On Thursday, 12/29/2005 at 12:10 PST, "Schuh, Richard" <[EMAIL PROTECTED]> wrote:
> Our InfoSec people are going to set some rules as soon as they figure out that
> VM is not covered by their current policy manual. I want to try to come up with
> something a little more reasonable than what they do to the MVS folks and have
> it in place before they audit us.

<security weasel>

I'm not sure of the meaning "more reasonable". Protecting the servers that run the applications is at least as important as the protection of the applications themselves. You may find that your physical server access policies may be appropriate to virtual servers, while the application-level policies might apply to native VM apps. Dunno 'bout your place, but at mine it is very difficult to get physical access to servers.

Ask your InfoSec folks about policies that are applied to VMWare, MS Virtual Server, Xen, or other virtualization software used in your company (if any). Those same policies probably apply to your VM system. Creating separate "VM-only" policies simply makes your VM system stand out and makes it a target, so be sure your new policies can be reused if/when you *do* deploy other virtualization gear.

For the last couple of years I've been preaching that the you-can't-see-me-ignore-me mentality that often accompanies a VM system is on the rapid decline. It is important to get in front of the "wave" and establish the right policies to protect virtual production and test assets.

</security weasel>

Alan Altmark
z/VM Development
IBM Endicott
