I was on a compliance panel at VMworld last week. It was well-attended and followed by a bunch of good questions from the audience. One of the most common questions was “Is VMware PCI compliant?”
The answer is “No. VMware is not inherently ‘compliant’ with PCI or any other regulation.” Why? Because technology is not a silver bullet when it comes to compliance, and virtualization is no exception.
Compliance is about your organization’s policies and controls – and whether you can demonstrate that you are adhering to them consistently. Therefore, the biggest obstacle to compliance is generally not the technology you use; it’s the people involved in defining, implementing, monitoring, and enforcing your controls.
Sure, some technologies make it easier to achieve and demonstrate compliance. Virtualization, for example, can make it easier for service providers to segregate customer data so they don’t mingle data from different clients. But you still need to understand your risks, and create controls that enable you to manage and mitigate those risks.
Someone asked me what the biggest obstacles to compliance were. In my experience, it usually boils down to one of the following problems:
- inadequate “tone at the top” – no management-level commitment;
- lack of clearly defined processes, roles, and risks;
- insufficient communication of expectations to staff and stakeholders;
- lack of documentation (policies, processes, roles, etc.);
- inadequate detective controls, meaning you can’t systematically detect when policies and processes are circumvented;
- lack of defined and enforced consequences (i.e. people break the rules, but nothing happens).
If you are subject to compliance and you’re adopting virtualization, I’ve got good news – there is now a VMware Compliance Center available to you, and it’s filled with some excellent materials to help you get there faster. Click here to check it out – you’ll be glad you did.