Server virtualization: not just IT

  
                  

In the current economic climate, most IT companies are beginning to accelerate the deployment of server virtualization as a means of lowering total cost of ownership, cutting energy bills, and keeping pace with competitors. The use of server virtualization is expanding; it is no longer limited to IT operations, but has a broader impact on the entire IT business. Virtualization technology has a direct impact on the overall management model and puts new demands on controls, processes, and systems. While the use of virtualization technology in the data center is relatively small, the impact is limited, but as the scale of virtualization grows, this technology will have an impact on the entire business.

This article focuses on the impact of this new architecture on data center and business control, and recommends new policies, systems, and control processes that are needed to help virtualization technology become more efficient.

Impact on the Data Center

First, most data center managers believe that they can manage virtual machines in the same way that they manage physical servers, but it turns out that this is simply impossible. Although the two environments have much in common, there are some significant differences.

The potential impact of virtualization technology on existing control processes and procedures is one of the biggest differences. For example, each data center has specific processes and procedures for configuring a new server. These usually involve handing work off between the various data center teams, ending with the installation of the new server in the data center.

But when you create a new virtual machine, the process is, on the surface, a click of the mouse: copy a ready-made virtual machine from a template or generate a new one. That makes these processes easy to go around.

When you generate 10 identical copies of a particular server and distribute them within the enterprise, tracking these copies is a challenge you must face. The management system provided by the virtualization vendor will tell you where a given virtual machine is now, but the user has no idea how that virtual machine relates to the other virtual machines or where they actually are. Virtual machines can migrate around the environment after they are configured. This not only makes virtual machines more difficult to track and manage, but also threatens the security of the data/application partitioning policy.

Current data center management tools running in a virtual environment have difficulty resolving these differences and other issues, leaving a potential blind spot in the virtualized environment. The problem is further exacerbated by the lack of virtual management tools, reporting, and automation features. The end result is a highly manual environment that cannot be integrated with existing data center compliance and control models.

This means that the traditional "small red flag" or alarm system may not function properly in the virtualization arena, because these alarms are either circumvented or ignored in daily operations, putting your data center in danger.

In a physical data center consisting of various associated systems, processes, and checks and balances, a small red flag is raised whenever anything departs from the normal process. This is management by exception: under today's rules, the managed environment is treated on the basis that "no news" is "good news."

But in an environment dominated by manual control and scarce reporting, the lack of visibility into controls can leave you blind to upcoming problems. When the virtualized application environment is still relatively small, this may not be a big problem, but as the virtualized application environment grows, the impact of this problem will become increasingly prominent.

Impact on Business Control

As virtual environments grow, the lack of automated control and the increasing amount of manual activity have begun to cause imbalances between IT applications and auditing, and these imbalances increase day by day as the virtual environment develops.

With the integrated GRC model (GRC is an abbreviation of governance, risk management, and compliance) (Figure 1), you can see more clearly the effects of these operations on the control system. The lack of automation in the virtual environment, the lack of regulation and continuous measurement, and the corresponding increase in manual processes make the virtual environment less effective and more risky than the physical environment. When the virtual environment is small in scale and limited in content, this does not cause much impact, but as the virtual environment grows, the situation changes rapidly, leading to a serious imbalance in the whole system.


The more obvious the imbalance of the GRC system model, the greater the impact on the overall business.

Each business's "tipping point" will be different, but sooner or later it will be reached, and companies will begin to see the corresponding costs and increasing risk. Many companies have already begun to exceed their planned IT spending in this area, an overrun generated by an inefficient virtual environment. Others will also see an increase in the number of tangible and intangible data center incidents, all of which will ultimately affect the overall business.

Need for Additional Policies

A large number of existing business and risk policies and control objectives remain applicable to virtual environments. They may need to be adjusted to fit this new architecture, but they still apply. These policies include basic elements that are common to all servers, whether physical or virtual, such as configuration, patch management, and security.

However, virtualization technology also needs new policies and controls of its own. These include:

• Identity Management: Given the flexibility of virtual machines, it is necessary not only to have a certain level of identity management protocol based on simple naming conventions, but also to ensure that these policies are applied correctly.

• Mobility Control of Virtual Machines: The flexibility that virtualization brings is the value it provides to IT departments. Virtual machines are designed to be flexible and to migrate easily from host to host, either automatically (load balancing) or manually when necessary (such as moving virtual machines off a physical host when repairs are needed). But mobility is also a double-edged sword, because not all virtual machines need to move. For example, you want to control (not for auditing purposes) any application that meets the requirements or internal standards of the enterprise. Should the policy around a given virtual machine allow it to run, and how long should the virtual machine be offline?

• Configuration: Traditional server configuration processes can be easily circumvented in a virtualized environment, so new processes need to be established to control the configuration of virtual machines and determine whether a new server should be authorized.

• Data Separation: Each data center has specific rules around data separation, which are often driven by security or compliance concerns. When you virtualize applications that fall under these standards, it is important to consider how the virtualized deployment is implemented. Attention is needed not only when the virtual machine is configured, but throughout its lifecycle, to prevent erroneous movement from occurring, whether unintentional or malicious.

• Recycling: Ensuring that redundant or unused virtual machines are removed in a timely manner is another aspect that requires specific policies and control objectives.

In addition, the security impact of this new technology must also be taken into account, including the impact of virtual machines on existing security systems (some systems do not work properly in virtual environments) and the potential attack risks.
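As an added example (not part of the original article), the sketch below shows how the five policy areas above could be checked automatically against a virtual machine inventory export instead of by hand. The inventory fields, the naming rule, the 60-day offline threshold, and the rule that different data zones must not share a host are all assumptions made for illustration.

```python
import re
from collections import defaultdict
from datetime import date

# Constructed inventory snapshot; every field name and value is hypothetical.
INVENTORY = [
    {"name": "prd-pay-db01", "host": "esx-a", "zone": "cardholder",
     "pinned_to": "esx-a", "ticket": "CHG-1001",
     "powered_on": True, "last_on": date(2024, 5, 30)},
    {"name": "prd-web-fe02", "host": "esx-a", "zone": "public",
     "pinned_to": None, "ticket": "CHG-1002",
     "powered_on": True, "last_on": date(2024, 5, 30)},
    {"name": "copy of prd-pay-db01", "host": "esx-b", "zone": "cardholder",
     "pinned_to": "esx-a", "ticket": None,
     "powered_on": False, "last_on": date(2024, 1, 10)},
]
NAME_RULE = re.compile(r"^(prd|tst|dev)-[a-z]+-[a-z]+\d{2}$")  # assumed convention
MAX_OFFLINE_DAYS = 60  # assumed recycling threshold


def audit(inventory, today):
    """Return sorted (vm_name, policy_area) findings for the five policy areas."""
    findings = set()
    zones_on_host = defaultdict(set)
    for vm in inventory:
        zones_on_host[vm["host"]].add(vm["zone"])
    for vm in inventory:
        name = vm["name"]
        if not NAME_RULE.match(name):                        # identity / naming
            findings.add((name, "identity"))
        if vm["pinned_to"] and vm["host"] != vm["pinned_to"]:
            findings.add((name, "mobility"))                 # moved off its allowed host
        if vm["ticket"] is None:                             # created outside the process
            findings.add((name, "configuration"))
        if len(zones_on_host[vm["host"]]) > 1:               # mixed data zones on one host
            findings.add((name, "separation"))
        offline_days = (today - vm["last_on"]).days
        if not vm["powered_on"] and offline_days > MAX_OFFLINE_DAYS:
            findings.add((name, "recycling"))                # stale, candidate for removal
    return sorted(findings)


if __name__ == "__main__":
    for vm_name, area in audit(INVENTORY, date(2024, 6, 1)):
        print(f"{area:14} {vm_name}")
```

Run on a schedule against the real inventory, a check like this restores the "red flag" behaviour for virtual machines: an empty result means no exception, and each finding names the policy area that was bypassed.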
