Chapter 10

Building Compliance into Virtual and Cloud Environments

The question isn't who is going to let me; it's who is going to stop me.

— Ayn Rand

Ah, but a man's reach should exceed his grasp, Or what's a heaven for?

— Robert Browning

Compliance and security often are confused, debated, and rated as separate and distinct. There may actually be more alignment than discord. The idea of a secure environment being compliant and the idea of a compliant environment being secure can actually mean the same thing.

What makes them different is more a matter of decision and procedure than talent or technology. This chapter attempts to explain the differences to bring the previous nine chapters into perspective for anyone working with regulations and compliance in virtual and cloud environments. It also presents details of a sample set of regulations to illustrate how to achieve compliance with virtualization.

Compliance versus Security

Perhaps the simplest and clearest definition of security is that it is a singular perspective of protection against risk. Whenever you assess security, you are working from your own criteria. Compliance, on the other hand, always involves more than one perspective; it introduces an outside or foreign set of criteria that might not match your own.

That might seem like an unsatisfying definition. Suppose a security consultant says that compliance is a lower bar than security. She suggests that if you follow her list of recommendations, you will be far more ...

Get Securing the Virtual Environment: How to Defend the Enterprise Against Attack, Included DVD now with the O’Reilly learning platform.