VMworld 2013: VMware Compliance Reference Architecture Framework: Accelerate your Deployments

VMware Compliance Reference Architecture Framework: Accelerate your Deployments. Moderator: Rob Randell, VMware; Jerry Breaud, VMware; David Barker, EMC; Eric Bruner, Sallie Mae; Noah Weisberger, Coalfire; Tim West, Accuvant. SEC5624 #SEC5624

Upload: vmworld

Post on 10-Jun-2015


DESCRIPTION

VMworld 2013. Moderator: Rob Randell, VMware; Jerry Breaud, VMware; David Barker, EMC; Eric Bruner, Sallie Mae; Noah Weisberger, Coalfire; Tim West, Accuvant. Learn more about VMworld and register at http://www.vmworld.com/index.jspa?src=socmed-vmworld-slideshare

TRANSCRIPT

Page 1: VMworld 2013: VMware Compliance Reference Architecture Framework: Accelerate your Deployments

VMware Compliance Reference Architecture Framework: Accelerate your Deployments

Moderator: Rob Randell, VMware

Jerry Breaud, VMware

David Barker, EMC

Eric Bruner, Sallie Mae

Noah Weisberger, Coalfire

Tim West, Accuvant

SEC5624

#SEC5624

Page 2

Objective

• Understand how the VMware Compliance Reference Architecture provides guidance to enable the design and deployment of VMware and VMware Partner products to meet PCI DSS 2.0 requirements.

• Learn how customers have utilized the VMware and PCI QSA guidance to accelerate the deployment of VMware products to meet their PCI regulatory requirements

Key Takeaways

• The VMware Compliance Reference Architecture for PCI contains product applicability and design guidance for VMware and our Technology partners' products

• The Compliance Reference Architecture for PCI has been reviewed and validated by an independent PCI QSA

• Audit, assessment, design and deployment services are available from VMware and our services partners

Page 3

Meet your panelists….

Moderator: Rob Randell, CISSP, Nicira by VMware, Director Systems Engineering NSBU

Noah Weisberger, Coalfire, Dir Professional Services

David Barker, EMC, Cloud Operations & Security, EMC OnDemand

Tim West, Accuvant, Senior Consultant

Eric Bruner, Sallie Mae, Business Systems Architect


Page 4

Panel Topics

Satisfying information risk managers who have concerns regarding how these technologies are implemented to achieve an ongoing compliant state

Defining the steps on the cloud computing journey in the customer's terms while providing specialization on product implementation to achieve goals and objectives required

What is the VMware Compliance Reference Architecture Framework

Leverage these Compliance services with the VMware Compliance Reference Framework

Page 5

Two Types of Compliance Challenges

Compliance & Security

Operations

Operations Wants to Virtualize and Consolidate More

Business Risk Owner

Chief Compliance Officer / Legal Counsel

But Sometimes Risk Owners Need Convincing

Will I meet compliance & security requirements?

Will my auditor approve?

What’s in it for me?

Will my virtualized environment be as compliant as my physical environment?

Reducing Costs

Infrastructure efficiency

Simpler management

Reduces Compliance Complexity

Streamline compliance reporting

Page 6

Trust and Cloud Computing – Some New Challenges

Mixed mode levels of trust

• VMs riding on the same Guest with different Trust Levels (PCI)

• Multi-Tenancy protecting Intellectual Property (IP) with shared Resources

• Auditor Approval of Design

Evidence based compliance

• What standards and frameworks do I adopt to minimize risk?

• How do I prove my data is properly protected and segmented?

• How do I automate the application best practices, regulatory guidelines and vendor standards?

Separation of consumer and provider

• Consumer delivered governance around workloads

• Evidence from provider around infrastructure compliance

• How do I address data governance, privacy, etc?

• How do we account for change? (Loss of Service)

Page 7

Infrastructure Requirements

• Access Control

• Segmentation

• Remediation

• Automation

• Policy Management

• Audit

Common Control Frameworks

Regulations, Standards, Best Practices

Reference Architectures

PCI Zone

VMware vSphere

Process for Defining Reference Architectures is Not Trivial

Page 8

Solution Development Lifecycle

AUDITOR VALIDATED AUDITOR REVIEWED MULTI VENDOR

Page 9

VMware + Partner + Customer PCI Responsibility

Page 10

Panel Discussion – Enabling PCI Compliant Applications

What do the experts say?

Page 11

Take Aways

Key Takeaways

The VMware Compliance Reference Architecture for PCI contains product applicability and design guidance for VMware and our Technology partners' products

The Compliance Reference Architecture for PCI has been reviewed and validated by an independent PCI QSA.

Audit, assessment, design and deployment services are available from VMware and our services partners

VMware Collateral

VMware Approach to Compliance

VMware Solution Guide for PCI

VMware Architecture Design Guide for PCI

VMware QSA Validated Reference Architecture PCI

Partner Collateral

VMware Partner Solution Guides for PCI

How to Engage?

[email protected]

Page 12

Summary

You now have product, industry and audit guidance coupled with a reference architecture to begin building a PCI compliant cloud

VMware and their partners address compliance concerns for the cloud

VMware has an eco-system of partners and industry leaders aligned behind and supporting the VMware Compliance Point of View


Page 13

Thank You!

Page 14

Other VMware Activities Related to This Session

HOL:

HOL-SDC-1315

vCloud Suite Use Cases - Control & Compliance

Group Discussions:

SEC1002-GD

Compliance Reference Architecture: Integrating Firewall Antivirus, Logging IPS in the SDDC with Allen Shortnacy

SEC5624
