Moving Toward Virtualization
Integrating virtual and physical infrastructure

The promise of better use of resources, lower cost, and potential reduction of both power costs and real estate is a compelling reason to move toward virtualization. But the virtual data center raises some significant new issues in areas of performance, compliance, and security.

Organizations that fail to protect their virtual infrastructure with the same diligence traditionally applied to the physical environment will be at risk of seriously compromising their business.

Yet this is a major challenge: the virtual infrastructure, by its very nature, is completely hidden. While the physical infrastructure provides a clear view of individual component performance, virtualization removes that transparency. Without visibility into the virtualization engine, organizations cannot identify potential security loopholes, ensure system changes do not affect performance, or be confident that they comply with regulations such as Sarbanes-Oxley, PCI or HIPAA.

Understanding Risk
Today, perhaps only 15% or 20% of the applications running on virtual infrastructures are production systems; most organizations use the technology only for test environments. But analysts believe that the number of production applications will grow to between 45% and 60% of total deployments over the next two years as cost pressures bite.

In the headlong rush to gain cost benefits there is a very real risk that companies are moving into virtualization way ahead of their ability to understand and manage the technology. The benefits are compelling. But at what cost to business risk and security?

Virtualization adds huge complexity to the IT infrastructure stack, pulling together large numbers of applications and services into one consolidated data center. Traditional silo-based management tools provide no insight into the operational performance of virtual systems, leaving an organization completely blind to the impact of change, both planned and unplanned, on the overall infrastructure.

Without a view into this virtual environment, how can any organization ensure that machines are tested and configured correctly or impose the required level of rigor over system changes?

The process becomes ever more complex when organizations accept the fact that virtual and physical worlds will co-exist for the foreseeable future. From the core infrastructure running the virtual middleware to legacy and in-house developed applications that are too complex to migrate to the virtual world, the physical infrastructure will continue to play a core role in any data center.

It is essential, therefore, that organizations put in place the policies, processes, and monitoring tools required to support the entire physical and virtual IT infrastructure. Organizations critically need to extend the rigorous processes they use in their physical environment to encompass a virtual implementation based on best practice. This will ensure any business can immediately gain the cost benefits associated with a virtual world without undermining the reliability of the data center or compromising regulatory compliance.

Compliance Pressure
Indeed, the pros and cons of the virtual world are taken very seriously by regulatory bodies. The virtual environment, with its continual change, poses huge new compliance challenges, especially in auditing. How can an organization know if a virtual machine is compliant if it no longer exists? How do you track change history for auditors in a virtual world? Certainly these issues are now coming to the fore as increasing numbers of organizations look to virtualize critical production systems.

The payment card industry, for example, has a number of development boards looking at the implications of virtualization on its data security standard. The good news is that virtualization adds some strong capabilities, especially for those organizations that have opted to run multiple services on a single system to minimize hardware costs, creating a high-risk single point of entry.

Running each of those services separately in a virtual machine will provide more security by creating disparate services. However, if the virtual middleware is compromised, these services are just as vulnerable; in effect the problem has simply been moved to the virtual machine. The PCI Standards Council is now beginning to define policies to include the virtualized infrastructure, and other regulatory bodies will undoubtedly follow suit.

But the underlying principles remain unchanged:

  • Management taking responsibility for effective controls
  • Strong policies and process
  • Fact-based accountability supported by real-time audit and control

As in the physical environment, real-time change monitoring is essential to ensure organizations remain compliant - or have early warning of incidents that may affect compliance status.

With 60% to 80% of service-impacting events actually caused by a mismanaged or miscommunicated system change, failure to extend visibility into the virtual world will result in excessive troubleshooting and cross-silo confusion as organizations try to pinpoint the exact cause and location of an underlying problem.

Combining a single view of the physical and virtual world with a continually updated system performance and compliance score enables organizations to rapidly identify problems. This reduces the diagnosis time by upwards of 80% and enables immediate response to minimize downtime and service interruption.

Virtual Confidence
Virtualization is an important technology that has the potential to transform data center costs. However, the business risks cannot be underestimated. According to Gartner, 60% of production virtual machines will be less secure than their physical counterparts through 2009. And analysts fear that misconfigured and mismanaged virtual implementations will result in service interruptions and downtime that will undermine confidence in the technology and potentially stall wholesale adoption.

Yet by continually monitoring the performance of the entire virtual and physical infrastructure, organizations will not only reduce errors and drive up performance, but also contribute to the incremental adoption of virtualization across an organization. Visibility ensures that all changes to the infrastructure, both physical and virtual, occur in full support of the business, in compliance with policies and procedures, and that any exceptions are rapidly dealt with before they can cause business damage.

In most cases, organizations discover that problems have been caused by a lack of procedural understanding, a shortcoming in the process or inadequacy in the toolset.

Addressing these issues through training, process, or technology change incrementally adds stability to the entire infrastructure and builds confidence in the virtual technology that will support ongoing deployment of increasingly mission-critical applications.

Critically, it is by extending the same IT best practice and process rigour to the new integrated virtual and physical arena that organizations can maximize the cost benefits of virtual technology while seamlessly delivering key business services.

About Dwayne Melancon
Dwayne Melancon, CISA, is VP of Corporate and Business Development for Tripwire. He has worked with the IT Process Institute on its research of best practices as well as with numerous corporations around the world on IT service management improvement. Previously, Melancon was VP of Professional Services and Customer Support and VP of Marketing for Tripwire, and VP of Operations for DirectWeb. He is a Certified Information Systems Auditor (CISA), ITIL Foundation Certified and a member of the Information Systems Audit and Control Association (ISACA), the Institute of Internal Auditors (IIA), and the IT Service Management Forum (ITSMF).
