Virtualization And Cloud Impact Overview Auditor Spin Enterprise Gr Cv4

http://www.enterprisegrc.com

Virtualization and Cloud Essentials™
Readiness , An Auditor Spin
CompTIA™ & ITpreneurs Certification Readiness and
Auditor Centric Discussion, Presented by Robin Basham

Nice to meet you

Your Presenter, Robin Basham, M.Ed, M.IT, CISA, ITSM, CGEIT, CRISC,
ACC, CRP, VRP, CEO EnterpriseGRC Solutions, Blah, Blah, Blah, Cloud,
Blah, Blah, Blah, Cloud, Blah, Blah



Topics
 Your Context
 Key cloud concepts & terminology
 Standards and Frameworks for Cloud Implementation, Audit and Security
 Implications in Information Technology Service Management (ITSM)
 Security and legal aspects in governance
 Outline steps to:
 Increase success rate implementing cloud computing,

 improve in-house cloud competencies, decrease dependence on
external consultants and services
 Cloud and virtualization project components

 Please note that discussion will leverage guidelines proposed in the
CompTIA™ Cloud and Virtualization Essentials™ curriculum
 Copyrights for slide contents include EnterpriseGRC Solutions, ISACA®,
ITpreneurs™ , CompTIA™ , and NIST.
 Some slides presented are also a part of the Holistic Information
Security Practitioner Overview Training.
 We express our gratitude to ISACA, HISPI, CSA, Itpreneurs and CompTIA


©Copyright EnterpriseGRC Solutions™ , Inc. 2012, All Rights Reserved 4

Cloud will create 14 Millions Jobs by 2014

Login New
Threats

Login
Bury
Login

Login
Twitter
- tweet

Digg Questionnaire
LinkedIn
Share

Digg New Fraud
Like
New Like
Markets


Cloud Computing Definition
 National Institute of Standards and
Technology
(NIST Special Publication 800-145 (Draft)
 Model for enabling ubiquitous, convenient,
on-demand network access to a shared
pool of configurable computing resources
(e.g., networks, servers, storage,
applications, and services)
 Rapidly provisioned and released with
minimal management effort or service
provider interaction
 Composed of 5 essential characteristics, 3
service models, and 4 deployment
models.
 Source: http://www.nist.gov/itl/csd/cloud-
020111.cfm



What Is Cloud Computing? Essential Characteristics

5. Cloud enables resources to serve 1. Cloud delivers IT capabilities that scale
multiple needs for multiple consumers, with demand, rather than being defined by
rather than dedicating resources for a fixed set of assets.
individual infrastructure, software, or
platforms

2. Cloud is delivered as a well-
Cloud Computing
defined service, instead of as a
Where is it? product that needs system
4. Cloud is priced according
What is it? administrators and maintenance.
to recurring subscriptions or
has usage-based charges,
rather than having an up-
front cost
3. Cloud is typically based on
open Internet technology, which
increases its interoperability.



3 Service Models, SaaS, PaaS, IaaS
SaaS is the capability PaaS is the capability IaaS is the capability

Infrastructure as a Service
Software as a Service

Platform as a Service
provided to the consumer is provided to the consumer is provided to the consumer
to use the provider’s to deploy onto the cloud to provision processing,
applications running on a infrastructure consumer- storage, networks, and
cloud infrastructure; the created or acquired other fundamental
applications are accessible applications created using computing resources where
from various client devices programming languages and the consumer is able to
through a thin client tools supported by the deploy and run arbitrary
interface. such as a Web provider. The consumer software, which can include
browser (for example, Web- does not manage or control operating systems and
based e-mail); the the underlying cloud applications; the consumer
consumer does not manage infrastructure including does not manage or control
or control the underlying network, servers, operating the underlying cloud
cloud infrastructure, systems, or storage, but has infrastructure but has
including network, servers, control over the deployed control over operating
operating systems, storage, applications and possibly systems, storage, deployed
or even individual application hosting applications, and possibly
application capabilities, environment configurations. limited control over select
with the possible exception Examples are specialized networking components
of limited user-specific software libraries, (API and (for example, host firewalls)
application configuration Programming interfaces)
settings
Examples are Servers,
Examples Gmail, Virtual machines running as
Salesforce.com and a service
Microsoft



4 Deployment Models
1. Private
PRIVATE cloud. The cloud infrastructure is
operated solely for an organization.
PRIVATE COMMUNITY PUBLIC
Community cloud. The cloud infrastructure is
COMMUNITY
2.
shared by several organizations and supports a
specific community that has shared concerns
(e.g., mission, security requirements, policy,
and compliance considerations).

