The value of server virtualization is undeniable. Insurance organizations can consolidate hardware, remove expensive legacy systems, reduce power consumption, cooling needs and footprint, while at the same time provide better service to their business partners. It also helps meet an increased demand for servers, eliminate unplanned downtime and respond to raised expectations in the business. But there is a price: A higher risk of server sprawl. Pretty much every data center manager has experienced server sprawl at some time even in a well-controlled "physical" environment. If you add the ability to deploy a new server at the click of a mouse, the environment becomes riskier.
Traditional data center management tools do not work well in the virtual space. When you have 15 copies of the exact same server, it can be difficult for traditional systems to keep track. The management tools provided by the virtualization platform show what is in the environment, but not where it came from, how it has moved or any real historical information about the trends in the environment.
A data center manager once described the impact of virtualization on the data center as the same as wireless LANs had on her perimeter. She had well-established processes and procedures for deploying new servers in her old data center. But, when a new server can be deployed easily, the existing control systems can be easily circumvented and, therefore, are not as reliable or auditable as they were.
This lack of control in the virtual space translates to increased risk. For example; virtual machines (VMs) placed on incorrect hosts may contravene security or corporate policies, while unauthorized or rogue VMs provisioned into the environment that do not use the standard procedures could be exposing you to attack or audit/compliance risk.
COSTS OF V-SPRAWL
Most executive IT planners, administrators and managers in the insurance world would agree that VMs have a cost. However, they are sometimes portrayed as free once the basic infrastructure is paid.
In an Embotics survey in May 2008, the costs associated with server sprawl were identified in four classes.
Infrastructure. Applications need processing, memory, storage and networking, whether they are contained in a VM or not. The more VMs you have, the more resources you will need. There is also an allocation for the virtualization platform and any tools used to operate the environment.
Management Systems. Some management tools, such as configuration and backup systems, are licensed per managed server, managed node, or agent; resulting in an incremental license charge for every VM.
Software Costs. These include the software license costs of operating system as well as applications and tools.
Using these three categories of cost alone, customers in the survey estimated that VMs cost anywhere from $1,000 to $3,000 each. You could probably estimate your own figure quite quickly.
Offline VMs incur much the same costs as running ones; they still consume license as well as reserved storage costs.
The survey indicated that at least 30% of VMs in a normal environment are probably redundant. Some customers, after performing a physical audit, reported over 50% of their VMs population redundant.
Administrative. The final cost category; administrative, is a little more difficult to calculate. This includes the labor required to configure, monitor, upgrade, manage and patch the VM. It also includes training, planning and other tasks required to keep the virtual infrastructure functioning.
Controlling your VM environment makes good fiscal sense, reduces potential risk and ensures you can satisfy auditors and compliance regulations easily. But the tools you use must be able to deal with the uniqueness of the virtual world.
At a minimum you should be:
* Controlling what goes into the environment, tracking who is deploying, and if VMs are being deployed appropriately (i.e. only production ready VMs in the production environment). Part of this task includes monitoring the environment to recognize unauthorized VMs entering the environment out of process.
* Tracing and controlling VM mobility. VMs may be deployed correctly, but if you do not trace and track them as they move around the environment, they could inadvertently put you at risk or contravene a compliance policy.
* Identifying and retiring redundant or unused VMs. Removing redundant VMs not only reduces costs, it also cleans up the environment making it easier to manage.
* Auditing everything. Auditors have yet to catch up with the differences between virtual servers and physical ones, but they are starting to understand the need to control mobility. Today, the isolation provided by the virtual server container is probably enough to satisfy some of the application separation requirements. Unfortunately most security experts agree this isolation will not hold much beyond this calendar year.
Other things to consider when looking at VM lifecycle management is the integration with your existing management systems. No one wants two management planes in the data center. It is also important to automate as much as possible, providing constancy and freeing up your administrators.
David Lynch is VP of marketing at Embotics: The Virtualization Lifecycle Management Co., Ottawa, Ontario.
(c) 2008 Insurance Networking News and SourceMedia, Inc. All Rights Reserved.
