How virtualization impacts IT staff, security and change management

Virtualization breeds three new challenges: reorganizing IT department taskforces, recognizing new security vulnerabilities, and working with a complex change management process.

There is little doubt that virtualization can offer tangible benefits, such as finally making it possible to do more with less. But adopting server virtualization technology isn't all roses for an IT organization. In this tip, I spell out why server virtualization creates three specific challenges: breaking down IT department fiefdoms; possible increases in security vulnerabilities; and greater complexity in change management.

Before I deliver the bad news, however, I want to say that – for the majority of companies – adopting virtualization is worth shaking up the IT culture. Server virtualization projects have reduced data center footprints, decreased power and cooling costs and consolidated workloads onto fewer physical servers. There is little doubt that virtualization can offer amazing reductions in total cost of ownership.

Getting those benefits is only possible if organizational challenges are faced and overcome.

Challenge #1: Server virtualization blurs the responsibilities between formerly distinct IT disciplines.

Before server virtualization, large IT departments were segmented and distinct, consisting of the server administrators, the storage guys, the network engineers, and the security team.

Once an organization adopts server virtualization, these boundaries begin to blur. Now the server administrators who manage the virtualization servers are talking to the network engineers about VLANs (virtual LANs), 802.1Q trunks, and the native VLAN. The network has been extended inside the virtualization hosts, and now the network group and the server group need to work much more closely together than in the past.

The storage team is now much more heavily involved in server deployments, as every new virtual server that gets turned up is stored on the storage area network (SAN). And the storage team might even have a more in-depth involvement with networking as the use of IP-based storage -- iSCSI, NFS, or FCoE -- becomes more prevalent.

As server virtualization invades the data center, teams within the IT organization have to be prepared to work more closely together than they may have in the past.

Challenge #2: Server virtualization changes the network and server security landscape in ways that no one yet fully understands.

Does server virtualization make your IT infrastructure and IT organization more secure, less secure, or neither? Experts can't come to an agreement on this subject. The one thing that we do know is this: No one yet fully understands the impact of server virtualization on network and server security.

That said, some impacts of server virtualization on security are well known and well understood. For example, there is a loss of network visibility inside the virtualization hosts. Traditional network security tools can't see the traffic that passes between guests connected to the same vSwitch within VMware ESX Server. This makes it more difficult for network security teams to comprehensively monitor for malicious or inappropriate traffic flows.

Other impacts, however, are not quite so clear, and bring up such questions as:

  • How should an organization manage offline virtual machines (VMs)?
  • What impact on security does the hypervisor itself introduce by way of new attack vectors and new vulnerabilities?
  • How does live migration affect security?
  • Is it possible to "escape" out of the virtualization layer and affect physical hardware or multiple virtual servers?

These are questions for which the security industry does not yet have all the answers.

Challenge #3: Server virtualization introduces new complexities and intricacies to existing change management procedures.

For organizations that have significant change management procedures in place -- such as organizations that are heavily regulated -- server virtualization can introduce new complexities and new intricacies. Consider these examples:

  • A virtual server is migrated from one physical host to a different physical host with a different hardware configuration. How does the organization reflect that change? Does that change even need to be recorded and tracked?
  • The configuration of the underlying virtualization host (a server running VMware ESX Server, for example) is changed, and that change affects the virtual servers hosted on that system. For what system is the change management documentation updated: the host, the guests, or both?

These may seem like trivial examples, but for organizations in regulated industries that deal with seemingly onerous change management paperwork and approvals, these are valid questions. Today, the process for documenting a change, managing that change, and the workflow on top of that documentation and management is well understood.

As server virtualization grows and encompasses ever-larger portions of the data center, the IT organization has to understand the impact it has on its procedures.

ABOUT THE AUTHOR: Scott Lowe is a senior engineer for ePlus Technology, Inc. He has a broad range of experience, specializing in enterprise technologies such as storage area networks, server virtualization, directory services, and interoperability. 
