Unmanaged virtualisation riskier, costlier than physical: Veeam

Despite high adoption rates of virtualisation, many businesses aren't implementing it in a cost-effective and secure manner. Instead, they are opening themselves up to more serious issues.
Written by Michael Lee, Contributor

Many organisations haven't realised that looking after virtual machines requires a different approach to looking after physical ones — and doing so may actually create more work for than not using virtualisation, according to Veeam technical director, APAC, Charles Clarke.

Clarke pointed out that even though virtualisation, on the surface, appears to cut down on the number of servers that need to be managed, the reality is that there are actually several more servers — they just don't exist physically.

"A question I often ask customers is, 'So you're virtualised. Do you have more servers to worry about or less servers to worry about?' It's always more," Clarke said in an interview with ZDNet at VMware's vForum 2012.

And although the additional servers might be virtualised, Clarke said that many organisations are creating problems for themselves by treating them like physical ones.

"They're still looking at a management layer, and often that security layer the old way. We talk to customers that are still deploying agents inside every VM and then for antivirus, for backup, for data protection, for anything. Not only is the virtualisation layer having to carry the weight from a performance perspective, but the organisation as a whole is creating this huge management hangover that it never really had to worry about in the physical days."

Management issues aside, Clarke also pointed out that the organisations could significantly impact any cost saving that they might achieve through virtualisation, or even increase their costs.

"It's very expensive, because they're having to license each agent and each component of each agent individually. Then [they realise] they're creating security and availability risks by not having a process in place that successfully manages new services [and] successfully decommissions old services [that] no longer exist on a day to day basis."

With regards to security, Clarke said that IT's job of protecting the end point is significantly harder, considering how easy it is to spin up a virtual machine.

"Brand-new machines, brand-new services spin up, [but] nobody tells the security team, nobody tells the backup team, and then all of a sudden there's an exposure there that they've created without even realising it," he said.

"They certainly need to ensure that they're not creating entry points" for hackers.

Clarke pointed to better workflows, processes, and management tools as a means to help track and manage virtual machines, but did admit that on the security front, there are risks that administrators should be aware of.

"Virtualisation presents a single point of breach if, potentially, a rogue virtual machine can be spun up in there, [but] it also presents a single point of protection. If firewalling and antivirus and all those other things are able to wrap entirely around the virtualised environment, then you can build that into multiple layers. I think there's a risk in having all your eggs in one basket, but if I can pad that basket with all sorts of bubble wrap and all sorts of good stuff, then it's a little easier than trying to deal with all the eggs individually."

Veeam's own products, which focus on data backups and virtualisation management, do offer encryption for data in transit, but Clarke acknowledged that backups at rest, which may be stored on Amazon, Windows Azure, VMware Cloud, or any number of cloud providers that it works closely with, aren't encrypted, and rely on the trust that the end users places in the provider.

Clarke isn't aware of any plans for Veeam to provide encryption at rest, but indicated that at the moment, Australian customers don't consider their data to be insecure, even when stored in the US and with such issues as the Patriot Act.

"I'm not 100 percent sure that the marketplace and our customer base is ready to make that kind of decision [to require encryption at rest in foreign clouds]. They'll either want it in Australia, or they'll be happy enough to say, 'You know what? It's in the US, I trust it, that's fine.'"

Editorial standards