I was privileged to speak at the 3rd Annual South Florida ISACA WoW! Event with Robert Stroud, Alan Shimel, and other great speakers. What I discovered from this conference is something I have feared for quite a number of years. Compliance actions are not continuous but are often only enacted when the auditor shows up at the door. Secondly, very few auditors raised their hand when I asked if they are working with virtualization or have customers that virtualize; this was quite a surprise. Several things pop to mind when talking about compliance after the ISACA WoW! Event:
- Auditors may not actually know virtualization is in use
- Auditors do not have much guidance on virtualization
- Compliance is not Security, Security is not Compliance
- Continuous Compliance monitoring and assessment is not performed within the virtual environment
Is Virtualization in Use?
Under most current compliance guidance there is no real need for an auditor to know whether virtualization is in use, because the guidance does not comment upon it. There are three possible outcomes of this lack of guidance:
- The auditor looks only at the virtual machine and ignores the virtualization hosts
- The auditor looks at the physical server as a single host and not a virtualization host and that part of the audit fails
- The auditor looks at the virtualization host and the VMs as a hybrid device.
The first outcome is in line with most guidance today, since auditing looks at the data protections within the guest and the network. Because virtualization is not mentioned within most guidance, the second outcome is also possible, and hopefully not as common. The third outcome requires the auditor to understand the basics of virtualization and make a judgement based on that knowledge.
Guidance on Virtualization?
PCI and FDIC are working on compliance guidance that includes virtualization within their definitions. NIST also has general guidance on virtualization. However, there is no specific guidance for virtualization based on the hypervisor in use. General guidance goes a long way, but each hypervisor has its own strengths and weaknesses.
Compliance is Not Security
Conversely, security is not compliance. There is a lawsuit between a bank and an auditing company because the auditing company stated that a third party was compliant. The bank interpreted that to mean the third party was secure, and so when a breach happened, it sued the auditing company.
The attitude among non-auditors is that compliance equals security, and that is false. Compliance is meeting regulatory needs, not necessarily security needs. Granted, many compliance requirements are rooted in security, but you can never guarantee that compliance implies security; for that you need to perform a penetration test.
This is a hard sell to the C-levels, as they spend money on the things they are required to do for compliance rather than on security, unless there has been a breach. Money is tight and decisions need to be made, but assuming compliance is security is a mistake. Compliance is just one part of the overall security picture.
Auditors do not necessarily look for continuous compliance; instead, they look at a point in time. At this point, for example, were patches installed? Not whether the patches were kept installed since the last audit, and so on. Auditors should check for continuous compliance instead of compliance at a point in time.
Virtualization actually lends itself quite well to continuous compliance using such tools as Catbird vCompliance, or Reflex Systems VMC. There are also other products such as RSA Envision.
Even so, continuous compliance is just one aspect that an auditor needs to ensure is occurring; more importantly, compliance needs to catch up with virtualization. Until guidance is available, auditors should arm themselves with knowledge of virtualization and with the current security guidance from the vendors, CISsecurity, or current government documentation (in the US this would be from NIST and DISA).