2010 Prediction: Pete Privateer, Reflex Systems
By Pete Privateer
published: Tuesday, December 22 2009

Virtualization Management and Security - the Key to a Fully Virtualized Datacenter

All of us are familiar with the benefits of virtualization.  Consolidating servers and/or desktops saves on capital costs such as hardware and on operating expenses such as cooling and electricity.  Virtualization can also reduce people costs by simplifying and automating many routine management tasks.  There is plenty of empirical evidence that demonstrates dramatic cost reductions with virtualization.  One large financial institution has documented $125M in capital expense and operating cost savings in just a two year period.  So if the technology is proven and the cost benefits unequivocal, then why are so few data centers fully virtualized?

Recent surveys indicate that performance and scalability are the key technical concerns about deploying more applications on a virtual platform.  However, these surveys also show that the main operational inhibitor is the ability to secure and manage the virtual infrastructure to the same standards that we have achieved in the physical environment.  Unless we can satisfy application owners as well as internal and external auditors that they will have the same level of performance, control and compliance in the virtual world as they now have in the physical one, the goal of a fully virtualized datacenter will be hard to achieve.

Today the virtualization paradigm is at a crossroads.  So far the vast majority of applications running in the virtual infrastructure are less critical applications such as test/development, email, Web servers, etc.  To fully realize the benefits of virtualization we now must move our most sensitive and “mission critical” applications to the virtual platform. 

By definition these types of applications have well-defined policies for management and security.  Sensitive applications (and their server, network and data storage infrastructure) must be isolated from other, less sensitive applications.  Virtual servers, networks, and data stores must be protected from internal and external threats in a verifiable and auditable way.  Configuration changes must be closely monitored, and clear protocols must be enforced before changes to the environment can take place.  Performance SLAs must be monitored and strictly adhered to.  Compliance with internal and external standards and processes must be closely watched and audited.

In today’s physical datacenter we have a host of security and management tools at our disposal to monitor and enforce our organization’s standards, policies and procedures.  Enterprise Systems Management (ESM) products as well as firewalls, intrusion prevention systems (IPS), VLANs, and other technologies are widely used and well proven.  They may not be perfect, but we have come to accept and rely on them.

Some will argue that these tools can be easily extended into the virtual world.  However that viewpoint overlooks the many fundamental differences between the virtual datacenter and the physical one.  Managing and securing the virtual datacenter requires a different approach and new technologies.

What is so different in the virtual world from the physical one?  After all, a Windows server is the same in either environment, right?  While a virtual machine running Windows Server may appear the same as a physical machine running the same operating system, there are profound differences.

For one thing, provisioning a physical machine requires purchasing hardware, installing an operating system and other software, racking the hardware, and connecting it to the right network.  This process can take hours, days or in some cases weeks, depending on the processes in the datacenter.  A virtual machine can be provisioned, imaged, and connected to the network with the click of a mouse in mere minutes.

Once the physical machine is mounted in the rack and connected to the right network, it is unlikely to get up and move to another location, another network or another datacenter.  Its location on the network can be uniquely identified by its IP or MAC address.  A virtual machine is an “on demand” resource that can move from one physical server to another or even from one datacenter to another automatically.  IP addresses and MAC addresses can be arbitrary and subject to change depending on configuration.

Management and security tools built for the physical environment have a hard time coping with the dynamic nature of the virtual environment.  Tools that manage physical networks expect attributes like IP and MAC addresses to remain constant.  In the physical datacenter, network and switch configuration is managed separately from server configuration.  In a virtual platform, networks, switches, and servers are all virtual objects that exist only in software.  Because all of these objects are interrelated and highly dynamic, configuration management of the virtual environment is far more challenging.
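To make the failure mode above concrete, here is an added illustration (not code from the article or from Reflex Systems) in which a security policy keyed on IP address, as physical-network tools do, is orphaned when a VM migrates and is then misapplied to an unrelated VM that inherits the old address, while a policy keyed on the hypervisor's stable VM identifier follows the VM. The VM identifiers, addresses and host names are constructed.

```python
"""Added illustration (not from the article or Reflex Systems): a policy store
keyed on IP address loses a VM after migration and may misapply its rule to a
newcomer, while one keyed on the hypervisor's stable VM id follows it. Data constructed."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class VM:
    uuid: str  # stable id the hypervisor assigns at creation (assumed)
    ip: str
    mac: str
    host: str


@dataclass
class PolicyStore:
    by_ip: dict = field(default_factory=dict)    # how physical-world tools key rules
    by_uuid: dict = field(default_factory=dict)  # identity-anchored alternative

    def attach(self, vm, policy):
        self.by_ip[vm.ip] = policy
        self.by_uuid[vm.uuid] = policy

    def lookup_ip(self, vm):
        return self.by_ip.get(vm.ip)

    def lookup_uuid(self, vm):
        return self.by_uuid.get(vm.uuid)


def migrate(vm, host, ip, mac):
    """Constructed migration: the VM keeps its uuid; host, IP and MAC all change."""
    return VM(vm.uuid, ip, mac, host)


def demo():
    store = PolicyStore()
    card_db = VM("11111111-2222-3333-4444-555555555555", "10.0.1.20",
                 "00:50:56:aa:bb:01", "esx-01")
    store.attach(card_db, "pci-isolated")
    moved = migrate(card_db, "esx-07", "10.0.9.44", "00:50:56:aa:bb:09")
    # A new, unvetted VM later lands on the address the database vacated.
    newcomer = VM("99999999-8888-7777-6666-555555555555", "10.0.1.20",
                  "00:50:56:aa:bb:77", "esx-02")
    return {
        "ip_after_move": store.lookup_ip(moved),       # None: rule orphaned
        "uuid_after_move": store.lookup_uuid(moved),   # "pci-isolated": rule follows
        "ip_newcomer": store.lookup_ip(newcomer),      # "pci-isolated": stale rule misapplied
        "uuid_newcomer": store.lookup_uuid(newcomer),  # None: no policy yet, as it should be
    }
```

The stale IP-keyed entry is the security-relevant case: the newcomer silently inherits the isolation rule written for the database, which is exactly the kind of drift an auditor will ask you to rule out.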

While the dynamic nature of the virtual infrastructure could be viewed as a management and security nightmare, it can also be viewed as an opportunity.  Because the virtual environment is so flexible there are many management tasks that can be done better and cheaper or even automated.  In fact, with management and security tools designed for the virtual infrastructure, you can achieve even higher levels of datacenter automation and significant operating cost reductions.

For example, ESM tools today assess the software assets installed on a physical server in one of only two ways.  They either scan the machine or require an agent to be installed on that machine.  Neither approach is ideal.  Agents consume CPU cycles, and scanning, well, let’s just say scanning can deliver unpredictable results.  Neither approach is viable if you don’t have permissions on the subject machine or if the machine is powered off.  In the virtual space you can determine precisely what software is installed, who installed it and when it was installed without scanning or using an agent, and with orders of magnitude greater speed.  You can even obtain this information if the virtual machine is powered off!
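One way the agentless, powered-off inventory described above can be done in practice, as an added example that is not the article's or Reflex Systems' code: read the guest's package database straight off its virtual disk. It assumes the VM's root filesystem has already been mounted read-only on the management host (for instance with guestmount from libguestfs) and that the guest is Debian-style; a constructed guest tree with dpkg's status file and install log stands in for the mount, and the result is compared against an approved baseline to flag drift.

```python
"""Added example (not the article's or Reflex Systems' code): agentless inventory
of a powered-off VM whose root filesystem is mounted read-only (e.g. via
guestmount); a constructed Debian-style guest tree stands in for the mount."""
import os, re, tempfile

def parse_status(path):
    """{package: version} for every stanza dpkg marks 'installed'."""
    with open(path) as fh:
        text = fh.read()
    inv = {}
    for stanza in text.split("\n\n"):
        f = dict(l.split(": ", 1) for l in stanza.splitlines() if ": " in l)
        if f.get("Status", "").endswith(" installed"):
            inv[f["Package"]] = f.get("Version")
    return inv

def parse_install_log(path):
    """{package: timestamp} from 'install' actions in dpkg.log."""
    pat = re.compile(r"^(\S+ \S+) install (\S+) \S+ \S+$")
    when = {}
    with open(path) as fh:
        for line in fh:
            m = pat.match(line.strip())
            if m:
                when[m.group(2)] = m.group(1)
    return when

def inventory(guest_root):
    """{package: (version, installed_at)} read straight from the guest disk."""
    status = parse_status(os.path.join(guest_root, "var/lib/dpkg/status"))
    when = parse_install_log(os.path.join(guest_root, "var/log/dpkg.log"))
    return {p: (v, when.get(p)) for p, v in status.items()}

def drift(inv, baseline):
    """Packages on the image that the approved baseline does not allow."""
    return sorted(set(inv) - set(baseline))

def build_sample_root():
    """Constructed guest tree standing in for a mounted, powered-off VM disk."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "var/lib/dpkg"))
    os.makedirs(os.path.join(root, "var/log"))
    with open(os.path.join(root, "var/lib/dpkg/status"), "w") as fh:
        fh.write("Package: openssh-server\nStatus: install ok installed\n"
                 "Version: 1:5.1p1-5\n\n"
                 "Package: telnetd\nStatus: install ok installed\nVersion: 0.17-36\n\n"
                 "Package: nmap\nStatus: deinstall ok config-files\nVersion: 4.62-1\n")
    with open(os.path.join(root, "var/log/dpkg.log"), "w") as fh:
        fh.write("2009-12-01 09:12:44 install openssh-server <none> 1:5.1p1-5\n"
                 "2009-12-20 23:58:02 install telnetd <none> 0.17-36\n")
    return root
```

Packages dpkg records as removed but with config files left behind (the nmap stanza) are correctly excluded, and the install timestamps come from the guest's own log rather than from a scan.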