Even with a team of experts and a well-staffed test lab, questions regarding the economics of virtualization will remain hard to answer categorically for at least a couple more years. We are transitioning from a marketplace dominated by one vendor, VMware, to a competitive multi-vendor market in which there will be downward pressure on both VMM licensing costs and the cost of hardware optimized for virtualization. Just how hard is it to agree on virtualization's cost/benefit numbers? Check out the claims and counter-claims in just one thread of TechTarget's Server Virtualization blog, a thread that started last summer and lasted all winter.
When it comes to unexpected costs, I would say the two main causes are people and relationships. People costs are incurred to make sure that you have the necessary skill sets and experience on hand to plan and execute a sound virtualization strategy, with a minimum number of false starts and loose ends. There are two ways to get such people: hire them or train them internally; both require an investment.
If you go the hiring route right now, you will face stiff competition for talent. A recent survey by analysts at Enterprise Management Associates (EMA) found that the number of enterprises that said they had the virtualization skills they needed had dropped by 25% over the past two years. If you decide to "grow your own talent," you will need to invest in both training and the right incentives to keep the people you have paid to train.
That same EMA report, titled "Virtualization and Management: Trends, Forecasts, and Recommendations" (PDF excerpt), also identifies what I call the relationship cost, declaring that "human issues are the single most important problem in virtualization today. Political infighting is the No. 1 reason holding back successful virtualization deployments." More specifically, as Christopher Hoff writes on his Rational Survivability blog, "virtualization…further fractures the tenuous relationships between the server, network and security teams."
And fractures like these are not just a matter of morale and hurt feelings; they have, as we saw before when websites started to become dynamic, negative real-world implications. Consider Eli Lilly, a brand name that will forever be associated, at least in the minds of security professionals, with "security breach," namely the first breach to be prosecuted by the Federal Trade Commission. And that breach occurred because the company's otherwise exemplary policies and procedures for application development had not encompassed the pioneering programmers in Web development.
Virtualization offers many benefits and advantages over previous technology, including an obvious ability to bring new efficiencies and capabilities to the development and pre-production testing process. These advancements can have positive implications for security as well. But as far as the security of production systems is concerned, virtualization is one more opportunity for organizations to get things wrong and end up with problems they then spend years fixing, possibly while suffering embarrassing and costly breaches. Of course, that also means virtualization is an opportunity to get things right and to avoid the mistakes made during past waves of innovation.
Organizations must make a commitment to invest adequate resources and exercise appropriate restraint in the transition to virtualization. I don't see overall security costs being lower with virtualization. It might be possible, however, with the right architecture properly planned and executed, to achieve better security without increasing costs.
This was first published in June 2008