It’s more important in the SDDC than it is in a traditional data center to ensure compliance during the development phase, instead of using the bolt-on approach.
Moving from a standard data center with physical servers, networking and storage to a software-defined data center provides many benefits, but it also requires changing the way services are provisioned and managed. More importantly for many organizations, especially those in highly regulated industries like finance, healthcare and government, it changes the way regulatory and internal compliance policies are met, enforced and evidenced.
It is enough of an issue that it has caused more than one company to hold off on making the move, and the concern is not unfounded. Virtualization means that data and applications cross silos and domains in ways they never did before: a workload and its data can move between hosts, network segments and storage pools that were once separate physical boundaries, and the controls that used to sit at those boundaries do not automatically follow it. Until the organization has mapped those dependencies and documented its processes in a way it can defend, it makes sense to worry about meeting compliance requirements and passing audits.
Because of these concerns, it is more important in the SDDC than in a traditional data center to design compliance controls in during the development and provisioning phase, instead of bolting them on after the environment is running.
The key, says Johnnie Konstantas, a security expert at Gigamon, is to ensure the greatest amount of visibility possible in the SDDC. “Visibility is the starting point for any troubleshooting, optimization and security action that leads toward establishing a compliant state for workloads,” she says.
Along with visibility, the other must-haves for a compliant SDDC are agility and automation. When policy is expressed and applied through automation rather than by hand, it is enforced the same way on every workload, the enforcement itself can be shown to auditors, and a policy change can be rolled out everywhere as soon as it is made instead of drifting across environments.
The best way to ensure the visibility, agility and automation necessary to enable compliance is to choose the technology for the SDDC carefully. Make sure it will allow the operations manager and compliance professionals to secure virtualized workloads effectively and to automate policy. Ask the right questions before committing: can the platform apply policy to a workload automatically, can it show which workloads a given policy currently covers, and can it produce the evidence an auditor will ask for? A platform that cannot answer those questions will leave the organization reconstructing its compliance state by hand.
Another important choice is the type of cloud the organization uses with its SDDC. Most choose a private or hybrid cloud due to concerns about the public cloud's ability to handle compliance and security requirements. That may be changing as vendors work on ways to associate security and compliance policy directly with a workload. When that happens, the policies, processes and procedures associated with that workload, along with the user models and the people permitted to access it, will follow it no matter where it is placed in the cloud environment.
To strengthen the compliance posture further, consider adding third-party software that fills gaps the platform does not cover. There is software available, for example, that provides application-focused protection for specific workloads. Organizations focused on particular regulations can also find software that supports controls in specific areas; in the case of HIPAA, for example, there is software that supports hypervisor administration and data-at-rest encryption. Be clear, though, that such software supports individual controls rather than delivering compliance by itself: map each tool to the specific control it satisfies and keep the evidence that it is doing so.
While putting the right technology and processes in place up front is the first line of defense against compliance issues, the effort must continue long after the SDDC is operational. Regulations change, data center technologies evolve, and personnel come and go. Assigning compliance oversight to one named person within the organization, with a documented backup so that oversight survives staff turnover, makes it much easier to remain in compliance over the long term.
Learn more about the software defined data center and how you can help your customers remain in compliance.
For more information on the Software-Defined Data Center please visit http://www.vmware.com/software-defined-datacenter/index.html.