Manage Learn to apply best practices and optimize your operations.

The unexpected costs of server virtualization?

Formerly dominated by a single vendor, VMWare Corp., the field of virtualization security now has more options. But what's the most cost-efficient way to go virtual? Platform security expert Michael Cobb gives advice.

Although the virtualization of servers provides power and administrative savings, what are some of the unexpected costs of such an initiative? What, in particular, will cause the security costs to increase, and would you consider virtualization to be a cost saver when those security costs are factored in?

Even with a team of experts and a well-staffed test lab, questions regarding the economics of virtualization are hard to answer categorically, at least for a couple more years. We are transitioning from a marketplace dominated by one vendor, VMware, to a competitive multi-vendor market in which there will be downward pressure on both VMM licensing costs and the cost of hardware optimized for virtualization. Just how hard is it to agree on virtualization's cost/benefit numbers? Check out the claims and counter-claims in just one thread of TechTarget's Server Virtualization blog, a thread which started last summer but lasted all winter.

When it comes to unexpected costs, I would say the two main causes are people and relationships. People costs are incurred to make sure that you have the necessary skill sets and experience on hand to plan and execute a sound virtualization strategy, with a minimum number of false starts and loose ends. There are two ways to get such people: hire them or train them internally; both require an investment.

If you go the hiring route right now, you will face stiff competition for talent. A recent survey by analysts at Enterprise Management Associates (EMA) found that the number of enterprises who said they had the virtualization skills they needed had dropped over the past two years, by 25%. If you decide to "grow your own talent," you will need to invest in both training and the right incentives to keep the people you have paid to train.

That same EMA report, titled "Virtualization and Management: Trends, Forecasts, and Recommendations" (PDF excerpt), also identifies what I call the relationship cost, declaring that "human issues are the single most important problem in virtualization today. Political infighting is the No. 1 reason holding back successful virtualization deployments." More specifically, as Christopher Hoff writes on his Rational Survivability blog, "virtualization…further fractures the tenuous relationships between the server, network and security teams."

And fractures like these are not just a matter of morale and hurt feelings; they have, as we saw before when websites started to become dynamic, negative real-world implications. Consider Eli Lilly, a brand name that will forever be associated, at least in the minds of security professionals, with "security breach," namely the first breach to be prosecuted by the Federal Trade Commission. And that breach occurred because the company's otherwise exemplary policies and procedures for application development had not encompassed the pioneering programmers in Web development.

Virtualization offers many benefits and advantages over previous technology, including an obvious ability to bring new efficiencies and capabilities to the development and pre-production testing process. These advancements can have positive implications for security as well. But as far as the security of production systems is concerned, virtualization is one more opportunity for organizations to get things wrong and end up with problems they then spend years fixing, possibly while suffering embarrassing and costly breaches. Of course, that also means virtualization is an opportunity to get things right, to avoid the previous mistakes made during past waves of innovation.

Organizations must make a commitment to invest adequate resources and exercise appropriate restraint in the transition to virtualization. I don't see overall security costs being lower with virtualization. It might be possible, however, with the right architecture properly planned and executed, to achieve better security without increasing costs.

More information:

This was last published in June 2008

Dig Deeper on Virtualization security issues and threats

Have a question for an expert?

Please add a title for your question

Get answers from a TechTarget expert on whatever's puzzling you.

You will be able to add details on the next page.

Start the conversation

Send me notifications when other members comment.

Please create a username to comment.