ACCESSIBILITY
Shared with General
Single Common Public / Large
3.
PUBLICPublic cloud. The cloud infrastructure is made Organization Interests / Industry
Requirements Group
available to the general public or a large
industry group and is owned by an
organization selling cloud services.
4. Hybrid
HYBRID cloud. The cloud infrastructure is a

MANAGEMENT
composition of two or more clouds (private, Organization
or Third Party
Organization
or Third Party
Cloud
Provider
community, or public) that remain unique
entities but are bound together by
standardized or proprietary technology that
enables data and application portability (e.g., HOST
On or Off
Premise
On or Off
Premise
On or Off
Premise
cloud bursting for load balancing between
clouds). http://www.enterprisegrc.com


The Test Answer: What is Cloud?
1. On-demand self-service: A consumer can unilaterally provision computing capabilities, such as
server time and network storage, as needed automatically without requiring human interaction
with each service’s provider.
2. Broad network access: Capabilities are available over the network and accessed through standard
mechanisms that promote use by heterogeneous thin or thick client platforms (e.g., mobile
phones, laptops, and PDAs).
3. Resource pooling: The provider’s computing resources are pooled to serve multiple consumers
using a multi-tenant model, with different physical and virtual resources dynamically assigned and
reassigned according to consumer demand. There is a sense of location independence in that the
customer generally has no control or knowledge over the exact location of the provided resources
but may be able to specify location at a higher level of abstraction (e.g., country, state, or
datacenter). Examples of resources include storage, processing, memory, network bandwidth, and
virtual machines.
4. Rapid elasticity: Capabilities can be rapidly and elastically provisioned, in some cases
automatically, to quickly scale out, and rapidly released to quickly scale in. To the consumer, the
capabilities available for provisioning often appear to be unlimited and can be purchased in any
quantity at any time.
5. Measured Service: Cloud systems automatically control and optimize resource use by leveraging a
metering capability at some level of abstraction appropriate to the type of service (e.g., storage,
processing, bandwidth, and active user accounts). Resource usage can be monitored, controlled,
and reported, providing transparency for both the provider and consumer of the utilized service.


To Have a Conversation about Cloud, there are
Three Terms We Will Say A Lot
 Virtualization: channels. (The business)
Abstractions compute  Asset Efficiency: Resulting
services away from their savings from buying,
physical hardware and housing, and supporting
allow them to be treated fewer devices, (a.k.a
as data. (The technology) benefit of Virtualization)
 Cloud: Builds on this
abstraction by allowing
services to be flexibly
sourced from a number of
providers and delivered
over a number of


Camps Debate Over The Safety Of Cloud Computing

Business and Government are already heavily invested
Cloud and Virtualization pose Auditors and the business must
unprecedented business value  Refine existing risk scenarios,
 Companies that rush to  Address new areas of
leverage cost savings, configuration management,
however, are also likely to  Modify change policies
experience our next biggest
 Align with new regulations
losses of all time.

http://www.theregister.co.uk/2
http://www.ftc.gov/os/2012/ 012/01/13/tieto_emc_crash/
03/120326privacyreport.pdf



You’re Already in the Cloud
– Let’s Talk About What that Means to IT Audit



Emerging Privacy Issues – Do Not Track

 Google

 Twitter

 Facebook

 SOPA Online Piracy Act
 ACTA, The Anti-
www.EPIC.ORG
Counterfeiting Trade
Agreement



Security and Legal Aspects
Issues Affecting Privacy



Privacy and Security In US & Global Laws,
Frameworks and Standards
Legal Consideration, Regulations, Investigations and Compliance

Domains Topic or Scope Industry Reach Law Standard Framework

Information
International Organization for Standards 27001:2005/27002:2005 All World  
Security

Health Insurance Portability and Accountability Act (HIPAA) Pub.L. 107-204 Privacy Medical USA 

Gramm-Leach-Bliley Act (GLBA) key rules under the Act The Financial
Privacy Rule (Subtitle A: Disclosure of Nonpublic Personal Information, Financial All USA 
codified at 15 U.S.C. §§ 6801–6809)

Sarbanes-Oxley Act of 2002 (SOX) Emphasis to section 17a-4, sections 302 Financial
Public USA 
& 404, Pub.L. 107-204 Assurance

Identity,
Fair and Accurate Credit Transactions Act of 2003 (FACTA) Pub.L. 108-159 Consumers USA 
Fraud

Payment Card Industry (PCI) Data Security Standard PCI DSS v2 2010
Entities
Information Security Information
processing World 
Security cardholder data

State Breach Laws such as California Senate Bill 1386 (SB-1386) (New York,
Privacy All data USA/ CA 
Nevada, Montana similar)

global
Basel III, Basel Committee on Banking Supervision capital adequacy Banking 
regulatory

Digital Millennium Copyright Act (DMCA), implements 1996 treaties World All digital
Copyright USA 
Intellectual Property Organization (WIPO) property


Privacy and Security In US & Global Laws, Frameworks and Standards
(Cont.)

Legal Consideration, Regulations, Investigations and Compliance
Law/
Domains Topic or Scope Industry Reach
Mandate
Standard Framework

Personal Information Protection and Electronic Documents Act
Privacy Electronic
(PIPEDA) and MODEL CODE FOR THE PROTECTION OF PERSONAL Documents
Private Sector Canada 
INFORMATION, CAN/CSA-Q830-96 (PIPA)

Canadian Office of the Superintendent of Financial Institutions Financial Banks, Insurance, 
Canada
(OSFI)(Compare to SEC) Assurance Pensions etc.

