From researchers working with protected health information to administrators and executives working with financial numbers to the business offices dealing with credit card transactions, many individuals and groups within an organization need secure servers on which to conduct business using information protected by state and federal laws and regulations. Virtualization technologies allow IT to provide computation and storage solutions with much greater economies of scale, natural system lifecycle management, and reduced environmental impact. This is primarily because system information and resources are shared by tenants, which brings many efficiencies but unfortunately also means that protected information may leak through shared memory and other mechanisms. However, capabilities now exist, one example being the ability to reserve memory space for the exclusive use of one particular tenant, that allow us to create virtual machines specifically designed to meet the complex requirements of today's regulatory environment, providing a more convenient and scalable solution for sensitive and regulated business loads.

Boston University's Information Services and Technology Department (IS&T) received the 2015 CSO50 Award from IDG's CSO Magazine (International Data Group's Chief Security Officer Magazine) for its efforts in designing just such a solution.

BU Information Security and IS&T Systems Engineering worked together to create the 'Premium Secure VM' service, which leverages VMware vSphere Enterprise and other tools to provide the security required to handle regulated information in a virtual environment.
This solution was designed to meet the requirements of a variety of sensitive information (HIPAA, GLBA, PCI, PII, ePHI, and data protected by the Massachusetts Privacy Law), but as most regulations contain many of the same requirements, a VM can be designed to meet the superset of almost any combination of regulations or standards needed. It also includes other security features and tools, such as compliance monitoring, security monitoring, and vulnerability management. BU created and maintains a gold image and clones it when a new server is needed, standing up a new secure computing environment in minutes.

For every system brought into this environment, BU is seeing savings of $1,000 on acquisition costs and another $1,000 per year on maintenance. Clearly, this approach provides cost benefits, but it also enables another extraordinary value add: an organization can conduct a risk assessment, certification review, regulatory review, penetration test, and whatever else may be required on the original image, then provide that baseline information and associated documentation to the client when setting up their clone, significantly reducing the administrative time and effort it might otherwise take.

-----------------

Let's walk through an example to see how this can work to make both service and security more convenient.
We will take the case of an organization that does medical research. Using this approach, such an organization can create a gold image and work through the NIH or SSA to have it certified as compliant with HIPAA and with NIST 800-53 [moderate], generating the documentation required to achieve the certification: Risk Assessment (RA), System Security Plan (SSP), Contingency Plan (CP), Security Assessment and Authorization (SAA), Privacy Impact Assessment (PIA), and Data Management Plan (DMP).

Later, when a researcher needs a computing environment for human subjects research or some other federal research covered by FISMA, IT has a turnkey solution. Not only can IT spin up the required environment in moments, but infosec can also provide the pre-approved RA/SSP/CP/SAA/PIA/DMP documents.

Benefits:

- The researcher doesn't have to buy his own environment, doesn't have to propose as much money as part of the grant request, and therefore has a competitive advantage.
- The researcher doesn't have to learn the tortuous details of 800-53, set up an environment that meets those requirements, or get that brand new environment approved. This saves weeks, if not many months, of project effort, providing an advantage in speed and agility.
- The researcher does not have to draft 150 to 400 pages of documentation to prove compliance. The templates from IT already have the system- and environment-specific details filled out, so the majority of that work is already done. He only has to supply a few pages of project-specific material, saving untold hundreds of hours of frustration.

If such a solution is available, technology and regulation get out of the way of the researchers, allowing them to focus on their true purpose: research.
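As an added illustration of the two mechanisms the post relies on (cloning a certified gold image, and reserving memory for one tenant's exclusive use), here is a VMware PowerCLI script that stands up a clone and pins its memory so the hypervisor never shares or reclaims it for other tenants. This is example code written for this page, not BU's own tooling; the template, host, datastore and VM names are assumed placeholders, and it assumes an existing Connect-VIServer session.

```powershell
# Added example: clone a regulated-workload VM from a gold-image template
# and give it dedicated (non-shared, non-reclaimable) memory in vSphere.
# Template, host, datastore and VM names are assumed placeholders.
# Requires VMware PowerCLI and an existing Connect-VIServer session.

param(
    [string]$TemplateName  = 'secure-gold-image',   # assumed name
    [string]$VMName        = 'phi-research-01',     # assumed name
    [string]$HostName      = 'esxi-secure-01',      # assumed name
    [string]$DatastoreName = 'ds-regulated-01'      # assumed name
)

$template  = Get-Template  -Name $TemplateName
$vmhost    = Get-VMHost    -Name $HostName
$datastore = Get-Datastore -Name $DatastoreName

# 1. Clone the certified gold image. The clone inherits the baseline that
#    was risk-assessed and documented, so only project-specific changes
#    remain for the tenant to document.
$vm = New-VM -Name $VMName -Template $template -VMHost $vmhost -Datastore $datastore

# 2. Reserve 100% of the guest's memory. With a full reservation ESXi does
#    not balloon, compress or swap this VM's pages to satisfy other
#    tenants, closing the reclaim paths that would move protected data
#    through host-level shared resources.
Set-VMResourceConfiguration -VM $vm -MemReservationMB $vm.MemoryMB | Out-Null

# 3. Give the VM its own transparent-page-sharing salt. ESXi only
#    deduplicates pages between VMs that carry the same salt, so a unique
#    value keeps this tenant's pages out of any cross-VM sharing.
New-AdvancedSetting -Entity $vm -Name 'sched.mem.pshare.salt' -Value $VMName -Confirm:$false | Out-Null

# 4. Verify before handing the clone over: the reservation must equal the
#    configured memory and the salt must be present. This check is what an
#    auditor would want recorded alongside the inherited baseline documents.
$cfg  = Get-VMResourceConfiguration -VM $vm
$salt = Get-AdvancedSetting -Entity $vm -Name 'sched.mem.pshare.salt'
$isolated = ($cfg.MemReservationMB -eq $vm.MemoryMB) -and ($salt.Value -eq $VMName)

[pscustomobject]@{
    VM               = $vm.Name
    MemoryMB         = $vm.MemoryMB
    MemReservationMB = $cfg.MemReservationMB
    PShareSalt       = $salt.Value
    MemoryIsolated   = $isolated
}
```

A full reservation also means the host must have that much physical memory free before the VM can power on, which is the capacity cost of dedicating memory to a tenant.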
Let's work to innovate, leveraging our various groups for their true areas of expertise: IT for technical engineering, infosec for regulatory guidance and security configuration/tooling/testing, and researchers for exploring their worlds, creating new insights and stretching the boundaries of their fields.

This is one way that IT and information security can work together to design solutions that bring value to the business, providing researchers (and others with sensitive business loads) more convenient security.