Virtualization Compliance Can Be Tough

Most organizations in the banking industry have already discovered the potential that server virtualization offers to reduce costs while enabling greater agility and IT responsiveness. Organizations that have embraced virtualization are gaining advantage, and perhaps more importantly in today's economy, driving real savings to the bottom line.

Data centers are cheaper with virtualization, often significantly so. A recent IDC study estimated that by adopting virtualization, organizations can expect savings of 35 to 52 percent in infrastructure costs, which are a significant part of an average data center budget. The more you virtualize, the more you save.

Server virtualization breaks the bond between physical resources and the software that uses them, delivering immediate benefits such as:

* Increased capacity utilization, thereby reducing the data center footprint and power and cooling costs;

* Reduced downtime by simplifying maintenance procedures; and

* Faster development and test cycles as labs become much more flexible.

Ultimately, virtualization can be used to significantly improve scalability, availability and business continuity for the banking industry. But the benefits come with major challenges, especially when it comes to management, control and compliance.

Unfortunately, the characteristics that make virtualization a game-changer also create issues when it comes to management and control. Governance that relies on physical-era assumptions, such as physical server identity, data separation and isolation, does not work with server virtualization.

Take Sarbanes-Oxley (SOX) regulatory compliance, for example. There are a number of common IT controls and best practices that will be affected by virtualization.

First, most organizations reduce the nuisance of SOX compliance by segregating affected applications using infrastructure to restrict servers to a specific sub-network. This works well in the "physical" data center, but a VM's mobility can ignore this restraint. Are you supposed to audit every virtual host? And even if you did, could you confidently identify a SOX-applicable VM that now resides on another virtual host outside the containment zone?

Second, chronological event data needs to be collected so that system and data processing can be reviewed, examined and reconstructed as required. The underlying assumption that systems stay where they are placed makes it easy to match server logs with systems installed on them. But what if systems, or parts thereof, are moved as a result of maintenance, load balancing or disaster recovery? How do you ensure that various event logs are kept straight, especially if a VM was moved onto another host for a period of time and then returned to its original one?

Finally, access control is a specific requirement of SOX for application users as well as IT administrators. Virtualization can change this dynamic considerably. Take, for example, the provisioning of a new server. In the "physical" data center this was a well-established and auditable procedure. In the "virtual world," however, a server can be created with a couple of clicks of a mouse, and theoretically, if a server can be seen on the network, a VM can be deployed to it, with or without the normal approvals that the old process required.

Virtualization is going to have an impact on compliance and on the way audits are performed, especially when it comes to existing traditional (i.e., physical-based) processes and procedures.

In many ways a server is a server, and there are a lot of commonalities between the virtual and physical kind. To some degree the requirements haven't changed, but the implementation has. For example:

* Identity: When you can make 20 exact copies of an existing server and distribute them around the environment with a click of a mouse, server identity becomes critical. The traditional identity based on "physicality" is no longer good enough.

* Mobility: Physical servers do not move much. VMs, on the other hand, are designed to be mobile. Tracking and tracing them throughout their lifecycle is critical to maintaining and proving compliance.

* Data separation: Host servers share resources with the virtual servers running on them. For example, portions of the host's hardware, such as the processor, memory and networking are allocated to each virtual server. There have yet to be any breaches of isolation between virtual servers, but this isolation will not last.

Obviously, the virtualization side of the data center needs new audit and process requirements. A good starting point is the existing corporate policies and procedures, but they will need to be adapted to the virtual environment.

These should be supplemented with virtualization-specific policies dealing with the uniqueness of mobility and provisioning. VMs need to be managed and controlled, not only when deployed, but throughout their lifecycle.

It is going to take some new technologies to ensure that virtual servers are uniquely identified, that their location and lineage can be tracked and that you can confidently segregate them. Finally, automation is a must, if only to maintain consistency and auditability.

 

David M. Lynch is vp of marketing at Embotics Corporation.

 

For more Perspectives columns, visit www.americanbanker.com/btn
