I received a few emails from readers looking for more information on how to start mapping their virtual and cloud environments to different compliance standards without starting to invest in security solutions. A free check-up, if you will. Since this falls right in line with what I am hoping to get virtualization folks to start thinking about, you can think of this as a modification of Technology Tuesday; let’s call it Woohoo! Wednesday. The key is that it is indeed worthy of that exclamation mark, because this compliance tool is not only free, but if you’re running a VMware environment, you probably have it already. You just don’t know it.
Back when vSphere 5 came out, there was a tool that somehow slipped under most people’s radars called Compliance Checker. This free (yes, you read that right) tool is fully functional and helps you measure your virtual environment against the recommended hardening guide for vSphere. In addition, you can run the checks across multiple ESX and ESXi servers and print out reports (the reports are a great way to show your progress towards a compliant environment).
So why is this tool such an important first step, aside from showing you “hey, you are(n’t) compliant”? Well, for one, it’s a great tool to bring security folks and infrastructure folks to the same table. If you have a measurable goal, it’s a lot easier to make a detailed plan to get there. Think of the reporting functionality as a way to regularly review your environment and ensure that you are moving in the right direction. It can also help you see any vulnerabilities or risks in your environment before they turn into a significant risk, and give you detailed information on how to perform remediation supported by experts, straight from the tool.
Simply stated, if you do one thing in the next 6 months to start securing your virtual and cloud environments, start with mapping against compliance requirements. This tool will be one of the easiest ways to show both the infrastructure and security teams the importance of starting to think of security within virtual environments. In addition, because it’s an absolutely free tool for those with VMware environments, it can be implemented quickly without involving higher levels of management – although I expect they will be curious to see the results.