Can issue Cease & Desist
Federal Trade Commission Act 15 U.S.C §§ 41-58 to large Corporations
US Trade US 

Canada Bill 198 (CSOX) Corporate Disclosure Securities Ontario, CA 

European Network and Information Security Agency (ENISA) EU processing of personal European Union
Europe 
Data Privacy data directive

Information Security Federal / US - adopted
NIST SP800-53 and NIST SP 800-37R1 R.Assessment Government internationally
  

international Multi National
The Anti-Counterfeiting Trade Agreement (ACTA) Privacy / IP
standard Treaty


CobiT, Control Objectives for Information Technology IT Governance
Enterprise
International 
v4.1 and v5 Technology

COSO The Committee Of Sponsoring Organizations Of The Corporate
Enterprise Governance US (Japan, India, CA)  
Treadway Commission Governance

FedRamp, Proposed Security Assessment & Authorization for Security Assessment
US Government
US - adopted

U.S. Government Cloud Computing Cloud internationally

Enterprise
ITIL v3 (Associated to BS1500, OGC) IT Governance
Technology
International 



Who’s Working on This?



CSA CollaborationTrainingSBOs
Cloud Security Alliance with

 National Institute of Standards and Technology (NIST)
 European Network and Information Security Agency (ENISA)
 Common Assurance Maturity Model (CAMM)
 International Organization for Standardization (ISO) /
International Electrotechnical Commission (IEC) Joint
Technical Committee 1 / Subcommittee 27 and 38 (ISO/IEC
JTC1/SC 27 and 38)
 Information Systems Audit and Control Association (ISACA)
 ITU Telecommunication Standardization Sector (ITU-T)
(reprinted from August 2011 – Becky Swain, Co-Founder/Chair, CSA CCM, Board
Member, CSA Silicon Valley Chapter)



Critical ISACA Resource enable Cloud Audit
ISACA Cloud Audit Methodology, in three domains, 17 controls, and
140 detail testing objectives. Every test is mapped to CobiT
Cloud Audit Detail Control and Testing  Planning and Scoping the Audit
1.1 Define the audit/assurance objectives  Governing the Cloud
1.2 Define the boundaries of review
1.3 Identify and document risks
 Operating in the Cloud
1.4 Define the change process
1.5 Define assignment success
1.6 Define the audit/assurance resources required
1.7 Define deliverables
1.8 Communications
2.1 Governance and Enterprise Risk Management (ERM)
2.2 Legal and Electronic Discovery
2.3 Compliance and Audit
2.4 Portability and Interoperability
3.1 Incident Response, Notification and Remediation
3.2 Application Security
3.3 Data Security and Integrity
3.4 Identity and Access Management
3.5 Virtualization


Mapping Cloud Assurance to Existing CobiT
Assessment



Standards Referenced – Refresh ITIL Lifecycle
Stages, ISACA, NIST and CSA
 Service Management - (ITIL):
 Cloud computing as a set of
technologies and an approach to
Service Service Service Service
IT service delivery
Strategy Design Operations Transition
 Governance – (COBIT):
 Detailing ways that risks should be
mitigated such that investments Service
Request
generate value Catalogue
Management Fulfillment Change
Demand Management
 Information Security- (ISO/IEC 27001): Management
Service Level
 “Risk Management or Management Event
Management Service Asset
Governance” through specific and
“Policy” where information Supplier
Management
Configuration
Management
security ensures that information Service
Portfolio
Incident
Management
in the cloud is safe and secure Management
Capacity
Management Knowledge
 NIST Management
http://www.enterprisegrc.com/index.php?option=com_wrapper&view=wrapp Problem
er&Itemid=160 Management
Availability
 Cloud Security Alliance Management
Https://Cloudsecurityalliance.Org/ Finance
Deployment,
Management Information Access Decommission,
 ISACA - Controls Assurance In The Security Management and Transfer
Cloud http://www.isaca.org/Knowledge- Management
Center/Research/ResearchDeliverables/Pages/IT-Control-Objectives-for-Cloud-
Computing-Controls-and-Assurance-in-the-Cloud.aspx


Virtualization is an enabling technology
 Virtualization is an enabling technology for cloud
computing and cloud computing services.
 For cloud computing to occur, it is necessary to separate
resources from their physical location. Without
virtualization, the cloud becomes very difficult to
manage.
 Cloud computing is a business model where ownership of
physical resources rests with one party, and the service
users are billed for their real use. An organization can use
virtualization for internal customers. Cloud computing
presupposes external service users.
 The Cloud Model is a transformation in how IT is
delivered.


Business Impact
 Business value can be something positive that has been
added, but it can also be something negative that is
reduced.
 When considering Cloud and Virtualization, here are
some of business and IT concerns.
Security and
User
Cost Maintenance Risk Flexibility Expansion
Experience
Management

including capital
cost for servers,
Businesses
storage, network, current
determines the expands and
software, and so applications not IT systems
enthusiasm with contracts. For
on, and the only involves regulatory and continue to
which most
operational cost money and time, legal reasons and expand beyond
applications will organizations, the
involved in but also quite a for business the physical
be integrated in flexibility of IT
running the IT bit of continuity borders of the
the day-to-day plays a crucial
systems management organization
business role in facilitating
consumes a large attention.
growth.
portion of a
business budget.



