May 26, 2005, by Sonny Discini
Organizations are constantly looking for new ways to cut costs, improve efficiency and provide better services. IT departments in particular are continually involved in this process because of the rapid introduction, evolution and retirement of technologies. While the prospect of reducing costs across a shared infrastructure is appealing as a way of lowering the capital expense of acquiring technology, the real economic benefits come from streamlining the management of change and lowering the time and expense it takes.
One of the newest fronts in this drive for efficiency is the adoption of virtual machine environments. Those who deploy VM instances point out that they avoid buying extra hardware and rack space, and ultimately avoid the cost of the personnel needed to maintain the hardware behind large server clusters.
Additional benefits include snapshots for rolling a server back to its pre-installation state: should a patch or application install and then fail to uninstall cleanly, the VM instance can be rolled back and the admin does not have to hunt for leftover installation components. Software developers and quality assurance groups also praise VM environments because test environments can be set up quickly on minimal physical hardware and, once testing is over, wiped just as quickly for the next round.
Let's look at one popular virtualization vendor, VMware, which has been very successful in getting its product into large corporations. Many of the benefits listed above are expounded upon by a large customer, 7-Eleven, Inc. Matt Ramseyer, a Senior
Business Analyst for 7-Eleven, says, "VMware
does for Intel servers what Henry Ford did
for the automobile. In the same way more
people were able to afford a Model-T because
of the innovation of the assembly line,
VMware enables us to allocate more server
resources to developers. It has been a
pleasant change now that getting a server up
and running for a new project is not the
delay it once was."
Ramseyer goes on to say, "We get an
exponential cost saving because of the way
VMware pools server resources to optimize
hardware utilization. A hosting company
without a VMware solution couldn't compete
with what we could do with VMware software."
When Ramseyer obtained an evaluation copy of VMware GSX Server, he quickly found benefits he hadn't expected, running five virtual machines on a single physical system.
"All we really needed to do at the time
was evaluate how different browsers affected
our Web sites," says Ramseyer. "Because
hardware cost was an issue, we needed to
figure out how to run multiple operating
systems on a single physical machine. Once
we started to evaluate VMware software, we
realized that being able to quickly deploy
servers helped development teams get their
jobs done."
In May of 2004, 7-Eleven added VMware VirtualCenter and VMotion technology to its virtual infrastructure for better server administration: managing servers centrally, provisioning new servers and moving virtual machines between physical servers as resource needs dictate.
"We just move the virtual machines around
when we need to," says Ramseyer. "Because
all of the virtual machines are centrally
managed by VMware VirtualCenter, we can
allocate a server whatever resources it
needs at the time it needs it."
These are strong arguments for deploying VMs, but are there any downsides? You'd better believe it, and they aren't unique to a single VM vendor.
Security and ease of administration pull in opposite directions, so a change this dramatic in how servers are administered brings a correspondingly large shift in your security posture, and not necessarily in your favor.
Patch Management
The Achilles' heel of most current VM environments is that they depend on a host OS: hosted products such as the GSX Server mentioned above run as an application on top of a general-purpose operating system. Say you have a single server that hosts 20 virtual servers. Patching the 20 guests is no different from patching ordinary non-VM servers, but what happens when you need to patch the host OS?
You guessed it. Every guest on that machine goes down when the host OS has to be rebooted, so core services for an entire division may be affected by a single host patch. Live migration of the kind 7-Eleven uses (VMotion) can move guests to another host before the reboot, but only if you have spare capacity on a compatible host and the shared storage it requires, both of which have to be planned and budgeted for up front. Adding to the stress, given the frequency of patches that come out of Redmond, Washington, it will not be long before management loses patience with hearing that the entire sales division will be down while you reboot the host OS and restart all of the VM servers.
Separation of Sensitive Information
Smaller shops that cannot fund the hardware needed to engineer a network that isolates sensitive data may fall into a common bad VM practice: placing VMs of servers that hold sensitive data on the same physical host as servers whose data is of varying, often lower, sensitivity.
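To make the two operational risks above concrete, here is an added inventory check (example code written for this page, not from the article or from VMware): given a constructed host-to-guest inventory with hypothetical names, it reports which services a host reboot interrupts, which hosts mix sensitivity levels, and whether a VMotion-style live migration could clear a host before patching without creating a new mixed-sensitivity host.

```python
"""Inventory checks for two of the risks described above: a host-OS reboot
taking down every guest on the host, and guests of different data sensitivity
sharing one physical host.  Added example, not the article's; all host and
guest names below are constructed."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Guest:
    name: str
    host: str         # physical host the guest currently runs on
    sensitivity: str  # "public", "internal" or "restricted"
    service: str      # business service that goes down with the guest


# Constructed sample inventory (hypothetical names).
INVENTORY: List[Guest] = [
    Guest("sales-web-01", "esx01", "internal", "sales"),
    Guest("sales-db-01", "esx01", "restricted", "sales"),
    Guest("intranet-01", "esx01", "internal", "hr"),
    Guest("test-ie6", "esx02", "public", "qa"),
    Guest("test-firefox", "esx02", "public", "qa"),
    Guest("hr-payroll-01", "esx03", "restricted", "hr"),
]


def guests_by_host(inventory: List[Guest]) -> Dict[str, List[Guest]]:
    by_host: Dict[str, List[Guest]] = defaultdict(list)
    for g in inventory:
        by_host[g.host].append(g)
    return dict(by_host)


def reboot_blast_radius(inventory: List[Guest], host: str) -> List[str]:
    """Services interrupted when `host` is rebooted for a host-OS patch."""
    return sorted({g.service for g in inventory if g.host == host})


def mixed_sensitivity_hosts(inventory: List[Guest]) -> Dict[str, List[str]]:
    """Hosts carrying guests of more than one sensitivity level, i.e. hosts
    where a compromise of the host exposes restricted data alongside
    lower-value guests that are probably less carefully hardened."""
    findings: Dict[str, List[str]] = {}
    for host, guests in guests_by_host(inventory).items():
        levels = sorted({g.sensitivity for g in guests})
        if len(levels) > 1:
            findings[host] = levels
    return findings


def plan_host_patch(inventory: List[Guest], host: str) -> Dict[str, Optional[str]]:
    """Where each guest on `host` could be live-migrated (VMotion-style) before
    the reboot without creating a new mixed-sensitivity host: a target is a
    different host whose guests all share the migrating guest's sensitivity.
    None means the guest has nowhere to go and its service will be down."""
    by_host = guests_by_host(inventory)
    plan: Dict[str, Optional[str]] = {}
    for g in by_host.get(host, []):
        plan[g.name] = None
        for target, residents in sorted(by_host.items()):
            if target != host and all(r.sensitivity == g.sensitivity for r in residents):
                plan[g.name] = target
                break
    return plan


if __name__ == "__main__":
    for h in sorted(guests_by_host(INVENTORY)):
        print(h, "reboot interrupts:", reboot_blast_radius(INVENTORY, h))
    print("mixed-sensitivity hosts:", mixed_sensitivity_hosts(INVENTORY))
    print("patch plan for esx01:", plan_host_patch(INVENTORY, "esx01"))
```

On the sample inventory, rebooting esx01 interrupts both the sales and HR services, esx01 is the one host mixing internal and restricted guests, and only the restricted database has a compliant migration target (esx03); the two internal guests would still go down, which is the kind of gap the separation policy and the patch schedule have to be reconciled around before the host is built.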
The security implications are serious. Every guest on a host shares that host's hardware, its host OS or hypervisor, its management interface and its administrators, so the guest holding restricted data is only as safe as the least-hardened guest beside it and the host itself; a compromise of the host exposes all of them at once. And attackers have already begun fortifying their toolboxes with what they need to work in VM environments, from searching a compromised system for VM tools and drivers to small applications that detect the presence of a VM, which tells you virtual environments are on their radar.
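As an added illustration of the guest-side fingerprinting described above (example code written for this page, not a tool from the article or from any attacker toolkit), the following checks a set of collected facts about a system for well-known VMware artifacts: the VMware Tools binaries and drivers, the DMI vendor strings, the MAC address prefixes VMware assigns, and the CPUID hypervisor vendor string. The sample data at the bottom is constructed; the artifact lists themselves are publicly documented.

```python
"""Guest-side fingerprinting of the kind the article says attackers carry:
look for VMware tools, drivers, DMI strings, MAC prefixes and the CPUID
hypervisor vendor string.  Added example, not the article's.  The checks take
collected data as arguments so they run offline; the sample data at the bottom
is constructed, and collect_linux() is an optional live collector for Linux."""
import os
import re
from typing import Dict, Iterable, List

# Publicly documented VMware artifacts.
VMWARE_MAC_OUIS = ("00:05:69", "00:0c:29", "00:1c:14", "00:50:56")
VMWARE_FILES = (
    "/usr/bin/vmtoolsd",
    "/usr/bin/vmware-toolbox-cmd",
    r"c:\program files\vmware\vmware tools\vmtoolsd.exe",
    r"c:\windows\system32\drivers\vmhgfs.sys",
    r"c:\windows\system32\drivers\vmmouse.sys",
)
VMWARE_MODULES = ("vmw_balloon", "vmw_vmci", "vmw_pvscsi", "vmwgfx", "vmxnet3", "vmhgfs")
VMWARE_CPUID_VENDOR = "VMwareVMware"  # vendor string in CPUID leaf 0x40000000
DMI_PATTERN = re.compile(r"vmware", re.IGNORECASE)


def find_vm_artifacts(files: Iterable[str], modules: Iterable[str],
                      dmi_strings: Iterable[str], macs: Iterable[str],
                      cpuid_vendor: str = "") -> List[str]:
    """Return the VMware indicators present in the supplied data, in a fixed
    order (files, drivers, DMI, MACs, CPUID) so results are comparable."""
    present = {f.lower() for f in files}
    found = [f"file:{f}" for f in VMWARE_FILES if f.lower() in present]
    found += [f"driver:{m}" for m in modules if m.lower() in VMWARE_MODULES]
    found += [f"dmi:{s}" for s in dmi_strings if DMI_PATTERN.search(s)]
    for mac in macs:
        oui = mac.lower().replace("-", ":")[:8]  # accept 00-50-56-.. and 00:50:56:..
        if oui in VMWARE_MAC_OUIS:
            found.append(f"mac:{mac}")
    if cpuid_vendor == VMWARE_CPUID_VENDOR:
        found.append(f"cpuid:{cpuid_vendor}")
    return found


def looks_like_vmware_guest(**collected) -> bool:
    return bool(find_vm_artifacts(**collected))


def collect_linux() -> Dict[str, list]:
    """Gather the same inputs from a running Linux system (best effort).
    CPUID needs native code, so it is left empty here."""
    def read(path: str) -> str:
        try:
            with open(path) as fh:
                return fh.read().strip()
        except OSError:
            return ""
    modules = [line.split()[0] for line in read("/proc/modules").splitlines()]
    dmi = [read(f"/sys/class/dmi/id/{k}") for k in ("sys_vendor", "product_name")]
    macs = []
    try:
        for dev in os.listdir("/sys/class/net"):
            macs.append(read(f"/sys/class/net/{dev}/address"))
    except OSError:
        pass
    return {"files": [f for f in VMWARE_FILES if os.path.exists(f)],
            "modules": modules, "dmi_strings": [d for d in dmi if d],
            "macs": macs, "cpuid_vendor": ""}


# Constructed sample data (not captured from real systems).
LINUX_GUEST = dict(
    files=["/usr/bin/vmtoolsd", "/bin/ls"],
    modules=["vmw_balloon", "ext4", "vmxnet3"],
    dmi_strings=["VMware, Inc.", "VMware Virtual Platform"],
    macs=["00:0c:29:3a:7b:11"],
    cpuid_vendor="VMwareVMware",
)
WINDOWS_GUEST = dict(
    files=[r"C:\Windows\System32\drivers\vmmouse.sys"],
    modules=[],
    dmi_strings=["VMware, Inc."],
    macs=["00-50-56-AB-CD-EF"],
)
PHYSICAL_HOST = dict(
    files=["/bin/ls"], modules=["ext4", "e1000e"],
    dmi_strings=["Dell Inc.", "PowerEdge R740"], macs=["d4:be:d9:12:34:56"],
)

if __name__ == "__main__":
    for label, data in (("linux guest", LINUX_GUEST), ("windows guest", WINDOWS_GUEST),
                        ("physical host", PHYSICAL_HOST)):
        print(label, find_vm_artifacts(**data))
    print("this machine:", find_vm_artifacts(**collect_linux()))
```

The point for a defender is the mirror image: every indicator on that list is something an intruder on one guest can read without privilege, so the presence of VMware Tools and drivers is not something you can hide, and the separation of what is co-hosted has to come from placement rather than from hoping the guest looks physical.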
Virtual Support
Microsoft still maintains its position on support within VMs, with the exception, of course, of its own VM products. A Microsoft knowledge base article states,
"Microsoft does not test or support
Microsoft software running in conjunction
with non-Microsoft hardware virtualization
software. For Microsoft customers who do not
have a Premier-level support agreement,
Microsoft will require the issue to be
reproduced independently from the
non-Microsoft hardware virtualization
software. Where the issue is confirmed to be
unrelated to the non-Microsoft hardware
virtualization software, Microsoft will
support its software in a manner that is
consistent with support provided when that
software is not running in conjunction with
non-Microsoft hardware virtualization
software."
Now, don't think that Premier-level support customers are any better off. Those paying considerably more than most will simply be subject to terms like Symantec's: the vendor will make an effort but may require you to reproduce the issue outside the VM. That can take a lot of time and effort given all the variables that have to be eliminated when isolating a VM issue. If you have ever been in the middle of a support case that could be caused by more than one vendor's product, you understand the pain involved.
Considering that support contracts can cost hundreds of thousands of dollars and downtime costs have no upper limit, it would be extremely wise to check with your vendors before deploying production VM architectures; otherwise you may end up voiding all of your support contracts. Generally speaking, this isn't a very good way to maintain gainful employment.
Are the risks worth the rewards?
Without question, VMs are here to stay, and there are plenty of figures showing cost savings. But will those savings still look justified when a published exploit is released that threatens virtual environments? Interestingly, when you read the product benefits listed by VM vendors, you never see improved security among them. As the security saying goes, it's what you don't see that you have to worry about. Given that, and the lackluster vendor support, one has to ask whether it makes sense to jump into the VM game this early or to wait until VM vendors get a better handle on securing VM technology.