Security Versus Compliance in the vSphere Environment

The terms security and compliance are often used interchangeably. However, they are unique and distinct concepts.

Security, often thought of as information security, is commonly defined as a set of technical, physical, and administrative controls that you implement to provide confidentiality, integrity, and availability. For example, you secure a host by locking down which accounts can log into it, and by what means (SSH, direct console, and so on). Compliance, by contrast, is a set of requirements necessary to meet the minimum controls established by different regulatory frameworks that provide limited guidance on any specific type of technology, vendor, or configuration. For example, the Payment Card Industry (PCI) has established security guidelines to help organizations proactively protect customer account data.

Security reduces the risk of data theft, cyberattack, or unauthorized access, while compliance is the proof that a security control is in place, typically within a defined time line. Security is primarily outlined in the design decisions and highlighted within the technology configurations. Compliance is focused on mapping the correlation between security controls and specific requirements. A compliance mapping provides a centralized view to list out many of the required security controls. Those controls are further detailed by including compliance citations for each respective security control as dictated by a domain such as NIST, PCI, FedRAMP, HIPAA, and so forth.

Effective cybersecurity and compliance programs are built on three pillars: people, process, and technology. A general misconception is that technology alone can solve all your cybersecurity needs. Technology does play a large and important role in the development and execution of an information security program. However, technology without process and procedures, and awareness and training, creates a vulnerability within your organization.

When defining your security and compliance strategies, keep the following in mind:

People need general awareness and training, whereas IT staff need specific training.
Process defines how activities, roles, and documentation within an organization are used to mitigate risk. Processes are only effective if people follow them correctly.
Technology can be used to prevent or reduce the impact of cybersecurity risk to your organization. Which technology to use depends on the risk acceptance level within an organization.

VMware provides Compliance Kits that contain both an Audit Guide and a Product Applicability Guide, helping to bridge the gap between compliance and regulatory requirements and implementation guides. For more information, see https://core.vmware.com/compliance.

Glossary of Compliance Terms

Compliance introduces specific terms and definitions that are important to understand.

Table 1. Compliance Terms
Term	Definition
CJIS	Criminal Justice Information Services. In the context of compliance, the CJIS produces a Security Policy for how local, state, and federal criminal justice and law enforcement agencies must take security precautions to protect sensitive information such as fingerprints and criminal backgrounds.
DISA STIG	Defense Information Systems Agency Security Technical Implementation Guide. The Defense Information Systems Agency (DISA) is the entity responsible for maintaining the security posture of the Department of Defense (DoD) IT infrastructure. DISA accomplishes this task by developing and using Security Technical Implementation Guides, or "STIGs."
FedRAMP	Federal Risk and Authorization Management Program. FedRAMP is a government-wide program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services.
HIPAA	Health Insurance Portability and Accountability Act. Passed by Congress in 1996, HIPAA does the following: Gives millions of American workers and their families the ability to transfer and continue health insurance coverage for when they change or lose jobs Reduces health care fraud and abuse Mandates industry-wide standards for health care information on electronic billing and other processes Requires the protection and confidential handling of protected health information The latter bullet is of most importance to vSphere Security documentation.
NCCoE	National Cybersecurity Center of Excellence. NCCoE is a U.S government organization that produces and publicly shares solutions to cybersecurity problems that U.S. businesses encounter. The center forms a team of people from cybersecurity technology companies, other federal agencies, and academia to address each problem.
NIST	National Institute of Standards and Technology. Founded in 1901, NIST is a non-regulatory federal agency within the U.S. Department of Commerce. The mission of NIST is to advocate for U.S. innovation and industrial competitiveness by advancing measurement science, standards, and technology in ways that increase economic security and improve our quality of life.
PAG	Product Applicability Guide. A document that provides general guidance for organizations that are considering a company's solutions to help them address compliance requirements.
PCI DSS	Payment Card Industry Data Security Standard. A set of security standards designed to ensure that all companies that accept, process, store, or transmit credit card information maintain a secure environment.
VVD/VCF Compliance Solutions	VMware Validated Design/VMware Cloud Foundation. The VMware Validated Designs provide comprehensive and extensively tested blueprints to build and operate a Software-Defined Data Center. VVD/VCF compliance solutions enable customers to meet compliance requirements for multiple government and industry regulations.