Implementing Policy in the Virtual Environment and Cloud

When you read books on virtualization, cloud computing, or security, or read software product sheets, a common word that shows up is Policy. Tools often claim to implement Policy, while books urge you to read or write your Policy. But what does Policy imply?

Webster (webster.com) defines policy as:

1 a : prudence or wisdom in the management of affairs b : management or procedure based primarily on material interest
2 a : a definite course or method of action selected from among alternatives and in light of given conditions to guide and determine present and future decisions b : a high-level overall plan embracing the general goals and acceptable procedures especially of a governmental body

When you read "policy" in product literature and books, the meaning intended is definition number 2, and often a over b. But what does this mean to those who administer and run virtual environments or make use of cloud services?

In these settings, having a robust policy is required. Such a policy should include nearly every aspect of the environment. Most large companies have written policies about how people should deal with one another, how they should deal with computing resources, and how security interacts with their lives within the organization and sometimes outside it. In essence, it is The Book to which you refer if there is any doubt or you wish to know exactly how to proceed. In the military, The Book guides your every action, and all falls back to The Book.

I am finding that more and more companies rely on tools to provide policy instead of having their own written policy. A written Policy leads to written Procedures that may make use of tools. For example, I am sure there is a Backup Policy in place within your organization that states, in its simplest form, that backups will be made, be tested, and be stored offsite. The Procedures for doing all this may or may not be within the Policy. There are tools that can assist with all these policy requirements, but they do not replace Policy.

Virtualization Requirements for The Book

In the physical world of computing, there was always a process for purchasing new hardware, tracking hardware via asset tags, and ensuring that physical resources were disposed of properly at the end of life. I have been through a number of scrambles around inventory time to find misplaced machines or ones that have been destroyed.

In the virtual world, this translates into handling sprawl, so one of our Policies for The Book needs to cover the lifecycle of a virtual machine: how to dispose of the VM, how to track the VM, and how to determine whether the VM actually needs new hardware resources. Collectively this could be known as Capacity Management or Lifecycle Management. No matter the name you use, there should be a written policy in The Book that covers this. Lifecycle Management and Capacity Management are tied together. Let me present an example:

Manager A requests a large VM (8 vCPUs, 64 GB of memory, 4 TB of disk, and 10 Gb of network). Your virtual environment does not have nearly that capacity, so what do you do?

Your policy should be robust enough to handle this case. So you fall back to The Book and work out the details on how to proceed. One company I consulted at had the right idea. Their policy was:

Treat a request for a new VM as if it was a physical resource as it may end up requiring new physical resources.

This worked for them because the policy for new Resources was extremely well understood and required a fairly systematic review, such as:

  1. Architectural Review of the Request to determine whether a new server was needed or an existing one could be reused. In the case of virtual machines, they were looking at need as well as the REAL resources required by the VM (which are quite a bit less).
  2. Capacity Review to determine if the server could even be placed within the environment (power requirements, etc.). For a VM, they were looking to determine if new resources would need to be purchased to fit the VM into the current infrastructure.
  3. Resource Consumption Review to determine how many resources the server would use in the future and whether that would require new resources, and by when.
  4. Security Review to determine where the server would live within the environment and which security controls to place upon the server and application. Was this a PCI environment, a DMZ system, etc.? What trust zone did it belong to, and what Roles and Permissions were needed for access?

In essence, there was much more involved with putting out a server. Capacity planning, Future Resource Consumption, and Security were major components of their policy, and it was all documented within The Book. In addition, each server had its own architectural review document on file that could be updated as details changed.

The last area of interest, which this customer did not address, was determining how to charge back resource utilization to the owner of the server.

In all this, the customer interchanged the words server and VM so that they could make the most use of their existing policies. If you are writing new policies, you may be able to streamline this process even more. Tools such as HyTrust, vKernel and Hyper9 help with the Capacity analysis component of your policies but do not replace the written policy.

Cloud Computing Requirements for The Book

I am not sure much changes when you discuss the cloud rather than a virtual environment, but there are some obvious differences. The first is that, for a user of the cloud, the capacity review component belongs to the Cloud Provider, but I would hazard a guess that most of the rest will stay the same. So let’s look at the Capacity Review component.

In our example, that type of VM would most likely be difficult for a cloud provider to provide easily, so the Capacity Review needs to include communication with the Cloud Provider to determine if the capacity exists. Perhaps the cloud provider exposes tools like vKernel and Hyper9 to the Cloud user, or they have their own frontend to do so. In order to place businesses within the cloud, Capacity reviews will be required. As businesses grow, they will need to plan their capacity with the cloud provider.

This is one more thing the cloud provider must expose to the cloud user via the cloud portal software. Without it, placing a business within the cloud would be very difficult.

The other aspect of Policy that is in the hands of the cloud providers is security. When you perform a Security Review as part of your deployment of a VM or application, how will you know that the proper controls are in place to protect your trust zones? This is one other aspect of the cloud that the providers will need to expose. CloudAudit.org is working on some of this, but the responsibility will end up with the owner of the data within the cloud. If the provider exposes HyTrust and other security tools, perhaps you can gain that control.

So if you are using the cloud, or plan to use the cloud, update your Policy (The Book) to include how to determine if your cloud provider can meet your current and future capacity as well as security requirements.

Edward Haletky

Edward L. Haletky, aka Texiwill, is the author of VMware vSphere(TM) and Virtual Infrastructure Security: Securing the Virtual Environment as well as VMware ESX and ESXi in the Enterprise: Planning Deployment of Virtualization Servers, 2nd Edition. Edward owns AstroArch Consulting, Inc., providing virtualization, security, network consulting and development and The Virtualization Practice where he is also an Analyst. Edward is the Moderator and Host of the Virtualization Security Podcast as well as a guru and moderator for the VMware Communities Forums, providing answers to security and configuration questions. Edward is working on new books on Virtualization.

3 Responses to Implementing Policy in the Virtual Environment and Cloud

  1. July 26, 2010 at 3:44 PM

    Nice article! All companies—large and small—should have their version of “The Book” that they rely on for policy guidance. I agree that one of the policies should be “Capacity Management.” But, within this policy I would add a guide to tackling virtual sprawl, detailing how deployment automation can help. This is an important addition because determining power requirements and the need for resources involves awareness of the tools IT departments can use to handle virtualization challenges. Do you agree that when going through capacity planning, IT departments should be informed of automated procedures and their ability to control virtual sprawl when deploying applications?

  2. July 26, 2010 at 3:56 PM

    Hello,

    Yes, I do agree, automated tools for Capacity Management are a must, as is a Lifecycle Management process/policy and tool. However, tools are not the real issue here; the issue is that many companies do not even have a policy and just rely on the tools. The two go hand in hand; there is no replacement for a good policy for handling capacity management. The tools just augment that existing policy and remove the human factor from the equation. In fact, I believe Capacity Management tools should be integral to the provisioning of VMs, as if you overprovision VMs, then you will impact performance by using too many resources. I.e., if the tool says you will go over capacity, require permissions or just deny the ability to even provision the VM. It would depend on your Capacity Management tool's response and how far in advance it looks for bottlenecks and issues.

    Best regards,
    Edward L. Haletky aka Texiwill

  3. July 29, 2010 at 11:27 AM

    Good point – having a policy in place is an important first step. As you say though, automated tools remove the human factor from the equation, which is often where many of the costly errors occur. Even a solid policy cannot account for all the manual errors that inevitably result during deployments and processes, which is another benefit of automating such tools. However, you’re right, these tools cannot be a replacement for putting company policies in place. Looking forward to reading more from you on this.
