Executive Summary
Maintaining Corporate and Regulatory Compliance with Virtual Infrastructure
Virtualization technology poses a challenge for IT organizations that must maintain security and regulatory compliance. Many of the standard practices for monitoring, enforcing and demonstrating compliance with corporate policies or industry regulations are inadvertently skipped, or lost outright, when workloads migrate from physical environments to virtual ones. Government agencies, financial institutions, healthcare providers and other regulated organizations are increasingly required to address compliance up front when mapping out their virtualization deployment strategies. Identifying and addressing these compliance gaps early keeps deployment plans on schedule.
What Changed in Compliance When Moving From Physical to Virtual?
- Loss of Separation of Duties, a key component of most best-practice configuration and deployment recommendations. As a consequence, virtual center administrators hold all the "keys to the kingdom". In the physical world, multiple people in multiple roles (procurement, facilities, network, server, security) formed an inherent check and balance on the deployment of a new machine in the data center; a virtual center administrator now simply clicks a button.
- Loss of secondary or backup controls, essentially the loss of the "belt and suspenders" approach common in regulated data centers. Most compliance failures result not from malicious attackers but from inadvertent human error. Standard practice on physical networks mandates automated tools (often built into system software) to monitor for such errors. Virtualization platforms lack this essential compliance requirement: network controls to prevent unauthorized or anonymous access do not exist, dual controls to prevent abuse of privilege do not exist, and automation to ensure a secure life cycle and strict change control does not exist. An insecure or unauthorized hypervisor configuration negates whatever secondary controls remain. Together, these omissions can produce readily exploitable weaknesses.
- Visibility. You can't protect what you can't detect. Traffic between VMs on the same vSwitch never leaves the host, so the virtual network infrastructure is invisible to information security devices on the physical network. VMs that are out of compliance will not be detected by such tools, and existing technical controls for validation, audit and compliance fail to monitor the virtual infrastructure. Questionable inter-VM traffic will not be blocked. This is an enormous gap that leaves most virtualized data centers short of full compliance.
HIPAA-compliant Virtual Machine (VM) Administration
Human error and unverified automated processes can unintentionally degrade security and compliance. Catbird provides independent enforcement of security and compliance through the VMware APIs and network-based security technology (intrusion detection and prevention, and network access control) running inside the ESX server.
- Creation: Validate and enforce VM Administrator compliance to HIPAA & internal standards.
- Configuration: Enforce policy on authorized applications, monitor and validate patches.
- Separation of Duties: Provide logging and reports for VirtualCenter changes; alert on suspicious activity.
- Dual Controls: Enforce network segmentation to separate test, development and production VMs. Enforce network access controls on any segment, vSwitch or VLAN. Monitor all VI client and VI web access.
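The separation-of-duties and dual-control checks above can be expressed as policy rules evaluated over VirtualCenter change and login events. The following is an added example, not Catbird's code or a description of how its product works: the event fields, the port-group-to-environment mapping, the management subnet and the rule set are all assumptions, and the sample events are constructed for illustration.

```python
"""Policy checks over VirtualCenter-style change and access events.

Added example: the event format, rule set and policy values are assumptions
for illustration and do not describe any product's actual implementation.
"""
from ipaddress import ip_address, ip_network

# Assumed policy: the port groups each environment may attach to, and the
# management subnet that VI client / VI web logins must originate from.
POLICY = {
    "allowed_portgroups": {
        "prod": {"pg-prod-vlan100"},
        "test": {"pg-test-vlan200"},
        "dev": {"pg-dev-vlan300"},
    },
    "admin_subnet": ip_network("10.10.0.0/24"),
}

# Constructed sample events, loosely modelled on vCenter event records.
EVENTS = [
    {"time": "2009-03-02T09:00:00", "type": "VmCreatedEvent", "user": "alice",
     "vm": "billing-01", "env": "prod", "portgroup": "pg-prod-vlan100"},
    {"time": "2009-03-02T09:05:00", "type": "VmCreatedEvent", "user": "bob",
     "vm": "scratch-07", "env": "dev", "portgroup": "pg-dev-vlan300"},
    # bob moves the dev VM he created onto the production VLAN: a segmentation
    # violation, and a single person carrying a change into production.
    {"time": "2009-03-02T09:20:00", "type": "VmReconfiguredEvent", "user": "bob",
     "vm": "scratch-07", "env": "dev", "portgroup": "pg-prod-vlan100"},
    {"time": "2009-03-02T09:30:00", "type": "UserLoginSessionEvent", "user": "carol",
     "src_ip": "10.10.0.15"},
    # VI client login from outside the management subnet.
    {"time": "2009-03-02T23:45:00", "type": "UserLoginSessionEvent", "user": "alice",
     "src_ip": "192.0.2.44"},
]


def env_of_portgroup(portgroup, policy):
    """Return the environment a port group belongs to, or None if unknown."""
    for env, groups in policy["allowed_portgroups"].items():
        if portgroup in groups:
            return env
    return None


def evaluate(events, policy=POLICY):
    """Apply the access, segmentation and dual-control rules; return alerts."""
    alerts = []
    creators = {}  # VM name -> user who created it
    for ev in sorted(events, key=lambda e: e["time"]):
        kind = ev["type"]
        if kind == "UserLoginSessionEvent":
            # Access: management logins must come from the admin subnet.
            if ip_address(ev["src_ip"]) not in policy["admin_subnet"]:
                alerts.append({"rule": "access", "user": ev["user"],
                               "detail": f"VI login from {ev['src_ip']} outside admin subnet"})
            continue
        if kind not in ("VmCreatedEvent", "VmReconfiguredEvent"):
            continue
        if kind == "VmCreatedEvent":
            creators[ev["vm"]] = ev["user"]
        target_env = env_of_portgroup(ev["portgroup"], policy)
        # Segmentation: a VM may only attach to port groups of its own environment.
        if target_env != ev["env"]:
            alerts.append({"rule": "segmentation", "user": ev["user"],
                           "detail": f"{ev['vm']} ({ev['env']}) attached to "
                                     f"{ev['portgroup']} ({target_env})"})
        # Dual control: whoever created a VM may not be the one who later
        # moves it onto production networking.
        if (kind == "VmReconfiguredEvent" and target_env == "prod"
                and creators.get(ev["vm"]) == ev["user"]):
            alerts.append({"rule": "separation_of_duties", "user": ev["user"],
                           "detail": f"{ev['user']} both created {ev['vm']} "
                                     f"and moved it to production"})
    return alerts


if __name__ == "__main__":
    for alert in evaluate(EVENTS):
        print(f"[{alert['rule']}] {alert['user']}: {alert['detail']}")
```

Run against the constructed events, the checks raise three alerts: the segmentation violation and the single-person move into production for scratch-07, and alice's login from outside the management subnet. The same structure applies to any event feed that records who changed what and where the session came from; the value lies in evaluating the rules independently of the administrator who made the change.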
Catbird Networks, Inc.