CapEx and OpEx – Reasons for Using Cloud Providers
 Cloud providers can deliver lower cost because they enjoy economies of scale. Clients don't have to
purchase large amounts of hardware; instead, they are able to invest in cost-saving operational
procedures, which are easy to justify.

Capital expenses (CapEx): Cloud
computing drives greater optimization
and utilization of IT assets, allowing you
to do more with less and to realize
significant cost reduction. You can take
on IT capital investments in increments
of required capacity instead of building
for maximum, or burst, capacity.

Operating expenses (OpEx): Although IT
would continue to make capital
investments, Public cloud offerings are
billed to the enterprise on a pay-per-use
basis, and private clouds can be treated
as OpEx by consuming business units.
Through automation, cloud computing
reduces the amount of time and effort
needed to provision and scale IT
resources.



Business Value in Virtualization



Discussion Perspectives: User, Vendor and
Technology

 User Perspective: involves some of the
following goals of technology and business:
User Vendor Technology

• Server consolidation and • Is a framework or • Enables IT groups to deploy
asset efficiency methodology of dividing the and manage resources as
• Migration to an industry- resources of a computer into logical services instead of
standard X86 hardware multiple executions physical resources.
architecture environments by applying • Using network virtualization,
• Speeding up the concepts or technologies. IT administrators can
provisioning of servers and • Examples include hardware segment and align IT
storage and software partitioning, services to meet the specific
• Reduction in capital time-sharing, partial or user and group network
expenditure complete machine needs.
simulation, emulation and • Logical, secure
• Enabling a more mobile
quality of service. segmentation helps IT
workforce
comply with regulations for
resource specific security.



New Tools, New Processes, New RunBooks
– Asset, Release, Patch, Backup Restore, and Monitor
 The introduction of virtualization brings many Help Desk Tools

changes that need to be reflected in the tools
that administrators use to manage systems. Configuration Management Databases

Some examples of the types of changes that Monitoring and Alerting Tools
need to be addressed include:
 Servers and workstations no longer are tied to
Security Audit Tools

a particular, known location.
 Releasing software patches is different in a
Citrix Desktop
Director
virtual environment.
 Backup and restore - central location as
VMware View
opposed to execution on the machine. Manager
 Monitoring tools that are used to correlating
hardware and software events may no longer Cisco UCS
understand where dependencies lie. Manager
 In addition, each virtual platform has its own
management tools, which need to be RHEV-M
integrated into operations.


Virtualization Simplifies Application Development
Process
Agile Development Multi-tier Packaging and Defect Management
Environments Installation
Conventional approaches to
packaging and installation
When dealing with code that can leave customers and
runs in different environments, systems administrators with Some software defects can
as in commercial software or
even when sharing an the complex task of be extremely hard to track
application between installing the application down when they involve
Agile Development, which
geographies or business units in and its dependencies and networks of application
calls for rapid, incremental
a single company, it can be properly configuring the code on different machines
delivery of new code in a
hard to replicate bugs and test software. With careful performing unpredictably.
running system driven by whether fixes work. planning, this kind of Defects can be greatly
specific test cases, can be Virtualization can aid here in a repetitive systems dependent on timing, and
greatly streamlined by number of ways: administration task can so-called Heisenbugs can be
virtualization. The developer •maintain multiple testing become a thing of the past incredibly hard to isolate.
can clone an environment to environments without as development teams When an entire network of
hand over to testers and expensive, rarely used deploy software as virtual machines is virtualized and
continue to work without hardware. appliances ready to run in a run on a single machine for
having to spend time •Ability to keep literally all server virtualization test purposes, advanced
laboriously recreating versions of the software run environment. With debugging systems like Sun
environments for testing. ready
contemporary virtualization Microsystems' DTRACE can
•Virtual snapshot of a
customer's running system
platforms, even greatly reduce the
and bring it intact into the lab sophisticated multi-tier complexity of the problem.
for testing. applications can be
packaged and released,
ready to install and go.

Werner Heisenberg, a key figure in the development of modern physics, posited that when you observe a system you change its state.
The development community uses the term "Heisenbug" to denote a bug that disappears when you try to measure or isolate it.

