Virtualization Policy

I am looking for a policy for financial institutions that covers server virtualization.  The policy should address host security management,  compliance, spin up, deployment, retirement and other areas that need to be included in such a policy.  

Thanks in advance!

You will need to write the policy to address your company and the business model.  You can use something like this as a starting point,
btan (Exec Consultant) commented:

I propose that you check out PCI DSS 2.0. The major change in version 2.0 is that the PCI Security Standards Council brought the virtualization layer into the scope of the standard, which governs organizations that handle credit card information.

Key points in general for the processes are:
- implement one primary function per VM and treat VMs as physical servers
- segregate functions and networks with different security levels, e.g. if VLANs have different functions or security levels, you may need to create more vSwitches to isolate traffic
- do not share production environments with test and development environments, e.g. it is easy to have test and dev VMs running on the same hosts with the same storage devices as production VMs, but PCI DSS 2.0 does not allow that
- do not use devices that could be shared among VMs, such as USB devices that are attached to the host
- provide only the level of access needed for someone to perform his job and no more, e.g. if you assign someone access to manage a VM, don't allow that person to move it to another vSwitch; just give him the specific permissions needed for that task
- don't allow people to directly access a hypervisor; this privilege should be extremely limited
- make users go through vCenter Server, or whatever management console you use, to ensure virtualization compliance

Information Supplement: PCI DSS Virtualization Guidelines

NIST Special Publication 800-125

Another is NIST, as fundamental hardening guidance, from which PCI DSS is not far off; specifically, I find its "Guide to Security for Full Virtualization Technologies", Section 5: Secure Virtualization Planning and Deployment, has much we can extract as principles.

The guide is intended for system administrators, security program managers, security engineers and anyone else involved in designing, deploying or maintaining full virtualization technologies. NIST SP 800-125 recommends organizations:
- secure all elements of a full virtualization solution and maintain their security;
- restrict and protect administrator access to the virtualization solution;
- ensure that the hypervisor, the central program that runs the virtual environment, is properly secured; and
- carefully plan the security for a full virtualization solution before installing, configuring and deploying it.
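One way to turn the PCI DSS points above into a repeatable check, as an added example that is not part of btan's answer or of any vendor tool: a Python audit over a constructed VM inventory (the record fields host, env, zone, functions, vswitch and usb_passthrough are assumed), flagging VMs with more than one primary function, USB passthrough from the host, non-production VMs sharing a host with production, and vSwitches carrying more than one security zone.

```python
from collections import defaultdict

# Constructed sample inventory (not real hosts); one record per VM.
VMS = [
    {"name": "pay-db01", "host": "esx01", "env": "prod", "zone": "cde",
     "functions": ["database"], "vswitch": "vSw-CDE", "usb_passthrough": False},
    {"name": "pay-web01", "host": "esx01", "env": "prod", "zone": "cde",
     "functions": ["web", "database"], "vswitch": "vSw-CDE", "usb_passthrough": False},
    {"name": "dev-build01", "host": "esx01", "env": "dev", "zone": "dev",
     "functions": ["ci"], "vswitch": "vSw-DEV", "usb_passthrough": True},
    {"name": "hr-app01", "host": "esx02", "env": "prod", "zone": "corp",
     "functions": ["app"], "vswitch": "vSw-CDE", "usb_passthrough": False},
]

def audit(vms):
    """Return (subject, rule, detail) findings; an empty list means compliant."""
    findings = []
    by_host, by_vswitch = defaultdict(list), defaultdict(set)
    for vm in vms:
        by_host[vm["host"]].append(vm)
        by_vswitch[vm["vswitch"]].add(vm["zone"])
        # One primary function per VM.
        if len(vm["functions"]) > 1:
            findings.append((vm["name"], "one-function-per-vm", ", ".join(vm["functions"])))
        # No host-attached devices (e.g. USB) shared into VMs.
        if vm["usb_passthrough"]:
            findings.append((vm["name"], "no-shared-host-devices", "USB passthrough enabled"))
    # Production must not share a host with test/dev VMs.
    for host, hosted in by_host.items():
        if {vm["env"] for vm in hosted} > {"prod"}:  # prod plus something else
            for vm in hosted:
                if vm["env"] != "prod":
                    findings.append((vm["name"], "prod-test-separation",
                                     f"non-prod VM on prod host {host}"))
    # A vSwitch must carry a single security zone; mixed zones need separate vSwitches.
    for vsw, zones in by_vswitch.items():
        if len(zones) > 1:
            findings.append((vsw, "zone-segregation", "zones " + ", ".join(sorted(zones))))
    return findings

def rules_violated(vms):
    """Distinct rule names violated by the inventory, sorted for stable reporting."""
    return sorted({rule for _, rule, _ in audit(vms)})

if __name__ == "__main__":
    for subject, rule, detail in audit(VMS):
        print(f"{rule:24} {subject:12} {detail}")
```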

sfjcpu (Author) commented:
Thank you for your feedback!