Hot virtualization and cold compliance; New EventTracker 6.2 and more

August EventSource  Newsletter
By Jasmine Noel

Hot server virtualization and cold compliance

Without a doubt, server virtualization is a hot technology.  NetworkWorld reported: “More than 40% of respondents listed consolidation as a high priority for the next year, and just under 40% said virtualization is more directly on their radar.”  They also reported that server virtualization remains one of IT’s top initiatives even as IT executives are bracing themselves for potential spending cuts.  Another survey of 100 US companies shows 60% of the respondents are currently using virtualization in production to support non-mission-critical business services.  In other words, they are using it in a “production sandbox” before deploying it on a large scale.

Server virtualization is hot because surveys such as the one at CIO.com report cost reduction, improved disaster recovery, faster provisioning, and business flexibility benefits from virtualization projects.  These benefits are not surprising because server virtualization gives system administrators enormous flexibility in deploying server stacks (see note below) at will.  This is great for putting multiple server stacks on a single physical server.  Consolidating servers lowers costs because it drives higher resource utilization, which means less capacity twiddling its thumbs while waiting for a large workload to show up.  It is also great for copying production servers to disaster recovery facilities and for adding capacity for seasonal demand or demand driven by splashy marketing events.  IT can provision/copy/reconfigure a server stack in 30 minutes or less, instead of the weeks previously required.

All of this is great stuff…but there is a compliance catch.

Datacenter changes have long been the enemy of configuration control, security, and compliance reporting.  The more things change, the more difficult it is to manually manage, track and report those changes.  Since server virtualization greatly simplifies the adding, moving and changing of server stacks, it is only a matter of time before governance and compliance issues arise.  It is unlikely that enterprises will dodge these issues as the research also shows that 58% of the respondents plan to use virtualization to support their accounting and finance business services.

Early adopters of virtualization have already identified problems with server sprawl (i.e. server stacks are so easy to deploy that no one de-provisions them, leaving hundreds of unused virtual servers lounging around in the datacenter) and difficulty getting a consistent view on server performance and utilization. Virtualization also will fundamentally change basic system management tasks such as patching and identifying mal-ware signatures, since there is no longer a direct link between the virtual application stacks and the physical hardware/OS on which they run.  All of this demands meticulous configuration control, auditing and reporting processes and solutions.  Yet, many enterprises are giving compliance concerns the cold shoulder.  Only 24% of the CIO.com survey respondents listed governance as a top challenge to virtualization success.  It seems that many enterprises are poised to fall into the mode of “waiting until I’ve been shot at before I’ll wear my Kevlar vest.”

So how do you make sure that your virtualization projects will be different?

The short answer is: Ensuring that your control and compliance processes and solutions are able to keep up with the deluge of manual, semi-automated and automated changes that server virtualization will unleash.

The long answer includes:

1) Simplifying communication between different groups.  Applications, systems, network, and security managers need to know what is happening so they can do their jobs effectively.  For example, virtualization topped the list of emerging technologies creating monitoring challenges for network engineers attending InterOp.  The larger your enterprise, the bigger that group of managers becomes, and the more important it becomes to have audited data readily available for that diverse group of IT managers.  For example, if a server stack is automatically deployed (in response to predefined application performance conditions) the other management solutions should know about it instantly.

2) Implementing de-provisioning policies with security and auditing components.  The first step to implementing de-provisioning policies is to simply create de-provisioning policies as part of the initial provisioning process.  By doing so, you can head off the virtualization sprawl before it happens.  These policies can be as simple as “check with Bob the Business Manager every 90 days” or as complex as “de-provision a server if cluster utilization falls to 70% during peak power cost periods.”   The second step is to create automated auditing and reporting to check for obvious issues.  For example, if a server stack is no longer supposed to exist but someone has logged on to the system, then you know you have a problem.

3) Start thinking about how to create and integrate a “capacity timeline” into compliance reports or as a response to auditor requests.  For example, if someone asks IT for “all compliance events related to application X during June 2007,” and application X is deployed as a cluster of virtual systems, how easy will it be to report that from June 1-15 the cluster had three servers with these logs/events and that from June 16-30 the cluster had five servers with these logs/events.  While I’ve yet to see a specific case requiring that type of reporting, my fevered imagination can see a future smart-aleck lawyer with a class-action identity theft case asking an enterprise IT organization to prove a negative with their log data and compliance reports.  The last thing you’ll want is to pull all your IT staff to manually jigger something together in the week the judge gives you to hand over the documents.

4) Automatically find and remediate configuration drift.  Configuration drift typically happens because of mistakes, for example, when administrators performing the same tasks a little differently each time because there are no standardized best practices, or when they are under pressure to do something quickly and in an effort to save time don’t completely follow their own best practices.  Creating automated checks (such as a pre-deployment check against current policies related to patch levels, software updates, and configuration tweaks) can prevent many compliance issues altogether.

Basically, the best attitude to take is that auditing and compliance reporting are not the enemy.  They are mechanisms to make sure that you know what you think you know about your virtualized environments.  The companies that can put those controls in place in an automated way will not only dodge auditor and security bullets more nimbly but can keep the virtual sprawl from spreading like dandelions in your lawn.

Jasmine Noel is founder and partner of Ptak, Noel & Associates.  With more than 10 years experience in helping clients understand how adoption of new technologies affects IT management, she tries to bring pragmatism (and hopefully some humor) to the business-IT alignment discussion.  Send any comments, questions or rants to jnoel@ptaknoelassociates.com

Note – I prefer the phrase “server stacks” to “virtual machines” because “virtual machines” implies a specific type of virtualization, however, there are several different ways one can virtualize a datacenter’s physical resources.

Industry News

Are SIEM and log management the same thing?

Like many things in the IT industry, there’s a lot of market positioning and buzz tossed around regarding how the original term of SIM (Security Information Management), the subsequent marketing term SEM (Security Event Management), the newer combined term of SIEM (Security Information and Even Management) relate to the long standing process of log management.

Did you know? – EventTracker combines both Log Management and SIEM functionalities including real-time collection, consolidation, correlation, analysis, alerting and reporting. Find out more here

Researchers Raise Alarm Over New Iteration of Coreflood Botnet

Password-stealing Trojan is spreading like a worm – and targeted directly at the enterprise

Did you know? EventTracker can detect zero-day attacks with its powerful change monitoring feature. Find out more here

Prism Microsystems releases EventTracker v6.2; offers advanced USB tracking for protection from inside theft

  • Read press release
  • Get more information on new features

EventTracker wins Network Products Guide 2008 Readers Trust Award

EventTracker wins in two categories – Event Management and Computer Forensics. Thanks to those who voted for us. We appreciate your support.