Author Archives: George Gerchow

VMware CP&C releases two FREE HIPAA compliance checkers for VMworld!

As we are preparing for the most exciting US VMworld in history, VMware’s Center for Policy & Compliance (CP&C) is pleased to release TWO free HIPAA Compliance Checkers!

Here are some details around the checkers:

    • 19 HIPAA based rules for Linux and Windows

RHEL 5.x, 6.x or SuSE 10.x, 11.x

  • Windows 2003, Windows 2008 or Windows 2008 R2
  • Add up to 5 machines at a time for assessment
  • Get detailed rule descriptions and remediation steps

You can download the checkers here:

https://my.vmware.com/web/vmware/evalcenter?p=compliance-chk&lp=default

After downloading the checkers all you need to do is authenticate and run a compliance assessment:

 

You can then view the results and drill down into the specific rule details and remediation recommendations:

The VMware CP&C FREE Checkers are sweeter than bacon and designed to get you hooked & come back for more!

Remember, we also have FREE checkers for vSphere 4.0, 4.1, 5.0 AND for PCI 2.0 Windows & Linux.

If you have compliance concerns and need more coverage, customers can leverage the full blown rules, content, dashboards and remediation with vCenter Configuration Manager (vCM) part of the vCenter Operations Manager Suite (vC Ops).

You can hear more about the Checkers and other VMware Security and Compliance Solutions at VMworld 2k12. Here is a list of key sessions that you should register for NOW:

INF-SEC2306 – Integrating Virtual and Physical IT Controls to Support Enterprise Wide Compliance Programs

INF-SEC2850 – The Four Must-Haves for a Secure Cloud Infrastructure

EXPERTS02 – Meet the Experts

Session INF-SEC2627 – Software Defined Security, Myth Busting Data Center Security with Real-life Implementations

GD16 – Compliance with George Gerchow

INF-SEC1840 – VMware vSphere Hardening to Achieve Regulatory Compliance: Better, Faster, Stronger

INF-SEC1172 – Using VMware vCenter Networking and Security and vCenter Configuration Manager to Achieve Better that Physical Security for Business Critical Apps

EUC2792 – VMware View 5.1: Security Deep Dive

INF-SEC1759 – Appeasing Your PCI Assessor Using vCloud Networking and Security to Segment and Secure Your Virtual Data Centers

NF-SEC2813 – Beyond the Hypervisor – Three Key Areas to Consider When Securing Your Cloud Infrastructure Platform

VMWorld – SafeNet Panel Discussion Location: Solutions Exchange Theater, On Expo Floor, Moscone Center

INF-SEC1282 – Automating Security and Compliance with Disaster Recovery Using VCM, vCOps, vShield, VIN and SRM

Session ID: INF-SEC2330 – How to Enable and Host PCI Compliant Applications in a Private Cloud Environment

Jump in the discussion on any of our social media channels – blogs, Twitter, Facebook, or community forum:

Cambio y Fuera!

George Gerchow – Director, VMware Center for Policy & Compliance

VMware CP&C releases IRS 1075 Content in vCM!

The VMware Center for Policy & Compliance (CP&C) is pleased to announce the release of IRS 1075 content in vCenter Configuration Manager. vCM, a key component in the vCenter Operations Suite. (vC Ops)

The purpose of 1075 is to protect Federal Tax Information (FTI) and secure Safeguards for Protecting FederalTax Returns and Return Information.

Introduction to IRS 1075 for Virtualization

To Utilize a Virtual Environment that receives, processes, stores or transmits FTI, the agency must meet the following mandatory notification requirements: 

Notification Requirements 

  • If the agency’s approved SPR is less than six years old and reflects the agency’s current process, procedures and systems, the agency must submit the Virtualization Notification, which will serve as an addendum to their SPR.
  • If the agency’s SPR is more than six years old or does not reflect the agency’s current process, procedures and systems, the agency must submit a new SPR and the Virtualization Notification.

