Virtualization And Cloud Impact Overview Auditor Spin Enterprise Gr Cv4
The Controlling Risk in Virtualized Environments session discusses practical education and Information Technology approaches, providing strategies for effective risk management in virtualization and cloud adoption. The topic covers key cloud concepts and terminology, cloud and virtualization project components and their implications for Information Technology Service Management (ITSM), as well as security and legal aspects of governance. The discussion will be interactive.
Leveraging guidelines proposed in the CompTIA Cloud™ and ITpreneurs Virtualization Essentials™ curriculum, this hour will also outline steps organizations should take to increase their success rate in implementing cloud computing, improve in-house cloud competencies, and decrease dependence on external consultants and services.
Discussion points include:
Service Management (ITIL): cloud computing as a set of technologies and an approach to IT service delivery.
Governance (COBIT): detailing ways that risks should be mitigated such that investments generate value.
Information Security (ISO/IEC 27001): "Risk Management or Governance" through specific "Policy", where information security ensures that information in the cloud is safe and secure.
Participants in this class will be provided with the ING Cloud Case Study, which they may find useful in preparing their own corporate cloud strategy.
  1. ©Copyright EnterpriseGRC Solutions™, Inc. 2012, All Rights Reserved
  2. Virtualization and Cloud Essentials™ Readiness, An Auditor Spin. CompTIA™ & ITpreneurs Certification Readiness and Auditor Centric Discussion, presented by Robin Basham.
  3. Nice to meet you. Your presenter: Robin Basham, M.Ed, M.IT, CISA, ITSM, CGEIT, CRISC, ACC, CRP, VRP, CEO EnterpriseGRC Solutions. Blah, Blah, Blah, Cloud, Blah, Blah, Blah, Cloud, Blah, Blah.
  4. Topics
       Your context
       Key cloud concepts & terminology
       Standards and frameworks for cloud implementation, audit and security
       Implications in Information Technology Service Management (ITSM)
       Security and legal aspects in governance
       Outline steps to: increase the success rate of implementing cloud computing; improve in-house cloud competencies; decrease dependence on external consultants and services
       Cloud and virtualization project components
       Please note that the discussion will leverage guidelines proposed in the CompTIA™ Cloud and Virtualization Essentials™ curriculum. Copyrights for slide contents include EnterpriseGRC Solutions, ISACA®, ITpreneurs™, CompTIA™, and NIST. Some slides presented are also part of the Holistic Information Security Practitioner Overview Training. We express our gratitude to ISACA, HISPI, CSA, ITpreneurs and CompTIA.
  5. Cloud will create 14 million jobs by 2014. [Slide graphic: social login and share buttons (Twitter, Digg, LinkedIn, Like) alongside the labels New Threats, New Fraud, New Markets and Questionnaire.]
  6. Cloud Computing Definition (National Institute of Standards and Technology, NIST Special Publication 800-145 (Draft))
       A model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services)
       that can be rapidly provisioned and released with minimal management effort or service provider interaction
       composed of 5 essential characteristics, 3 service models, and 4 deployment models.
       (Source link cut off on the page: 020111.cfm)
  7. What Is Cloud Computing? Essential Characteristics
       1. Cloud delivers IT capabilities that scale with demand, rather than being defined by a fixed set of assets.
       2. Cloud is delivered as a well-defined service, instead of as a product that needs system administrators and maintenance.
       3. Cloud is typically based on open Internet technology, which increases its interoperability.
       4. Cloud is priced according to recurring subscriptions or has usage-based charges, rather than having an up-front cost.
       5. Cloud enables resources to serve multiple needs for multiple consumers, rather than dedicating resources for individual infrastructure, software, or platforms.
       [Slide diagram: "Cloud Computing: What is it? Where is it?" at the centre of the five points.]
  8. 3 Service Models: SaaS, PaaS, IaaS
       Software as a Service (SaaS): the capability provided to the consumer is to use the provider's applications running on a cloud infrastructure; the applications are accessible from various client devices through a thin client interface such as a Web browser (for example, Web-based e-mail). The consumer does not manage or control the underlying cloud infrastructure, including network, servers, operating systems, storage, or even individual application capabilities, with the possible exception of limited user-specific application configuration settings. Examples: Gmail and Microsoft (the Microsoft example is cut off on the page).
       Platform as a Service (PaaS): the capability provided to the consumer is to deploy onto the cloud infrastructure consumer-created or acquired applications created using programming languages and tools supported by the provider. The consumer does not manage or control the underlying cloud infrastructure, including network, servers, operating systems, or storage, but has control over the deployed applications and possibly application hosting environment configurations. Examples: specialized software libraries (APIs and programming interfaces).
       Infrastructure as a Service (IaaS): the capability provided to the consumer is to provision processing, storage, networks, and other fundamental computing resources where the consumer is able to deploy and run arbitrary software, which can include operating systems and applications. The consumer does not manage or control the underlying cloud infrastructure but has control over operating systems, storage, deployed applications, and possibly limited control over select networking components (for example, host firewalls). Examples: servers, virtual machines running as a service.
  9. 4 Deployment Models
       1. Private cloud: the cloud infrastructure is operated solely for an organization.
       2. Community cloud: the cloud infrastructure is shared by several organizations and supports a specific community that has shared concerns (e.g., mission, security requirements, policy, and compliance considerations).
       3. Public cloud: the cloud infrastructure is made available to the general public or a large industry group and is owned by an organization selling cloud services.
       4. Hybrid cloud: the cloud infrastructure is a composition of two or more clouds (private, community, or public) that remain unique entities but are bound together by standardized or proprietary technology that enables data and application portability (e.g., cloud bursting for load balancing between clouds).
       [Slide comparison table for Private / Community / Public. Accessibility: single organization / shared with common interests or requirements / general public or large industry group. Management: organization or third party / organization or third party / cloud provider. Host: on or off premise for all three.]
  10. The Test Answer: What Is Cloud?
       1. On-demand self-service: a consumer can unilaterally provision computing capabilities, such as server time and network storage, as needed automatically without requiring human interaction with each service's provider.
       2. Broad network access: capabilities are available over the network and accessed through standard mechanisms that promote use by heterogeneous thin or thick client platforms (e.g., mobile phones, laptops, and PDAs).
       3. Resource pooling: the provider's computing resources are pooled to serve multiple consumers using a multi-tenant model, with different physical and virtual resources dynamically assigned and reassigned according to consumer demand. There is a sense of location independence in that the customer generally has no control or knowledge over the exact location of the provided resources but may be able to specify location at a higher level of abstraction (e.g., country, state, or datacenter). Examples of resources include storage, processing, memory, network bandwidth, and virtual machines.
       4. Rapid elasticity: capabilities can be rapidly and elastically provisioned, in some cases automatically, to quickly scale out, and rapidly released to quickly scale in. To the consumer, the capabilities available for provisioning often appear to be unlimited and can be purchased in any quantity at any time.
       5. Measured service: cloud systems automatically control and optimize resource use by leveraging a metering capability at some level of abstraction appropriate to the type of service (e.g., storage, processing, bandwidth, and active user accounts). Resource usage can be monitored, controlled, and reported, providing transparency for both the provider and the consumer of the utilized service.
  11. To Have a Conversation About Cloud, There Are Three Terms We Will Say a Lot
       Virtualization: abstracts compute services away from their physical hardware and allows them to be treated as data. (The technology)
       Cloud: builds on this abstraction by allowing services to be flexibly sourced from a number of providers and delivered over a number of channels. (The business)
       Asset Efficiency: the resulting savings from buying, housing, and supporting fewer devices (a.k.a. the benefit of virtualization).
  12. Camps Debate Over the Safety of Cloud Computing
       One camp: business and government are already heavily invested; cloud and virtualization pose unprecedented business value.
       The other camp: companies that rush to leverage cost savings, however, are also likely to experience our next biggest losses of all time.
       Auditors and the business must: refine existing risk scenarios; address new areas of configuration management; modify change policies; align with new regulations.
       (Source links cut off on the page: 012/01/13/tieto_emc_crash/ and 03/120326privacyreport.pdf)
  13. You're Already in the Cloud – Let's Talk About What That Means to IT Audit
  14. Emerging Privacy Issues – Do Not Track
       Google
       Twitter
       Facebook
       SOPA, the Stop Online Piracy Act
       ACTA, the Anti-Counterfeiting Trade Agreement
       www.EPIC.ORG
  15. Security and Legal Aspects: Issues Affecting Privacy
  16. Privacy and Security in US & Global Laws, Frameworks and Standards. Legal considerations, regulations, investigations and compliance. Table columns: Law / Standard / Framework; Domain; Topic or Scope; Industry; Reach.
       International Organization for Standardization ISO/IEC 27001:2005 / 27002:2005: Domain Information Security; Scope All; Reach World.
       Health Insurance Portability and Accountability Act (HIPAA), Pub.L. 104-191: Domain Privacy; Industry Medical; Reach USA.
       Gramm-Leach-Bliley Act (GLBA); key rule under the Act: the Financial Privacy Rule (Subtitle A: Disclosure of Nonpublic Personal Information, codified at 15 U.S.C. §§ 6801–6809): Domain Privacy; Industry Financial; Scope All; Reach USA.
       Sarbanes-Oxley Act of 2002 (SOX), Pub.L. 107-204, with emphasis on sections 302 & 404 and on SEC Rule 17a-4 (records retention): Domain Financial Assurance; Industry Public companies; Reach USA.
       Fair and Accurate Credit Transactions Act of 2003 (FACTA), Pub.L. 108-159: Domain Identity, Fraud; Industry Consumers; Reach USA.
       Payment Card Industry Data Security Standard (PCI DSS) v2, 2010: Domain Information Security; Scope cardholder data; Industry Entities processing cardholder data; Reach World.
       State breach laws such as California Senate Bill 1386 (SB-1386) (New York, Nevada and Montana have similar laws): Domain Privacy; Scope All data; Reach USA / CA.
       Basel III, Basel Committee on Banking Supervision: Domain Banking capital adequacy; Scope Regulatory; Reach Global.
       Digital Millennium Copyright Act (DMCA), implementing the 1996 World Intellectual Property Organization (WIPO) treaties: Domain Copyright; Scope All digital property; Reach USA.
       [The slide's Law / Standard / Framework tick-box columns did not survive extraction.]
  17. Privacy and Security in US & Global Laws, Frameworks and Standards (cont.). Table columns: Law / Standard / Framework / Mandate; Domain; Topic or Scope; Industry; Reach.
       Personal Information Protection and Electronic Documents Act (PIPEDA) and the Model Code for the Protection of Personal Information, CAN/CSA-Q830-96 (PIPA): Domain Privacy; Scope Electronic documents; Industry Private sector; Reach Canada.
       Canadian Office of the Superintendent of Financial Institutions (OSFI) (compare to the SEC): Domain Financial Assurance; Industry Banks, insurance, pensions etc.; Reach Canada.
       Federal Trade Commission Act, 15 U.S.C. §§ 41–58 (can issue cease-and-desist orders to large corporations): Domain US Trade; Reach US.
       Canada Bill 198 (CSOX): Domain Corporate Disclosure; Industry Securities; Reach Ontario, CA.
       European Network and Information Security Agency (ENISA): Domain EU Data Privacy; Scope Processing of personal data directive; Industry European Union; Reach Europe.
       NIST SP 800-53 and NIST SP 800-37 Rev. 1: Domain Information Security, Risk Assessment; Industry Federal / Government; Reach US, adopted internationally.
       The Anti-Counterfeiting Trade Agreement (ACTA): Domain Privacy / IP; Scope International standard; Industry Multinational; Reach Treaty.
       COBIT, Control Objectives for Information and Related Technology, v4.1 and v5: Domain IT Governance; Industry Enterprise Technology; Reach International.
       COSO, the Committee of Sponsoring Organizations of the Treadway Commission: Domain Corporate Governance; Industry Enterprise Governance; Reach US (Japan, India, CA).
       FedRAMP, proposed security assessment and authorization for U.S. Government cloud computing: Domain Security Assessment, Cloud; Industry US Government; Reach US, adopted internationally.
       ITIL v3 (associated with BS 15000, OGC): Domain IT Governance; Industry Enterprise Technology; Reach International.
       [The slide's Law / Standard / Framework / Mandate tick-box columns did not survive extraction.]
  18. Who's Working on This?
  19. CSA Collaboration, Training, SBOs: Cloud Security Alliance with
       National Institute of Standards and Technology (NIST)
       European Network and Information Security Agency (ENISA)
       Common Assurance Maturity Model (CAMM)
       International Organization for Standardization (ISO) / International Electrotechnical Commission (IEC) Joint Technical Committee 1 / Subcommittees 27 and 38 (ISO/IEC JTC1/SC 27 and SC 38)
       Information Systems Audit and Control Association (ISACA)
       ITU Telecommunication Standardization Sector (ITU-T)
       (Reprinted from August 2011 – Becky Swain, Co-Founder/Chair, CSA CCM, Board Member, CSA Silicon Valley Chapter)
  20. Critical ISACA Resource Enabling Cloud Audit: the ISACA Cloud Audit Methodology, in three domains, 17 controls, and 140 detailed testing objectives. Every test is mapped to COBIT.
       Cloud Audit Detail Control and Testing:
       1. Planning and Scoping the Audit: 1.1 Define the audit/assurance objectives; 1.2 Define the boundaries of review; 1.3 Identify and document risks; 1.4 Define the change process; 1.5 Define assignment success; 1.6 Define the audit/assurance resources required; 1.7 Define deliverables; 1.8 Communications.
       2. Governing the Cloud: 2.1 Governance and Enterprise Risk Management (ERM); 2.2 Legal and Electronic Discovery; 2.3 Compliance and Audit; 2.4 Portability and Interoperability.
       3. Operating in the Cloud: 3.1 Incident Response, Notification and Remediation; 3.2 Application Security; 3.3 Data Security and Integrity; 3.4 Identity and Access Management; 3.5 Virtualization.
  21. Mapping Cloud Assurance to Existing COBIT Assessment
  22. Standards Referenced – Refresh: ITIL Lifecycle Stages, ISACA, NIST and CSA
       Service Management (ITIL): cloud computing as a set of technologies and an approach to IT service delivery.
       Governance (COBIT): detailing ways that risks should be mitigated such that investments generate value.
       Information Security (ISO/IEC 27001): "Risk Management or Governance" through specific "Policy", where information security ensures that information in the cloud is safe and secure.
       NIST (link cut off on the page: er&Itemid=160)
       Cloud Security Alliance: https://cloudsecurityalliance.org/
       ISACA – Controls Assurance in the Cloud (link cut off on the page: Center/Research/ResearchDeliverables/Pages/IT-Control-Objectives-for-Cloud-Computing-Controls-and-Assurance-in-the-Cloud.aspx)
       [Slide diagram: the ITIL lifecycle stages Service Strategy, Service Design, Service Transition and Service Operation, with the processes Service Portfolio Management, Demand Management, Finance Management, Service Catalogue Management, Service Level Management, Supplier Management, Capacity Management, Availability Management, Information Security Management, Change Management, Service Asset and Configuration Management, Knowledge Management, Deployment/Decommission and Transfer Management, Request Fulfillment, Event Management, Incident Management, Problem Management and Access Management.]
  23. Virtualization Is an Enabling Technology
       Virtualization is an enabling technology for cloud computing and cloud computing services.
       For cloud computing to occur, it is necessary to separate resources from their physical location. Without virtualization, the cloud becomes very difficult to manage.
       Cloud computing is a business model where ownership of physical resources rests with one party, and the service users are billed for their real use. An organization can use virtualization for internal customers; cloud computing presupposes external service users.
       The cloud model is a transformation in how IT is delivered.
  24. Business Impact
       Business value can be something positive that has been added, but it can also be something negative that is reduced.
       When considering cloud and virtualization, here are some of the business and IT concerns:
       Cost: capital cost for servers, storage, network, software, and so on, and the operational cost involved in running the IT systems, consumes a large portion of a business budget.
       Maintenance: maintaining current applications not only involves money and time, but also quite a bit of management attention.
       Security and Risk Management: required of IT systems for regulatory and legal reasons and for business continuity.
       Expansion: businesses expand and contract, and continue to expand beyond the physical borders of the organization.
       User Experience: determines the enthusiasm with which applications will be integrated in the day-to-day business.
       Flexibility: for most organizations, the flexibility of IT plays a crucial role in facilitating growth.
  25. CapEx and OpEx – Reasons for Using Cloud Providers
       Cloud providers can deliver lower cost because they enjoy economies of scale. Clients don't have to purchase large amounts of hardware; instead, they are able to invest in cost-saving operational procedures, which are easy to justify.
       Capital expenses (CapEx): cloud computing drives greater optimization and utilization of IT assets, allowing you to do more with less and to realize significant cost reduction. You can take on IT capital investments in increments of required capacity instead of building for maximum, or burst, capacity.
       Operating expenses (OpEx): although IT would continue to make capital investments, public cloud offerings are billed to the enterprise on a pay-per-use basis, and private clouds can be treated as OpEx by the consuming business units. Through automation, cloud computing reduces the amount of time and effort needed to provision and scale IT resources.
  26. Business Value in Virtualization
  27. Discussion Perspectives: User, Vendor and Technology
       User perspective, involving some of the following goals of technology and business: server consolidation and asset efficiency; migration to an industry-standard x86 hardware architecture; speeding up the provisioning of servers and storage; reduction in capital expenditure; enabling a more mobile workforce.
       Vendor perspective: virtualization is a framework or methodology of dividing the resources of a computer into multiple execution environments by applying concepts or technologies. Examples include hardware and software partitioning, time-sharing, partial or complete machine simulation, emulation and quality of service.
       Technology perspective: virtualization enables IT groups to deploy and manage resources as logical services instead of physical resources. Using network virtualization, IT administrators can segment and align IT services to meet the specific user and group network needs. Logical, secure segmentation helps IT comply with regulations for resource-specific security.
  28. New Tools, New Processes, New RunBooks – Asset, Release, Patch, Backup/Restore, and Monitor
       The introduction of virtualization brings many changes that need to be reflected in the tools that administrators use to manage systems. Some examples of the types of changes that need to be addressed include:
       Servers and workstations are no longer tied to a particular, known location.
       Releasing software patches is different in a virtual environment.
       Backup and restore run from a central location as opposed to executing on the machine.
       Monitoring tools that are used to correlate hardware and software events may no longer understand where dependencies lie.
       In addition, each virtual platform has its own management tools, which need to be integrated into operations.
       [Slide sidebar, tools affected: Help Desk Tools; Configuration Management Databases; Monitoring and Alerting Tools; Security Audit Tools; Citrix Desktop Director; VMware View Manager; Cisco UCS Manager; RHEV-M.]
  29. Virtualization Simplifies the Application Development Process
       Agile Development: Agile Development, which calls for rapid, incremental delivery of new code in a running system driven by specific test cases, can be greatly streamlined by virtualization. The developer can clone an environment to hand over to testers and continue to work without having to spend time laboriously recreating environments for testing.
       Multi-tier Packaging and Installation: conventional approaches to packaging and installation can leave customers and systems administrators with the complex task of installing the application and its dependencies and properly configuring the software. With careful planning, this kind of repetitive systems administration task can become a thing of the past as development teams deploy software as virtual appliances ready to run in a server virtualization environment. With contemporary virtualization platforms, even sophisticated multi-tier applications can be packaged and released, ready to install and go.
       Defect Management: some software defects can be extremely hard to track down when they involve networks of application code on different machines performing unpredictably. Defects can be greatly dependent on timing, and so-called Heisenbugs can be incredibly hard to isolate. When an entire network of machines is virtualized and run on a single machine for test purposes, advanced debugging systems like Sun Microsystems' DTrace can greatly reduce the complexity of the problem.
       Environments: when dealing with code that runs in different environments, as in commercial software or even when sharing an application between geographies or business units in a single company, it can be hard to replicate bugs and test whether fixes work. Virtualization can aid here in a number of ways: maintain multiple testing environments without expensive, rarely used hardware; keep literally all versions of the software run-ready; take a virtual snapshot of a customer's running system and bring it intact into the lab for testing.
       Werner Heisenberg, a key figure in the development of modern physics, posited that when you observe a system you change its state. The development community uses the term "Heisenbug" to denote a bug that disappears when you try to measure or isolate it.
  30. Cloud Journey – IT Operational Viewpoint (table columns: Level; Adoption; Migration; Operation; Virtualization Technology)
       4 - Enabled. Adoption: physical hosts are only used in very exceptional circumstances. Migration: largely completed, but continues if required. Operation: an operations model has been adopted to take full advantage of automation and self-service; the support organization is service focused rather than technology focused. Technology: self-service portals, orchestration tools and reporting frameworks are available.
       3 - Managed. Adoption: the VM is the default choice and is approved for all classes of use, including production. Migration: large-scale mass migration exercises using automated tools are in progress or have completed. Operation: virtualization support responsibilities are clearly defined; an operational center of virtualization expertise exists. Technology: management frameworks and capacity management tools.
       2 - Adopting. Adoption: VMs approved for some functions, for example dev/test. Migration: largely manual and small scale. Operation: the organization has not changed to reflect virtualization, but existing functions can provide basic support. Technology: product-specific management and migration tools.
       1 - Evaluating. Adoption: limited pilots. Migration: migration tools. Operation: virtualization is supported largely by the engineering function. Technology: hypervisor under evaluation.
       0 - Unadopted. Adoption: no engineered or supported VM hosts. Migration: no activity. Operation: process takes no account of virtualization. Technology: none.
  31. Types of Infrastructure, Network and Site Risk
  32. Risks and Actions to Mitigate in Enterprise Virtualization
  33. Strategic Drivers
       Programmers are no longer able to take advantage of this much processing power with conventional programming techniques. This was earthshaking news back in 2005, when it seemed that programmers would all have to be retrained or the new hardware would remain underutilized.
       Applications increasingly need to be concurrent in order to fully exploit the continuing exponential CPU throughput gains. Concurrent programming is complicated and subtle, and requires both training and experience.
       Virtualization allows us to keep these incredibly fast machines busy with programs written by ordinary programmers without these specialized skills. In large part, this factor is what is behind the recent acceleration of virtualization.
  34. Concerns and Solutions – Three Camps
       When introducing adoption of virtualization, people should have some concerns: Is it proven? Will it perform? Can we adapt this to our culture?
  35. Enabling the Technology Journey
       Virtualization and cloud computing are steps on a journey towards a more flexible and cost-efficient way of delivering IT. To move physical hardware and software to the cloud, a transition in IT delivery must be made. The move will require new expertise, processes, and technologies.
       Legacy: data center hardware; server-oriented.
       Virtualization: data center virtualization; workplace virtualization.
       Cloud: Infrastructure as a Service; Platform as a Service; Software as a Service.
       Problems that are overcome through use of virtualization: running out of capacity; having costly, superfluous capacity; having too much capital tied up in server hardware.
  36. Cloud & Virtualization Concerns and Solutions
       Proven technology (solution: careful placement and cluster design): the concern is that putting multiple applications on a single server will greatly increase the impact of a hardware failure. This concern is valid and should be addressed by careful placement and cluster design, to ensure that the impact of specific failures is well understood and that the cluster provides appropriate failover capabilities.
       Performance (solutions: monitoring, service reporting, governance mechanisms): the concern is that the virtual infrastructure will become so swamped with applications that performance will be impacted. To address this, it is important that organizations introduce monitoring and service reporting to demonstrate that the infrastructure is operating within capacity, and effective governance mechanisms to take action when it is not.
       Culture (solutions: control, service definition, technology knowledge, education and reorganization): enterprise-scale virtualization should be viewed as a new service. It will require formal service definitions and the establishment of appropriate Service Level Agreements (SLAs) and Operational Level Agreements (OLAs). It will also require appropriate education of the workforce and is likely to need a degree of reorganization within the data center.
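The "careful placement" answer on this slide, and the dependency blind spot on slide 28 (monitoring tools no longer know which hardware a service depends on), both come down to one question an auditor can ask of the CMDB or hypervisor manager export: if this host or this cluster fails, which applications go down entirely? The Python below is an added example written for this page, not code from the deck or from any of the vendors it names; the placement inventory, VM, host, cluster and application names are all constructed for illustration.

```python
"""Failure-impact check over VM placement.

Added example for slides 28 and 36; not code from the EnterpriseGRC deck.
Input is a flat placement inventory (VM, host, cluster, application),
the kind of mapping a CMDB or the hypervisor manager can export.
"""
from collections import defaultdict

# Constructed sample placement: hypothetical VM, host, cluster and
# application names, not a real environment.
PLACEMENT = [
    # vm           host       cluster   application
    ("web-01",     "esx-a1",  "clu-a",  "webshop"),
    ("web-02",     "esx-a2",  "clu-a",  "webshop"),
    ("db-01",      "esx-a1",  "clu-a",  "webshop-db"),
    ("db-02",      "esx-a1",  "clu-a",  "webshop-db"),     # both DB nodes share a host
    ("erp-01",     "esx-b1",  "clu-b",  "erp"),
    ("erp-02",     "esx-b2",  "clu-b",  "erp"),            # spread over hosts, same cluster
    ("batch-01",   "esx-a2",  "clu-a",  "nightly-batch"),  # single instance by design
]


def instances_by_app(placement):
    """Group placement rows by application."""
    apps = defaultdict(list)
    for vm, host, cluster, app in placement:
        apps[app].append({"vm": vm, "host": host, "cluster": cluster})
    return apps


def single_points_of_failure(placement, domain="host"):
    """Applications whose every instance sits in one failure domain.

    domain is "host" or "cluster". Returns {application: domain_name}.
    A single-instance application is reported too: it is a SPOF by
    construction and should be an explicit, accepted decision.
    """
    spof = {}
    for app, inst in instances_by_app(placement).items():
        domains = {i[domain] for i in inst}
        if len(domains) == 1:
            spof[app] = next(iter(domains))
    return spof


def blast_radius(placement, failed, domain="host"):
    """What a failure of `failed` (a host or cluster name) takes with it.

    "down" lists applications that lose all instances, "degraded" those
    that only lose capacity. Both lists are sorted for stable output.
    """
    down, degraded = [], []
    for app, inst in instances_by_app(placement).items():
        hit = [i for i in inst if i[domain] == failed]
        if not hit:
            continue
        (down if len(hit) == len(inst) else degraded).append(app)
    return {"down": sorted(down), "degraded": sorted(degraded)}


if __name__ == "__main__":
    for dom in ("host", "cluster"):
        print(f"single points of failure by {dom}: {single_points_of_failure(PLACEMENT, dom)}")
    for host in sorted({row[1] for row in PLACEMENT}):
        print(f"loss of {host}: {blast_radius(PLACEMENT, host)}")
```

Run against a real export, anything a production application shows in "down" for a single host is a placement finding, and a cluster-level SPOF is the cluster-design finding; re-running the check after every migration wave is what keeps the dependency map current once VMs stop living on a fixed machine.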
  37. 37. IT Delivery Requirements and Strategic Consideration  Moves from physical to virtual space requires changes in people and technology, mandating virtualization specialists, shared hardware, and hypervisors. (People and Technology) Virtualization Specialists: Shared Hardware: Hypervisors: • staff must acquire • Virtualization makes in- • Virtualization introduces a specialized skills in the house infrastructure vastly new layer between the management of new more efficient by allowing server hardware and the technology, such as teams to share hardware operating system of the hypervisors, remote that is underutilized or traditional IT stack. This new desktops, and virtualized utilized only at specific peak layer requires technical storage. These new periods. The resulting expertise to manage. It also platforms not only require a savings from buying, means that organizational different approach, they housing, and supporting decisions regarding the must also be integrated with fewer devices, termed Asset server hardware and the rest of the organization. Efficiency, is one of the operating systems must be • (People) great benefits of reexamined. Virtualization. (cont.) • (Technology)©Copyright EnterpriseGRC Solutions™ , Inc. 2012, All Rights Reserved 37
  38. 38. Physical to Virtual Space – IT Delivery (People)  You need Sourcing Expertise and Common IT Business Strategy, as well as Federation and Security processes. Cloud management platforms must be adopted, and people should think about service and not hardware. Sourcing Expertise Common IT and Business Strategy: • Virtualization introduces the possibility, • IT strategy is always formulated in support and Cloud Computing further requires that of the business, but as an organization externally sourced IT services play a matures and engages in both sourcing in greater role in the overall IT mix. and delivering out capabilities in a cloud • Organizations need staff with vendor environment, IT decisions become management and partner relationships decisions about who and where the skills, that is, sourcing expertise. company does business. IT and business strategy become inseparable. For staff to engage in successful strategy, they need to understand both the business they work in and IT.©Copyright EnterpriseGRC Solutions™ , Inc. 2012, All Rights Reserved 38
39. Physical to Virtual Space – IT Delivery Common Challenges, Federation, Security (Process)
Federation:
• When applications are supplied by a number of independent providers, the need arises to ensure a consistent view of critical underlying data across these providers.
• One common challenge is identity federation, where multiple services trust each other's user information, such as access rights and preferences.
• Another challenge is master data federation, where common corporate data, such as product inventories or customer data, is shared across a number of applications.
Security and Risk:
• Because cloud computing involves moving from an environment completely under in-house control to one in which a number of external vendors are relied upon, it poses unique challenges to the confidentiality, integrity, and availability of data and processes, with significant bearing on the risk profile of the organization.
40. Common Benefits: Service Model for Platforms and the overall Service Catalogue (Technology)
Cloud Management Platforms:
• A company that adopts cloud computing must bring together diverse services from a variety of vendors, as well as in-house capabilities, in a consistent and consistently managed way. The emerging category of cloud management provides the capability to realize the potential of anytime, anywhere cloud computing.
Service, Not Hardware:
• As an organization becomes comfortable with virtualization, they stop talking about their servers and instead talk about the capacity they need and where it must be located. A company that adopts cloud computing can own few servers while being able to deliver any number of virtual servers for just as long as their developers need them.
41. Virtualization and cloud computing share People Benefits
Virtualization and cloud computing share the need for cross-silo expertise, dynamic environments, usage metering, self-service, automation, and management tools.
Cross-Silo Expertise:
• As an organization gains experience with virtualization, roles within IT delivery are redefined.
• Historically, planning, provisioning, and troubleshooting required a combination of skills such as networking and UNIX system administration, which in a conventional enterprise were often found in separate IT silos.
Dynamic Environment:
• In a typical company, processes such as server installation and inventory management orient around configuration changes that, once provisioned, will last for years.
• Virtualized and cloud environments scale up and down dynamically and require supporting processes to handle changes that might last for only minutes or hours.
• For example, a developer might bring up a network of fifty VMs to test a batch job after lunch and be done with them at 5 o'clock.
42. Virtualization and cloud computing share Process Benefits
Self-Service:
• In a complex organization, conventional procedures to buy equipment or make configuration changes can take months to complete.
• Manually intensive; requests can become "lost in the mail."
• A balanced approach to self-service, which maintains control over financial, operational, and technical constraints and delivers quickly when a standard request is made, is typical of the benefits virtualization and cloud computing bring to business and IT users alike.
Usage Metering:
• Before virtualization, hardware and software assets were typically allocated to an individual business area within a company. The owning group bore the cost of purchase, housing, and support. However, as sharing increases with virtualization and cloud computing, it becomes necessary to collect usage statistics to allocate costs fairly. The design of this metering is critical for the discipline of demand management, which keeps costs under control.
43. Virtualization and cloud computing share Technology Challenges and Benefits
Automation:
• The move from physical to virtual allows the automation of a much greater proportion of the IT workload than in a conventional environment.
• Separating the process of resource allocation from hardware purchase allows a much more streamlined and efficient process for delivering customer requests for capacity and change.
Management Tools:
• Most enterprises have invested in a set of management tools to handle IT configurations, help-desk processes, monitoring, and other familiar IT challenges.
• Virtualization, together with the virtual and cloud operating models, means that the systems that underpin in-house systems management must evolve to support both the new technologies and the new, more dynamic operating model. (Using clouds helps to meet this challenge.)
44. Virtualization is Not Appropriate for All Cases
There are a number of considerations when evaluating a candidate for virtualization, and for determining whether the time is right for making the leap. Organizational considerations for assessing virtualization readiness include the need for:
• a skilled IT workforce
• the extent to which capital is expensive or unavailable
• whether there exists a high rate of IT change and critical use or a relatively static one
45. Organizational Readiness
Good Candidate Organization:
• Skilled IT Workforce: A skilled workforce is able and willing to take on the technical and operational challenges posed by virtualization. Furthermore, skilled workers want to work at an innovative and leading organization. This is a strong positive indicator for virtualization readiness.
• Capital Expensive or Unavailable: One of the easiest financial benefits to achieve with virtualization is a reduction or avoidance of capital expense by deferring the purchase of new servers and the related items—data centers, networks, and so on—that they require. This is a strong positive indicator for virtualization readiness.
• High Rate of IT Change and Critical Use: Virtualization, done right, can greatly reduce the time it takes to deliver an IT service. It can also greatly streamline major projects, such as premises moves and merger integration. This is a strong positive indicator for virtualization readiness.
Think Carefully Organization:
• Lack of In-house Skill Set: Virtualization requires specific technical skills on the new platforms. It also changes the way existing processes—data backup, virus protection, software distribution, and so on—should operate. Management must seek to improve the staff's skill set through training, retraining, or outsourcing. This is a weak negative indicator for virtualization readiness.
• Relatively Static IT: For many organizations IT is a key enabler, but some organizations' needs are minimal and without variation. If a business provides only the most basic services, then now may not be the time to virtualize. Nevertheless, over time, it is likely that all services will be provided in a virtual environment. This is a negative indicator of virtualization readiness.
46. Virtualization is Not Appropriate for All Cases
Process considerations for assessing virtualization readiness include:
• a weak service management culture
• difficulty sharing among business units
• weak processes and controls
47. Process Readiness – CobiT Maturity DS3, DS1, DS8
Good Candidate Process:
• Service Management Culture: Virtualization requires a proactive approach to service management and IT assurance. Problems would quickly arise from ineffective controls supporting performance and functionality targets. Having a strong service-management mentality is a key success factor and a strong positive indicator for virtualization readiness.
• Difficulty Sharing: Users can be isolated from each other with well-proven technology.
Considerations Either Way Process:
• Difficulty Sharing Among Business Units: Complex organizations often have great difficulty sharing IT assets among separately managed business units. This can be due to organizational contention for scarce resources, or it can be due to externally imposed pressures affecting change windows and the ability to be flexible. Virtual infrastructure is shared infrastructure, but with one important difference—the users can be isolated from each other with well-proven technology. If the root cause of the inability to share is poor change management, virtualization can help.
Think Carefully Process:
• Difficulty Sharing: If the problem lies in a shortage of resources, the solution is stronger governance and not a technical fix.
• Weak Processes and Controls: An organization that lacks defined processes should tread carefully into virtualization. Processes must be in place and adhered to or problems will arise. The most critical processes to review include:
• Capacity Management: It is important not to over-provision the virtual environment, or everyone's performance will suffer, and with it the reputation and viability of the virtual IT services.
• Service-Level Management: It is important to set expectations with users and provide follow-up to ensure their expectations are met, especially when rolling out a new technology.
• Incident and Problem Management: Virtualization isolates services from their underlying hardware and enables a great degree of consolidation and efficiency, but this can also mean that there are a lot of eggs in one basket.
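The usage metering described on slide 42 and the capacity-management check on slide 47 come down to the same bookkeeping: know what each VM was promised, what the host actually has, and who consumed it. The following Python is an added example, not material from the slides or from the CompTIA/ITpreneurs curriculum; the host capacity, VM inventory, cost figure and commitment limits are constructed for illustration, and the limits are a hypothetical policy rather than any vendor guidance.

```python
"""Usage metering and capacity check for a shared virtual host.

Added example (not from the slides): a constructed VM inventory and host
capacity illustrate (a) the usage statistics needed to allocate shared cost
fairly across business units and (b) a capacity-management check that flags
an over-provisioned host. All names, numbers and limits are assumptions.
"""
from collections import defaultdict

# Constructed host capacity: physical cores and RAM behind the hypervisor.
HOST_CAPACITY = {"vcpus": 64, "memory_gb": 512}

# Constructed commitment limits (hypothetical policy values, not a standard):
# vCPUs may be oversubscribed up to 1.5x, memory is kept at or below capacity.
COMMIT_LIMITS = {"vcpus": 1.5, "memory_gb": 1.0}

# Constructed VM inventory: sizing plus hours run during the billing month.
VMS = [
    {"name": "erp-01", "unit": "finance", "vcpus": 16, "memory_gb": 128, "hours": 720},
    {"name": "erp-02", "unit": "finance", "vcpus": 16, "memory_gb": 128, "hours": 720},
    {"name": "web-01", "unit": "sales", "vcpus": 8, "memory_gb": 32, "hours": 720},
    {"name": "web-02", "unit": "sales", "vcpus": 8, "memory_gb": 32, "hours": 720},
    # Short-lived test pool: large, but it only ran for an afternoon.
    {"name": "batch-test", "unit": "dev", "vcpus": 64, "memory_gb": 80, "hours": 6},
]


def commitment_ratios(vms, host):
    """Ratio of resources promised to VMs against what the host actually has."""
    allocated = defaultdict(int)
    for vm in vms:
        for resource in host:
            allocated[resource] += vm[resource]
    return {resource: allocated[resource] / host[resource] for resource in host}


def overcommit_findings(vms, host, limits):
    """One finding per resource whose commitment exceeds the policy limit."""
    findings = []
    for resource, ratio in commitment_ratios(vms, host).items():
        if ratio > limits[resource]:
            findings.append(
                f"{resource}: committed {ratio:.2f}x of capacity, "
                f"limit is {limits[resource]:.2f}x"
            )
    return findings


def chargeback(vms, monthly_host_cost):
    """Split the host's monthly cost across business units by vCPU-hours used.

    Metering on consumption rather than on allocation means the dev pool that
    ran for six hours pays for six hours, not for a month of 64 vCPUs.
    """
    vcpu_hours = defaultdict(int)
    for vm in vms:
        vcpu_hours[vm["unit"]] += vm["vcpus"] * vm["hours"]
    total = sum(vcpu_hours.values())
    return {
        unit: round(monthly_host_cost * hours / total, 2)
        for unit, hours in vcpu_hours.items()
    }


if __name__ == "__main__":
    for finding in overcommit_findings(VMS, HOST_CAPACITY, COMMIT_LIMITS):
        print("CAPACITY:", finding)
    for unit, cost in chargeback(VMS, 3494.40).items():
        print(f"CHARGEBACK: {unit:<8} {cost:>8.2f}")
```

With the constructed inventory the host is committed at 1.75x on vCPUs, which exceeds the assumed 1.5x limit and is reported, while memory sits at 0.78x and passes; the chargeback splits the constructed monthly cost by vCPU-hours so the finance unit bears most of it and the short-lived test pool almost none.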
48. Virtualization is Not Appropriate for All Cases
Technological considerations for assessing virtualization readiness include:
• endemic poor utilization,
• lifecycle management problems,
• highly utilized infrastructure,
• input/output-intensive applications,
• third-party support issues, and
• custom hardware dependency.
49. Technology Readiness
Good Candidate Technology:
• Endemic Poor Utilization: Virtualization can directly address poor utilization of servers, storage, and networks. This is a strong positive signal for virtualization readiness.
• Lifecycle Management Problems: In many cases, organizations find themselves unable to keep software versions up to date due to a lack of resources, including the availability of environments for test and development, and because of downtime for upgrades. Virtualization simplifies software maintenance by enabling multiple environments to run in parallel, making testing and, in the event of a problem, rollback much easier. This is a strong positive signal for virtualization readiness.
Considerations Either Way Technology:
• Infrastructure is Highly Utilized: One of virtualization's major benefits is increasing utilization through consolidation. If the infrastructure is already highly utilized, this would seem to be a negative signal. However, it is possible that demand is unevenly spread across the IT estate; in this case, virtualization can make it easier to migrate IT services and can help address the issue.
• Input/Output-Intensive Application: In the past, virtualization systems were challenged to deliver performance for IO-intensive applications. Although great strides have been made in improving IO throughput with application, server, and hardware-level virtualization technology, there may still be issues dependent on the IO workload in question. This is generally a neutral indicator.
Think Carefully Technology:
• Third-Party Support Issues: Some applications may not be supported, or may not be fully supported, in a virtual environment. An example of this is Microsoft Active Directory, which is fully supported on Microsoft's own Hyper-V virtualization platform but is not fully supported on other platforms. Applications with this characteristic are poor candidates for virtualization.
• Custom Hardware Dependency: Some applications are tied to custom hardware. The attached hardware might be as simple as a dongle for license management, or as complex as a device-control interface or a modem rack. Applications with this characteristic are poor candidates for virtualization.
50. Data Center Virtualization Characteristics
Regardless of whether the applications need the resources at any given time, the typical corporate data center is full of expensive equipment, most of which is dedicated to specific applications.
Underpinned by management tools:
• Server virtualization
• Storage virtualization
• Network virtualization
51. Workplace Virtualization Characteristics
In the workplace, virtualization also applies to the familiar workplace environment of personal computers and desktop applications. A typical workplace has a large number of computers scattered throughout the premises, each needing to be managed and kept current with the latest software.
It is important to note that when we say workplace we are focused on the desktop and mobile data applications in the workplace. While concepts in virtualization also apply to other aspects of the workplace such as the physical office, telephones, and meeting rooms, those are not specifically covered in this course.
Workplace virtualization:
• virtual desktop infrastructure
• server-based computing
• workstation virtualization
• application virtualization
52. Return on Investment in Adopting Virtualization
Underpinned by common management tools and processes.
All aspects of systems management must account for virtualization. Not only must the chosen set of virtualization technologies itself be managed as a platform, but the enterprise tools associated with
• Monitoring,
• Provisioning,
• Incident and Problem Management,
• Inventory Management, and
• Software Development and Releases
must all be integrated to ensure that they work well in a virtual environment.
Although it is possible to treat virtual infrastructure as if it were only physical infrastructure and not change the organization's way of working, this eliminates much of the benefit of virtualization in the first place.
Adopting a new, virtual infrastructure operating model is critical to achieving Return on Investment (ROI).
53. Audit Watch for Migration Problems
• IP addresses might need changing in configuration files, and certificates might need to be updated.
• Issues that are expressly problematic for virtualization include requirements for particular hardware, such as hardware dongles or RS232 connections.
• Applications with very high I/O requirements, life-critical applications, and real-time applications, such as applications that have interfaces to special hardware with demanding time requirements.
• If an application is consuming a large amount of CPU or memory resources, it might not be a candidate for consolidation even if it can be virtualized.
• Benefits likely to still outweigh the risk: downtime avoidance, disaster recovery, and increased availability.
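The first audit point above, stale IP addresses in configuration files and in certificates, is something an auditor can check mechanically against the migration plan rather than by interview. The following Python is an added example and not part of the presentation or the curriculum it draws on: the old-to-new address map, the configuration file contents and the certificate's Subject Alternative Name list are all constructed inline, and the function names are my own.

```python
"""Pre-migration audit check for hard-coded addresses.

Added example, not from the slides. Given a migration plan that maps old
physical-host addresses to their new virtual addresses, report every
configuration line that still references an old address and every
certificate SAN entry that will be stale after the move. Every input below
is a constructed sample.
"""
import ipaddress
import re

# Matches dotted-quad candidates; each one is validated with ipaddress below
# so that strings such as "999.1.1.1" are not reported as addresses.
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

# Constructed migration plan: old physical host address -> new virtual address.
MIGRATION_MAP = {
    "10.1.5.20": "10.9.0.20",
    "10.1.5.21": "10.9.0.21",
}

# Constructed configuration files, keyed by path (in practice: read from disk).
CONFIG_FILES = {
    "app/db.conf": "db_host = 10.1.5.20\ndb_port = 5432\n",
    "app/cache.conf": "redis_url = redis://10.1.5.21:6379/0\n",
    "app/logging.conf": "syslog_server = 10.2.7.7\n",  # not being migrated
}

# Constructed SAN entries as they would be listed from the current certificate.
CERT_SANS = ["DNS:app.corp.example", "IP Address:10.1.5.20"]


def find_ip_references(files, migration_map):
    """Return (path, line_no, old_ip, new_ip) for each hard-coded old address."""
    findings = []
    for path, text in files.items():
        for line_no, line in enumerate(text.splitlines(), start=1):
            for candidate in IPV4_RE.findall(line):
                try:
                    ipaddress.ip_address(candidate)
                except ValueError:
                    continue  # looked like an address but is not one
                if candidate in migration_map:
                    findings.append((path, line_no, candidate, migration_map[candidate]))
    return findings


def stale_cert_sans(sans, migration_map):
    """Return SAN entries that pin an address the migration retires.

    A certificate whose SAN names the old IP will fail hostname/IP matching
    once clients connect to the new address, so it must be reissued.
    """
    stale = []
    for entry in sans:
        kind, _, value = entry.partition(":")
        if kind.strip() == "IP Address" and value.strip() in migration_map:
            stale.append(entry)
    return stale


def migration_report(files, sans, migration_map):
    """Human-readable audit lines combining both checks."""
    lines = [
        f"{path}:{line_no}: references {old}, migrates to {new}"
        for path, line_no, old, new in find_ip_references(files, migration_map)
    ]
    lines += [f"certificate SAN '{entry}' will be stale after migration"
              for entry in stale_cert_sans(sans, migration_map)]
    return lines


if __name__ == "__main__":
    for line in migration_report(CONFIG_FILES, CERT_SANS, MIGRATION_MAP):
        print(line)
```

Against the constructed inputs the check reports the database and cache configuration lines, leaves the syslog address alone because it is not in the plan, and flags the certificate whose SAN pins the old database address. In a real engagement the file contents come from the candidate system and the SAN list from the deployed certificate; the comparison logic is unchanged.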