
Using virtualization for compliance efforts

Information security professionals at financial institutions deal with a myriad of regulatory requirements and many experts expect the compliance burden will grow in 2009 in the wake of last year's industry meltdown. To meet reporting and other auditing requirements, financial firms need a lot of computing power. In this tip, Judith Myerson explains how virtualization technology can overcome problems associated with physical servers and aid the compliance process.

Financial services firms are faced with an increasing number of local, national and international compliance requirements. Meeting these requirements not only demands people devoted to compliance who can oversee complex processes, but also the computing power of a vast pool of servers to handle the many compliance-related tasks, including auditing information, reporting deadlines and data storage for a specified period of time.

The problem is that today's new server technologies are often expensive to buy and many legacy servers do not allow for the dynamic allocation of existing IT resources. Some servers may need to be shut down to adjust configurations in response to changes in regulatory requirements. Even if money is no object, many organizations have felt operational pains that come with purchasing, configuring, implementing and managing a lot of computer hardware, either in their own facilities or in conjunction with a collocation provider.

Virtualization technology, however, can help overcome these server problems, enabling a financial organization to manage compliance efforts more quickly and cost-effectively, and with greater scalability. In this tip, we'll review some specific benefits offered by server virtualization and how they translate to easing compliance-related business processes for financial firms. We'll also examine some general best practices for preparing for virtualization.

Virtualization ensures business continuity
Virtualization offers an advantage over traditional servers because when a virtual server fails, it's relatively easy for another healthy virtualized server to take over, allowing business to continue. For instance, the Sarbanes-Oxley Act explicitly requires certain types of records be retained for minimum periods of seven years. A failure by a traditional server to appropriately archive information and expand storage capacity beyond the server's maximum limit within the given time can have serious legal consequences, putting the organization at risk of non-compliance.

Virtualization saves hardware, provisioning costs
Another benefit of virtualization is that it allows for provisioning of new systems through the dynamic allocation of existing IT resources. Reducing hardware and provisioning costs helps financial firms offset the costs of complying with various regulations, such as training of systems administrators, hiring of external auditors and preparation of audit reports.

Virtualization makes server management easier
Virtualization decreases the labor costs associated with managing traditional servers, and reduces both the number of tangible hardware assets in use and the logical size of resources, including CPU, I/O, network, server storage and database resources. It hides physical constraints, which makes it easier to minimize the impact of changes to physical resources.

Virtualization implementation: Strategic guidance
When using virtualization for compliance efforts across the enterprise, the ultimate goal is to quickly meet regulatory requirements for reports and data storage, as well as to provide detailed guidance for the people managing the complexity of virtualization at four different levels: data center, servers, applications and workstations. To achieve this, financial firms should do the following:

  • Build a virtualization strategy that details the process of consolidating physical servers and logical resources into multiple virtual servers and resources. The CEO, CIO, compliance officer and other executives -- as well as compliance auditors and IT managers -- should help build the strategy.
  • Review the organization's compliance policies to ensure that regulations have been met and that data can be retained in virtual storage for a minimum of, say, seven years as required by SOX. Make sure to address whether the virtual storage can be expanded later as data is collected over time.
  • Conduct a pilot study on testing virtualization in a sample portion of the enterprise. This will help compliance and virtualization managers collaboratively solve any potential problems before using virtualization on a large scale. It also will help determine what education and training the managers will need to solve unusual problems with virtualization. Without proper training and education, virtualization can be very complex and difficult to perform and administer.
  • As part of the study, perform the following steps. Any step can be repeated to fix a problem found along the way.
    • Know which regulatory compliance applications are right for virtualization. Examine the application-based processes that are part of the compliance effort, such as data retention, and evaluate which compliance functions are best suited for virtual resources. Choose applications that require the least maintenance and do not require a huge amount of server CPU and memory resources for both the virtual application running locally and the management and application logic running remotely.
    • Know which workflow technology can virtually automate the approval processes to meet the compliance requirements. It should allow managers and executives not experienced in programming to edit these processes in response to changes in regulations.
    • Test for virtualization vulnerabilities. Know what compliance data you are storing, when to meet the deadlines and what access control mechanisms are in place.
    • Plan for periodic backups off-site at established times. Test restoration of the backups to make sure they will be functional when the auditors and officers need the backups to audit the data.

Using virtualization for compliance efforts can be a challenge for a financial services firm. Proper implementation can make the job easier.

About the author:
Judith M. Myerson is a systems architect and engineer. Her areas of interest include middleware technologies, enterprise-wide system, database technologies, application development, network management, computer security, information assurance, financial, RFID technologies and project management. She is also a consultant. You can reach her jmyerson at