 

With the IRS 1075 content in vCM, our customers will be able to get great dashboard to track their Compliance posture:

IRS.1

You can also break down the compliance results by data type to see where most of your infractions are coming from:

IRS.2

From there, you can see the individual rules behind the content that is surfaced in our dashboards. In this release we provided 5 Rule groups, 2 templates and 104 rules:

IRS.3

Keep in mind that vCM manages not only virtual enviroments, but covers physical as well. It is the market leader in Configuration Audit, Change Detection, Patch Management and COMPLIANCE content. Yes! That is right, we can also remediate non compliant results with a right click in both the virtual and physical world! vCM even has VDI (VIEW) hardening guidelines. Look for our Mobile Compliance Content coming soon… 

Also, don't forget about the VMware CP&C FREE compliance checkers! 

https://my.vmware.com/web/vmware/evalcenter?p=compliance-chk&lp=default

The IRS 1075 guidelines are available today and can be downloaded using the vCM Content Wizard.

Feel free to hit us up with questions & comments at:

Hasta La Vista,

George Gerchow – Director, VMware Center for Policy & Compliance

 

 

 

VMware CP&C releases a FREE vSphere 5.0 hardening guideline compliance checker!

I am hanging out in NYC finishing Cloud Expo East where we delivered a rousing session on Cloud Audit & Control with Coalfire AND CP&C is now VERY pleased to announce the release of our FREE vSphere 5.0 compliance checker! Last week we rolled out the 5.0 hardening guidelines in vCenter Configuration Manager (vCM) making it the first product on the planet to have the 5.0 content for our customers. Today, we are giving you access to a FREE vSphere 5.0 compliance checker! How awesome is that?

It is so easy to download and use that you can run it while watching Euro Cup with the sound of GOOOOOOAAAAAALLLLLLLLL!!!!!!!!!! In the background!

 Here is how the vSphere 5.0 Compliance Checker works: 

  • The Compliance Checker runs an assessment on 5 host systems at a time! (The 1st five being managed by an instance of vCenter Server)

 

  • The assessment is based on a predefined subset of the 5.0 Hardening Guidelines Content that currently exist today in vCenter Configuration Manager (vCM) Part of the vCenter Operations Manager Suite (vCo Ps)

 

  • The results for each host includes the rules, the rule descriptions, and the success or failure of each rule

 

 Check out the following results report from the vSphere 5 Checker

ComplianceReport

All you have to do is authenticate into the vCenter box that you want to assess hosts on.

VSphereCC

The VMware Center for Policy & Compliance FREE Checkers are sweeter than bacon and designed to get you hooked & come back for more! 

Here is the link so you can get started hardening your vSphere Environment today. (Remember, we have FREE checkers for vSphere 4.0 & 4.1 AND for PCI 2.0 Windows & Linux)

http://www.vmware.com/go/free-compliance-check-for-vsphere

Next, look for CP&C to release a HIPAA Checker that will be hotter than the Miami HEAT!

Now this poses a few questions and we would love to get your feedback: 

1. Are free tools like this helpful?

2. How do you currently lock down your vSphere environment?

3. Would remediation of the non-compliance results be a good next step?

4. Do you care about regulatory compliance & vendor best practices? If so, which ones? (PCI, HIPAA, DISA, CIS…) 

Jump in the discussion on any of our social media channels – blogs, Twitter, Facebook, or community forum: 

 

Cambio y Fuera!

George Gerchow – Director, VMware Center for Policy & Compliance


 

VMware Center for Policy & Compliance (CP&C) releases vSphere 5.0 hardening guidelines in vCenter Configuration Manager! (vCM)

CP&C is pleased to announce the most anticipated content release to date in vCM, the VMware vSphere 5.0 hardening guidelines! As critical component of the vC Ops suite, vCM is the FIRST product in the market today to have the official GA version of the vSphere 5.0 Hardening Guidelines. This is just another significant step in our Trusted Cloud initiative in helping customers migrate tier one applications to the VMware Cloud Infrastructure Suite.

What does this mean to VMware vCM customers who want to make sure their virtual systems are compliant?

5 new rule groups and two brand new templates:

  VSphere 5.0 p1

 Brand new 5.0 hardening guideline collection filters:

VSphere 5.0 p2

Great executive compliance results and trending dashboards:

VSphere 5.0 p3

You can quickly move from Dashboards to details and see the out of compliance data classes, here is a small sample, there are so many that I cannot get a full coverage screen shot!

VSphere 5.0 p4

Add this DEEP virtualization compliance data to the rich cross platform, heterogeneous change detection, configuration\ patch management, best practices and regulatory compliance content vCM has today & you will be well on your way to successfully hardening your environment. (Yes, I did say Virtual, Physical, Windows, Linux, Servers, Desktops\ VDI…) This is better than bacon!

