Virtualization Policy

I am looking for a policy for financial institutions that covers server virtualization.  The policy should address host security management,  compliance, spin up, deployment, retirement and other areas that need to be included in such a policy.  

Thanks in advance!
btan (Exec Consultant) commented:

I propose that you check out PCI DSS 2.0. The major change in version 2.0 is that the PCI Security Standards Council brought the virtualization layer into the scope of the standard, which governs organizations that handle credit card information.

Key points in general for the processes are:
- implement one primary function per VM and treat VMs as physical servers
- segregate functions and networks with different security levels, e.g. if VLANs have different functions or security levels, you may need to create more vSwitches to isolate traffic
- cannot share production environments with test and development environments, e.g. it is easy to have test and dev VMs running on the same hosts with the same storage devices as production VMs, but PCI DSS 2.0 does not allow that
- cannot use devices that could be shared among VMs, such as USB devices that are attached to the host
- provide only the level of access needed for someone to perform his job and no more, e.g. if you assign someone access to manage a VM, don't allow that person to move it to another vSwitch; just give him the specific permissions needed for that task
- shouldn't allow people to directly access a hypervisor; this privilege should be extremely limited
- make users go through vCenter Server, or whatever management console you use, to ensure virtualization compliance

Information Supplement: PCI DSS Virtualization Guidelines

NIST Special Publication 800-125

Another is NIST, as fundamental hardening guidelines, from which PCI DSS is not far off; specifically I find its "Guide to Security for Full Virtualization Technologies", Section 5: Secure Virtualization Planning and Deployment, has much we can extract as principles.

The guide is intended for system administrators, security program managers, security engineers and anyone else involved in designing, deploying or maintaining full virtualization technologies. NIST SP 800-125 recommends organizations:
- secure all elements of a full virtualization solution and maintain their security;
- restrict and protect administrator access to the virtualization solution;
- ensure that the hypervisor, the central program that runs the virtual environment, is properly secured; and
- carefully plan the security for a full virtualization solution before installing, configuring and deploying it.
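As an added example that is not part of the original answer, the following Python script turns the PCI DSS 2.0 practices listed above into automated checks over a virtualization inventory: one function per VM, no production/test mixing on a host, one security level per vSwitch, no host USB devices passed into VMs, direct hypervisor shell access limited to a break-glass account, and console roles holding no privileges beyond their task. The inventory format, the field names, the host/VM/role names and the `ROLE_BASELINE` are all constructed for this example; a real audit would populate the same structure from the management console's own export.

```python
"""Audit a (constructed) virtualization inventory against the virtualization
practices discussed above. Nothing here talks to a real platform."""
from collections import defaultdict

# Constructed sample inventory; hypothetical names, not real systems.
INVENTORY = {
    "vms": {
        "card-db":   {"host": "esx01", "env": "prod", "zone": "cde",
                      "functions": ["database"], "vswitch": "vs-cde",
                      "usb_passthrough": ["usb-token-0"]},
        "web-front": {"host": "esx01", "env": "prod", "zone": "cde",
                      "functions": ["web", "database"], "vswitch": "vs-cde",
                      "usb_passthrough": []},
        "dev-web":   {"host": "esx01", "env": "dev", "zone": "dev",
                      "functions": ["web"], "vswitch": "vs-cde",
                      "usb_passthrough": []},
        "hr-app":    {"host": "esx02", "env": "prod", "zone": "internal",
                      "functions": ["app"], "vswitch": "vs-corp",
                      "usb_passthrough": []},
    },
    # Accounts allowed to log in to each hypervisor's shell directly.
    "hypervisor_shell_accounts": {"esx01": ["root", "jdoe"], "esx02": ["root"]},
    # Management-console roles and the privileges they currently grant.
    "roles": {
        "vm-operator": ["vm.power", "vm.console", "network.assign"],
        "vm-auditor":  ["vm.view"],
    },
}

# Policy parameters (assumed for this example).
ALLOWED_SHELL_ACCOUNTS = {"root"}          # break-glass only
ROLE_BASELINE = {                          # what each role's task needs, no more
    "vm-operator": {"vm.power", "vm.console"},
    "vm-auditor": {"vm.view"},
}


def _group(vms, key):
    """Map each distinct value of `key` to the VM names that carry it."""
    groups = defaultdict(list)
    for name, vm in vms.items():
        groups[vm[key]].append(name)
    return groups


def audit(inv):
    """Return a list of findings; an empty list means the inventory passes."""
    vms = inv["vms"]
    findings = []

    def flag(rule, subject, detail):
        findings.append({"rule": rule, "subject": subject, "detail": detail})

    # 1. One primary function per VM.
    for name, vm in vms.items():
        if len(vm["functions"]) > 1:
            flag("one-function-per-vm", name, f"runs {vm['functions']}")

    # 2. Production VMs must not share a host with test/dev VMs.
    for host, members in _group(vms, "host").items():
        envs = {vms[m]["env"] for m in members}
        if "prod" in envs and envs - {"prod"}:
            flag("no-prod-test-mixing", host, f"environments on host: {sorted(envs)}")

    # 3. A vSwitch must carry only one security level.
    for vswitch, members in _group(vms, "vswitch").items():
        zones = {vms[m]["zone"] for m in members}
        if len(zones) > 1:
            flag("segregate-security-levels", vswitch, f"zones on switch: {sorted(zones)}")

    # 4. No host-attached devices shared into VMs.
    for name, vm in vms.items():
        if vm["usb_passthrough"]:
            flag("no-shared-host-devices", name, f"USB passthrough: {vm['usb_passthrough']}")

    # 5. Direct hypervisor access limited to the break-glass account.
    for host, accounts in inv["hypervisor_shell_accounts"].items():
        extra = set(accounts) - ALLOWED_SHELL_ACCOUNTS
        if extra:
            flag("restrict-hypervisor-access", host, f"extra shell accounts: {sorted(extra)}")

    # 6. Roles grant only the privileges their task needs.
    for role, privs in inv["roles"].items():
        excess = set(privs) - ROLE_BASELINE.get(role, set())
        if excess:
            flag("least-privilege-roles", role, f"excess privileges: {sorted(excess)}")

    return findings


if __name__ == "__main__":
    for f in audit(INVENTORY):
        print(f"[{f['rule']}] {f['subject']}: {f['detail']}")
```

Run as-is it reports six findings against the constructed inventory (the dual-function `web-front`, the mixed host `esx01`, the shared `vs-cde` switch, the USB passthrough on `card-db`, the extra shell account on `esx01`, and the over-privileged `vm-operator` role); `esx02`, `vs-corp`, `hr-app` and `vm-auditor` pass. Each rule maps to one of the policy statements in the answer, so the script doubles as an evidence generator for the compliance section of the policy.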
Melannk24 commented:
You will need to write the policy to address your company and the business model. You can use something like this as a starting point.
sfjcpu (Author) commented:
Thank you for your feedback!