Mohammed Thameem Rizvon, Group IT manager, Kamal Osman Jamjoom
Yes. At Kamal Osman Jamjoom, we have virtualised our Windows non-production environment, to simulate our POS (point-of-sales) application server in a test environment. Apart from this, we have five virtual instances of the POS store application used for testing various store transactions.
When did you implement virtualisation?
In 2007. We decided to take the virtualisation path when we were looking at some additional hardware for a critical business requirement. By doing virtualisation, we were able to avoid the new hardware purchase.
The amount of budget on hand was one reason, while the second reason, and equally important for us, was to utilise our existing resources to their full potential.
Well, whatever our selection, since we were trying it out for the first time, we decided to go with a non-production element in a complete test environment. We also created multiple instances for testing different applications and databases.
As I mentioned, this was the first time we worked with virtualisation in our organisation and we wanted to do it in a non-production environment. We used internal resources with minimal or no external help.
On embarking on the virtualisation project, our existing team members took on the initiative, conducted research and taught themselves to improve their general skill level and knowledge in virtualisation. Therefore, we did not need to hire any new staff.
As mentioned by me, we used only our internal resources and therefore we did not need any SLAs with external parties or providers.
Due to virtualisation, KOJ saved AED 50,000 which would have been spent on buying servers, that would have remained idle after testing. So yes, I would say that we did record ROI.
At KOJ, the IT team is seeking more inputs on the latest virtualisation trends, both on Windows and Sun Solaris environments. Following this research, we will identify solutions that can help us minimise our data centre load and operational cost.
Emad Khatib, CIO, Emcredit Ltd
At Emcredit, part of our IT strategy is growth and cost control. As a result of this, virtualisation was adopted within our organisation for what it offers in terms of infrastructure consolidation. For that and other reasons, we implemented virtualisation at Emcredit.
If so, what elements of your infrastructure/applications does it cover?
We adopted this technology in our test environment to build two physical servers each hosting multiple virtual servers and applications.
When did you implement virtualisation?
We implemented this in the second quarter of 2009.
We are consistently seeking improvements in our infrastructure to reduce operational cost, enhance efficiency by reducing server sprawl, and become more effective in application consolidation. Virtualisation helped us achieve these goals.
How did you select the sections of your infrastructure/applications to virtualise?
As part of our business continuity management plan, we evaluated our infrastructure and selected the most demanding environment that would require extensive physical resources. We wanted to support our business (multiple systems and applications) with a minimum number of physical resources.
Describe the processes you followed for virtualisation?
We conducted an internal assessment to determine the minimum application requirements and hardware resources needed. In addition, we evaluated the compatible virtualisation software and autonomic tools needed for server management.
What were the challenges you faced when virtualising? How did you overcome them?
Our main challenge was the skills needed to implement this solution as it was important for us to handle this implementation internally. We have very seasoned IT staff that was able to conduct proper research and self study that allowed them to obtain the necessary skills to implement the solution.
How did you train your internal IT staff? Did you take on any new hires?
As said, we did not formally train our staff. However, we allocated time for the assigned resources on this project to come up to speed on the required skills through research and self learning.
How did you capitalise on the vendor’s expertise? Explain how you achieved the best SLA with them?
There was no vendor involved in the process and therefore, no need for an SLA.
Have you achieved relevant return on investment (ROI) from your virtualisation investment?
Absolutely. We achieved our results quickly from virtualisation by reducing our operational cost and increasing efficiency.
What is your next step for virtualisation?
We always look for improvements and are on the alert for new solutions to ensure that we maintain our commitment to our customers. I am glad to say we have had success with virtualisation and our next step will be to implement it during our disaster recovery efforts.
Arun Tewary, CIO, Emirates Flight Catering
Yes. We have deployed some amount of virtualisation at Emirates Flight Catering (EKFC).
If so, what elements of your infrastructure/applications does it cover?
As such EKFC has not gone into virtualisation in a really big way. We have initiated virtualisation in a limited manner in the area of our enterprise application servers. This was a natural choice because a large number of users are on enterprise application and we are using Citrix as a tool to provide the interface of these users. Specifically we have virtualised our ERP application on Citrix XenApps.
When did you implement virtualisation?
Quite recently.
What was your business driver for virtualisation?
The business driver for considering virtualisation at EKFC was very clear – it was server consolidation. This comprised elements of power, environment, cost saving and centralised administration.
Describe the processes you followed for virtualisation?
