TechWorld

INTEROP: Focus on virtualization as financial world shakes

New security threats must be overcome in order to fully benefit from virtualization.

Users should embrace virtualization, but warily: that was the message put forth by speakers at Interop New York, where attendees tried to sort out how to proceed with technology investments in the face of possible IT budget cuts prompted by the Wall St. financial crisis unfolding just blocks away.

Interop shared space with Mobile Business Expo in an effort to bolster both events in an economy where trade show attendance is flagging, and together they hoped to draw a total of 13,000 people over the course of the four-day event, show officials said.

Those who attended Interop heard that cloud computing will help companies accomplish more, but new security threats must be overcome in order to fully benefit from this new technology, speakers said.

Virtualization is a "chameleon concept" with one common denominator: breaking the bond with physical reality "so you can do more," Marie Hattar, vice president of network systems and security solutions at Cisco, said during her keynote address. "It's one asset to many, or many assets to one," she said.

But perhaps the most critical issue is the new and numerous security holes opened up by virtualization and cloud computing. "A hypervisor needs hypersecurity," Hattar said, as Cisco found out when it virtualized its own servers. "We have to rethink our security approach because when we virtualized, it increased complexity. In cyberspace, there are a lot more points of entry."

She stressed that companies embarking on virtualization and cloud computing need to plan copiously for operations, management, control and security of the new infrastructure.

Her points were echoed by Novell President and CEO Ron Hovsepian, who said companies need to overcome challenges such as reduced spending, complex management and risk mitigation in order to have their heterogeneous IT assets work as a unified system.

Key to bringing IT assets together are injecting agility into the data center through virtualization; enhancing end-user productivity through collaboration and pinpoint management of enterprise desktops; and then implementing and enforcing companywide IT identity and security policies and procedures through access and compliance management strategies.

While Hovsepian touted the benefits virtualization and cloud computing can bring - improving use of storage arrays, reducing power consumption, streamlining server architecture - another speaker focused on the litany of new risks virtualization comes with.

At least for now, virtual servers, the hypervisors that oversee them, the management platforms that govern them and the IT staff that sets them up and runs them day to day are all potential attack vectors, says Joshua Corman, principal security analyst for IBM/ISS. "Virtualization is a game changer for good and for bad," he says.

IT staffs under financial pressure to implement virtual servers may be overworked and lose the diligence to properly plan secure deployments, Corman says. "Virtualization requires more discipline and enforcement of policies than before," he says.

Virtual technology itself presents weak spots for attackers to take advantage of, he says. In particular, virtual environments are a "management nightmare" where each virtual machine may spawn another that could appear virtually anywhere. This makes server instances hard to find, let alone protect, and this "server sprawl" can lead to catastrophic failures, he says.

Individual virtual machines, called guests, can fall into a vulnerable configuration due to a feature of virtualization that suspends them when they are not used, he says. When the applications these guests host are needed, they are brought back online, but in the meantime they may have missed critical security updates and are left open to exploits.

Hypervisors that oversee virtual servers are designed to be small and simple to make them more difficult to attack. But they can be exploited, according to publicly announced research, and that allows unlimited access to all the virtual machines they control, Corman says. "If they get into the hypervisor, the game is over," he says.

While grappling with the rigors of virtual security, show-goers were encouraged to embrace green networking principles, if not for actual cost savings then for the goal of reducing corporate carbon footprints.

"It's about efficiency as much as it is about anything else," said Johna Till Johnson, president and senior founding partner of Nemertes Research, of the dual-pronged impetus for green initiatives.

The drivers are there: Most servers use 50% of their rated power even when idle, so they're using 50% of electricity but doing 5% work, Johnson said.

That means that for every 100 servers only five are in use. Turning off the other 95 would result in 47.5% efficiency, she said. In addition, for every productive dollar gained from servers, almost two dollars are wasted in UPS, AC/DC conversions and fans, Johnson said.

Even so, 80% of companies recently surveyed by Nemertes have no corporate green policies; only 13% knew data center energy costs; only 3% turn off their servers when not in use; and desktops are left on 50% of the time.

Miami-Dade's public schools started a green initiative as a cost-saving measure. But it required the cooperation and support of the faculty and students at each school, said Paul Dunn, senior network analyst for the schools.

"We had to go to the CFO to get the project and funding approved," he said. "We were spending [US]$8 million per year in electricity just to keep computers going. But the buy-in had to be from grass roots, the school sites. Their cooperation made it happen. Kids don't care about saving money but they do care about green initiatives."

Dunn said that cooperation will help the school district establish custom scheduling per site to try to save even more money from energy efficiency.

Johnson said green IT initiatives have to start like that -- with corporatewide policies or mandates to consolidate IT assets, encourage telecommuting and virtual work, establish sustainable supply chains, and recycle.

Half the total carbon footprint for KPMG's back-office campus is from electricity, and half of that goes to power the data center, says the firm's CIO, Rowan Snyder. "I'm not a tree hugger, but it's a significant issue," said Snyder, who spoke on a panel about the status of IT in corporations.

If IT projects don't actually save money, they'd better help generate some, says Joanna Young, CIO of insurance company Liberty Mutual, who spoke on the same panel. "There are no IT projects anymore, there are business projects. The question we always ask is, 'What is the smallest IT investment we need to make to have this [business result] happen for you?'"

As Wall Street sagged, she clung to the hope that her company in particular might be spared some of the stock-trading volatility. "We are not a public company, which might be good today," she said.