Whhheeeeewwwww, I ran of breath reading it back.

The guidelines are available today and can be downloaded using the vCM Content Wizard.

 Feel free to hit us up with questions & comments at:

Hasta La Vista,

George Gerchow – Director, VMware Center for Policy & Compliance

 

 

 

 

 

 

 

 

 

 

 

 

 


 

VMware (CP&C) Releases PCI 2.0 FREE Compliance Checkers!

Hola Amigos y Amigas,

Today we are going to give you access to two (That’s right, DOS!) FREE downloadable tools that help you get started on the journey to achieving PCI 2.0 Compliance.

The PCI 2.0 Compliance Checkers for Windows and LINUX are fresh off the virtual assembly line and compiled by the good folks at VMware’s Center for Policy & Compliance! (CP&C)

 Here is how they work: 

  • The Compliance Checkers run an assessment on 5 Guest systems at a time!
  • The assessment is based on a predefined subset of the PCI 2.0 Content that currently exist today in vCenter Configuration Manager (vCM) Part of the vCenter Operations Manager Suite
  • The results for each guest includes the rules, the rule descriptions, and the success or failure of each rule

 Check out the following results report from the LINUX Checker. Pure AWESOMENESS! 

PCI.Checker.Linux.4.12

The Compliance Checkers are designed to get you hooked and come back for more! 

Here is the link so you can get started hardening your vSphere and Guest Environment today. (Remember, we have FREE checkers for vSphere 4.0 & 4.1)

https://www.vmware.com/tryvmware/?p=compliance-chk&lp=default&cid=70180000000MJsMAAW

The vSphere 5.0 Checker will soon be on its way like a Tim Tebow Comeback! (Too bad his comebacks will be for the Jets, I love my Broncos but am not happy about the Manning move.) Just sayin…

Now this poses a few questions and we would love to get your feedback: 

1. Are free tools like this helpful?

2. How do you currently lock down your vSphere environment?

3. Would remediation of the non-compliance results be a good next step?

4. Do you care about regulatory compliance & vendor best practices? If so, which ones? (PCI, HIPAA, DISA, CIS…) 

Jump in the discussion on any of our social media channels – blogs, Twitter, Facebook, or community forum: 

 Peace Out!

George Gerchow – Director, VMware Center for Policy & Compliance

 

 

vCenter Configuration Manager 5.5 is now Generally Available

As you are probably aware, back in October we unveiled the VMware vCenter Operations Management Suite designed to deliver integrated performance, capacity and configuration management for virtualized and cloud computing environments.  What is less well known is that VMware vCenter Configuration Manager is the anchor for the “configuration” management capabilities within the suite.  Having been part of Configuresoft for several years before it was first purchased by EMC and then sold to VMware, I feel a bit like a dad watching his baby grow up.  The technology that was Configuresoft is at the heart of vCenter Configuration Manager.

 With today marking the general availability of vCenter Configuration Manager 5.5, I am both excited and proud to see this one go out the door.  vCenter Configuration Manager has always been a great solution for ensuring that Operating System software, whether Windows, Linux or Unix is properly configured to meet a broad range of security best practices, vendor hardening guidelines and regulatory mandates (think HIPAA, PCI, SOX etc).  But with this release, vCenter Configuration Manager becomes an indispensable part of the VMware family – addressing core requirements of the Virtual Infrastructure teams looking to leverage the VMware Cloud Infrastructure Suite as the foundation for business critical workloads moving to the cloud.

The primary theme for vCenter Configuration Manager 5.5 release is “Cloud Ready”.  New capabilities within this release significantly increase the ability of the Virtual Infrastructure team to ensure that their VMware Infrastructure is properly configured to meet the rigorous demands associated with virtualizing business critical workloads; including addressing requirements associated with VMware’s own hardening guidelines.  

This new release dramatically increases the ability to track configuration changes and to assess configuration compliance across the VMware Infrastructure including ESX, ESXi, vCenter, vCloud Director and vShield products.  There are also a substantially greater number of new configuration actions that can be executed against vCenter and ESX, ESXi configurations.  These configuration actions can be executed against a single object or in bulk against multiple objects spanning multiple vCenters.  They can be executed as part of an organization’s general configuration management processes or as part of a configuration compliance program. 

