VMware Cloud Community
TheVMinator
Expert

Tools for Compliance

I am aiming at eventual HIPAA and SOC 2 compliance. Right now, from a tools perspective, I have only Nessus, a scanning tool. As far as tools I may need to invest in, what are the areas, and the best tools in those areas, that I need to look at to have a shot at HIPAA + SOC 2?

Has anyone tried to quantify the areas in which you need to purchase tooling and/or develop automated reporting in order to facilitate the process of driving toward compliance standards such as these, and can help me quantify what is needed as represented below?

Area | Tool example | Level of importance for compliance (Recommended, Important, Essential, or Overkill?)
Scanning of ESXi hosts and vCenter Server and reporting results | Nessus (is this enough by itself to address scanning, or is another tool needed?) |
Configuration management tool | VMware Configuration Manager, others? |
Security analytics tool for logs and events | Log Insight plus security pack, or Splunk |
Tool for authentication / password vault | HyTrust or similar |
(add other areas / tools I missed here...)
Netwrix
Enthusiast

You can also look at our Netwrix Auditor for VMware, it tracks who made what changes, when, where, including snapshots and other things. Works with vSphere and individual ESX(i) hosts. Integration with SIEM supported.

HIPAA compliance with Netwrix reference documentation.

Texiwill
Leadership

Hello,

Auth: HyTrust, Xceedium, Thycotic, etc. Lots that can help here; some will record sessions, others will not.

Compliance checking: Catbird (covers most if not all of them), HyTrust (depends on what), VMware vCM + its add-on packages, etc. I personally like HyTrust and Catbird for this. Now, VMware may be working on new stuff as well. I even wrote my own script to check against the hardening guide. You really want to meet that for the Virtual Environment (VE). For the VMs, that is different. Is the VE in scope if the management is segregated from the VMs? What is the scope of your compliance? That is paramount to understand first. Remember, compliance is NOT security.

Best regards,
Edward L. Haletky
VMware Communities User Moderator, VMware vExpert 2009, 2010, 2011,2012,2013,2014

Author of the books 'VMWare ESX and ESXi in the Enterprise: Planning Deployment Virtualization Servers', Copyright 2011 Pearson Education. 'VMware vSphere and Virtual Infrastructure Security: Securing the Virtual Environment', Copyright 2009 Pearson Education.

Virtualization and Cloud Security Analyst: The Virtualization Practice, LLC -- vSphere Upgrade Saga -- Virtualization Security Round Table Podcast

--
Edward L. Haletky
vExpert XIV: 2009-2023,
VMTN Community Moderator
vSphere Upgrade Saga: https://www.astroarch.com/blogs
GitHub Repo: https://github.com/Texiwill
TheVMinator
Expert

Compliance checking: Catbird (covers most if not all of them), HyTrust (depends on what), VMware vCM + its add on packages, etc.

OK - what do you think about Nessus for use in compliance checking?

I even wrote my own script to check against the hardening guide.

By chance, is your script publicly available?


You really want to meet that for the Virtual Environment (VE).

For HIPAA - do I need to meet Reference Profile 2 on all points?


Is the VE in scope if the management is segregated from the VMs? What is the scope of your compliance?

Not sure how to go about determining this for HIPAA or SOC 2. Suggestions? (There is a separate management cluster, and separate networks for the management VMs.)


Thanks for the input!

Texiwill
Leadership

Hello,

Re: Nessus

It can be used, but it only sees a little of the VE; it will, however, see your VM environment. Compliance is really about the workloads: what they touch, and what they indirectly touch. Start with figuring out the actual scope of the compliance.

Re: Script

Not really; it does, however, hit the highlights. I plan on making it available somehow.

Re: HIPAA

Where are your workloads in relation to everything? Generally I would say yes, but how is HIPAA handled today? First check that with your compliance folks. Compliance is really about the workloads: what they touch, and what they indirectly touch. Start with figuring out the actual scope of the compliance.

Best regards,
Edward L. Haletky
TheVMinator
Expert

OK, thanks again.
