IT Jedi Knight: These are not the servers you are looking for.
Auditor: (To other auditor) These are not the servers we are looking for.
IT Jedi Knight: There is no need to audit the hypervisor.
Auditor: We do not need to audit the hypervisor.
IT Jedi Knight: Now move along.
Auditor: (To IT Jedi Knight) Move along!
This very scenario is playing out in IT shops across the country, and to a lesser degree this is exactly what is happening. Chris Hoff posted a blog about this topic a week ago and I just came across it. In it he tries to answer the age-old question: "Is this in scope?" He also gets the answer exactly right: it is up to the auditor.
I have talked with a lot of customers about PCI, since many companies buy Tripwire for PCI compliance, and like a good sales engineer I ask them about ESX and PCI. I am still amazed that my customers are telling me the auditor is not poking around the ESX server. PCI is designed to protect the consumer's credit card information, so I cannot understand why someone would not want to audit the security of the ESX host, considering it may be running several virtual machines that are involved in the credit card transaction.
In general, the audit community is behind a couple of years in terms of technical knowledge and published checklists (what they use for their audit). Enjoy your peaceful time now because it is a matter of time before you start hearing questions like, “Is this server virtualized?” or better yet “How are you segmenting the traffic of your administrative network in ESX?”
As I mentioned above, I do ask my customers what they are using to monitor their ESX hosts today, and I ALWAYS (eventually this will change) hear that they are not monitoring them. Many of my customers then do decide to monitor this infrastructure for the inevitable day when their auditor starts asking questions.
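To make "monitoring the ESX host" concrete, here is an added example (not code from the original post and not Tripwire's product code) of the basic idea behind host integrity monitoring: hash a baseline of the files an auditor cares about, store it off the host, and later compare the live host against it. The watched paths and file contents below are constructed sample data created in a temporary directory; they stand in for the hypervisor's own configuration files and are assumptions, not a list of what a real ESX audit requires.

```python
import hashlib
import json
import os
import tempfile
from pathlib import Path

# Constructed sample list of files to watch on a hypervisor host (assumption
# for illustration; a real baseline would be driven by your audit checklist).
WATCHED = [
    "etc/vmware/esx.conf",
    "etc/ssh/sshd_config",
    "etc/passwd",
    "etc/cron.d/newjob",   # not present at baseline time; we still track it
]


def hash_file(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large files do not load into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path, relpaths):
    """Record hash and permission bits for each watched path.

    A missing file is recorded as None so that its later appearance is
    reported as a change rather than silently ignored.
    """
    baseline = {}
    for rel in relpaths:
        p = root / rel
        if p.is_file():
            baseline[rel] = {
                "sha256": hash_file(p),
                "mode": oct(p.stat().st_mode & 0o777),
            }
        else:
            baseline[rel] = None
    return baseline


def compare(root: Path, baseline: dict):
    """Return (path, change_type) for every watched file that drifted."""
    findings = []
    current = build_baseline(root, baseline.keys())
    for rel, old in baseline.items():
        new = current[rel]
        if old == new:
            continue
        if old is None:
            findings.append((rel, "created"))
        elif new is None:
            findings.append((rel, "deleted"))
        elif old["sha256"] != new["sha256"]:
            findings.append((rel, "content changed"))
        else:
            findings.append((rel, "permissions changed"))
    return findings


def demo():
    """Build a baseline, simulate drift on the host, and report the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for d in ("etc/vmware", "etc/ssh", "etc/cron.d"):
            (root / d).mkdir(parents=True)
        # Constructed file contents standing in for real host configuration.
        (root / "etc/vmware/esx.conf").write_text('/firewall/enabled = "true"\n')
        (root / "etc/ssh/sshd_config").write_text("PermitRootLogin no\n")
        (root / "etc/passwd").write_text("root:x:0:0:root:/:/bin/sh\n")
        os.chmod(root / "etc/passwd", 0o644)

        # The baseline is serialised exactly as you would ship it off-host;
        # keeping it only on the monitored machine defeats the purpose.
        baseline_json = json.dumps(build_baseline(root, WATCHED))

        # Simulated drift: a setting flipped, an unexpected new file, and a
        # permission change. sshd_config is left alone and must not be reported.
        (root / "etc/vmware/esx.conf").write_text('/firewall/enabled = "false"\n')
        (root / "etc/cron.d/newjob").write_text("* * * * * root /bin/true\n")
        os.chmod(root / "etc/passwd", 0o666)

        return compare(root, json.loads(baseline_json))


if __name__ == "__main__":
    for path, change in demo():
        print(f"{change:20s} {path}")
```

The comparison reports three kinds of drift (content, permissions, presence) and stays quiet about the untouched file, which is the behaviour you want when the auditor asks how you would know if someone changed the hypervisor's configuration between audits.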
So my advice to you: use your Jedi mind tricks on the auditors now, because the day is coming when they are going to laugh like Jabba the Hutt and tell you these tricks will not work on them.