We installed XenServer on a new machine and created virtual machines (VMs) for XenApps.
What were the challenges you faced when virtualising? How did you overcome them?
Fortunately for us, installation was a smooth process. We did not face any major hurdles.
How did you train your internal IT staff? Did you take on any new hires?
We trained our staff with the help of solution providers.
How did you capitalise on the vendor’s expertise? Explain how you achieved the best SLA with them?
The solution we used is free virtualisation software from Citrix – namely the XenServer. The SME engineers also demonstrated good experience and support.
Have you achieved relevant return on investment (ROI) from your virtualisation investment?
Since our virtualisation project was implemented quite recently, I believe it is a bit too early to comment on whether ROI was realised.
What is your next step for virtualisation?
At EKFC, we will soon be adding more servers to the virtualisation environment and we are also planning for blade servers in our organisation.
Hazem Awni Jarrar, IT manager, King Faisal Foundation, KSA
We have not implemented virtualisation yet in business critical application servers. There were only simple implementations that were for testing and evaluation purposes. We are planning for some implementation in 2011. Our mainstream focus is on cloud computing and managed services. The main reason for this is that much of the server infrastructure that we have is quite modern, and there was proper planning when it was purchased about two years ago for a five year utilisation purpose.
In planning budgets for the year 2011, I’m reviewing options for virtualisation of some of the main servers. I have already done some studies on it and my main objectives are reducing downtime for upgrades and updates, enhancing reliability to five nines, and simplifying data protection.
The virtual blind spot
Malicious hypervisors. Subversive virtual machines. Live migration impersonators. Welcome to the world of server virtualisation, where the threats are new and the traditional security tools like firewalls and intrusion-prevention systems don’t cut it anymore.
Unfortunately, at many enterprises, security strategies haven’t kept pace with the shift to x86 server virtualisation. “Many companies that have virtualised environments haven’t contemplated the security ramifications of what they’re doing yet,” says John Kindervag, a Forrester analyst.
Gartner’s Neil MacDonald agrees. “The general awareness level of issues related to virtual security isn’t quite where we need it to be,” he says.
For their part, IT pros tend to look at it this way: Since physical and virtual servers run the same Linux and Windows operating systems on the same hardware, then security for the former is adequate for the latter. “They’ll argue that nothing has changed — and that’s a dangerous mistake,” MacDonald says.
“When you virtualise, you introduce a new layer of software and all of the Windows and Linux workloads running on top of it rely on its integrity. The first and most important thing you need to do is acknowledge this new layer and establish basic security hygiene around the configuration and vulnerability management of it,” MacDonald says. “That’s basic block and tackle.”
Secondly, IT needs to figure out what to do about the network blind spot that virtualisation creates, he adds.
“None of our network-based firewalls or IPSs in the physical world can see the traffic being switched between two virtual machines (VM) in the same box,” MacDonald says. “The question we need to answer is, ‘Do we need security controls inside of the virtual server to see this virtual network traffic?’ Maybe you do or maybe you don’t – but you’ve got to acknowledge that you can’t see the traffic and if something bad happens, like an inter-VM attack, you won’t be able to see it.”
Many enterprises haven’t focused on virtual server security because their virtualisation deployments are immature. When virtual servers are just used for test and development purposes or for running non-critical, low-priority applications, security doesn’t much matter.
But that changes as a virtualisation layer moves into the production environment to host mission-critical applications. The deeper entrenched virtualisation becomes, the greater the need to deploy security technology specifically aimed at protecting the virtual infrastructure.
Virtual security vendors step up
Many security vendors – from start-ups to well-established security vendors – are beginning to target virtual server security. Besides HP TippingPoint, this latter group includes CA Technologies, for security functions such as access control and log management; Check Point Software Technologies, for virtual firewalls; Juniper Networks, which has a strategic alliance with Altor; IBM, for IPS; and Trend Micro, which acquired virtual security start-up Third Brigade.
“As bigger companies jump in, this signals that there is a need for these types of products. It’s just a matter of time before they all have virtualised offerings of security enforcement,” Gartner’s MacDonald says.
It might seem logical to think that you would defend the hypervisor layer the same way you would defend physical servers — by plugging in IPS or anti-virus software.
But MacDonald disagrees. “We don’t believe you need to go run IPS or a copy of anti-virus in the hypervisor. That would defeat the whole purpose of this layer being very thin and hardened. Rather, good configuration, vulnerability and patch management disciplines are enough at that layer,” MacDonald says.
