I am in love… Truly … Truly. In love. I got to work with and demo the new RSA Archer eGRC Cloud Security and Compliance solution. The ability to see the virtual world through the eyes of security made me almost cry. I am not sure whether it was the complete solution or just what it means that made me more in love. The fact that cloud security has its own tab… its own dashboard available in the tool is so groundbreaking. It means that everything I believe in is coming together… security and the cloud. It means that all this talk was not for nothing.
Let me give you a little background on the RSA Archer eGRC solution. It is a platform that allows you to get a deep and granular understanding of the governance, risk, and compliance within your entire organization. It allows you to map control procedures (enable logging) to control standards (maintain security logs of all network devices) and to regulations (PCI, HIPAA, NERC). It uses multiple integration points, such as a data feed manager and a web service API. But in actuality, that is just the beginning of the capabilities of the tool. There are multiple customers that use the tool for many other things. There are NINE core solutions in the Archer platform: Enterprise Management, Business Continuity Management, Vendor Management, Audit Management, Policy Management, Risk Management, Compliance Management, Incident Management, and Threat Management. Cloud Security and Compliance requires Enterprise Management, Compliance Management, and Policy Management. I cannot begin to give the RSA Archer eGRC solution the credit it deserves. Some people do not understand the importance of this tool, but then again, some people just don’t get the big picture. They live in a siloed world and cannot understand the concept of a solution versus a product. I personally love the Archer product… I actually joke that if I had children, I would name one of them Archer.
The RSA solution for cloud security and compliance uses the RSA Archer eGRC solution to let you see whether your virtual environment is complying with the VMware hardening guidelines and whether your physical environment is in compliance with the appropriate hardening guidelines that the other vendors have released. It is important to understand that in order to get the full risk and compliance picture across the entire stack, you must use the appropriate tools for each layer. For instance, vCM (VMware vCenter Configuration Manager, also called EMC IONIX SCM or Configuresoft) should be the source you use to map these factors to your physical servers. EMC IONIX UIM (Unified Infrastructure Manager) or EMC IONIX NCM (Network Configuration Manager, or Voyence) should be used to map these factors to your network devices.
Now let’s get back to the point… once again, I want to determine whether my virtual machines are complying with my corporate standards as well as VMware’s hardening guidelines. For example, are the VMs that the financial department is using at the highest compliance levels? Are all the configurations set appropriately? Am I doing everything to reduce my security risk for my own corporate needs as well as for the PCI regulations that I need to adhere to? How am I supposed to talk about virtualization and security if I can’t even tell you how to assess your risk levels? There is so much to this product and to where it will be going in the future… this is just a start. The possibilities are endless… I get giddy just thinking about it. RSA of course released a SecurBook discussing this solution… and no solution is complete without a video explaining it all, which is available below (got to love the accent). And of course, to get all the information on the other RSA SecurBooks as well on Secure Virtualization…