29


Cloud Journey – IT Operational Viewpoint
Level Adoption Migration Operation Virtualization
Technology
Operations model has been adopted to
Migration is largely
Physical hosts are only take full advantage of automation and Self-service portals
completed, but
4 - Enabled used in very exceptional self service. Support organization is Orchestration
tools are available
circumstances service focused rather than Reporting frameworks
if required
technology focused
Large-scale mass
VM is the default choice migration Management
Virtualization support responsibilities
and is approved for all exercises using frameworks
3 - Managed are clearly defined. An operational
classes of use, including automated tools Capacity Management
center of virtualization expertise exists.
production are in progress or tools
have completed

Product specific
VM approved for some Migration is largely Organization has not changed to reflect
management and
2 - Adopting functions, for example, manual and small virtualization, but existing functions
migration tools
dev/ test scale can provide basic support

Migration tools Virtualization is supported largely by
1 - Evaluating Limited Pilots Hypervisor
under evaluation the engineering function

0 - Un- No engineered or Process takes no account of
No activity None
adopted supported VM hosts virtualization



Types of Infrastructure, Network and Site Risk



Risks and Actions to Mitigate in Enterprise Virtualization



Strategic Drivers
 Programmers are no longer able to take advantage of this
much power with conventional programming techniques.
This was earthshaking news back in 2005 when it seemed
that programmers would all have to be retrained, or the new
hardware would remain underutilized.
 Applications increasingly need to be concurrent in order to
fully exploit the continuing exponential CPU throughput
gains. Concurrent programming is complicated, subtle, and
requires both training and experience.
 Virtualization allows us to keep these incredibly fast
machines busy with programs written by normal
programmers without these specialized skills. In large part,
this factor is what is behind the recent acceleration of
virtualization.



Concerns and Solutions - Three Camps
 When introducing adoption of virtualization,
people should have some concerns.

Can we
Will it
Is it Proven? adapt this to
Perform?
our Culture?



Enabling the Technology Journey
Virtualization and cloud computing are steps on a journey towards a more flexible and
cost-efficient way of delivering IT. To move physical hardware and software to the
cloud, a transition in IT Delivery must be made. The move will require new expertise,
processes, and technologies.

Legacy Virtualization Cloud
• Data Center • Data Center • Infrastructure as a
Hardware • Workplace Service
Server-Oriented Virtualization • Platform as a Service
• Software as a Service

Problems that are Overcome through Use of Virtualization:

Running out of capacity.

Having costly, superfluous capacity.

Having too much capital tied up in server hardware.



Cloud & Vituralization Concerns and Solutions

Proven Technology • putting multiple applications on a single server will greatly increase
- Solutions the impact of a hardware failure. This concern is valid and should be
addressed by careful placement and cluster design to ensure that the
Careful Placement impact of specific failures is well understood and that the cluster
and Cluster Design provides appropriate failover capabilities.

Performance -
• virtual infrastructure will become so swamped with applications that
Solutions
performance will be impacted. To address this, it is important that
Monitoring, Service organizations introduce monitoring and service reporting to
Reporting, demonstrate that the infrastructure is operating within capacity and
Governance effective governance mechanisms to take action when it is not.
Mechanisms

Cultural Solutions - • Enterprise-scale virtualization should be viewed as a new service. It
(Control, Service will require formal service definitions and the establishment of
Definition, Technology appropriate Service Level Agreements (SLAs) and Operational Level
Knowledge) Education Agreements (OLAs). It will also require appropriate education of the
and Reorganization workforce and is likely to need a degree of reorganization within the
data center.



IT Delivery Requirements and Strategic Consideration

 Moves from physical to virtual space requires changes in
people and technology, mandating virtualization
specialists, shared hardware, and hypervisors. (People
and Technology)

Virtualization Specialists: Shared Hardware: Hypervisors:

• staff must acquire • Virtualization makes in- • Virtualization introduces a
specialized skills in the house infrastructure vastly new layer between the
management of new more efficient by allowing server hardware and the
technology, such as teams to share hardware operating system of the
hypervisors, remote that is underutilized or traditional IT stack. This new
desktops, and virtualized utilized only at specific peak layer requires technical
storage. These new periods. The resulting expertise to manage. It also
platforms not only require a savings from buying, means that organizational
different approach, they housing, and supporting decisions regarding the
must also be integrated with fewer devices, termed Asset server hardware and
the rest of the organization. Efficiency, is one of the operating systems must be
• (People) great benefits of reexamined.
Virtualization. (cont.) • (Technology)



Physical to Virtual Space – IT Delivery (People)

 You need Sourcing Expertise and Common IT Business
Strategy, as well as Federation and Security processes.
Cloud management platforms must be adopted, and
people should think about service and not hardware.

Sourcing Expertise Common IT and Business Strategy:

• Virtualization introduces the possibility, • IT strategy is always formulated in support
and Cloud Computing further requires that of the business, but as an organization
externally sourced IT services play a matures and engages in both sourcing in
greater role in the overall IT mix. and delivering out capabilities in a cloud
• Organizations need staff with vendor environment, IT decisions become
management and partner relationships decisions about who and where the
skills, that is, sourcing expertise. company does business. IT and business
strategy become inseparable. For staff to
engage in successful strategy, they need to
understand both the business they work in
and IT.