The enhancements to vCenter Configuration Manager 5.5 put tremendous visibility and control at the fingertips of the Virtual Infrastructure team responsible for VMware Infrastructure.  To help illustrate this I have included an example of how vCenter Configuration Manager can help manage configuration changes across the VMware Infrastructure (Figure 1). This particular high level dashboard is focused on the Virtual Infrastructure team and shows all changes that have occurred across the VMware Infrastructure for a specific time period.  

Figure1

 

You can quickly drill down into any of these dashboards to investigate anything of interest or concern.  In this example I’ve drilled down into a specific vCenter (Figure 2) to understand a change associated with the “client.timeout.normal” setting.  I can see that this setting has been changed from 60 seconds to 10 which I know is out of compliance with operational best practices for vCenter (which calls for this setting to be equal or greater than 60 seconds).

Fig 2

In addition to the ability to see and understand prior changes, vCenter Configuration Manager provides the ability to change configuration settings across the VMware infrastructure (Figure 3).  I can do this for a single object or for multiple objects.  Bulk configuration changes can be directed across objects that span vCenters. 

Fig 3

Finally (Figure 4) I can proactively manage configurations through compliance where I create rules and templates (collections of rules) for any configurations I want to ensure are uniformly applied across my entire virtual data center or subsets of “like objects” in my data center.  vCenter Configuration Manager comes with a rich set of templates out-of-the box that can be used as is or as the starting point for the development of your own internal best practices.  

Fig 4

The new capabilities of vCenter Configuration Manager 5.5 significantly increase the value delivered to customers purchasing the vCenter Operations Management Suite Enterprise Edition where today vCenter Configuration Manager is included to address critically important use cases associated with “hardening” the VMware Cloud Infrastructure Suite. 

Other significant enhancements to vCenter Configuration Manager in this release include:

  • Ability to create machine groups within vCenter Configuration Manager based on organizational constructs (clusters, virtual datacenter, application trust zones) within vCenter, vCloud Director and vShield.
  • Support for configuration and compliance management for virtualization specific constructs such as templates and offline VMs (via VMware vCenter Orchestrator workflows delivered separate from the release)
  • The ability to snapshot a VM before making a configuration change
  • Support for the “Security Content Automation Protocol” (version 1.0) –  important to federal agencies
  • A new REST based API that will allow vCenter Configuration Manager to more fully participate in VMware and 3rd party ecosystem solutions

Early feedback from customers involved in beta testing has been extremely positive.  The increased ability of vCenter Configuration Manager to harden the VMware Infrastructure combined with the existing strength of the product to harden the Operating System (Windows, Linux, Unix) make vCenter Configuration Manager fundamental to clouds built on VMware technology.  More information can be found by visiting the vCenter Configuration Manager page on VMware.com.   Also, be sure to download the free vSphere Compliance Checker which will help you better understand the value that vCenter Configuration Manager delivers to organizations looking to move business critical workloads to the cloud.

Peace Out!

George Gerchow, Director, VMware Center for Policy and Compliance

 

RSA Conference San Francisco 2K12 – Back to the Golden Age

Greetings securanerds and compliance aficionados! 

The RSA Conference has made a HUGE come back this year in Tim Tebow\ Jeremy Lin-Sanity "like" fashion and secured it's rightful place as the largest & best security conference on the planet.
Art Coviello got things started with some HEAT as he preached the "Hack Back" message. The Buzz at RSA was intense and fresh as new privacy initiatives and cloud computing are driving life back into the security space along with compliance. The sessions and expo floor were simply PACKED! It was great to see the usual security Titans displaying their knowledge & goods along with up and comers like HyTrust who had their brand on the back of every badge.
 
For VMware Center for Policy & Compliance (CP&C) , it was immediate action from day uno as we were busier than a one-toothed man in a corn-on-the-cob eating contest! (No offense to my single fanged friends, it is just the truth 🙂
We started off with announcing our upcoming release of vCenter Configuration Manager (vCM) 5.5 part of the vCenter Operations Manager Suite (vCOPS), the best vSphere, Cloud Infrastructure Suite & Config\ Compliance Management Tool in the industry. You will hear more about vCM 5.5 when it goes GA on March 15th but I must give you a sneak peak, 5.5 may be sweeter than Crispy Bacon!
vCM 5.5 Example report showcasing  vCenter and vCD Permissions: 
    Providing a single view of permission levels across vCenters and vCDs that can be filtered by User, Group, Object, etc. 
    NOBODY else in the systems management space today can do this except for vCOPS & vCM!

