integration Partner Program (CIPP) partners which deliver security and compliance functionality. Coupled with VMware capabilities, customers can address the majority of technical controls specified by PCI DSS 2.0. Examples of technical controls include IPS/IDS, SIEM, AV/Endpoint Protection and Identity & Access Management. These partners include audit/advisory (CIPP), Technology (TAP) and System Integrators and Service Provider (CIPP) partners to address regulatory compliance requirements across multiple industries (PCI, HIPAA/HITECH, FedRAMP). The VMware Compliance Partner ecosystem includes Catbird, Coalfire, Forsythe, HP, HyTrust, LogRhythm, McAfee, PKware, RSA, Symantec, Trend Micro, VCE and Vormetric.

Together, VMware and our partners deliver capabilities which enable continuous compliance by automating deployment/provisioning and advanced workflow automation. By listening to customers, we are providing the reference architectures and software solutions that businesses need to achieve compliance, along with breakthrough speed, efficiency and agility in their cloud deployments.

New Guidance from VMware and PCI Council

The PCI Council is scheduled to publish PCI DSS 3.0 later this year, and VMware is working closely with the PCI QSA community to deliver an updated Reference Architecture for PCI. The new guidance will incorporate VMware NSX and other upcoming VMware product releases. This will result in a comprehensive approach designed to address customers’ PCI requirements for the cloud.

“Based on preliminary information which has been released regarding the upcoming PCI DSS 3.0 standard, we can expect to see both additional flexibility, as well as an increase in the stringency required of payment industry organizations’ compliance validation programs. VMware and Coalfire have partnered to provide guidance which will help organizations more effectively plan, implement, and validate virtualized workloads and software defined datacenter environments for organizations with PCI DSS compliance requirements.” – Noah Weisberger, Practice Director at Coalfire


Learn More at VMworld 2013

VMware compliance solutions and reference architectures will take center stage at VMworld 2013, August 25-29 in San Francisco. Attend one of these sessions to learn more about solving your cloud compliance challenges: VMworld Networking and Security & Compliance Sessions

Additional Resources

Download the complete VMware Reference Architecture for PCI at the following links:

Download VMware Compliance Partner Solution Guides at VMware Partner Solution Guides for PCI

For more information on all VMware compliance solutions, email the VMware Compliance Solutions team at compliance-solutions@vmware.com.

Chris King, Vice President, Product Marketing

Networking and Security Business Unit