Physical to Virtual Space – IT Delivery
Common Challenges, Federation, Security (Process)

Federation: Security and Risk:

• When applications are supplied by a • Because cloud computing involves
number of independent providers, the moving from an environment
need arises to ensure a consistent view completely under in-house control to
of critical underlying data across these one in which a number of external
providers. vendors are relied upon, it poses
• One common challenge is identity unique challenges to the
federation, where multiple services confidentiality, integrity, and
trust each other's user information, availability of data and processes with
such as access rights and preferences. significant bearing on the risk profile of
• Another challenge is master data the organization.
federation, where common corporate
data, such as product inventories or
customer data, is shared across a
number of applications.



Common Benefits: Service Model for Platforms and
the overall Service Catalogue (Technology)

Cloud Management Platforms: Service, Not Hardware:

• A company that adopts cloud • As an organization becomes
computing must bring together comfortable with
diverse services from a variety virtualization, they stop talking
of vendors, as well as in-house about their servers and instead
capabilities, in a consistent and talk about the capacity they
consistently managed way. The need and where it must be
emerging category of cloud located. A company that
management provides the adopts cloud computing can
capability to realize the own few servers while being
potential of anytime, able to deliver any number of
anywhere cloud computing. virtual servers for just as long
as their developers need them.



Virtualization and cloud computing share People
Benefits
 Virtualization and cloud computing share the need for
cross-silo expertise, dynamic environments, usage
metering, self-service, automation, and management
tools.
Cross-Silo Expertise: Dynamic Environment:

• As an organization gains • In a typical company, processes such as server
experience with virtualization, installation and inventory management orient
roles within IT delivery are around configuration changes that, once
redefined. provisioned, will last for years.
• Historically, planning, provisioning, • Virtualized and cloud environments scale up
and troubleshooting required a and down dynamically and require supporting
combination of skills such as processes to handle changes that might last
networking and UNIX system for only minutes or hours.
administration, which in a • For example, a developer might bring up a
conventional enterprise, were network of fifty VMs to test a batch job
often found in separate IT silos. after lunch and be done with them at 5
o'clock.



Virtualization and cloud computing share Process
Benefits

Self-Service: Usage Metering:

• In a complex organization, • Before virtualization, hardware and
conventional procedures to buy software assets were typically
equipment or make configuration allocated to an individual business
changes can take months to area within a company. The owning
complete. group bore the cost of purchase,
• Manually intensive; requests can housing, and support. However, as
become "lost in the mail." sharing increases with virtualization
• A balanced approach to self-service, and cloud computing, it becomes
which maintains control over necessary to collect usage statistics
financial, operational, and technical to allocate costs fairly. The design of
constraints and delivers quickly this metering is critical for the
when a standard request is made, is discipline of demand management,
typical of the benefits virtualization which keeps costs under control.
and cloud computing bring to
business and IT users alike.



Virtualization and cloud computing share Technology
Challenges and Benefits

Automation: Management Tools:

• The move from physical to • Most enterprises have invested
virtual allows the automation of in a set of management tools to
a much greater proportion of handle IT configurations, help-
the IT workload than in a desk processes, monitoring, and
conventional environment. other familiar IT challenges.
• Separating the process of • Virtualization, together with the
resource allocation in hardware virtual and cloud-operating
purchase allows a much-more models, means that the systems
streamlined and efficient that underpin in-house systems
process for delivering customer management must evolve to
requests for capacity and support both the new
change. technologies and the new, more-
dynamic operating model.
(Using clouds helps to meet this
challenge)


Virtualization is Not Appropriate for All Cases
 There are a number of considerations when
evaluating a candidate for virtualization,
a skilled IT
and for determining whether the time is
workforce right for making the leap. Organizational
considerations for assessing virtualization
readiness include the need for:

the extent to
which capital
is expensive
or
unavailable

whether there exists a
high rate of IT change
and critical use or a
relatively static one



Organizational Readiness
Good Candidate Think Carefully
Organization Organization
• Skilled IT Workforce: • Lack of In-house Skill Set:
• A skilled workforce is able and willing to take on • Virtualization requires specific technical skills on
the technical and operational challenges posed the new platforms. It also changes the way
by virtualization. Furthermore, skilled workers existing processes—data backup, virus
want to work at an innovative and leading protection, software distribution, and so on—
organization. This is a strong positive indicator for should operate. Management must seek to
virtualization readiness. improve the staff's skill set through training,
• Capital Expensive or Unavailable: retraining, or outsourcing. This is a weak negative
• One of the easiest financial benefits to achieve indicator for virtualization readiness.
with virtualization is a reduction or avoidance of • Relatively Static IT:
capital expense by deferring the purchase of new • For many organizations IT is a key enabler, but
servers and the related items—data centers, some organizations' needs are minimal and
networks, and so on—that they require. This is a without variation. If a business provides only the
strong positive indicator for virtualization most basic services, then now may not be the
readiness. time to virtualize. Nevertheless, over time, it is
• High Rate of IT Change and Critical Use: likely that all services will be provided in a virtual
• Virtualization, done right, can greatly reduce the environment. This is a negative indicator of
time it takes to deliver an IT service. It can also virtualization readiness.
greatly streamline major projects, such as
premises moves and merger integration. This is a
strong positive indicator for virtualization
readiness.