Check it:
VCM 5.5 Effective Permissions Report

 

Next was an interview at the RSA booth on EMC Live TV going over our combined integration with VMware, EMC & RSA into Archer (eGRC) solution to deliver "Compliance Across the Stack" bringing together technical controls with policy enforcement. The demo showcases Server, Network and Storage Compliance results in Archer! This is a LARGE step in our Trusted Cloud initiative "Meeting Customers Compliance Requirements to Migrate Tier 1 Apps to vSphere and Cloud Environments".
Here is the Video:   

http://www.youtube.com/watch?v=fM6ndYZt_2o&list=UUWAJOJJM6yeRNWyyV5_swVw&index=9&feature=plpp_video

And our blog on the announcement with screen shots from the integrated Archer   Demo:

 http://blogs.vmware.com/alliances/2012/02/vmware_emc_rsa.html

We kept the vibe alive as our honorary CP&C member Davi Ottenheimer "The Flying Penguin http://www.flyingpenguin.com/"  threw some deep knowledge at folks during his Sessions:
    CLD-108 Lightning Round: Data Confidentiality and Integrity in the Cloud
    DAS-302: Message in a Bottle – Finding Hope in a Sea of Security Breach Data

I hope you got a chance to see him in action, if not you can catch Davi live in Vegas singing Sinatra at the Venetian Showroom. (Seriously http://davisingssinatra.com/)
Finally we started wrapping things up with the VMware communities podcast #177 covering the conference with my RSA pal Mike Foley:
Switching gears a bit, we also saw blatant displays where policy & technology could not prevent human action from putting the environment at risk. There were several people who made their way into sessions by telling the door staff "We are with the Speaker". In all cases, the hoodlums were welcomed without any identified credentials, verification from the speaker or proof of having a delegate badge. It just goes to show you that visibility, training and accountability are key ingredients to a securing an infrastructure in a compliant fashion. (Next year just buy a full conference badge people!)
Last but not least and to get your weekend started with a laugh, check out the following HILARIOUS video on VMware security and compliance solutions for the Cloud:
Feel free to hit us up with questions & comments at:
Have a great weekend, snow is falling all over the west so hit the slopes if you can!
Please excuse any typos or grammar mistakes, after all I am ESL and will lean on that as long as possible. 
Peace Out!
George Gerchow – VMware Director, Center for Policy & Compliance

 

VMware CP&C announces major content release for VCM!

The VMware Center for Policy and Compliance (CP&C) is pleased to announce our latest content update for FISMA, GLBA, HIPAA, and SOX in vCenter Configuration Manager ™ (VCM). 

Based off DISA’s last major release, we have now updated critical compliance requirements across several verticals.

How does this help you address your compliance needs?

Healthcare sector is a main area of focus for CP&C and VMware. With our updated templates, Healthcare Organizations can now leverage this content to prepare for upcoming audits in 2k12. With these templates and VCM’s automated patching solution, Healthcare organizations that use Hitrust as a source of guidance will also be able to apply these new rules, dashboards and content for audit requirements. CP&C also updated SOX, FISMA and GLBA templates as well helping folks out in D.O.D, Federal Government and Finance sectors with Continuous Compliance. VMware CP&C is also pleased to announce that we now cover the full spectrum of auditing settings for Vista, W7, and 2k8, and 2k8 R2. 

What’s new in this package? DISA Platform support for:

  • Windows 2003 version 6.1.22
  • Windows 2008 v6.1.15
  • Windows 2008 R2 V1 Rel 1
  • Windows 7 Ver1.5
  • Windows Vista 6.1.22
  • Windows XP 6.1.22

Check out the HIPAA Dashboard below covering virtual, physical, Unix, Linux and Windows results! You can quickly determine where your non compliant settings are and easily remediate them.

HIPAA.DB.1.2.11

Right Click Fix, or set an exception!

HIPAA.Rem.1.2.12

Last but not least ,Audit settings!

