Virtualization and cloud impact overview auditor spin enterprise gr-cv3


Transcript of Virtualization and cloud impact overview auditor spin enterprise gr-cv3

Page 1: Virtualization and cloud impact overview auditor spin   enterprise gr-cv3

http://www.enterprisegrc.com

Virtualization and Cloud Essentials™ Readiness, An Auditor Spin: CompTIA™ & ITpreneurs Certification Readiness and Auditor-Centric Discussion, Presented by Robin Basham


Agenda?

Your Presenter, Robin Basham, M.Ed, M.IT, CISA, ITSM, CGEIT, CRISC, ACC, CRP, VRP, Blah, Blah, Blah, Cloud, Blah


What Are Cloud Services?

Cloud Computing: Where is it? What is it?

Cloud enables resources to serve multiple needs for multiple consumers, rather than dedicating resources to individual infrastructure, software, or platforms.

Cloud delivers IT capabilities that scale with demand, rather than being defined by a fixed set of assets.

Cloud is delivered as a well-defined service, instead of as a product that needs system administrators and maintenance.

Cloud is typically based on open Internet technology, which increases its interoperability.

Cloud is priced according to recurring subscriptions or usage-based charges, rather than having an up-front cost.


Three Terms We Will Say A Lot

Virtualization: Abstracts compute services away from their physical hardware and allows them to be treated as data. (The technology)

Cloud: Builds on this abstraction by allowing services to be flexibly sourced from a number of providers and delivered over a number of channels. (The business)

Asset Efficiency: The resulting savings from buying, housing, and supporting fewer devices. (a.k.a. the benefit of virtualization)

5 ©Copyright EnterpriseGRC Solutions™ , Inc. 2012, All Rights Reserved


While Camps Debate Over The Safety Of Cloud Computing

Auditors and the business have to collaborate in refining existing risk scenarios, addressing new areas of configuration management, and modifying change policies to prevent the common pitfalls that accompany the adoption of any new technology (i.e., loss of availability, integrity and reputation). Cloud and virtualization offer unprecedented, essential business value (such as avoiding downtime, improving availability, reducing the cost of operations and speeding product to market), yet companies that rush to leverage the cost savings are also likely to experience our next biggest losses of all time.


Controlling Risk in Virtualized Environments

The Controlling Risk in Virtualized Environments session points to a few practical education and Information Technology approaches, providing strategies for effective risk management in virtualization and cloud adoption. Please visit to find more. If there was something you missed, check out our Facebook page, because many ideas and images will also be there.


Topics

Your Context

Key cloud concepts & terminology

Cloud and virtualization project components

Implications in Information Technology Service Management (ITSM)

Security and legal aspects in governance

Outline steps to: increase the success rate of implementing cloud computing, improve in-house cloud competencies, and decrease dependence on external consultants and services.

Please note that tonight's discussion will leverage guidelines proposed in the CompTIA™ Cloud and Virtualization Essentials™ curriculum. Copyright for most of this information is held by EnterpriseGRC Solutions, ISACA, ITpreneurs™ or CompTIA™.


Critical ISACA Resource


Mapping Cloud Assurance to Existing CobiT Assessment


Standards Referenced – Refresh ITIL Lifecycle Stages, ISACA, NIST and CSA

Service Management (ITIL): Cloud computing as a set of technologies and an approach to IT service delivery

Governance (COBIT): Detailing ways that risks should be mitigated such that investments generate value

Information Security (ISO/IEC 27001): "Risk Management or Governance" through specific "Policy", where information security ensures that information in the cloud is safe and secure

NIST: http://www.enterprisegrc.com/index.php?option=com_wrapper&view=wrapper&Itemid=160

Cloud Security Alliance: https://cloudsecurityalliance.org/

ISACA – Controls Assurance in the Cloud: http://www.isaca.org/Knowledge-Center/Research/ResearchDeliverables/Pages/IT-Control-Objectives-for-Cloud-Computing-Controls-and-Assurance-in-the-Cloud.aspx

ITIL Lifecycle Stages and Processes

Service Strategy: Demand Management; Service Portfolio Management; Finance Management

Service Design: Service Catalogue Management; Service Level Management; Supplier Management; Capacity Management; Availability Management; Information Security Management

Service Transition: Change Management; Service Asset and Configuration Management; Knowledge Management; Deployment, Decommission, and Transfer

Service Operations: Request Fulfillment; Event Management; Incident Management; Problem Management; Access Management


Cloud Deployment Methods: SaaS, PaaS, IaaS

Software as a Service (SaaS): The capability provided to the consumer is to use the provider's applications running on a cloud infrastructure; the applications are accessible from various client devices through a thin client interface such as a Web browser (for example, Web-based e-mail). The consumer does not manage or control the underlying cloud infrastructure, including network, servers, operating systems, storage, or even individual application capabilities, with the possible exception of limited user-specific application configuration settings. Examples are online applications like Gmail, Salesforce.com and Microsoft

Platform as a Service (PaaS): The capability provided to the consumer is to deploy onto the cloud infrastructure consumer-created or acquired applications created using programming languages and tools supported by the provider. The consumer does not manage or control the underlying cloud infrastructure, including network, servers, operating systems, or storage, but has control over the deployed applications and possibly application hosting environment configurations. Examples are specialized software libraries (API and programming interfaces).

Infrastructure as a Service (IaaS): The capability provided to the consumer is to provision processing, storage, networks, and other fundamental computing resources where the consumer is able to deploy and run arbitrary software, which can include operating systems and applications. The consumer does not manage or control the underlying cloud infrastructure but has control over operating systems, storage, deployed applications, and possibly limited control over select networking components (for example, host firewalls). Examples are servers and virtual machines running as a service.


Virtualization is an enabling technology

Virtualization is an enabling technology for cloud computing and cloud computing services. For cloud computing to occur, it is necessary to separate resources from their physical location. Without virtualization, the cloud becomes very difficult to manage. Cloud computing is a business model where ownership of physical resources rests with one party, and the service users are billed for their real use. An organization can use virtualization for internal customers. Cloud computing presupposes external service users. The cloud model is a transformation in how IT is delivered.


Business Impact

Business value can be something positive that has been added, but it can also be something negative that is reduced. When considering cloud and virtualization, here are some of the business and IT concerns.

Cost: Including capital cost for servers, storage, network, software, and so on, and the operational cost involved in running the IT systems, cost consumes a large portion of a business budget.

Maintenance: Maintaining current applications not only involves money and time, but also quite a bit of management attention.

Security and Risk Management: For regulatory and legal reasons and for business continuity.

User Experience: Determines the enthusiasm with which applications will be integrated in the day-to-day business.

Flexibility: Businesses expand and contract. For most organizations, the flexibility of IT plays a crucial role in facilitating growth.

Expansion: IT systems continue to expand beyond the physical borders of the organization.


CapEx and OpEx – Reasons for Using Cloud Providers

Cloud providers can deliver lower cost because they enjoy economies of scale. Clients don't have to purchase large amounts of hardware; instead, they are able to invest in cost-saving operational procedures, which are easy to justify.

Capital expenses (CapEx): Cloud computing drives greater optimization and utilization of IT assets, allowing you to do more with less and to realize significant cost reduction. You can take on IT capital investments in increments of required capacity instead of building for maximum, or burst, capacity.

Operating expenses (OpEx): Although IT would continue to make capital investments, public cloud offerings are billed to the enterprise on a pay-per-use basis, and private clouds can be treated as OpEx by the consuming business units. Through automation, cloud computing reduces the amount of time and effort needed to provision and scale IT resources.


Business Value in Virtualization


Discussion Perspectives: User, Vendor and Technology

User Perspective: involves some of the following goals of technology and business:

•Server consolidation and asset efficiency

•Migration to an industry-standard x86 hardware architecture

•Speeding up the provisioning of servers and storage

•Reduction in capital expenditure

•Enabling a more mobile workforce

Vendor Perspective:

•Virtualization is a framework or methodology of dividing the resources of a computer into multiple execution environments by applying concepts or technologies.

•Examples include hardware and software partitioning, time-sharing, partial or complete machine simulation, emulation and quality of service.

Technology Perspective:

•Enables IT groups to deploy and manage resources as logical services instead of physical resources.

•Using network virtualization, IT administrators can segment and align IT services to meet specific user and group network needs.

•Logical, secure segmentation helps IT comply with regulations for resource-specific security.


New Tools, New Processes, New RunBooks – Asset, Release, Patch, Backup Restore, and Monitor

The introduction of virtualization brings many changes that need to be reflected in the tools that administrators use to manage systems. Some examples of the types of changes that need to be addressed include:

•Servers and workstations are no longer tied to a particular, known location.

•Releasing software patches is different in a virtual environment.

•Backup and restore run from a central location, as opposed to execution on the machine.

•Monitoring tools that are used to correlate hardware and software events may no longer understand where dependencies lie.

In addition, each virtual platform has its own management tools, which need to be integrated into operations.

Help Desk Tools

Configuration Management Databases

Monitoring and Alerting Tools

Security Audit Tools

Citrix Desktop Director

VMware View Manager

Cisco UCS Manager

RHEV-M


Virtualization Simplifies Application Development Process


Agile Development

Agile development, which calls for rapid, incremental delivery of new code in a running system driven by specific test cases, can be greatly streamlined by virtualization. The developer can clone an environment to hand over to testers and continue to work without having to spend time laboriously recreating environments for testing.

Multi-tier Environments

When dealing with code that runs in different environments, as in commercial software or even when sharing an application between geographies or business units in a single company, it can be hard to replicate bugs and test whether fixes work. Virtualization can aid here in a number of ways:

•Maintain multiple testing environments without expensive, rarely used hardware.

•Keep literally all versions of the software run-ready.

•Take a virtual snapshot of a customer's running system and bring it intact into the lab for testing.

Packaging and Installation

Conventional approaches to packaging and installation can leave customers and systems administrators with the complex task of installing the application and its dependencies and properly configuring the software. With careful planning, this kind of repetitive systems administration task can become a thing of the past as development teams deploy software as virtual appliances ready to run in a server virtualization environment. With contemporary virtualization platforms, even sophisticated multi-tier applications can be packaged and released, ready to install and go.

Defect Management

Some software defects can be extremely hard to track down when they involve networks of application code on different machines performing unpredictably. Defects can be greatly dependent on timing, and so-called Heisenbugs can be incredibly hard to isolate. When an entire network of machines is virtualized and run on a single machine for test purposes, advanced debugging systems like Sun Microsystems' DTrace can greatly reduce the complexity of the problem.

Werner Heisenberg, a key figure in the development of modern physics, posited that when you observe a system you change its state. The development community uses the term "Heisenbug" to denote a bug that disappears when you try to measure or isolate it.


Cloud Journey – IT Operational Viewpoint

Columns: Level | Adoption | Migration | Operation | Virtualization Technology

Level 4 - Enabled
Adoption: Physical hosts are only used in very exceptional circumstances.
Migration: Migration is largely completed, but tools are available if required.
Operation: Operations model has been adapted to take full advantage of automation and self-service. Support organization is service focused rather than technology focused.
Virtualization Technology: Self-service portals, orchestration, reporting frameworks.

Level 3 - Managed
Adoption: VM is the default choice and is approved for all classes of use, including production.
Migration: Large-scale mass migration exercises using automated tools are in progress or have completed.
Operation: Virtualization support responsibilities are clearly defined. An operational center of virtualization expertise exists.
Virtualization Technology: Management frameworks, capacity management tools.

Level 2 - Adopting
Adoption: VM approved for some functions, for example, dev/test.
Migration: Migration is largely manual and small scale.
Operation: Organization has not changed to reflect virtualization, but existing functions can provide basic support.
Virtualization Technology: Product-specific management and migration tools.

Level 1 - Evaluating
Adoption: Limited pilots.
Migration: Migration tools under evaluation.
Operation: Virtualization is supported largely by the engineering function.
Virtualization Technology: Hypervisor.

Level 0 - Un-adopted
Adoption: No engineered or supported VM hosts.
Migration: No activity.
Operation: Process takes no account of virtualization.
Virtualization Technology: None.


Types of Infrastructure, Network and Site Risk


Risks and Actions to Mitigate in Enterprise Virtualization


Strategic Drivers

Programmers are no longer able to take advantage of this much power with conventional programming techniques. This was earthshaking news back in 2005, when it seemed that programmers would all have to be retrained or the new hardware would remain underutilized. Applications increasingly need to be concurrent in order to fully exploit the continuing exponential CPU throughput gains. Concurrent programming is complicated, subtle, and requires both training and experience. Virtualization allows us to keep these incredibly fast machines busy with programs written by normal programmers without these specialized skills. In large part, this factor is what is behind the recent acceleration of virtualization.

Enabling the Technology Journey

Legacy: Data Center; Hardware Server-Oriented

Virtualization: Data Center; Workplace Virtualization

Cloud: Infrastructure as a Service; Platform as a Service; Software as a Service

Virtualization and cloud computing are steps on a journey towards a more flexible and cost-efficient way of delivering IT. To move physical hardware and software to the cloud, a transition in IT delivery must be made. The move will require new expertise, processes, and technologies.

Problems that are Overcome through Use of Virtualization:

•Running out of capacity.

•Having costly, superfluous capacity.

•Having too much capital tied up in server hardware.

IT Delivery Requirements and Strategic Consideration

Moving from physical to virtual space requires changes in people and technology, mandating virtualization specialists, shared hardware, and hypervisors. (People and Technology)

Virtualization Specialists (People):

•Staff must acquire specialized skills in the management of new technology, such as hypervisors, remote desktops, and virtualized storage. These new platforms not only require a different approach, they must also be integrated with the rest of the organization.

Shared Hardware:

•Virtualization makes in-house infrastructure vastly more efficient by allowing teams to share hardware that is underutilized or utilized only at specific peak periods. The resulting savings from buying, housing, and supporting fewer devices, termed Asset Efficiency, is one of the great benefits of virtualization. (cont.)

Hypervisors (Technology):

•Virtualization introduces a new layer between the server hardware and the operating system of the traditional IT stack. This new layer requires technical expertise to manage. It also means that organizational decisions regarding the server hardware and operating systems must be reexamined.

Physical to Virtual Space – IT Delivery (People)

You need Sourcing Expertise and Common IT Business Strategy, as well as Federation and Security processes. Cloud management platforms must be adopted, and people should think about service and not hardware.


Sourcing Expertise

• Virtualization introduces the possibility, and Cloud Computing further requires that externally sourced IT services play a greater role in the overall IT mix.

• Organizations need staff with vendor management and partner relationship skills, that is, sourcing expertise.

Common IT and Business Strategy:

• IT strategy is always formulated in support of the business, but as an organization matures and engages in both sourcing in and delivering out capabilities in a cloud environment, IT decisions become decisions about who and where the company does business. IT and business strategy become inseparable. For staff to engage in successful strategy, they need to understand both the business they work in and IT.


Physical to Virtual Space – IT Delivery Common Challenges, Federation, Security (Process)


Federation:

• When applications are supplied by a number of independent providers, the need arises to ensure a consistent view of critical underlying data across these providers.

• One common challenge is identity federation, where multiple services trust each other's user information, such as access rights and preferences.

• Another challenge is master data federation, where common corporate data, such as product inventories or customer data, is shared across a number of applications.

Security and Risk:

• Because cloud computing involves moving from an environment completely under in-house control to one in which a number of external vendors are relied upon, it poses unique challenges to the confidentiality, integrity, and availability of data and processes with significant bearing on the risk profile of the organization.


Common Benefits: Service Model for Platforms and the overall Service Catalogue (Technology)


Cloud Management Platforms:

• A company that adopts cloud computing must bring together diverse services from a variety of vendors, as well as in-house capabilities, in a consistent and consistently managed way. The emerging category of cloud management provides the capability to realize the potential of anytime, anywhere cloud computing.

Service, Not Hardware:

• As an organization becomes comfortable with virtualization, it stops talking about its servers and instead talks about the capacity it needs and where it must be located. A company that adopts cloud computing can own few servers while being able to deliver any number of virtual servers for just as long as its developers need them.

Virtualization and Cloud Computing Share People Benefits

Virtualization and cloud computing share the need for cross-silo expertise, dynamic environments, usage metering, self-service, automation, and management tools.

Cross-Silo Expertise:

• As an organization gains experience with virtualization, roles within IT delivery are redefined.

• Historically, planning, provisioning, and troubleshooting required a combination of skills such as networking and UNIX system administration, which, in a conventional enterprise, were often found in separate IT silos.

Dynamic Environment:

• In a typical company, processes such as server installation and inventory management orient around configuration changes that, once provisioned, will last for years.

• Virtualized and cloud environments scale up and down dynamically and require supporting processes to handle changes that might last for only minutes or hours.

• For example, a developer might bring up a network of fifty VMs to test a batch job after lunch and be done with them at 5 o'clock.


Virtualization and cloud computing share Process Benefits


Self-Service:

• In a complex organization, conventional procedures to buy equipment or make configuration changes can take months to complete.

• These procedures are manually intensive; requests can become "lost in the mail."

• A balanced approach to self-service, which maintains control over financial, operational, and technical constraints and delivers quickly when a standard request is made, is typical of the benefits virtualization and cloud computing bring to business and IT users alike.

Usage Metering:

• Before virtualization, hardware and software assets were typically allocated to an individual business area within a company. The owning group bore the cost of purchase, housing, and support. However, as sharing increases with virtualization and cloud computing, it becomes necessary to collect usage statistics to allocate costs fairly. The design of this metering is critical for the discipline of demand management, which keeps costs under control.
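The metering the slide calls for has to cope with the dynamic environment described a few slides earlier: a fleet of test VMs that exists only for an afternoon must be charged on the same basis as a production server that runs for years. The following Python is an added example, not part of this presentation or of any vendor's chargeback tool. It takes constructed VM start/stop records tagged with the owning business unit, clips each record to a billing period, sums VM-hours per unit, and allocates a shared pool cost in proportion to those hours with cent-exact rounding. The record layout, the business unit names, the fifty-VM test job and the pool cost are all assumptions for illustration.

```python
import math
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class VmEvent:
    """One VM lifetime record, as a metering system would emit it (assumed layout)."""
    vm_id: str
    business_unit: str
    started: datetime
    stopped: datetime


# Constructed sample data, not real usage records:
#  - "dev" brings up fifty test VMs at 13:00 and tears them down at 17:00
#  - "sales" runs two CRM VMs continuously across the billing day
#  - "finance" ran a batch VM weeks earlier, entirely outside the period
SAMPLE_EVENTS = (
    [VmEvent(f"test-{i:02d}", "dev", datetime(2012, 6, 1, 13), datetime(2012, 6, 1, 17))
     for i in range(50)]
    + [VmEvent("crm-01", "sales", datetime(2012, 5, 30), datetime(2012, 6, 3)),
       VmEvent("crm-02", "sales", datetime(2012, 5, 30), datetime(2012, 6, 3)),
       VmEvent("old-batch", "finance", datetime(2012, 5, 20), datetime(2012, 5, 21))]
)

BILLING_START = datetime(2012, 6, 1)
BILLING_END = datetime(2012, 6, 2)


def vm_hours_by_unit(events, period_start, period_end):
    """Sum VM-hours per business unit, counting only time inside the billing period."""
    hours = defaultdict(float)
    for ev in events:
        start = max(ev.started, period_start)
        stop = min(ev.stopped, period_end)
        if stop <= start:
            continue  # ran entirely outside the period: nothing to charge
        hours[ev.business_unit] += (stop - start).total_seconds() / 3600.0
    return dict(hours)


def allocate_cost(vm_hours, pool_cost_cents):
    """Split a shared pool cost (in cents) in proportion to VM-hours.

    Uses largest-remainder rounding so the allocated cents sum exactly to the
    pool cost; naive per-unit rounding can leave a cent unaccounted for.
    """
    total_hours = sum(vm_hours.values())
    if total_hours == 0:
        return {}
    raw = {unit: h / total_hours * pool_cost_cents for unit, h in vm_hours.items()}
    allocated = {unit: int(math.floor(v)) for unit, v in raw.items()}
    leftover = pool_cost_cents - sum(allocated.values())
    # hand the leftover cents to the units with the largest fractional parts
    for unit in sorted(raw, key=lambda u: raw[u] - allocated[u], reverse=True)[:leftover]:
        allocated[unit] += 1
    return allocated


def chargeback_report(events, period_start, period_end, pool_cost_cents):
    """Return (unit, vm_hours, cents) rows, largest charge first."""
    hours = vm_hours_by_unit(events, period_start, period_end)
    cents = allocate_cost(hours, pool_cost_cents)
    return sorted(((u, hours[u], cents[u]) for u in hours), key=lambda r: -r[2])


if __name__ == "__main__":
    # assumed shared pool cost for the day: $1,000.00
    for unit, h, c in chargeback_report(SAMPLE_EVENTS, BILLING_START, BILLING_END, 100_000):
        print(f"{unit:8s} {h:8.1f} VM-h  ${c / 100:9.2f}")
```

The point for an auditor is the clipping step: without it, the long-running sales VMs would be charged for days that fall outside the period and the afternoon test fleet would look negligible, which is exactly the cost-allocation distortion that weakens demand management.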


Virtualization and cloud computing share Technology Challenges and Benefits

Automation:

• The move from physical to virtual allows the automation of a much greater proportion of the IT workload than in a conventional environment.

• Separating the process of resource allocation from hardware purchase allows a much more streamlined and efficient process for delivering customer requests for capacity and change.

Management Tools:

• Most enterprises have invested in a set of management tools to handle IT configurations, help-desk processes, monitoring, and other familiar IT challenges.

• Virtualization, together with the virtual and cloud-operating models, means that the systems that underpin in-house systems management must evolve to support both the new technologies and the new, more-dynamic operating model. (Using clouds helps to meet this challenge)


Virtualization is Not Appropriate for All Cases

There are a number of considerations when evaluating a candidate for virtualization, and for determining whether the time is right for making the leap. Organizational considerations for assessing virtualization readiness include:

•whether there exists a high rate of IT change and critical use, or a relatively static one

•the extent to which capital is expensive or unavailable

•a skilled IT workforce


Good Candidate Organization

• Skilled IT Workforce: A skilled workforce is able and willing to take on the technical and operational challenges posed by virtualization. Furthermore, skilled workers want to work at an innovative and leading organization. This is a strong positive indicator for virtualization readiness.

• Capital Expensive or Unavailable: One of the easiest financial benefits to achieve with virtualization is a reduction or avoidance of capital expense by deferring the purchase of new servers and the related items (data centers, networks, and so on) that they require. This is a strong positive indicator for virtualization readiness.

• High Rate of IT Change and Critical Use: Virtualization, done right, can greatly reduce the time it takes to deliver an IT service. It can also greatly streamline major projects, such as premises moves and merger integration. This is a strong positive indicator for virtualization readiness.

Think Carefully Organization

• Lack of In-house Skill Set: Virtualization requires specific technical skills on the new platforms. It also changes the way existing processes (data backup, virus protection, software distribution, and so on) should operate. Management must seek to improve the staff's skill set through training, retraining, or outsourcing. This is a weak negative indicator for virtualization readiness.

• Relatively Static IT: For many organizations IT is a key enabler, but some organizations' needs are minimal and without variation. If a business provides only the most basic services, then now may not be the time to virtualize. Nevertheless, over time, it is likely that all services will be provided in a virtual environment. This is a negative indicator of virtualization readiness.


Organizational Readiness


Virtualization is Not Appropriate for All Cases

Process considerations for assessing virtualization readiness include:

•service management culture

•difficulty sharing among business units

•weak processes and controls


Good Candidate Process

• Service Management Culture: Virtualization requires a proactive approach to service management and IT assurance. Problems would quickly arise from ineffective controls supporting performance and functionality targets. Having a strong service-management mentality is a key success factor and a strong positive indicator for virtualization readiness.

• Difficulty Sharing: Users can be isolated from each other with well-proven technology. If the root cause of the inability to share is poor change management, virtualization can help.

Considerations Either Way Process

• Difficulty Sharing Among Business Units: Complex organizations often have great difficulty sharing IT assets among separately managed business units. This can be due to organizational contention for scarce resources, or it can be due to externally imposed pressures affecting change windows and the ability to be flexible.

• Virtual infrastructure is shared infrastructure, but with one important difference: the users can be isolated from each other with well-proven technology.

Think Carefully Process

• Difficulty Sharing: If the problem lies in a shortage of resources, the solution is stronger governance and not a technical fix.

• Weak Processes and Controls: An organization that lacks defined processes should tread carefully into virtualization. Processes must be in place and adhered to, or problems will arise.

• The most critical processes to review include:

• Capacity Management: It is important not to over-provision the virtual environment, or everyone's performance will suffer, and with it the reputation and viability of the virtual IT services.

• Service-Level Management: It is important to set expectations with users and provide follow-up to ensure their expectations are met, especially when rolling out a new technology.

• Incident and Problem Management: Virtualization isolates services from their underlying hardware and enables a great degree of consolidation and efficiency, but this can also mean that there are a lot of eggs in one basket.


Process Readiness – CobiT Maturity DS3, DS1, DS8
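The Capacity Management and Incident and Problem Management points above (no over-provisioning of the shared environment, and not too many eggs in one basket) can be turned into a concrete auditor's check over a virtualization inventory. The following is an added example, not code from the presentation or from any vendor: the hosts, VM placements and policy thresholds are constructed values, and a real review would take the thresholds from the organization's own capacity plan and the inventory from its CMDB.

```python
"""Added example, not part of the presentation: an auditor's placement check
over a constructed VM inventory. It exercises two of the process points above,
Capacity Management (no over-provisioning of the shared environment) and
Incident and Problem Management (too many eggs in one basket).
All hosts, VMs and policy thresholds are assumed values."""
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed inventory: physical hosts with their cores and RAM.
HOSTS = {
    "esx-01": {"pcpu": 16, "ram_gb": 128},
    "esx-02": {"pcpu": 16, "ram_gb": 128},
    "esx-03": {"pcpu": 32, "ram_gb": 256},
}

# Constructed placements: (vm, host, vCPUs, RAM GB, business service served).
VMS = [
    ("web-01", "esx-01", 4, 8, "ecommerce"),
    ("web-02", "esx-01", 4, 8, "ecommerce"),
    ("db-01", "esx-01", 8, 64, "ecommerce"),
    ("erp-app", "esx-01", 8, 32, "erp"),
    ("erp-db", "esx-01", 8, 48, "erp"),
    ("crm-01", "esx-01", 4, 24, "crm"),
    ("mail-01", "esx-02", 4, 16, "email"),
    ("file-01", "esx-02", 2, 8, "fileshare"),
    ("dev-01", "esx-03", 4, 8, "dev"),
]

# Assumed policy limits; an auditor would take these from the capacity plan.
MAX_VCPU_RATIO = 4.0        # allocated vCPUs per physical core
MAX_MEM_RATIO = 1.0         # allocated RAM per physical RAM (no overcommit)
MAX_SERVICES_PER_HOST = 2   # blast radius: distinct services on one host


@dataclass
class HostFinding:
    host: str
    vcpu_ratio: float
    mem_ratio: float
    services: set = field(default_factory=set)
    issues: list = field(default_factory=list)


def assess_placement(hosts=HOSTS, vms=VMS, max_vcpu=MAX_VCPU_RATIO,
                     max_mem=MAX_MEM_RATIO, max_services=MAX_SERVICES_PER_HOST):
    """Return {host: HostFinding} with overcommit ratios and policy breaches."""
    vcpu = defaultdict(int)
    mem = defaultdict(int)
    services = defaultdict(set)
    for name, host, cpus, ram, service in vms:
        if host not in hosts:
            raise ValueError(f"{name} is placed on unknown host {host}")
        vcpu[host] += cpus
        mem[host] += ram
        services[host].add(service)

    findings = {}
    for host, spec in hosts.items():
        vr = vcpu[host] / spec["pcpu"]
        mr = mem[host] / spec["ram_gb"]
        f = HostFinding(host, vr, mr, services[host])
        if vr > max_vcpu:
            f.issues.append(f"vCPU overcommit {vr:.2f}:1 exceeds policy {max_vcpu}:1")
        if mr > max_mem:
            f.issues.append(f"RAM allocated at {mr:.2f}x physical exceeds policy {max_mem}x")
        if len(f.services) > max_services:
            f.issues.append(f"{len(f.services)} business services share this host")
        findings[host] = f
    return findings


def single_host_services(vms=VMS):
    """Multi-VM services whose every VM sits on one host: a host failure takes
    the whole service down, so the cluster gives them no failover."""
    placement = defaultdict(list)
    for _, host, _, _, service in vms:
        placement[service].append(host)
    return {svc: hosts[0] for svc, hosts in placement.items()
            if len(hosts) > 1 and len(set(hosts)) == 1}


if __name__ == "__main__":
    for host, f in assess_placement().items():
        status = "; ".join(f.issues) or "within policy"
        print(f"{host}: vCPU {f.vcpu_ratio:.2f}:1, RAM {f.mem_ratio:.2f}x, {status}")
    for svc, host in single_host_services().items():
        print(f"{svc}: all VMs on {host}, no host diversity")
```

On the constructed data the check reports esx-01 twice (memory allocated above physical RAM and three business services on one host) and shows that both ecommerce and erp have every VM on that same host, which is exactly the failure-impact question an incident and problem manager should be able to answer before, not after, a hardware fault.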


Page 37: Virtualization and cloud impact overview auditor spin   enterprise gr-cv3


Virtualization is Not Appropriate for All Cases

Technological considerations for assessing virtualization readiness include: endemic poor utilization, lifecycle management problems, highly utilized infrastructure, input/output-intensive applications, third-party support issues, and custom hardware dependency.


• Endemic poor utilization
• Lifecycle management problems
• Highly utilized infrastructure
• Input/output-intensive application
• Third-party support issues
• Custom hardware dependency

Page 38: Virtualization and cloud impact overview auditor spin   enterprise gr-cv3


Technology Readiness

Good Candidate Technology

• Endemic Poor Utilization: Virtualization can directly address poor utilization of servers, storage, and networks. This is a strong positive signal for virtualization readiness.

• Lifecycle Management Problems: In many cases, organizations find themselves unable to keep software versions up to date due to a lack of resources, including the availability of environments for test and development, and because of downtime for upgrades. Virtualization simplifies software maintenance by enabling multiple environments to run in parallel, making testing and, in the event of a problem, rollback much easier. This is a strong positive signal for virtualization readiness.

Considerations Either Way Technology

• Infrastructure is Highly Utilized: One of virtualization's major benefits is increasing utilization through consolidation. If the infrastructure is already highly utilized, this would seem to be a negative signal. However, it is possible that demand is unevenly spread across the IT estate; in this case, virtualization can make it easier to migrate IT services and can help address the issue.

• Input/Output-Intensive Application: In the past, virtualization systems were challenged to deliver performance for IO-intensive applications. Although great strides have been made in improving IO throughput with application, server, and hardware-level virtualization technology, there may still be issues depending on the IO workload in question. This is generally a neutral indicator.

Think Carefully

• Third-Party Support Issues: Some applications may not be supported, or may not be fully supported, in a virtual environment. An example of this is Microsoft Active Directory, which is fully supported on Microsoft's own Hyper-V virtualization platform but is not fully supported on other platforms. Applications with this characteristic are poor candidates for virtualization.

• Custom Hardware Dependency: Some applications are tied to custom hardware. The attached hardware might be as simple as a dongle for license management, or as complex as a device-control interface or a modem rack. Applications with this characteristic are poor candidates for virtualization.


Page 39: Virtualization and cloud impact overview auditor spin   enterprise gr-cv3


Data Center Virtualization Characteristics

Regardless of whether the applications need the resources at any given time, the typical corporate data center is full of expensive equipment, most of which is dedicated to specific applications.


• Management tools
• Server virtualization
• Storage virtualization
• Network virtualization

Page 40: Virtualization and cloud impact overview auditor spin   enterprise gr-cv3


Workplace Virtualization Characteristics

In the workplace, virtualization also applies to the familiar workplace environment of personal computers and desktop applications. A typical workplace has a large number of computers scattered throughout the premises, each needing to be managed and kept current with the latest software.

It is important to note that when we say workplace we are focused on the desktop and mobile data applications in the workplace. While concepts in virtualization also apply to other aspects of the workplace such as the physical office, telephones, and meeting rooms, those are not specifically covered in this course.


Workplace virtualization:
• virtual desktop infrastructure
• server-based computing
• workstation virtualization
• application virtualization

Page 41: Virtualization and cloud impact overview auditor spin   enterprise gr-cv3


Return on Investment in Adopting Virtualization

Underpinned by common management tools and processes: all aspects of systems management must account for virtualization. Not only must the chosen set of virtualization technologies itself be managed as a platform, but the enterprise tools associated with monitoring, provisioning, incident and problem management, inventory management, and software development and releases must all be integrated to ensure that they work well in a virtual environment.

Although it is possible to treat virtual infrastructure as if it were only physical infrastructure and not change the organization's way of working, this eliminates much of the benefit of virtualization in the first place.

Adopting a new, virtual infrastructure operating model is critical to achieving Return on Investment (ROI).



Page 42: Virtualization and cloud impact overview auditor spin   enterprise gr-cv3


Audit Watch for Migration Problems

IP addresses might need changing in configuration files and certificates might need to be updated. Issues that are expressly problematic for virtualization include requirements for particular hardware, such as hardware dongles or RS232 connections; applications with very high I/O requirements; life-critical applications; and real-time applications, such as applications that have interfaces to special hardware with demanding time requirements.

If an application is consuming a large amount of CPU or memory resources, it might not be a candidate for consolidation even if it can be virtualized. The benefits are still likely to outweigh the risk: downtime avoidance, disaster recovery, and increased availability.
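The two migration problems named first above, stale IP addresses in configuration files and certificates that no longer match the service's name, are the kind an auditor can test for rather than take on trust. The following is an added example, not code from the presentation or from any vendor tool: the configuration snippets, the retired-subnet plan and the certificate inventory are constructed samples, and the hostnames under `corp.example` are placeholders.

```python
"""Added example, not from the presentation: two audit checks for the migration
problems named above. The first finds configuration files that still carry IP
addresses from subnets being retired; the second finds certificates that do
not cover a migrated service's new hostname. The config snippets, address plan
and certificate inventory are constructed samples."""
import ipaddress
import re

# Candidate IPv4 literals; validity is checked with the ipaddress module below.
IPV4_LITERAL = re.compile(r"(?<![\d.])(?:\d{1,3}\.){3}\d{1,3}(?![\d.])")

# Constructed migration plan: subnets that disappear after the move.
RETIRED_SUBNETS = [ipaddress.ip_network("10.1.20.0/24"),
                   ipaddress.ip_network("192.168.5.0/24")]

# Constructed configuration files (path -> contents).
CONFIG_FILES = {
    "app/database.ini": "[db]\nhost = 10.1.20.15\nport = 5432\n",
    "app/cache.conf": "redis_url = redis://10.2.0.9:6379/0\n",
    "etc/hosts.allow": "sshd: 192.168.5.0/255.255.255.0\n",
    "app/version.txt": "build 2.3.400.1\n",   # looks like an address, is not one
}


def find_stale_addresses(files=CONFIG_FILES, retired=RETIRED_SUBNETS):
    """Return (path, line number, address) for every literal in a retired subnet."""
    findings = []
    for path, text in files.items():
        for lineno, line in enumerate(text.splitlines(), start=1):
            for match in IPV4_LITERAL.finditer(line):
                try:
                    addr = ipaddress.ip_address(match.group())
                except ValueError:      # octet out of range: a version string etc.
                    continue
                if any(addr in net for net in retired):
                    findings.append((path, lineno, str(addr)))
    return findings


def cert_covers(cert_name, hostname):
    """Match a certificate name against a hostname. A wildcard is honoured only
    in the leftmost label and matches exactly one label (as RFC 6125 requires)."""
    cert_name = cert_name.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not cert_name.startswith("*."):
        return cert_name == hostname
    suffix = cert_name[1:]                      # e.g. ".corp.example"
    return (hostname.endswith(suffix)
            and len(hostname.split(".")) == cert_name.count(".") + 1)


# Constructed inventory: each migrated service, its new name and the names
# (CN/SAN entries) on the certificate currently deployed for it.
CERT_INVENTORY = [
    {"service": "erp", "new_hostname": "erp.corp.example",
     "cert_names": ["erp-old.corp.example"]},
    {"service": "shop", "new_hostname": "shop.corp.example",
     "cert_names": ["*.corp.example"]},
    {"service": "mail", "new_hostname": "mail.dmz.corp.example",
     "cert_names": ["*.corp.example"]},      # wildcard spans one label only
]


def certs_needing_reissue(inventory=CERT_INVENTORY):
    """Services whose current certificate names do not cover the new hostname."""
    return [item["service"] for item in inventory
            if not any(cert_covers(n, item["new_hostname"])
                       for n in item["cert_names"])]


if __name__ == "__main__":
    for path, lineno, addr in find_stale_addresses():
        print(f"{path}:{lineno}: {addr} is in a retired subnet")
    for service in certs_needing_reissue():
        print(f"{service}: certificate does not cover its new hostname")
```

Two details matter in practice: a regular expression alone over-matches (version strings and netmasks look like addresses), so each hit is validated and then tested for membership in the retired ranges rather than reported on sight; and a wildcard certificate covers exactly one label, so a service that moves into a new sub-zone such as `dmz.corp.example` needs a reissued certificate even though its old wildcard seemed to apply.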


Page 43: Virtualization and cloud impact overview auditor spin   enterprise gr-cv3


Concerns and Solutions - Three Camps

When introducing adoption of virtualization, people initially have some concerns.


• Is it proven? Putting multiple applications on a single server will greatly increase the impact of a hardware failure. This concern is valid and should be addressed by careful placement and cluster design to ensure that the impact of specific failures is well understood and that the cluster provides appropriate failover capabilities. (Proven technology; solutions: careful placement and cluster design.)

• Will it perform? Virtual infrastructure will become so swamped with applications that performance will be impacted. To address this, it is important that organizations introduce monitoring and service reporting to demonstrate that the infrastructure is operating within capacity, and effective governance mechanisms to take action when it is not. (Performance; solutions: monitoring, service reporting, governance mechanisms.)

• Can we adapt this to our culture? Enterprise-scale virtualization should be viewed as a new service. It will require formal service definitions and the establishment of appropriate Service Level Agreements (SLAs) and Operational Level Agreements (OLAs). It will also require appropriate education of the workforce and is likely to need a degree of reorganization within the data center. (Culture: control, service definition, technology knowledge; solutions: education and reorganization.)

Page 44: Virtualization and cloud impact overview auditor spin   enterprise gr-cv3


ITIL Glossary

Application service provider (ITIL® phase: Service Design): An external service provider that provides IT services using applications running at the service provider's premises; users access the applications by network connections to the service provider. (This term is now superseded by 'SaaS service provider', though not exactly identical.)

Architecture (ITIL® phase: Service Design): The structure of a system or IT service, including the relationships of components to each other and to the environment they are in; architecture also includes the standards and guidelines which guide the design and evolution of the system.

Asset (ITIL® phase: Service Strategy): Any resource or capability; assets of a service provider include anything that could contribute to the delivery of a service; assets can be one of the following types: Management, Organization, Process, Knowledge, People, Information, Applications, Infrastructure, and Financial Capital.

Availability (ITIL® phase: Service Design): Ability of a Configuration Item or IT service to perform its agreed function when required; availability is determined by reliability, maintainability, serviceability, performance, and security; availability is usually calculated as a percentage; this calculation is often based on agreed service time and downtime; it is best practice to calculate availability using measurements of the business output of the IT service.

Backup (ITIL® phase: Service Design / Service Operation): Copying data to protect against loss of integrity or availability of the original.

Business continuity management (ITIL® phase: Service Design): The business process responsible for managing risks that could seriously impact the business; BCM safeguards the interests of key stakeholders, reputation, brand, and value-creating activities; the BCM process involves reducing risks to an acceptable level and planning for the recovery of business processes should a disruption to the business occur; BCM sets the objectives, scope, and requirements for IT Service Continuity Management.

Capacity (ITIL® phase: Service Design): The maximum throughput that a Configuration Item or IT service can deliver while meeting agreed service level targets; for some types of CIs, capacity may be the size or volume, for example, a disk drive.

Capacity Management (ITIL® phase: Service Design): The process responsible for ensuring that the capacity of IT services and the IT infrastructure is able to deliver agreed service level targets in a cost-effective and timely manner; Capacity Management considers all resources required to deliver the IT service and plans for short-, medium-, and long-term business requirements.

Change Advisory Board (ITIL® phase: Service Transition): A group of people that advises the Change Manager in the assessment, prioritization, and scheduling of changes; this board is usually made up of representatives from all areas within the IT service provider, the business, and third parties, such as suppliers.

Change Management (ITIL® phase: Service Transition): The process responsible for controlling the lifecycle of all changes; the primary objective of Change Management is to enable beneficial changes to be made, with minimum disruption to IT services.

Charging (ITIL® phase: Service Strategy): Requiring payment for IT services; charging for IT services is optional, and many organizations choose to treat their IT service provider as a cost center.

Confidentiality (ITIL® phase: Service Design): The security goal that generates the requirement for protection from intentional or accidental attempts to perform unauthorized data reads; confidentiality covers data in storage, during processing, and in transit; also, a security principle that requires that data should only be accessed by authorized people.

Configuration (ITIL® phase: Service Transition): A generic term used to describe a group of Configuration Items that work together to deliver an IT service or a recognizable part of an IT service; configuration is also used to describe the parameter settings for one or more CIs.

Page 45: Virtualization and cloud impact overview auditor spin   enterprise gr-cv3


ITIL Glossary

Configuration Management Database (ITIL® phase: Service Transition): A database used to store configuration records throughout their lifecycle; the Configuration Management System maintains one or more CMDBs, and each CMDB stores attributes of CIs and the relationships with other CIs.

Deployment (ITIL® phase: Service Transition): The activity responsible for movement of new or changed hardware, software, documentation, processes, and so on to the live environment; deployment is part of the Release and Deployment Management process.

Development (ITIL® phase: Service Design): The process responsible for creating or modifying an IT service or application; also used to mean the role or group that carries out development work.

Downtime (ITIL® phase: Service Design / Service Operation): The time when a Configuration Item or IT service is not available during its agreed service time; the availability of an IT service is often calculated from agreed service time and downtime.

Environment (ITIL® phase: Service Transition): A subset of the IT infrastructure that is used for a particular purpose; for example, live environment, test environment, and build environment.

Identity (ITIL® phase: Service Operation): A unique name that is used to identify a user, person, or role; the identity is used to grant rights to that user, person, or role; for example, identities might be the user name SmithJ or the role "change manager".

Integrity (ITIL® phase: Service Design): A security principle that ensures that data and Configuration Items are only modified by authorized personnel and activities; integrity considers all possible causes of modification, including software and hardware failure, environmental events, and human intervention.

Middleware (ITIL® phase: Service Design): Software that connects two or more software components or applications; middleware is usually purchased from a supplier, rather than developed within the IT service provider.

Outsourcing (ITIL® phase: Service Strategy): Contracting the services of outside suppliers instead of providing those services with the company's own staff and assets; using an external service provider to manage IT services.

Service provider (ITIL® phase: Service Strategy): An organization supplying services to one or more internal customers or external customers.

Request fulfillment (ITIL® phase: Service Operation): The process responsible for managing the lifecycle of all service requests.

Resilience (ITIL® phase: Service Design): The ability of a Configuration Item or IT service to resist failure or to recover quickly following a failure; for example, an armored cable will resist failure when put under stress.

Resource (ITIL® phase: Service Strategy): A generic term that includes IT infrastructure, people, money, or anything else that might help to deliver an IT service; resources are considered to be the assets of an organization.

Information Security Management (ISM) (ITIL® phase: Service Design): The process that ensures the confidentiality, integrity, and availability of an organization's assets, information, data, and IT services; Information Security Management usually forms part of an organizational approach to Security Management, which has a wider scope than the IT service provider and includes handling of paper, building access, phone calls, and so on for the entire organization.

Server (ITIL® phase: Service Operation): A computer that is connected to a network and provides software functions that are used by other computers.

Software release (ITIL® phase: Service Transition): A collection of hardware, software, documentation, processes, or other components required to implement one or more approved changes to IT services; the contents of each release are managed, tested, and deployed as a single entity.

Service sourcing (ITIL® phase: Service Strategy): The strategy and approach for deciding whether to provide a service internally or to outsource it to an external service provider; service sourcing also means the execution of this strategy.
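The Availability and Downtime glossary entries above describe a calculation (availability as a percentage of agreed service time, counting only downtime that falls inside agreed service time) and recommend measuring business output instead where possible. The following is an added example that carries that calculation through; it is not from the course material or from ITIL itself, and the service hours, outage tickets and transaction counts are constructed values.

```python
"""Added example, not part of the course material: availability computed the
way the glossary entries describe, as a percentage of agreed service time less
downtime, together with the business-output measure they call best practice.
The service hours, outage records and transaction counts are all constructed."""
from datetime import datetime, timedelta

ZERO = timedelta(0)


def service_windows(first_day, days, open_hour=8, close_hour=18):
    """Agreed service time (assumed): 08:00-18:00 on weekdays only."""
    windows = []
    for i in range(days):
        day = first_day + timedelta(days=i)
        if day.weekday() >= 5:          # Saturday=5, Sunday=6: no agreed service
            continue
        windows.append((day.replace(hour=open_hour, minute=0, second=0, microsecond=0),
                        day.replace(hour=close_hour, minute=0, second=0, microsecond=0)))
    return windows


def merge_outages(outages):
    """Merge overlapping outage records so the same minute is not counted twice
    (two tickets for one incident is a common source of inflated downtime)."""
    merged = []
    for start, end in sorted(outages):
        if merged and start <= merged[-1][1]:
            merged[-1] = (merged[-1][0], max(merged[-1][1], end))
        else:
            merged.append((start, end))
    return merged


def availability_pct(windows, outages):
    """Availability % = (AST - DT) / AST * 100, where AST is agreed service time
    and DT is only the downtime that falls inside agreed service time."""
    ast = sum((end - start for start, end in windows), ZERO)
    if ast == ZERO:
        raise ValueError("no agreed service time in the period")
    dt = ZERO
    for w_start, w_end in windows:
        for o_start, o_end in merge_outages(outages):
            overlap = min(w_end, o_end) - max(w_start, o_start)
            if overlap > ZERO:
                dt += overlap
    return (ast - dt) / ast * 100


def business_output_pct(attempted, successful):
    """Availability from business output: share of transactions that completed."""
    if attempted <= 0 or successful < 0 or successful > attempted:
        raise ValueError("inconsistent transaction counts")
    return successful / attempted * 100


# Constructed week: Monday 2012-06-04 to Sunday 2012-06-10, five 10-hour days.
WEEK = service_windows(datetime(2012, 6, 4), 7)
OUTAGES = [
    (datetime(2012, 6, 5, 10, 0), datetime(2012, 6, 5, 11, 30)),   # 1.5 h inside hours
    (datetime(2012, 6, 6, 17, 0), datetime(2012, 6, 6, 20, 0)),    # only 1 h counts
    (datetime(2012, 6, 7, 7, 30), datetime(2012, 6, 7, 8, 15)),    # only 15 min count
    (datetime(2012, 6, 9, 2, 0), datetime(2012, 6, 9, 6, 0)),      # Saturday: 0
    (datetime(2012, 6, 5, 11, 0), datetime(2012, 6, 5, 11, 15)),   # duplicate ticket
]


def weekly_report(windows=WEEK, outages=OUTAGES, attempted=20000, successful=19400):
    """Both availability figures for the constructed week."""
    return {"time_based_pct": availability_pct(windows, outages),
            "business_output_pct": business_output_pct(attempted, successful)}


if __name__ == "__main__":
    r = weekly_report()
    print(f"time-based availability: {r['time_based_pct']:.2f}%")
    print(f"business-output availability: {r['business_output_pct']:.2f}%")
```

The clipping step is what auditors most often find missing in vendor-supplied availability figures: an outage that starts at 17:00 and runs to 20:00 costs one hour of agreed service time, not three, and a weekend outage costs none, while the duplicate ticket would otherwise add a quarter hour that never happened. On the constructed week the two measures come out at 94.5% and 97.0%, and the gap between them is itself worth explaining in a review.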

Page 46: Virtualization and cloud impact overview auditor spin   enterprise gr-cv3


Vendor Landscape

Virtualization was a new software category a decade ago when VMware introduced its first products. Today, there are a number of leaders on the market, providing software suites that support virtualized data centers. VMware remains the market leader today, with Microsoft and Citrix rounding off the top three in terms of number of licenses shipped.

It is important for corporate users to understand the competitive landscape to select the right vendor for their needs and to negotiate the best terms for the total cost of the new capability.

Many vendors provide the virtualization technology and solutions, and all of them both compete and cooperate to a great extent. Recently, there has been a tremendous run of acquisitions as major players fortify their virtualization capabilities. As you learn about the details of data center and workplace virtualization, keep in mind that this industry is immature and evolving rapidly. Learn about the vendors and educate yourself so that you can make the right decisions about where to invest your company's efforts.


• VMware: server virtualization (vSphere), desktop virtualization, free server virtualization with the free VMware Server
• Red Hat: RHEV (Red Hat Enterprise Virtualization for Servers), Linux market leader, Qumranet, also supports Windows
• Citrix: XenDesktop and XenServer, remote access and workplace virtualization, focus on remote desktop enablement
• Microsoft: built-in virtualization capability in Server 2008 R2

Page 47: Virtualization and cloud impact overview auditor spin   enterprise gr-cv3


Since we only had one hour, there were a lot of topics we couldn't discuss. Let's keep the dialogue going on Facebook, LinkedIn and Twitter. Thanks for your time.

This presentation was a sample of content found in the Cloud Essentials™ and Virtualization Essentials™ Curriculum. Some views and all graphics are the copyright of EnterpriseGRC Solutions™. For more information about copyrighted content from CompTIA™ and ITpreneurs™, please visit http://www.enterprisegrc.com/index.php?option=com_content&view=article&id=49:edu&catid=37:edu&Itemid=62 EnterpriseGRC Solutions™ is an ITpreneurs partner, Member of the Cloud Credential Council and (ten year) sponsor to the ITGI™.

Page 48: Virtualization and cloud impact overview auditor spin   enterprise gr-cv3