vGRC: Virtual Governance, Risk, and Compliance

Virtualization Reality

vGRC: Virtual Governance, Risk, and Compliance

By Lori MacVittie, Senior Technical Marketing Manager  |  December 10, 2012

 This article originally appeared in the Dec. 2012 issue of INTERNET TELEPHONY

One of the truisms of technology is that it advances far faster than regulations and standards. It is usually the case that widespread adoption is the impetus for standards and specifications that deal with a variety of concerns, not the least of which is security. Virtualization is no different, having perhaps a longer adoption curve than most but in the end still subject to the same lagging standards and specification around security.

That’s problematic, particularly with respect to GRC initiatives and the need for organizations to balance pressure to adopt newer technology with risk and compliance.

While some standards, such as PCI (News - Alert) DSS, have begun to address virtualization others remain silent on the subject or are in progress, with no real indication of when or if such standards might emerge. Cloud computing environments, the majority of which are based on virtualization, provide little specific guidance. While groups such as the Cloud Security Alliance work on defining guidelines and frameworks through which cloud providers and customers alike can exchange knowledge with respect to security and compliance, still most customers are left to fend for themselves when it comes to determining whether cloud and, in particular, virtualization impacts GRC efforts.

The good news is that the vast majority of compliance initiatives require certification that is achieved via an audit process because so much of it is dependent on architecture and functions, not products. 

Thus form factor is not nearly as much an issue provided virtual appliances have feature parity with their hardware predecessors. If and when virtualized infrastructure is being considered it must be evaluated based on organizational GRC requirements. If controls are currently implemented via hardware devices, it must be asked whether a virtualized equivalent can provide the same control.  

For example, consider the ISO 28000 series framework, one section (ISO/IEC (News - Alert) 18028) of which describes specific techniques and controls related to “securing communications between networks using security gateways.” The section goes on to describe a variety of functions performed by “security gateways” and best practices with respect to deployment and responsibility of the device.

None of this changes when moving from hardware or software to a virtual form factor provided feature parity or equivalency is maintained. What may change is the addition of new network elements that may need attention, such as virtual switches that coordinate east-west traffic between multiple virtual machines hosted on the same physical server.

That’s not to say that virtualization – especially of network infrastructure – has no impact on GRC initiatives. There are certainly questions and concerns raised by the introduction of virtualization with respect to specific controls around interfaces and management mechanisms, all that must be addressed. But by and large these controls are not specific to virtualization; they are simply one more entry point that must be secured.

Simply because specifications and standards do not mention or call out virtualization does not mean they are not applicable. Nor does it mean virtualization is not compliant. Consider the controls and best practices embodied by standards with an eye toward what they are trying to accomplish and whether or not equivalent controls can be implemented in a virtualized solution before declaring virtualization out of scope.

Lori MacVittie is senior technical marketing manager at F5 Networks (News - Alert) (

Lori MacVittie is senior technical marketing manager at F5 Networks (

Edited by Brooke Neuman