Audit.DISA.1.2.11

How do you get it the new content?
Customers wishing to harden their DISA, SOX, HIPAA, FISMA and GLBA environment can download the new content via the VCM Content Wizard.

Also, feel free to hit us up with questions & comments at:

Happy New Year from VMware & CP&C!

George Gerchow – VMware Director, Center for Policy & Compliance

Announcing General Availability of VCM 5.4.1 release

We are pleased to announce the general availability of vCenter Configuration Manager 5.4.1(VCM), a key component of the vCenter Operations Management Suite. VCM has always detected all changes even if they were done outside of the change management process. With this release we take a major step towards delivering integrated performance and configuration management by correlating configuration changes to the performance events and non compliant results. In addition, the new release also works together with the VMware Cloud Infrastructure Suite to discover and manage VMs that run in vCloud Director based cloud deployments.

Here are the major highlights of this release:

  • Integration with vCenter Operations Manager 5.0
    • The integration of VCM with vCenter Operations Manager enables IT operations to quickly identify health and performance issues that may be caused by configuration changes on the managed machines. It also provides launch in context to change log in VCM, where you could remediate changes.
  • Integration with vCloud Director
    • Using VCM, you can discover and manage virtual machines that are running in vCloud Director based clouds. This release supports VMs that are either directly connected (no NAT) or behind 1:1 NAT configuration
  • OS Provisioning Enhancements
    • Support for custom ISOs and Linux disk partition configuration
    • OS provisioning support for RHEL 5.6 and 6.0 (32 and 64-bit)
  • New Platforms Support
    • Managed Platforms Additions: ESX/ESXi 4.1 Update 1, ESXi 5.0, RHEL 5.6 and 6.0, Mac OS X 10.6
    • Collector Platform Support: Windows 2008 R2 SP1 & SQL Server 2008 R2 SP1
    • Installing VCM Server on a non-English operating system is also now supported. See release notes for more details on this.
  • Addition of the New Content Architecture (NCA) for UNIX & Linux Patching
    • UNIX and Linux patching has been updated to support NCA changes for assessment, deployment, repository synchronization, and content downloading and importing.
  • New and updated compliance content to support the following standards:
    • vSphere 4.x Hardening Guidelines
    • PCI 2.0
    • Basel III

Check out more details about this release:

To close out, here's a quick screenshot from vCenter Operations Manager 5.0 showing correlation with vCenter Configuration Manager change events. You can click on these events to launch VCM in context to quickly understand and remediate performance issues arising from configuration changes and non compliant results. After all, it is usually changes that at the root of compliance deviation.

VCOPS&vCM.11.2.11

 

VMware’s Center for Policy & Compliance is pleased to announce the release of BASEL III Content for vCenter Configuration Manager ™ (VCM).

Hej, virtualization Nerds, 

Like Danish Dynamite, we are going to blow it up this week at VMworld Copenhagen! 

IT Control Objectives for Basel III provides a framework for managing operational and information risk and extends the VMware content family that is used to achieve a Trusted vCloud solution.

These deep technical  rules will help reduce time to audit by providing immediate analysis of Compliance Assessment, Automated Remediation & Evidence based verification. 

Platforms covered include:    

  • ESX, ESXi, vCenter
  • Guest Windows & LINUX
  • Non x86  AIX, HPUX 

    • 

Center for Policy & Compliance (CP&C) built the out of the box Basel III rules by cross referencing ISO standards and leveraging the CobiT Framework.  

Here is a BASEL III Heterogeneous, Comprehensive Dashboard Example from vCM.

BASEL III Dashboard

These deep technical  rules will help reduce time to audit by providing immediate analysis of Compliance Assessment, Automated Remediation & Evidence based verification.

BASEL III Sample Rule violations and remediation:

BASEL III Rules

CP&C built the out of the box Basel III rules by cross referencing ISO standards and leveraging the CobiT Framework. We also started accounting for enhancements in Windows Server 2008 R2 and Windows 7 that allow administrators to connect business rules and audit policies within the vCM Compliance Engine.  

Here is a BASEL III Heterogeneous, Comprehensive Dashboard Example from vCM. 

Look for more EMEA based content in the future from CP&C along with free tools like a BASEL III & PCI 2.0 compliance checkers.

Peace Out or fred ud!

George Gerchow – VMware Director, Center for Policy & Compliance