
Tag Archives: PCI

VMware CP&C releases PCI DSS 3.0 Compliance toolkit for Windows Environments in VCM!

The VMware Center for Policy & Compliance (CP&C) is pleased to announce the availability of the Payment Card Industry Data Security Standard (PCI DSS) 3.0 Compliance toolkit for Windows Environments in VMware vCenter Configuration Manager (VCM), a key component in the VMware vCenter Operations Suite (vC Ops).

PCI DSS 3.0 comes into effect on January 1, 2014. The PCI DSS 3.0 compliance toolkits for VMware vSphere based virtual environments and for *NIX based environments were released earlier this year.

PCI DSS 3.0 compliance Windows toolkits are available for the following environments:

Windows Server 2003 (DC and MS)
Windows Server 2003 R2 (DC and MS)
Windows Server 2008 (DC and MS)
Windows Server 2008 R2 (DC and MS)
Windows Server 2012 (DC and MS)
Windows Server 2012 R2 (DC and MS)
Windows 7
Windows 8
Windows 8.1

*Legends*
DC = Domain Controller
MS = Member Server

You can download the packages using the Compliance Content Wizard tool in VCM or from the VMware Solution Exchange and begin to use them.

Keep in mind that VCM manages not only virtual environments, but covers physical as well. It is the market leader in Configuration Audit, Change Detection, Patch Management and COMPLIANCE content. With new additions such as Scripted Remediation Framework, high level of OS patch automation with auto deploy functionality, Easy install and setup, SCAP based compliance and a new look and feel, it is better than ever before!

Come, join the journey to Start Green Stay Green!

Thanks and regards,
Pravin Goyal,
RHCE | HP-UX CSA | VCP4-DCV | MBA | CISSP | GISP | CCSK | CloudU | CompTIA CE | ITIL-F | ITSM-F

VMware (CP&C) Releases PCI 2.0 FREE Compliance Checkers!

Hola Amigos y Amigas,

Today we are going to give you access to two (That’s right, DOS!) FREE downloadable tools that help you get started on the journey to achieving PCI 2.0 Compliance.

The PCI 2.0 Compliance Checkers for Windows and LINUX are fresh off the virtual assembly line and compiled by the good folks at VMware’s Center for Policy & Compliance! (CP&C)

 Here is how they work: 

  • The Compliance Checkers run an assessment on 5 Guest systems at a time!
  • The assessment is based on a predefined subset of the PCI 2.0 content that currently exists in vCenter Configuration Manager (vCM), part of the vCenter Operations Manager Suite
  • The results for each guest include the rules, the rule descriptions, and the success or failure of each rule

 Check out the following results report from the LINUX Checker. Pure AWESOMENESS! 

PCI.Checker.Linux.4.12

The Compliance Checkers are designed to get you hooked and come back for more! 

Here is the link so you can get started hardening your vSphere and Guest Environment today. (Remember, we have FREE checkers for vSphere 4.0 & 4.1)

https://www.vmware.com/tryvmware/?p=compliance-chk&lp=default&cid=70180000000MJsMAAW

The vSphere 5.0 Checker will soon be on its way like a Tim Tebow Comeback! (Too bad his comebacks will be for the Jets, I love my Broncos but am not happy about the Manning move.) Just sayin…

Now this poses a few questions and we would love to get your feedback: 

1. Are free tools like this helpful?

2. How do you currently lock down your vSphere environment?

3. Would remediation of the non-compliance results be a good next step?

4. Do you care about regulatory compliance & vendor best practices? If so, which ones? (PCI, HIPAA, DISA, CIS…) 

Jump in the discussion on any of our social media channels – blogs, Twitter, Facebook, or community forum: 

 Peace Out!

George Gerchow – Director, VMware Center for Policy & Compliance

 

 

vCenter Configuration Manager 5.5 is now Generally Available

As you are probably aware, back in October we unveiled the VMware vCenter Operations Management Suite designed to deliver integrated performance, capacity and configuration management for virtualized and cloud computing environments.  What is less well known is that VMware vCenter Configuration Manager is the anchor for the “configuration” management capabilities within the suite.  Having been part of Configuresoft for several years before it was first purchased by EMC and then sold to VMware, I feel a bit like a dad watching his baby grow up.  The technology that was Configuresoft is at the heart of vCenter Configuration Manager.

 With today marking the general availability of vCenter Configuration Manager 5.5, I am both excited and proud to see this one go out the door.  vCenter Configuration Manager has always been a great solution for ensuring that Operating System software, whether Windows, Linux or Unix is properly configured to meet a broad range of security best practices, vendor hardening guidelines and regulatory mandates (think HIPAA, PCI, SOX etc).  But with this release, vCenter Configuration Manager becomes an indispensable part of the VMware family – addressing core requirements of the Virtual Infrastructure teams looking to leverage the VMware Cloud Infrastructure Suite as the foundation for business critical workloads moving to the cloud.

The primary theme for vCenter Configuration Manager 5.5 release is “Cloud Ready”.  New capabilities within this release significantly increase the ability of the Virtual Infrastructure team to ensure that their VMware Infrastructure is properly configured to meet the rigorous demands associated with virtualizing business critical workloads; including addressing requirements associated with VMware’s own hardening guidelines.  

This new release dramatically increases the ability to track configuration changes and to assess configuration compliance across the VMware Infrastructure including ESX, ESXi, vCenter, vCloud Director and vShield products.  There are also a substantially greater number of new configuration actions that can be executed against vCenter and ESX, ESXi configurations.  These configuration actions can be executed against a single object or in bulk against multiple objects spanning multiple vCenters.  They can be executed as part of an organization’s general configuration management processes or as part of a configuration compliance program. 

The enhancements to vCenter Configuration Manager 5.5 put tremendous visibility and control at the fingertips of the Virtual Infrastructure team responsible for VMware Infrastructure.  To help illustrate this I have included an example of how vCenter Configuration Manager can help manage configuration changes across the VMware Infrastructure (Figure 1). This particular high level dashboard is focused on the Virtual Infrastructure team and shows all changes that have occurred across the VMware Infrastructure for a specific time period.  

Figure1

 

You can quickly drill down into any of these dashboards to investigate anything of interest or concern.  In this example I’ve drilled down into a specific vCenter (Figure 2) to understand a change associated with the “client.timeout.normal” setting.  I can see that this setting has been changed from 60 seconds to 10, which I know is out of compliance with operational best practices for vCenter (which call for this setting to be equal to or greater than 60 seconds).

Fig 2

In addition to the ability to see and understand prior changes, vCenter Configuration Manager provides the ability to change configuration settings across the VMware infrastructure (Figure 3).  I can do this for a single object or for multiple objects.  Bulk configuration changes can be directed across objects that span vCenters. 

Fig 3

Finally (Figure 4) I can proactively manage configurations through compliance where I create rules and templates (collections of rules) for any configurations I want to ensure are uniformly applied across my entire virtual data center or subsets of “like objects” in my data center.  vCenter Configuration Manager comes with a rich set of templates out-of-the box that can be used as is or as the starting point for the development of your own internal best practices.  

Fig 4

The new capabilities of vCenter Configuration Manager 5.5 significantly increase the value delivered to customers purchasing the vCenter Operations Management Suite Enterprise Edition where today vCenter Configuration Manager is included to address critically important use cases associated with “hardening” the VMware Cloud Infrastructure Suite. 

Other significant enhancements to vCenter Configuration Manager in this release include:

  • Ability to create machine groups within vCenter Configuration Manager based on organizational constructs (clusters, virtual datacenter, application trust zones) within vCenter, vCloud Director and vShield.
  • Support for configuration and compliance management for virtualization specific constructs such as templates and offline VMs (via VMware vCenter Orchestrator workflows delivered separately from the release)
  • The ability to snapshot a VM before making a configuration change
  • Support for the “Security Content Automation Protocol” (version 1.0) –  important to federal agencies
  • A new REST based API that will allow vCenter Configuration Manager to more fully participate in VMware and 3rd party ecosystem solutions

Early feedback from customers involved in beta testing has been extremely positive.  The increased ability of vCenter Configuration Manager to harden the VMware Infrastructure, combined with the existing strength of the product to harden the Operating System (Windows, Linux, Unix), makes vCenter Configuration Manager fundamental to clouds built on VMware technology.  More information can be found by visiting the vCenter Configuration Manager page on VMware.com.  Also, be sure to download the free vSphere Compliance Checker, which will help you better understand the value that vCenter Configuration Manager delivers to organizations looking to move business critical workloads to the cloud.

Peace Out!

George Gerchow, Director, VMware Center for Policy and Compliance
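
The change tracking and rule/template compliance check described in the vCenter Configuration Manager 5.5 post above, as an added example that is not VCM code and does not use the VCM API. Only the `client.timeout.normal` setting, its change from 60 to 10, and the "at least 60 seconds" rule come from the post; the object names and the `example.log.level` setting are constructed for illustration.

```python
# Added illustration; not VCM code. Object names and every setting other
# than client.timeout.normal are constructed sample data.
import operator
from dataclasses import dataclass

OPS = {">=": operator.ge, "<=": operator.le, "==": operator.eq}

@dataclass(frozen=True)
class Rule:
    setting: str
    op: str
    expected: object
    description: str

    def passes(self, value):
        # A missing setting fails the rule rather than passing silently.
        return value is not None and OPS[self.op](value, self.expected)

# A "template" is a named collection of rules, as in the post.
TEMPLATE = [
    Rule("client.timeout.normal", ">=", 60, "vCenter client timeout is at least 60 seconds"),
    Rule("example.log.level", "==", "info", "hypothetical logging rule"),
]

def diff_collections(before, after):
    """Return {object: {setting: (old, new)}} for every changed setting."""
    changes = {}
    for obj in sorted(set(before) | set(after)):
        old, new = before.get(obj, {}), after.get(obj, {})
        delta = {k: (old.get(k), new.get(k))
                 for k in sorted(set(old) | set(new)) if old.get(k) != new.get(k)}
        if delta:
            changes[obj] = delta
    return changes

def assess(collection, template):
    """Return (object, setting, value, description) for every failed rule."""
    return [(obj, r.setting, settings.get(r.setting), r.description)
            for obj, settings in sorted(collection.items())
            for r in template if not r.passes(settings.get(r.setting))]

# Constructed snapshots of two vCenters at two collection times.
BEFORE = {"vcenter-a": {"client.timeout.normal": 60, "example.log.level": "info"},
          "vcenter-b": {"client.timeout.normal": 90, "example.log.level": "info"}}
AFTER = {"vcenter-a": {"client.timeout.normal": 10, "example.log.level": "info"},
         "vcenter-b": {"client.timeout.normal": 90}}

if __name__ == "__main__":
    for obj, delta in diff_collections(BEFORE, AFTER).items():
        for setting, (old, new) in delta.items():
            print(f"CHANGE {obj} {setting}: {old!r} -> {new!r}")
    for obj, setting, value, desc in assess(AFTER, TEMPLATE):
        print(f"FAIL   {obj} {setting}={value!r} (rule: {desc})")
```

The second finding shows why change detection and compliance are assessed together: a setting that disappears between collections is both a change and a rule failure.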

 

Is “Mixed Mode” acceptable in a vSphere Environment?

Hola Security & Compliance Peeps,

My Nombre is George Gerchow, I am the Director of the VMware Center for Policy & Compliance.  Our charter at CP&C is “simple”, like a Cowboys fan’s knowledge of football:

  • 1 – Support migration of highly regulated workloads to vSphere
  • Dos –  Provide coverage of most common regulatory, industry and vendor policies
  • C – Drive Industry Thought Leadership 

As a follow-on from VMworld, we are going to extend the Management Mastery series to our Secura-Nerds and give you an opportunity to discuss relevant topics that are HUGE. Bottom line, Security and Compliance are the main inhibitors to Virtualization & Cloud Computing. VMware and other vendors have solutions that are VIRTUALIZATION aware and attack these problems head on.

With all that being said, our first topic is Mixed Mode support for PCI environments. See Section 4.2 in the Vendor Information Supplement. Section 4.2 strongly recommends that VMs of different security levels are not hosted on the same hypervisor or physical host.  The fear is that a less secure VM can be used to spawn off an attack on a more secure VM.

It is my opinion that most people are not up to speed on Virtualization Security and Compliance Solutions. If you can prove that the systems in a mixed mode are not communicating, you should be golden. If your QSA does not agree, it might be time to get a new QSA. Jkjkjkjkj, not really but… Click the link below to see what we talked about at VMworld. I was misquoted in this article, Computer World and several others. (I NEVER said QSAs were ten years behind :) ) Seriously, I have some good friends that are QSAs and they will also be tracking this blog to help answer questions. BTW: This got heated at VMworld during our trusted cloud session.

Y'all are going to have to excuse my Grammar and Spelling errors. I am ESL and it comes out all the time. Happy Monday and give us a shout!

http://www.csoonline.com/article/688819/vmworld-security-regulatory-concerns-still-a-challenge-in-virtualization?source=rss_news

 

Ensuring a Secure and Compliant Virtualized or Cloud Computing Environment with VMware

Join us tomorrow for this webinar on VMware security solutions for Virtualization and Cloud. Rob Randell and I will kick it with folks & chat about how some of our customers are attacking Security Best Practices & Compliance. You know mixed mode & PCI 2.0 will come up!

For more info, click on the registration link below:

https://event.on24.com/eventRegistration/EventLobbyServlet?target=registration.jsp&eventid=326322&sessionid=1&key=FFD7805B6954B7637718E01C737BF278&sourcepage=register