T 2.148 Poor planning of the virtualisation
The introduction of virtualisation servers in a computer centre means that a new class of IT systems must be put into service. A virtualisation server is usually more than a server on which virtual IT systems are operated. It also integrates the virtual IT systems into the computer centre and, in doing so, controls their connection to further infrastructure elements such as networks and storage networks. From the virtual IT systems' point of view, the virtualisation server is therefore a part of the computer centre infrastructure.
In a classic IT infrastructure, the (physical) IT systems are often administrated in a specialised process. The individual structure elements of the IT infrastructure are operated by administrators who specialise in and focus on the IT systems they support. In a virtualised IT infrastructure, by contrast, individual structure elements of the previously separate infrastructure are consolidated in a virtualisation server. This may shift a part of the operating responsibility for these computer centre resources from the specialised administrators to the administrators of the virtualisation servers.
The introduction of virtualisation also changes the perspective on an information system as a whole. If infrastructure components and a large number of (virtual) servers and (virtual) workstations are mapped within a virtualisation server, the differences between a physical and a logical information system can no longer be perceived. For this reason, the logical structure can no longer be defined clearly.
Missing or poor planning of the roles and responsibilities
Virtualisation servers usually also contain, in virtual form, a large part of the infrastructure components required for operating a virtual IT system. Infrastructure components such as switches or network-attached storage systems are otherwise provided by dedicated components. This means that the network connections of a virtualised IT system are not established, administrated, and monitored by a switch, as usual, but normally by the virtualisation server. The same applies to storage capacity in storage networks and other resources.
If the way the servers are to be integrated into the computer centre from a technical and organisational point of view is not planned when using the virtualisation servers, there is the risk that
- the responsibilities for different areas such as applications, operating systems, and network components will not be clearly defined,
- the responsibilities for different areas will overlap, or
- a matching rights structure for separating administrative access options for the different areas will not be present.
In the classic computer centre, different persons with separate roles are frequently responsible for infrastructure elements such as switches or storage networks. However, these role concepts for administration may be undermined by poorly designed virtualisation. For example, the administrators of the virtual infrastructure are granted comprehensive access to the guest systems, to their communication links, and to the information processed and provided by these systems. If the regulations regarding the distribution and delegation of tasks between the administrators are ambiguous or missing altogether, or if important aspects are overlooked and not taken into consideration during the planning phase, responsible persons may lack the required information. As a consequence, errors such as
- poor determination of the resource requirements for the virtualisation infrastructure,
- poor analysis of the performance requirements regarding the systems to be virtualised,
- poor planning and procurement of infrastructure components for networks and storage networks,
- poor adaptation of the infrastructure components to the virtual infrastructure, and
- a lack of integration of the virtualisation software, as well as its virtual infrastructure components and the virtual IT systems, into existing monitoring systems
may cause comprehensive, negative consequences for the entire information system.
Missing planning of the use of virtualisation servers
If it is not ensured that the virtual IT systems are operated on uniformly configured virtualisation servers and therefore have a uniform infrastructure, problems may occur while operating the virtual IT systems. The virtualisation technology Live Migration serves as an example. It allows a virtual IT system to be migrated from one virtualisation server to another:
- If a virtual IT system is migrated within the virtualisation structure, it may gain access to resources it should not be able to access for reasons of confidentiality and integrity.
- On the other hand, a virtual IT system may no longer be able to access a required resource such as name resolution (DNS) after Live Migration due to a poorly planned virtualisation infrastructure. This may have direct consequences for the availability of a virtual IT system.
If the hardware equipment of the virtualisation servers is not planned in detail and if there are no specifications regarding the procurement of the required hardware components, components incompatible with the selected virtualisation product may be procured. This may entail disadvantages for manufacturer support regarding the selected product. Moreover, it is possible that certain processor properties such as Intel VT and AMD-V, which are absolutely required for operating the virtualisation solution, are missing.
If the hardware components procured for a farm of virtualisation servers are not equipped uniformly, the availability and integrity of the virtual IT systems may be endangered. For example, differing processor equipment of the virtualisation servers may cause stability issues in the virtual IT systems. If certain processor properties are not available on a virtualisation server when a virtual IT system is migrated to this server using Live Migration, the virtual IT system may crash.
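The check below is an added example, not part of the original catalogue text. It compares the processor properties of a server farm before Live Migration is enabled. The host names and flag lists are constructed sample data in Linux /proc/cpuinfo format, and the assumption that guests see all host flags is simplified.

```python
# Added example: audit CPU feature uniformity across a farm of virtualisation servers.
# Host names and flag lists are constructed sample data in /proc/cpuinfo format.
CPUINFO = {
    "virt01": "flags : fpu sse2 ssse3 sse4_1 sse4_2 aes avx avx2 vmx",
    "virt02": "flags : fpu sse2 ssse3 sse4_1 sse4_2 aes avx avx2 vmx",
    "virt03": "flags : fpu sse2 ssse3 sse4_1 sse4_2 aes vmx",
    "virt04": "flags : fpu sse2 ssse3 sse4_1 sse4_2 aes avx avx2",
}
HW_VIRT = {"vmx", "svm"}  # Linux flag names for Intel VT-x and AMD-V


def parse_flags(line):
    """Return the set of CPU flags from one 'flags : ...' line."""
    _, _, value = line.partition(":")
    return set(value.split())


def audit_farm(cpuinfo):
    """Report hosts without hardware virtualisation and unsafe migration paths."""
    flags = {host: parse_flags(line) for host, line in cpuinfo.items()}
    no_hw_virt = sorted(h for h, f in flags.items() if not f & HW_VIRT)
    # Assumption: guests see every host flag except vmx/svm (no CPU masking).
    guest = {h: f - HW_VIRT for h, f in flags.items()}
    baseline = set.intersection(*guest.values())
    # A guest started on src may use features that dst does not offer.
    risky = sorted(
        (src, dst, sorted(guest[src] - guest[dst]))
        for src in guest for dst in guest
        if src != dst and guest[src] - guest[dst]
    )
    return {"no_hw_virt": no_hw_virt, "baseline": baseline, "risky": risky}


if __name__ == "__main__":
    report = audit_farm(CPUINFO)
    print("Hosts without Intel VT / AMD-V:", report["no_hw_virt"])
    print("Common guest-visible baseline:", sorted(report["baseline"]))
    for src, dst, missing in report["risky"]:
        print(f"{src} -> {dst}: destination lacks {missing}")
```

Restricting guests to the reported baseline, or procuring hosts that match it, removes the listed migration paths from the risk list.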
Incorrect network integration
In computer centre operations, certain procedures for integrating servers and similar systems into the network infrastructure have become established. These procedures, e.g. MAC filters, serve to protect the availability, integrity, and confidentiality of the network connections. If these procedures are not taken into account and not adapted properly, safeguards suitable for physical systems may have adverse effects on the operation of virtual systems. If MAC filters are configured improperly on the switch ports of the virtualisation servers, some virtualisation functions such as Live Migration, i.e. the migration of running virtual IT systems between virtualisation servers, may be inoperable. In such a case, the migrated virtual machine loses its network connection, since its (virtual) MAC address is rejected on the switch port of the new virtualisation server.
Improper integration into storage networks
The particularities of virtualisation servers when accessing storage networks must be taken into consideration appropriately as early as the planning stages. Virtualisation servers require access to all iSCSI and Fibre Channel resources of a storage network that are required for operating the virtual IT systems. Normally, virtual IT systems do not use their own iSCSI or Fibre Channel interfaces to access such resources, but use the corresponding interfaces of the virtualisation servers instead. The virtualisation servers therefore also require access to resources which are actually only intended for the virtual IT systems, since they may otherwise be unable to provide the virtual systems with these resources. Consequently, if ambiguous regulations are imposed prior to commissioning or if functional and time requirements are not addressed in the planning stages, failures regarding availability, confidentiality, and integrity are possible during the further lifecycle of the virtualisation environment.
If virtualisation servers are to be used in the computer centre, a segmentation of the storage network (SAN) which is not adapted to virtualisation may cause problems. For example, virtual IT systems may no longer be able to access required resources once they are migrated between virtualisation servers. The availability of the services provided by the virtual IT systems is then endangered. On the other hand, poor planning of the storage network integration may result in excessively comprehensive access rights to the storage networks being granted. This may endanger the confidentiality of the information stored in these storage networks.
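The following planning check is an added example, not part of the original catalogue text. It covers both the MAC filter problem from the network integration section and the SAN segmentation problem described above. All host names, MAC addresses, and LUN names are constructed, and the data structures are hypothetical stand-ins for exported switch and SAN configuration.

```python
# Added example: which Live Migration targets would cut a VM off from network or storage?
# All names, MAC addresses and LUN ids are constructed sample data.
PORT_MAC_ALLOW = {  # MAC filter on the switch ports of each virtualisation server
    "virt01": {"02:00:00:AA:00:01", "02:00:00:aa:00:02"},
    "virt02": {"02:00:00:aa:00:01"},
}
HOST_LUNS = {  # LUNs each server can reach through SAN zoning / LUN masking
    "virt01": {"lun-app", "lun-db", "lun-backup"},
    "virt02": {"lun-app", "lun-backup"},
}
VMS = {  # virtual MAC address and required LUNs of each virtual IT system
    "web": {"mac": "02:00:00:aa:00:01", "luns": {"lun-app"}},
    "db": {"mac": "02:00:00:aa:00:02", "luns": {"lun-db"}},
}


def norm(mac):
    """Normalise a MAC address so that case and separator style do not matter."""
    return mac.lower().replace("-", ":")


def migration_findings(vms, port_mac_allow, host_luns):
    """List (vm, host, problem) for every host a VM could not run on safely."""
    findings = []
    for vm, spec in sorted(vms.items()):
        for host in sorted(host_luns):
            allowed = {norm(m) for m in port_mac_allow.get(host, set())}
            if norm(spec["mac"]) not in allowed:
                findings.append((vm, host, "mac-filtered"))  # availability risk
            for lun in sorted(spec["luns"] - host_luns[host]):
                findings.append((vm, host, "lun-missing:" + lun))
    return findings


def excess_luns(vms, host_luns):
    """LUNs a host can reach although no VM needs them (confidentiality risk)."""
    needed = set().union(*(spec["luns"] for spec in vms.values()))
    return {h: sorted(l - needed) for h, l in host_luns.items() if l - needed}


if __name__ == "__main__":
    for finding in migration_findings(VMS, PORT_MAC_ALLOW, HOST_LUNS):
        print("migration problem:", finding)
    print("excess storage access:", excess_luns(VMS, HOST_LUNS))
```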
Lack of planning of the use of virtual IT systems
Planning errors may also occur in other areas where existing procedures are not checked when virtualisation is to be used. If the usual computer centre procedures for server procurement and provision, as well as operating system installation, are not adapted, one or several of the following problems may occur:
- It can never be ruled out completely that individual operating systems, services, or applications are unsuitable for the selected virtualisation environment. Moreover, adaptations of the virtualisation servers to the virtual IT systems operated on them and/or their operating systems and applications may be required. This could remain undiscovered if verification by qualified skilled personnel is inadequate or if the persons involved in the project are not coordinated appropriately. As a consequence, performance issues or processing errors caused by incompatibilities between the applications and the virtualisation solution used may occur during further operation of the virtualisation servers and/or the virtual IT systems. This particularly endangers the integrity and availability of the information processed on the virtual IT systems.
- If it is not checked whether the applications to be operated on virtual IT systems require certain hardware components (such as software protection modules (dongles) or ISDN cards) and whether these may be used in combination with the selected virtualisation solution, this may result in significant delays when installing these IT systems. It may also be possible that such a system cannot be virtualised at all or that a component compatible with the virtualisation solution must be procured first.
- If virtual IT systems (virtual servers, workstations, and switches) are not inventoried completely, there is no overview of the IT systems actually operated in the computer centre. This may result in the following:
  - a lack of operating system or application licences, for example, resulting in the organisation being under-licensed,
  - the operation of IT systems without any available operating documentation or not included in the security concepts of the organisation,
  - the operation of IT systems, the purpose of which is unknown (see also T 5.66 Unauthorised connection of IT systems to a network),
  - the initial operation of IT systems without the required planning and operating preparations,
  - the withdrawal from operation or the deletion from inventory lists of IT systems in contradiction to the general rules of the organisation.