Q&A: Virtualization Problems and Solutions
Virtualization promises to maximize hardware use and lower some IT costs, but is IT ready for the complexity and challenges the technology introduces into the data center?
Virtualization is a hot topic now, but is IT blind to the downsides and tradeoffs of the technology? Is IT ready for the management challenges and complexity virtualization introduces to the environment? Is IT aware of the impact to compliance and security that virtualization brings?
For answers, we spoke with Eric Chiu, CEO and co-founder of HyTrust (http://www.hytrust.com), a virtualization management appliance maker. Mr. Chiu has significant executive experience in high-tech management and finance and has served as vice president of sales and business development at Cemaphore Systems (a disaster recovery provider) and led business development at MailFrontier and mySimon.
Enterprise Strategies: Many of the benefits of virtualization are well understood, but what are the downsides or tradeoffs that enterprises are not thinking about now?
Eric Chiu: Virtualization spreads very quickly within an organization. Many companies adopt it for a specific use case (test dev, tier 3 apps, file/print servers, etc.) and it quickly spreads across the organization. What they don't think about is that, given the rate of change and the dynamic nature of virtualization, many of the traditional change control processes simply won't keep up. Given this, most companies have a difficult time (or don't do a good job) of addressing the security, compliance, and management issues around this new platform.
In what ways does virtualization add more complexity and risk to the IT environment? What’s holding businesses back from broader and deeper virtualization deployment?
Virtualization adds a number of complexities: organizational, technical, and philosophical. Organizationally, virtualization usually grows from pocket deployments in the organization. This causes an issue where the people architecting and implementing virtualization are sometimes not part of the core platform team that usually makes those types of architectural decisions. In addition, the security and compliance teams are usually not involved in the architecture and roll-out of virtualization, which creates potential risk for the company. Technically, given that the hypervisor is an entirely new platform, existing security and compliance tools usually don't work. New solutions are needed to address the specific needs of this new platform in an automated way to keep up with the environment.
Philosophically, with virtualization, the machine is now the data (i.e., the physical server that you used to be able to see and touch is now simply a flat file that can be copied, modified, and accessed in ways that were not possible before). This creates additional challenges in terms of data protection for virtual machines at rest as well as issues around export control.
What is different about security with respect to a virtualized environment versus a physical environment? Why don't traditional approaches work in this environment?
The hypervisor is an entirely new platform. On the one hand, it is similar to an operating system such as Windows; on the other hand, it provides a rich set of capabilities that never existed before (copying virtual machines, live migration of virtual machines, etc.). Existing solutions do not address the needs of this new platform. In addition, the rate of change is much higher in a virtualized environment. For example, some large companies have virtual machines being automatically VMotioned 2 to 3 times a day per virtual machine. Existing change control processes, which are largely manual in nature, frankly can't keep up with the rate of change in the environment.
What are some of the compliance issues a company may face in relation to its virtualized environment?
Now that companies are starting to virtualize applications subject to regulatory compliance (for example, payment card information or patient health records), they have to ensure that they meet compliance for the virtual infrastructure in addition to the applications running as virtual machines. In terms of compliance for virtual infrastructure, most of the regulatory issues are around having access controls in place, granular auditing (knowing who did what and when on what resource), consistent configuration of the hypervisors, as well as ensuring that the data is properly segregated and cannot be accessed or modified.
How does virtualization affect regulations such as PCI DSS, HIPAA, and SOX? What are the implications for auditors?
If companies are virtualizing systems subject to PCI, HIPAA, and SOX, they have to ensure that their virtual infrastructure meets the same level of compliance. For example, with regard to PCI DSS, there are 12 mandates that cover things such as "assigning a unique ID for each user with computer access" as well as "track and monitor all access to network resources and cardholder data." These same compliance regulations apply to virtual infrastructure, which auditors must include in their compliance audits.
What type of management issues are organizations encountering in rolling out and scaling virtualization?
Most organizations struggle with achieving the same level of control in their virtual infrastructure as in their physical infrastructure. One big issue is that traditional change control processes can't keep up with the rate of change that happens in virtual infrastructure compared with physical infrastructure. In addition, with virtualization, many companies struggle with how much access to give to business groups for self-servicing (power on/power off VMs and also request/provision new VMs). Many of the current tools to provide these capabilities end up giving too much access to the end users (i.e., the ability to see everything in the environment and potentially make harmful changes). Therefore, many companies are hesitant to provide these capabilities.
How can and should an enterprise address these issues and concerns?
Companies should look at adopting technologies that specifically address the unique capabilities and challenges that virtualization presents. For example, using HyTrust Appliance (a product from the company I work for), companies can address the end-to-end platform security and compliance needs of virtualization through a single point of control for access management, audit logging, and hypervisor configuration.
What are the IT issues surrounding virtualization? What mistakes does IT typically make when rolling out or scaling virtualization?
Many IT organizations do not think about security and compliance when architecting and deploying virtualization, nor about the longer-term scale of virtualization. As companies look to deploy Tier 1 applications or adopt a "virtualize first" approach, the need for control, visibility, compliance, and security becomes much greater. In addition, most companies start with manual change control processes. This becomes a much bigger problem as they attempt to scale virtualization and the manual processes can't keep up.
What best practices can you recommend to help IT avoid these mistakes?
Companies should think about the near-term and longer-term needs when architecting virtualization. In addition, they should look for solutions that provide automation and control over the environment. Lastly, they should engage with other groups (such as security and compliance) to make sure they are addressing the key security and compliance needs of the organization.
What products or services does HyTrust offer to help enterprises deal with virtualization?
HyTrust enables control and visibility over virtual infrastructure. HyTrust Appliance provides a single point of control for access management, audit logging, and hypervisor configuration. This allows companies to achieve a secure environment while demonstrating compliance. In addition, HyTrust automates manual tasks to achieve best practices and compliance, saving time and trouble for administrators.