As people who deal with virtualization every day — you work with it, I write about it — it’s easy to get caught up in the idea that it’s a ubiquitous technology with infinite use cases and unending appeal.
Well, in the words of Lee Corso:
There are still quite a few people out there who don’t feel totally comfortable virtualizing everything. And they’re not all newbies who don’t know what they’re talking about.
Case in point: Joshua Corman, the principal security strategist for IBM, a company you may have heard of before. He made headlines at Interop when he told attendees, “I highly recommend you don’t adopt virtualization for any regulated project.”
Server virtualization makes it difficult for organizations to show regulatory compliance, especially when they’re regularly provisioning and deprovisioning virtual machines. And it opens up a whole new Pandora’s box of risks, especially when live migration and other advanced technologies are involved, Corman said, according to Network World.
“You have to do all the maintenance, management and control of [virtual] machines that you normally do [on physical machines],” he said.
Some users also have their concerns. Mike Mucha, the information security officer for Stanford Hospital and Clinics, told InfoWorld last week that a recent virtualization deployment has muddied the waters around his organization’s security decision-making process.
“Virtualization tends to be … led by the server team,” he said. “The server people are taking on non-traditional roles, making decisions about network architecture.”
But at TechEd I also spoke to several IT managers and systems administrators who said their servers are or soon will be 100% virtualized. And these weren’t at rinky-dink mom-and-pop shops. Some were large organizations in sensitive verticals like healthcare and government.
When they were telling me about this, I thought, “Wow, that’s pretty cool that you’ve done so much with virtualization!” But after reading what Corman said about virtualization security and compliance, I wonder if my response should have been, “What? Are you nuts?”
The truth probably lies somewhere in between.
Maybe some longtime virtualization users have found ways to secure their environments and show regulatory compliance. Or maybe some think they have and are in for a rude awakening. Maybe Corman is completely right about virtualization’s risks. Or maybe he’s spreading some good, old-fashioned FUD.