Top Ten Virtualization Risks Hiding in Your Company

What are the management risks and problems hiding inside your virtualization effort? That's a question that David Lynch, VP of marketing for Embotics, tries to help IT groups answer. Embotics, part of CIO's recent list of 10 virtualization vendors to watch, provides what it calls VM lifecycle management. The company's V-Commander software (which integrates with VMware's VirtualCenter management suite) promises to help you track VMs from cradle to grave. The tool lets IT groups apply policies and automation to that tagging and tracking work.

Lynch recently shared with me a top 10 list that his staff uses when it meets with IT leaders to discuss common management risks and problems with virtualization. The list reflects actual problems that Embotics has found while helping multiple customers audit and secure virtualized server environments.

I find this list thought-provoking, realistic and worth sharing. Check out the questions below and ask yourself: Could any of these problems be hiding in my virtualized environment?

As for how these problems arose in the first place, virtualization bubbled up from a few people in the server or application development group at many companies, instead of being planned top down from the CIO. Then virtualization spread quickly, and spread further into the production IT environment, because IT and business teams liked the results. As that spread continues, IT finds itself now having to step back and get more formal about managing virtualization, to avoid management complexity and security risks.

"Most of our customers have been very busy operationally," Lynch says. "Now they are starting to have to deal with issues of control."

Now, on to Embotics' top 10 list of potential troublemakers lurking in virtualized environments:

1. Rogue VMs

How tightly do you control who can create a virtual machine? It's a key security question. When you fire up inactive or suspicious VMs, you may find more than you expect. One Embotics customer fired up an offline VM to confirm what it was, and found a DHCP server, which took down the production network, Lynch says.

2. Unpatched VMs

Remember, users can run VMs on their own PCs using downloadable software from VMware's website, for example. Audit all of your company's machines for such VMs and you may find what Embotics customers have, Lynch says: unauthorized operating systems and a lack of security patches on those VMs.

3. VM Naming Messes

As you track all the VMs in your company, logical names will be helpful. But chances are, IT pros throughout your organization started naming VMs long before you realized how far virtualization would spread, long before anyone thought about imposing a naming system. Think about naming conventions now, Lynch advises.

4. Production Environment Border Problems

Most IT organizations run pre-production VMs (say, for application development work or software upgrade preparation) and production VMs at the same time. If you checked today, would you find any pre-production VMs running in your production environment? It's time to investigate and shore up this situation, Lynch says.
