Virtual Machine Sprawl Will Challenge IT Management SkillsVirtual Machine Sprawl Will Challenge IT Management Skills

Software developers like to use virtual machines because they can cheaply mimic a target environment.

Testers like virtual machines because they can test more combinations of new software with parts of the infrastructure in virtual machines.

Department heads like virtual appliances -- applications teamed up with an operating system in virtual machine-ready file format -- because they can be downloaded off the Internet, tried out, and pressed into service immediately, without the usual delays.

And each of these examples illustrates how virtualizing the enterprise leads to uncontrolled, virtual machine sprawl, with IT managers not knowing how many virtual machines they're running, where they're running, whether they're offline and stored away, or whether they're secure.

"I've had asset managers in some organizations tell me horror stories about how they're asked to license a virtual appliance in the next 24 hours because the trial period is about to expire, and the software is already in production," said Anil Desai, an independent consultant and author of the white paper "Controlling VM Sprawl."

"Those virtual appliances were never intended to go into production," because they haven't been configured by the IT managers for a given enterprise production environment. Nevertheless, he said in an inteview, "it happens all the time" that virtual machines and virtual appliances get deployed without the knowledge of IT staffs.

Desai also is the former solutions architect at Surgient, the virtual lab software supplier and hosting service in Austin, Texas. Desai added 350 servers during his 2004-2005 stint at Surgient as it became a host where Adobe Systems, BEA Systems, Microsoft, Siebel, and other firms demonstrated their software in virtual environments. As the hosting service grew, Desai ended up managing 3,500 virtual machines, averaging eight per server.

After leaving Surgient, Desai became an author and consultant focused on virtualization, Web services, and Windows Server technologies. At Surgient, he managed both VMware ESX Server and Windows Virtual Server virtual machines. He is the author of the books, "The Rational Guide To Managing Virtual Server" and "The Rational Guide To Scripting Virtual Server" (Rational Press, 2006).

As a frequent blogger and writer on virtualization, he was contacted by Embotics, a virtual machine management software firm, to write the Controlling VM Sprawl paper that was published Dec.18.

Deploying virtual machines needs to be viewed throughout the organization as a process that is "at least as risky as deploying a physical machine," he said.

A department head or test lab manager wouldn't think of setting up new servers in the data center and attaching them to the network without knowing the patch level of the operating system or what security measures were in place. But virtual machines are easy to clone, move to a new server, rename, or just initiate from scratch. Even employees without other technical skills can launch them, he warned.

What's lacking is IT oversight and, in some cases, IT understanding of what's already running. If an enterprise is just getting started in virtualization, it's a good time to employ strict controls over who generates them, who reviews them for proper configuration and security, and who deploys them.

Control Slips Away
In small- and medium-sized companies where IT is understaffed and not always visible at business management meetings, the control of virtual machine deployment can slip away. Even in large companies, policies not only need to be formulated but strictly enforced. "That's the hard part," Desai said.

A variety of management tools now help IT managers discover virtual machines while they're running and, in some cases, query VMware ESX Servers on whether they have any offline VMs under their purview. That way, an inventory of all virtual machines can be built up.

Developers, with their technical know-how and impatience to meet project deadlines, are particularly prone to generate unauthorized virtual machines, he warned. "I'll admit, I've done it," he said.

The main thing, he said, is to impose IT oversight on virtual machines, keep tracking them as they move around, and set policies on when a virtual machine's useful life is over. That way, you're less likely to end up with virtual machines running silently in the background for weeks or months at a time with no one knowing they're there.

They're not only consuming resources, they're an open door to an intruder if he finds one and uses it to get inside a host server. Then network connections to databases and other resources become available and what was a minor trespass becomes a threatening situation.

Desai is in the process of finishing an e-book for systems management software supplier CA, entitled, "The Definitive Guide To Virtual Platform Management."