For a few years now I've been working on building reference architectures at VMware that satisfy requirements to host things like Payment Card Industry (PCI) data, Personal Health Information (PHI) and other regulated workloads, including those governed by standards for protecting government systems such as CJIS, FISMA and FedRAMP. I do a breakout and partner session each year at VMworld US and Europe on this topic, but that lasts only an hour and leaves a lot to be discovered at my other 3 sessions to really get the whole picture. So rather than try to condense the subject into something that wouldn't do it justice, I came up with a metaphor from one of my previous lines of work, civil and structural engineering.
For this metaphor we'll say that VMware makes large steel beams that are used in building bridges. As the manufacturer of these items, VMware performs many in-house certifications of its products. For the steel manufacturer that might mean analyzing the quality of each batch of steel poured into the beam mold for defects like porosity; for VMware these are certifications such as Common Criteria EAL 4+ and FIPS. Because no one builds a bridge with only steel, the beams will be coupled with other subsystems in the field, such as concrete encasement, piers, and cages or suspension systems to support the bridge span. These subsystems can be thought of as the VMware Technology Partner solutions that participate in the Compliance Reference Architectures. Each of these integrations requires the other integrated components to be designed as part of the whole system. To truly integrate the steel beams into the 'system', in this case a bridge, we will need to weld them in place, which changes the properties of the steel. Because this design changes from implementation to implementation, it is just as important for each vendor to establish how its integration can be 'continuously' measured throughout the project lifecycle and beyond, based on its intended performance as part of the design.
Understanding how to build and measure the implementation lies mostly within a select community of people. For the bridge project it would be the engineers, builders and inspectors, while for VMware running in a regulated environment subject to audits such as PCI, HIPAA, or FISMA and FedRAMP for the Federal Government, it is the system architects, engineers, operators and auditors. This community makes up much of the critical interaction for delivering a bridge that's safe to drive on or, in the case of our analogy, an SDDC (Software Defined Data Center) that's safe to host sensitive data on. In order to familiarize the community involved in delivering these systems, there are groups that study the components and produce best practices for their integration by explaining how environment-specific variables might impact the total system design, relative to individual components and the system as a whole. While this process is mature in the civil and structural engineering fields through bodies such as AISC, AASHTO, ASCE, ASTM, etc., in the case of VMware the Compliance Reference Architectures are best practices written by and for practitioners in the target community. They intend to convey not only how individual products and solutions from VMware and Technology Partners may be used to address a control, but how they may be used together to address all applicable controls specific to each operating environment. As our program matures we are working more with the Cloud Security Alliance, the Center for Internet Security, NIST, GSA and FedRAMP 3rd Party Assessor Organizations, asserting new design patterns based on capabilities unlocked by the SDDC relative to achieving compliance with a given regulation or standard.
Without these best practices and examples it is that much more difficult for our customers to standardize on SDDC patterns and the VMware Technology Partner solutions required for compliance, while also designing for cost, both CAPEX and OPEX, as well as performance and agility. Knowing that the foundation is certified for EAL4+, FIPS, etc. allows us to leverage vSphere, NSX and VMware management tools to deliver compute, storage and networks as a foundation that can be made compliant with a given regulation or regulations. This comes along with sample blueprints describing how the VMware Technology Partner solutions integrate with each of these facets of the SDDC, and how the system should be measured over time relative to these requirements, many of which are specific to the implementation environment. Much like every bridge design requires field engineering, a solid SDDC design accommodates adoption of the system into operational best practices so you can be sure the system remains compliant over time. So, you see, delivering a compliant VMware SDDC is a lot like building a bridge at this layer of abstraction, and providing what has worked well for the other engineering fields is what the VMware Compliance Reference Architectures aim to deliver.