Integrating the virtual with the physical

Melancon: Care must be taken integrating physical and virtual worlds

Virtualisation can cut costs and create flexibility in the datacentre. But without real-time monitoring and assessment of the implications of change across physical and virtual infrastructures, regulatory compliance and operational security can be at risk.

Organisations must protect their virtual infrastructure with the same diligence traditionally applied to the physical environment.

This is challenge. It is relatively easy to assess how individual physically components perform, but virtualisation makes things less transparent.

Organisations can find it tricky to identify security loopholes, ensure system changes do not affect performance or be confident they are complying with regulations such as Sarbanes-Oxley.

We think that only 15 or 20 per cent of applications on virtual infrastructures are production systems. Most organisations are using the technology only for test environments.

We believe, though, that the number of production applications will grow to between 45 and 60 per cent of deployments in two years as cost pressures bite.

Companies may be moving into virtualisation ahead of their ability to understand and manage the technology.

Virtualisation adds complexity to the IT infrastructure stack, knitting many applications and services into one consolidated datacentre.

Traditional silo-based management tools offer no insight into operational performance of virtual systems. This can leave an organisation blind to the impact of change on the overall infrastructure.

What is more, virtual and physical worlds will co-exist for the foreseeable future.

Core infrastructure running the virtual middleware and legacy and in-house developed applications that are too complex to be migrated to the virtual world will continue to be core.

So organisations must implement policies, processes and monitoring tools to support the entire physical and virtual IT infrastructure.

Existing rigorous processes within the physical environment must be extended to encompass a virtual implementation.

This will ensure any business can immediately make the savings associated with a virtual world without undermining datacentre reliability or compromising regulatory compliance.

Indeed, we believe the pros and cons of the virtual world are being taken seriously by regulatory bodies.

The virtual environment continually mutates and poses massive compliance challenges, especially when it comes to auditing. How can an organisation know if a virtual machine is compliant if it no longer exists? How do you track change history for auditors in a virtual world?

The payment card industry, for example, has various development boards looking at the implications of virtualisation on its Data Security Standard.

The good news is that virtualisation adds some strong capabilities, especially for those organisations choosing to run multiple services on a single system to minimise hardware costs, creating a high-risk single point of entry.

Running each of those services separately within the virtual machine promises more security by creating disparate services.

However, if the virtual middleware is compromised, these services are just as vulnerable. In effect, the problem has been moved to the virtual machine.

The Payment Card Industry (PCI) Standards Council is beginning to define policies to include the virtualised infrastructure, and other regulatory bodies may follow suit.
As in the physical environment, real-time change monitoring is essential to ensure organisations remain compliant – or have early warning of incidents that may affect compliance.

We believe that 60 to 80 per cent of events that affect service levels are caused by a mismanaged or miscommunicated system change.

Failure to extend visibility into the virtual world will result in excessive troubleshooting and cross-silo confusion as organisations try to pinpoint the exact cause and location of an underlying problem.

A single view of the physical and virtual world with a continually updated system performance and compliance score can reduce the problem diagnosis time by 80 per cent and enable an immediate response that minimises downtime and service interruption.

According to Gartner, 60 per cent of production virtual machines will be less secure than their physical counterparts through 2009.

Misconfigured and mismanaged virtual implementations may cause service interruptions and downtime. Often, organisations discover that problems have been caused by a lack of procedural understanding, a shortcoming in the process or inadequacy in the toolset.

Dwayne Melancon is vice-president of corporate and business development at Tripwire