 Process considerations for assessing
virtualization readiness include a service
weak management culture, difficulty sharing
processes and among business units, and weak processes
controls and controls.

difficulty
sharing
among
business
units

service management
culture



Process Readiness – CobiT Maturity DS3, DS1, DS8

Good Candidate Considerations Either Way Think Carefully
Process Process Process
• Service Management Culture: • Difficulty Sharing Among • Difficulty Sharing:
• Virtualization requires a Business Units: Complex • If the problem lies in a shortage of resources,
proactive approach to service organizations often have great the solution is stronger governance and not a
management and IT difficulty sharing IT assets technical fix.
assurance. Problems would among separately managed • Weak Processes and Controls:
quickly arise from ineffective business units. This can be due
• lacks defined processes and should tread
controls supporting to organizational contention for
carefully into virtualization. Processes must be
performance and scarce resources, or it can be
in place and adhered to or problems will arise.
functionality targets. due to externally imposed
pressures affecting change • The most critical processes to review include:
• Having a strong service-
windows and the ability to be • Capacity Management: It is important not to
management mentality is a
flexible. over-provision the virtual environment, or
key success factor and a
• Virtual infrastructure is shared everyone's performance will suffer, and with
strong positive indicator for
infrastructure, but with one it the reputation and viability of the virtual IT
virtualization readiness.
important difference—the services.
• Difficulty Sharing:
users can be isolated from each • Service-Level Management: It is important to
• users can be isolated from set expectations with users and provide
other with well-proven
each other with well-proven follow-up to ensure their expectations are
technology.
technology. If the root cause met, especially when rolling out a new
of inability to share is poor technology.
change management
• Incident and Problem Management:
problems, virtualization can
Virtualization isolates services from their
help.
underlying hardware and enables a great
degree of consolidation and efficiency, but
this can also mean that there are a lot of eggs
in one basket.



 Technological considerations for
assessing virtualization readiness
Endemic poor
include:
utilization
 Endemic poor utilization,
 lifecycle management problems,
 highly utilized infrastructure,
lifecycle  input/output – intensive application,
management
problems  third-party support issues, and
Third party
dependency  custom hardware dependency.
Custom Hardware

highly utilized infrastructure,
input/output – intensive
application



Technology Readiness
Good Candidate Considerations Either Way
Think Carefully
Technology Technology
• Endemic poor utilization, • Infrastructure is Highly Utilized: • Third-Party Support Issues: Some
Virtualization can directly address One of virtualization's major applications may not be
poor utilization of servers, storage, benefits is increasing utilization supported, or may not be fully
and networks. This is a strong through consolidation. If the supported, in a virtual
positive signal for virtualization infrastructure is already highly environment. An example of this is
readiness. utilized, this would seem to be a Microsoft Active Director, which is
• Lifecycle Management Problems: negative signal. However, it is fully supported on Microsoft's own
In many cases, organizations find possible that demand is unevenly Hyper-V virtualization platform but
themselves unable to keep spread across the IT estate; in this is not fully supported on other
software versions up to date due case, virtualization can make it platforms. Applications with this
to a lack of resources, including easier to migrate IT services and characteristic are poor candidates
the availability of environments for can help address the issue. for virtualization.
test and development, and • Input/Output – Intensive • Custom Hardware Dependency:
because of downtime for Application: In the past, Some applications are tied to
upgrades. virtualization systems were custom hardware. The attached
• Virtualization simplifies software challenged to deliver performance hardware might be as simple as a
maintenance by enabling multiple for IO-intensive applications. dongle for license management, or
environments to run in parallel, Although great strides have been as complex as a device-control
making testing and, in the event of made in improving IO throughput interface or a modem rack.
a problem, rollback much easier. with application, server, and Applications with this
This is a strong positive signal for hardware-level virtualization characteristic are poor candidates
virtualization readiness. technology, there may still be for virtualization.
issues dependent on the IO
workload in question. This is
generally a neutral indicator.



Data Center Virtualization Characteristics

 Regardless of whether the applications need the
resources at any given time,
 the typical corporate data center is full of expensive
equipment, most of which is dedicated to specific
applications.

Management Tools

Server Storage Network
virtualization virtualization virtualization



Workplace Virtualization Characteristics
 In the workplace, virtualization also applies to the familiar workplace
environment of personal computers and desktop applications. A typical
workplace has a large number of computers scattered throughout the
premises, each needing to be managed and kept current with the latest
software.
 It is important to note that when we say workplace we are focused on the
desktop and mobile data applications in the workplace. While concepts in
virtualization also apply to other aspects of the workplace such as the
physical office, telephones, and meeting rooms, those are not specifically
covered in this course.

