DevCentral > Weblogs > Lori MacVittie - Two Different Socks
 Virtual Server Sprawl: FUD or FACT?
posted on Wednesday, October 01, 2008 3:43 AM

At Interop this week, security experts have begun sounding the drum regarding the security risks of virtualization and reminding us that virtual server sprawl magnifies that risk because, well, there are more virtual servers at risk to manage.

"Virtual sprawl isn't defined by numbers; it's defined as the proliferation of virtual machines without adequate IT control," [David] Lynch said.

That's good, because the numbers as often cited just don't add up. A NetworkWorld article in December 2007 cited two different sets of numbers from Forrester Research on the implementation of virtualization in surveyed organizations. 

First we are told that:

IT departments already using virtualization have virtualized 24% of servers, and that number is expected to grow to 45% by 2009.

And later in the article we are told:

The latest report finds that 37% of IT departments have virtualized servers already, and another 13% plan to do so by July 2008. An additional 15% think they will virtualize x86 servers by 2009.

It's not clear where the first data point is coming from, but it appears to come from a Forrester Research survey cited in the first paragraph while the latter data set appears to come from the same recent study. The Big Hairy Question is: how many virtual servers does that mean?

This sounds a lot like the great BPM (Business Process Management) scare of 2005, when it was predicted that business users would be creating SOA-based composite applications willy-nilly using BPM tools because it required no development skills, just a really good mouse finger with which you could drag and drop web services to create your own customized application.

Didn't happen. Or if it did, it happened in development and test and local environments and never made it to the all important production environment, where IT generally maintains strict control. Every time you hear virtual server sprawl mentioned it goes something like this: "When your users figure out how easy it is..."

"Users", whether IT or business, are not launching virtual servers in production in the data center. If they are, then the organization has bigger concerns on its hands than the issue of sprawl. Are they launching virtual servers on their desktop? Might be. On a test or development machine? Probably. In production? Not likely. And that's where management and capacity issues matter; that's where the bottom line is potentially impacted from a technological black plague like virtual server sprawl; that's where the biggest security and management risks associated with virtualization are going to show themselves.

None of the research cited ever discusses the number of virtual servers running, just the number of organizations in which virtualization has been implemented. That could mean 1 or 10 or 100 virtual servers. We just don't know because no one has real numbers to back it up; nothing but limited anecdotal evidence has been presented to indicate that there is a problem with virtual server sprawl.

I see problems with virtualization. I see the potential for virtualizing solutions that shouldn't be virtualized for myriad reasons. I see the potential problems inherent in virtualizing everything from the desktop to the data center. But I don't see virtual server sprawl as the Big Hairy Monster hiding under the virtual bed.

So as much as I'd like to jump on the virtual sprawl bandwagon and make scary faces in your general direction about the dangers that lie within the virtual world - because many of them are very real and you do need to be aware of them - there just doesn't seem to be any real data to back up the claim that virtual sprawl is - or will become - a problem.

Feedback


10/1/2008 5:10 AM
You've read the two italicized excerpts incorrectly. The first says that those IT departments that _are_ already using virtualization are virtualizing about 24% of their servers. The other says 37% of _all_ IT departments are using virtualization. The two excerpts combined:

37% of all IT departments virtualize, and on average they virtualize 24% of their servers. By 2009, 50% of all IT departments will virtualize, and on average they will virtualize about 45% of their servers.

I stopped reading after that.
MilesZS

10/1/2008 5:18 AM
@MilesZS

I see what you're saying. When you string the excerpts together it becomes much clearer. Unfortunately, the excerpts in the original article aren't anywhere near each other, and the wording makes it ... fuzzy.

Thanks for pointing it out. That makes things a bit more clear - at least in terms of what the Forrester Research is saying. As is often the case, part of the problem is the use of the stats to promote an idea, not the statistics themselves.


Lori MacVittie

10/1/2008 10:23 AM
Since implementation of virtualization (RHEL Xen) about 18 months ago we've jumped from 40 servers to about 110 if you include virtualized instances. There are a great many factors that contribute to this. The greatest is being able to create more redundancy for services and additionally being able to create a throttled-down server for business applications that should be separated out but don't justify a full-fledged server's resources.
SKahler

10/1/2008 10:37 AM
@SKahler Excellent point about the redundancy. I hadn't deeply considered that one yet, will definitely have to think about how beneficial that is.

Lori MacVittie

10/2/2008 3:50 AM
Lost in the discussion is that multiple virtual instances of the same server image don't count as "new servers" because they are identical replicants of the original image - if the original is secure, they are all secure; if the original is insecure, they are all identically insecure.

In this way, counting virtual instances is useless; the numbers we want are really "systems with virtualization apps installed" and "unique virtual images available."

Sprawl in the image files is the actual issue - less of a problem in a data center or server farm where they can be stored and administered centrally than when OS virtualization applications are installed on desktops and workgroup servers that aren't being managed centrally.

While patching dormant guest OS images is an issue, it has less to do with virtualization being inherently dangerous and more to do with CIOs lacking the political juice to craft meaningful policies for using virtualization or IT operations groups being incompetent to manage desktop software.

It is a basic truth for security hype-sters that if you see a management failure happening, blaming a bit of technology that happens to be in view is a good way to generate the kind of fear that makes you rich, since people will try to buy their fear away even when they are loath to confront a management failure or change their own behavior.


Ian

10/2/2008 5:38 AM
One other contributing factor to the sprawl is the admins are doing different things now. There's a lot of time saved in the traditional order a server, rack it, cable it, etc. Now admins can spend more time on more strategic projects (or playing golf). This means projects that you weren't getting to before because you ran out of space or power in the DC or you were waiting for servers to get there or your admins were tied up doing basic tasks - all that goes away (or gets reduced). This means the additional servers are actually new projects that are hopefully helping the company.

Like SKahler said some of the servers are for redundancy as well. That happens a lot. A lot of times as well organizations don't know how many servers they actually have. I've personally been in the virtualization space for 6 1/2 years (I work for VMware BTW). I've helped over 4,000 different customers go virtual. I don't think one has reduced their server count. They've gotten rid of lots of physical hardware (servers) but the OS/App stack (the real server) count has always grown for the reasons discussed here. What's interesting is every time we start a project there's usually a discovery phase where we take a look at the existing physical servers to see what the utilization is, get a good count, etc. I always ask people throughout the IT org how many physical servers they have. They usually come to agreement on some number even though everyone initially gives a different number. What we find is that 8/10 times the organization has substantially more physical servers than they thought they did. Is that physical server sprawl? There's servers under people's desks. There's servers in storage closets. There's servers all over the place. I see it again and again. At least when you virtualize most of those things end up in the datacenter (unless you're using desktop virtualization software like VMware Workstation). Furthermore, there's usually only a handful of admins that actually have permission to create the VMs in the first place. Even though the technology for delegated administration has been there for a long time it's usually centrally controlled. So even though you get virtual server sprawl the admins are usually well aware of that fact so it's still "under control".

Great article. Definitely an interesting topic for conversation.
Mike DiPetrillo