IFSEC Insider | Security and Fire News and Resources

Virtual and physical… as one

The promise of better use of resources and potential reductions in power costs are providing a compelling argument for companies to migrate towards virtualisation. However, the ‘Virtual Data Centre’ raises some significant issues in terms of performance, compliance and security.

Corporate concerns that fail to protect their virtual infrastructure with the same diligence traditionally applied to the physical environment will be at risk of serious compromise. It’s a major challenge, though. By its very nature the virtual infrastructure is completely hidden. The physical infrastructure provides a clear view of component performance, but virtualisation removes that transparency altogether.

Without visibility of the virtualisation ‘engine’, organisations cannot identify potential security loopholes, ensure system changes don’t affect performance or be confident in complying with regulations such as Sarbanes-Oxley.

Understanding the risk

Today, perhaps only 15%-20% of applications being run on virtual infrastructures are production systems – the majority of organisations are using the technology solely for test environments.

However, analysts believe that the number of production applications will grow to between 45% and 60% over the next two years as cost pressures really begin to bite.

In the headlong rush to realise cost benefits, there’s a very real risk that companies are moving into virtualisation far ahead of their ability to understand and manage the technology. The benefits are compelling, but at what cost to business risk and security?

Virtualisation adds huge complexity to the IT infrastructure ‘stack’, pulling together large numbers of applications and services into one consolidated Data Centre. Traditional, silo-based management tools offer no insight into the operational performance of virtual systems, leaving an organisation completely blind to the impact of change – both planned and unplanned – on the overall infrastructure. Without a view of this virtual environment, how can any organisation ensure that machines are tested and configured correctly or impose the required level of rigour over systems changes?

The process becomes ever more complex when organisations accept the fact that virtual and physical worlds will co-exist for the foreseeable future. From the core infrastructure running the virtual middleware to legacy and in-house applications too complex to be migrated to the virtual world, the physical infrastructure will continue to play a core role in any Data Centre.

It’s essential, then, that client companies put in place the policies, processes and monitoring tools required to support both physical and virtual infrastructures. Critically, companies must extend Best Practice in the physical environment. This will ensure immediate gains on the cost benefits associated with a virtual world without undermining the reliability of the Data Centre or compromising regulatory compliance.

Pressure from compliance

Indeed, the pros and cons of the virtual world are being taken very seriously by the regulatory bodies. With its continual propensity for change, the virtual environment poses huge challenges, particularly in the area of audits.

How can an organisation know if a virtual machine is compliant if it no longer exists? How do you track change history for auditors in a virtual world?

Such issues are coming to the fore as increasing numbers of clients look to virtualise their critical production systems. The Payment Card Industry (PCI), for example, has a number of Development Boards looking at the implications of virtualisation for its Data Security Standard. The good news is that virtualisation adds some strong capabilities, particularly for those clients that have opted to run multiple services on a single system to minimise hardware costs, in turn creating a high-risk single point of entry.

Running each of those services separately within the virtual machine will provide more security by creating disparate services. However, if the virtual middleware is compromised, those services are just as vulnerable. In effect, the problem has merely been transferred to the virtual machine. The PCI Standards Council is now beginning to define policies to include the virtualised infrastructure. No doubt other regulatory bodies will follow suit.

As is the case in the physical environment, real-time change monitoring is essential to ensure that organisations remain compliant. With 60%-80% of service-impacting events actually caused by a mismanaged or poorly communicated system change, any failure to extend visibility into the virtual world will result in excessive troubleshooting and cross-silo confusion as organisations try to pinpoint the cause and location of an underlying problem.

Combining a single view of the physical and virtual world with a continually updated system performance and compliance score enables organisations to identify problems pretty rapidly. This reduces the diagnosis time by upwards of 80%, and enables immediate response to minimise downtime and service interruption alike.

Confidence in the virtual

Virtualisation is an important technology that has the potential to transform Data Centre costs. However, the business risks should not be understated. According to analyst Gartner Group, 60% of production virtual machines will be less secure than their physical counterparts through 2009. The potential for service disruption and downtime could undermine confidence and stall wholesale adoption.

In the majority of cases, organisations discover that problems have been caused by a lack of procedural understanding, a shortcoming in the process or inadequacy in the toolset.

Addressing these issues through training, process or technology change on an incremental basis adds stability to the entire infrastructure, and builds confidence in the virtual technology that will support an ongoing development of what are increasingly mission-critical applications.

Crucially, it’s by extending the same IT Best Practice and process rigour to the new, integrated virtual and physical arena that organisations can maximise the cost benefits of virtual technology while seamlessly delivering key business services.
