It’s Cybersecurity Awareness Month and we’re on our third week of live talks. This week I will be talking about compliance audits and regulatory work, specifically surviving an audit. Join me at 11 AM Pacific on October 22, 2020. No registration needed, just show up!

Compliance is one of those things we, as vSphere Admins, dislike, and it’s pretty clear the auditors don’t like dealing with us, either. Why is that? First, it’s the way the regulatory frameworks are set up. PCI DSS 3.2.1, NIST SP 800-53, NIST SP 800-171, HIPAA: none of those guidelines actually tells you how to meet the requirements with an actual product. That’s up to the vSphere Admins to figure out, and there are lots of different opinions on how to do it. Second, auditors don’t know vSphere like vSphere Admins do, so there’s education and explanation involved. Who has time for that? Besides, aren’t these infosec people supposed to know what they’re doing? Spoiler: they do, but their job is different from what we think it is. Third, there are a lot of tools out there that claim to help, and we’ll talk about whether they do or whether they make the problem worse. Last, vSphere Admins don’t like the idea of someone checking their work; at least I know I don’t. All this adds up to a bad experience for everyone.

Can we make this situation better? ABSOLUTELY. Let’s talk about some ways to deal with an audit. What can we do to both improve security and reduce the pain of audits? What resources are available from VMware? Are there any specific tactics a vSphere Admin can use to make the audit easier? What do you do when an auditor gives you a big list of “findings” from a scanning tool? Why can’t VMware just give the auditor a certificate saying it’s secure and leave you in peace?

We’ll talk for 20-30 minutes live, and then answer any questions from the chat you might have. It’ll be fun!

Our first two talks were on hardening vSphere security and protecting applications and workloads. Visit our page at core.vmware.com or our YouTube channel to watch the recordings and to get .ics files to save the date for this week and next (next week will be about identity management, and it is timed so that our EMEA friends can join easily).