Forrester’s Kindervag adds, “They say about 40% of issues in modern networks relate to configuration or other types of human error. That leads me to believe that how you do security management is more critical [than hypervisor security] at this moment,” he says.
“What vendors really are talking about now is protecting the VMs and traffic between them just as you’d protect workloads in the physical environment,” MacDonald adds. “This becomes especially important when you start combining virtual workloads of different trust levels on the same physical servers. You’re going to need that visibility, that separation and that policy enforcement.”
When evaluating virtual security products, he advises, select those that are optimised to run inside the virtualisation environment and have been integrated into virtualisation frameworks from Microsoft, VMware and Xen-based virtualisation vendors.
For its part, virtualisation leader VMware provides virtual security companies visibility into VM operations via its VMsafe API.
“About seven major security vendors have participated as VMsafe partners. They’ve developed virtualisation-aware network and endpoint solutions that work through the hypervisor in a privileged fashion with high security,” says Venu Aravamudan, senior director of product marketing for VMware’s server business unit.
But that’s just for starters, he adds. Earlier this year, at the RSA Conference 2010, VMware previewed how it envisions next-generation virtual server security technology working. In conjunction with Trend Micro, it showed the ability to run anti-virus processing on a host machine rather than VM by VM as current-generation products do.
“Once this technology becomes real, in terms of a shipping product, we don’t have the need for an agent in each VM. That means better performance, less to manage, lower cost and so on,” Aravamudan says.
It also means new capabilities. “You can look at this model to drive solutions such as being able to detect rootkits in the files hypervisors are running on, discover credit card and other sensitive information in VMs and check the integrity of files, for example,” he says.
Baked-in security
VMware encourages its partners and field service organisation to ensure that all enterprises bake security into their planning and designs.
While the security-first encouragement doesn’t always stick with customers just starting out on their virtualisation journeys or who are using the technology in limited scenarios, larger enterprises do get it, Aravamudan says.
“Especially at those customers with large percentages of workflows deployed on virtual servers, we clearly see a lot more discipline in adhering to our best practices and security hardening guidelines,” he adds.
VMware believes that just as virtualisation enabled massive cost savings and efficiency gains, it is a real game-changer when it comes to security, Aravamudan says. “It’s definitely one of our goals — and we’ve already started to prove this – that security for environments based on virtualisation will be better than physical security as it exists today in IT.”
Gartner’s MacDonald agrees. “What we see clearly is that virtualisation is not inherently insecure, but that it gets deployed insecurely today. But this problem will go away over the next three to four years as IT staffs, vendors, the tools and skills mature,” he says. “People will be deploying securely — ideally even more securely — than they have been in their physical environments.”
Six keys to virtualisation project success
With server virtualisation being all the rage, it can be very tempting to jump into it with a “build it and they will come” mentality. This could be risky, since recent surveys have indicated that a sizable number of adopters aren’t able to determine if their projects were successful. We shouldn’t forget that a virtualisation project is no different from any other large scale IT undertaking: It takes careful planning, clearly defined objectives and reliable execution to realise the benefits. Here are a few items to help avoid some common pitfalls:
1. Quantify projected cost savings with straightforward, easy-to-quantify metrics. You can’t determine project success without a yardstick, but stick to hard dollar savings and avoid soft, fluffy or complex TCO/ROI calculations.
2. Prepare to virtualise a substantial number of servers. Realising the value depends, to some degree, on scale. Develop a formalised target server list and ensure that resources and commitments are in place to virtualise them.
3. Ensure application owner buy-in. Application owners don’t like to feel like guinea pigs and may raise concerns over potential service impact. Have solid resource utilisation metrics in place and ready answers for common concerns (performance, availability). Strong executive sponsorship will also help. And, of course, always have a back-out plan.
4. Create a plan for ongoing operational process integration. This is where much of the “heavy lifting” comes. Processes for monitoring and managing virtual machines must be integrated into existing workflows, and it will be necessary to enhance standard procedures and possibly acquire additional tools to better support virtualisation.
5. Re-evaluate capacity planning and resource requirements. Virtualisation makes provisioning easy — sometimes too easy — and it’s possible to overrun server and storage capacity sooner than expected.
6. Enlist the right cross-functional resources in the project process. This is not just a server consolidation, it’s a major infrastructure change and the other segments of the infrastructure supply chain, including storage and networking, need to fully participate.