It’s Cybersecurity Awareness Month and we’re on our third week of live talks. In fact, the third one starts in just a few hours. Join me at 11 AM Pacific on October 22, 2020 as we talk about surviving compliance audits in a vSphere environment. No registration needed, just show up over in our YouTube channel.
Compliance is one of those things we, as vSphere Admins, dislike, and it’s pretty clear the auditors don’t like dealing with us, either. Why is that? First, it’s the way the regulatory frameworks are set up. PCI DSS 3.2.1, NIST 800-53, NIST 800-171, HIPAA, all of those guidelines don’t actually tell you how to meet the requirements with an actual product. That’s up to the vSphere Admins to figure out, and there’s lots of different opinions on how to do it. Second, auditors don’t know vSphere like vSphere Admins do, so there’s education and explanations and such. Who has time for that? Besides, aren’t these infosec people supposed to know what they’re doing? Spoiler: they do, but their job is different than we think. Third, there are a lot of tools out there that say they help, but we’ll talk about whether they do or whether they make the problem worse. Last, vSphere Admins don’t like the idea of someone checking their work, at least I know I don’t. All this adds up to a bad experience for everyone.
Can we make this situation better? ABSOLUTELY. Let’s talk about some ways to deal with an audit. What can we do to both improve security and reduce the pain of audits? What resources are available from VMware? Are there any specific tactics a vSphere Admin can use to make the audit easier? What do you do when an auditor gives you a big list of “findings” from a scanning tool? Why can’t VMware just give the auditor a certificate saying it’s secure and leave you in peace?
We’ll talk for 20-30 minutes live, and then answer any questions from the chat you might have. It’ll be fun!