Workplace virtualization

virtual
server-based workstation application
desktop
computing virtualization virtualization
infrastructure



Return on Investment in Adopting Virtualization
 Underpinned by common management tools and
processes
 All aspects of systems management must account for MONITORING
virtualization. Not only must the chosen set of
virtualization technologies itself be managed as a
platform, but the enterprise tools associated with
 Monitoring PROVISIONING
 Provisioning
 Incident And Problem Management
 Inventory Management , and INCIDENT AND
 Software Development And Releases, must all be PROBLEM
integrated to ensure that they work well in a virtual MANAGEMENT
environment.
 Although it is possible to treat virtual infrastructure
as if it were only physical infrastructure and not INVENTORY
change the organization's way of working, this MANAGEMENT

eliminates much of the benefits of virtualization in
the first place.
 Adopting a new, virtual, infrastructure operating SOFTWARE
DEVELOPMENT AND
model is critical to achieve Return on Investment RELEASES
(ROI).


Audit Watch for Migration Problems
 IP addresses might need changing in configuration files and
certificates might need to be updated.
 Issues that are expressly problematic for virtualization include
requirements for particular hardware, such as hardware
dongles or RS232 connections.
 Applications with very high I/O requirements, life-critical
applications, and real-time applications, such as applications
that have interfaces to special hardware with demanding time
requirements.
 Ifan application is consuming a large amount of CPU or
memory resources, it might not be a candidate for
consolidation even if it can be virtualized.
 Benefits likely to still outweigh the risk: downtime
avoidance, disaster recovery, and increased availability.


ITIL Glossary
Application service Service Design (This term is now superseded by ‘SaaS service provider,’ though not exactly identical) (ITIL® phase: Service Design) An external
provider service provider that provides IT services using applications running at the service provider’s premises; users access the
applications by network connections to the service provider
Architecture Service Design (ITIL® phase: Service Design) The structure of a system or IT service, including the relationships of components to each other and
to the environment they are in; architecture also includes the standards and guidelines, which guide the design and evolution of
the system
Assets Service Strategy Asset: (ITIL® phase: Service Strategy) Any resource or capability; assets of a service provider include anything that could
contribute to the delivery of a service; assets can be one of the following types: Management, Organization, Process, Knowledge,
People, Information, Applications, Infrastructure, and Financial Capital
Availability Service Design (ITIL® phase: Service Design) Ability of a Configuration Item or IT service to perform its agreed function when required;
availability is determined by reliability, maintainability, serviceability, performance, and security; availability is usually calculated
as a percentage; this calculation is often based on agreed service time and downtime; it is best practice to calculate availability
using measurements of the business output of the IT service
Backup Service Design (ITIL® phase: Service Design) (ITIL phase: Service Operation) Copying data to protect against loss of integrity or availability of the
original
Business continuity Service Design (ITIL® phase: Service Design) The business process responsible for managing risks that could seriously impact the business; BCM
management safeguards the interests of key stakeholders, reputation, and brand and value-creating activities; the BCM process involves
reducing risks to an acceptable level and planning for the recovery of business processes should a disruption to the business
occur; BCM sets the objectives, scope, and requirements for IT Service Continuity Management

Capacity Service Design (ITIL® phase: Service Design) The maximum throughput that a Configuration Item or IT service can deliver while meeting agreed
service level targets; for some types of CIs, capacity may be the size or volume, for example, a disk drive

Capacity Management Service Design (ITIL® phase: Service Design) The process responsible for ensuring that the capacity of IT services and the IT infrastructure is able
to deliver agreed service level targets in a cost-effective and timely manner; Capacity Management considers all resources
required to deliver the IT service and plans for short-, medium-, and long-term business requirements

Change Advisory Service Transition (ITIL® phase: Service Transition) A group of people that advises the Change Manager in the assessment, prioritization, and
Board scheduling of changes; this board is usually made up of representatives from all areas within the IT service provider, the
business, and third parties, such as suppliers
Change Management Service Transition (ITIL® phase: Service Transition) The process responsible for controlling the lifecycle of all changes; the primary objective of
Change Management is to enable beneficial changes to be made, with minimum disruption to IT services

Charging Service Strategy (ITIL® phase: Service Strategy) Requiring payment for IT services; charging for IT services is optional, and many organizations
choose to treat their IT service provider as a cost center
Confidentiality Service Design The security goal that generates the requirement for protection from intentional or accidental attempts to perform
unauthorized data reads; confidentiality covers data in storage, during processing, and in transit (ITIL phase: Service Design); a
security principle that requires that data should only be accessed by authorized people
Configuration Service Transition (ITIL® phase: Service Transition) A generic term used to describe a group of Configuration Items that work together to deliver an
IT service or a recognizable part of an IT service; configuration is also used to describe the parameter settings for one or more CIs


Virtualization And Cloud Impact Overview Auditor Spin Enterprise Gr Cv4

Virtualization And Cloud Impact Overview Auditor Spin Enterprise Gr Cv4

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Viewers also liked

Viewers also liked (15)

Similar to Virtualization And Cloud Impact Overview Auditor Spin Enterprise Gr Cv4

Similar to Virtualization And Cloud Impact Overview Auditor Spin Enterprise Gr Cv4 (20)

More from EnterpriseGRC Solutions, Inc.

More from EnterpriseGRC Solutions, Inc. (7)

Virtualization And Cloud Impact Overview Auditor Spin Enterprise Gr Cv4