Vmworld 2005-sln241

Virtualization Streamlines Regulatory Compliance
Kacee Bui: Sr. Manager, IT Compliance and Governance, VMware
Iben Rodriguez: Technical Operations, VMware


Transcript of Vmworld 2005-sln241

1. Virtualization Streamlines Regulatory Compliance
  • Kacee Bui: Sr. Manager, IT Compliance and Governance, VMware
  • Iben Rodriguez: Technical Operations, VMware

2. This presentation may contain VMware confidential information. Copyright 2005 VMware, Inc. All rights reserved. All other marks and names mentioned herein may be trademarks of their respective companies.

3. What Led Us Here?
  • Growing complexity of technology
  • Business environment changing

4. What Led Us Here, cont.
  • Certification and Accreditation (C & A):
      • Internal controls
      • Risks are mitigated
  • Increased legislation as a result of various corporate scandals (Enron, WorldCom)

5. Regulatory Rules and Standards
  • Sarbanes-Oxley (SOX 302 & 404)
  • HIPAA
  • California SB1386
  • Gramm-Leach-Bliley (GLB)
  • Federal Info. Security Mgmt (FISMA)
  • Internal audits
  • ISO17799, ITIL
  • Etc., etc., etc.

6. How Does Compliance Affect You?
  • You have to follow regulations
  • Increased IT resource and cost requirements
  • High demands on IT organization:
      • Control activities
      • Documentation & maintenance
      • Testing / quarterly audit

7. How Does Virtualization Streamline Regulatory Compliance?
  • Reduces resource & cost requirements
  • Unifies IT controls
  • Provides efficient audit trails
  • Reduces compliance administrative effort

8. Examples

9. Example 1: Access Controls
  • Risk: The security architecture for the network (LAN) and servers is not configured to properly prevent inappropriate and/or unauthorized access
  • Control: With virtualization, virtual machines can be ISOLATED from each other

10. What Is Virtualization?
  [Architecture diagram: virtual machines (Exchange on Windows 2000, SQL Server on Windows NT4, Apache on Red Hat 7.2), each with virtual devices (console, NIC, CD, floppy, serial, etc.); a service console (SNMP agent, Perl scripting, remote KVM, security mgmt, web server); a virtualization layer with scheduler and memory mgmt.; Intel processor hardware (CPUs, memory, SCSI/FC storage, Ethernet network, other devices).]

11. Isolation
  • CPU hardware / protection
  • Fault, performance and security isolation
  • CPU, RAM, disk, and network resource controls
  • Resource allocations can be changed on the fly
  • Guaranteed service levels
  • If one virtual machine crashes, it has no negative effect on any other running virtual machines

12. Virtualization Reduces Resource Requirements
  • Your production and development instances must be separated
  • Without virtualization, you would need to obtain additional machines for each production and development instance
  • With virtualization, you will have fewer physical machines, and software controls are used to isolate machines

13. Example 2: Change Mgmt Controls
  • Risks:
      • Incomplete, inaccurate, or unauthorized development is introduced into the Production environment, impacting system integrity and availability
      • Key business processes and/or IT assets may be unavailable because of unauthorized changes to the infrastructure and/or job schedules
  • Control: With virtualization, events and changes are captured automatically

14. Virtual Controls: Audit Trails
  • Incidents and changes must be logged and documented accurately
  • Without virtualization, this is a manual process and subject to error
  • With virtualization, events and changes are captured automatically
  • Examples:
      • Adding drive space
      • DB schema changes
      • Adding network interface

15. Change Control Examples
  • Virtual network interfaces: virtual NICs plug into virtual switches
  • Two or more: bonded external links for fault tolerance and bandwidth aggregation
  [Diagram: VLAN A and VLAN B on a virtual VLAN switch; uplink NICs to physical switch VLAN trunk ports.]

16. Example 3: IT Operations Controls
  • Risk: Segregation of duties: unauthorized access, shared functions
  • Control: With virtualization, minimizes discrepancies and exceptions

17. Virtual Controls: Segregation
  • Separate roles for system and database administrators, software developers and business analysts. Use Role Based Access Control lists to authorize who can make what changes
  • Without virtualization, this requires more training, oversight and manual auditing
  • With virtualization, only members of hardware support team can upgrade physical hardware

18. Example 4: IT Operations, cont.
  • Risk: Backup and Recovery: Inability to recover and restore critical business data accurately, completely and in a timely manner in the event of a failed system or disaster.
  • Control: With virtualization, recovery time is minimized

19. Virtualization: Recovery
  • Many of you will leverage SOX to ensure proper recovery plans are in place and tested
  • Typically standby data center and hardware
  • Replacement servers do not need to be identical hardware
  • Virtual machines can be consolidated during recovery
  • Virtual machines can be replicated, and standby site can be brought up quickly

20. Virtualization: Encapsulation
  • Entire state of the virtual machine is stored in a computer controlled file
  • Administrators can now use software and not screwdrivers when working on machines
  • Virtual machine state can be transferred through space and time
      • Time: stored on a DVD-ROM
      • Space: transfer over a network

21. Recovery Example
  [Diagram labels: Architecture, Hypervisor, Virtualization Layer, App, OS.]

22. Virtualization Simplifies Changes
  • Key task: Provision a new server
      • Traditional approach: 3 - 10 days hardware procurement; 1 - 4 hours provisioning new server
      • With server virtualization: A few minutes to provision a new virtual machine. Standard templates are used.
  • Key task: Moving an application to a new server or repurposing a server
      • Traditional approach: 4 - 6 hours for migration; service interrupted for duration of maintenance window; requires days/weeks of change management preparation
      • With server virtualization: A few minutes with virtual machine management console
  • Key task: Hardware maintenance
      • Traditional approach: Requires 1 - 3 hour maintenance window
      • With server virtualization: Hardware upgrades happen in virtual world.

23. Summary - Virtualization and Compliance
  • Regulatory compliance is complex
  • Virtualization is a complex tool
  • Careful planning, implementation and monitoring are essential

24. Questions