http://www.enterprisegrc.com
Virtualization and Cloud Essentials™ Readiness, An Auditor Spin
CompTIA™ & ITpreneurs Certification Readiness and Auditor Centric Discussion, Presented by Robin Basham
Agenda?
Your Presenter, Robin Basham, M.Ed, M.IT, CISA, ITSM, CGEIT,
CRISC, ACC, CRP, VRP, Blah, Blah, Blah, Cloud, Blah
What Are Cloud Services?
Cloud Computing: Where is it? What is it?
• Cloud enables resources to serve multiple needs for multiple consumers, rather than dedicating resources for individual infrastructure, software, or platforms.
• Cloud delivers IT capabilities that scale with demand, rather than being defined by a fixed set of assets.
• Cloud is delivered as a well-defined service, instead of as a product that needs system administrators and maintenance.
• Cloud is typically based on open Internet technology, which increases its interoperability.
• Cloud is priced according to recurring subscriptions or has usage-based charges, rather than having an up-front cost.
Three Terms We Will Say A Lot
• Virtualization: Abstracts compute services away from their physical hardware and allows them to be treated as data. (The technology)
• Cloud: Builds on this abstraction by allowing services to be flexibly sourced from a number of providers and delivered over a number of channels. (The business)
• Asset Efficiency: The resulting savings from buying, housing, and supporting fewer devices (a.k.a. the benefit of Virtualization)
©Copyright EnterpriseGRC Solutions™, Inc. 2012, All Rights Reserved
While Camps Debate Over The Safety Of Cloud Computing
• Auditors and the business have to collaborate in refining existing risk scenarios, addressing new areas of configuration management, and modifying change policies to prevent common pitfalls known to the adoption of any new technology (i.e., loss of availability, integrity and reputation).
• Cloud and Virtualization offer unprecedented essential business value (such as avoiding downtime, improving availability, reducing cost of operations and speeding product to markets); companies that rush to leverage cost savings are also likely to experience our next biggest losses of all time.
Controlling Risk in Virtualized Environments
• The Controlling Risk in Virtualized Environments session points to a few practical education and Information Technology approaches providing strategies for effective risk management in Virtualization and Cloud adoption.
• Please visit to find more.
• If there was something you missed, check out our Facebook page, because many ideas and images will also be there.
Topics
• Your Context
• Key cloud concepts & terminology
• Cloud and virtualization project components
• Implications in Information Technology Service Management (ITSM)
• Security and legal aspects in governance
• Outline steps to:
  • increase their success rate of implementing cloud computing,
  • improve in-house cloud competencies, and decrease dependence on external consultants and services.
• Please note that tonight’s discussion will be leveraging guidelines proposed in the CompTIA™ Cloud and Virtualization Essentials™ curriculum
• Copyright for most of this information is EnterpriseGRC Solutions, ISACA, ITpreneurs™ or CompTIA™
Critical ISACA Resource
You’re in the Cloud – Let’s Talk About What that Means to IT Audit
Mapping Cloud Assurance to Existing CobiT Assessment
Standards Referenced – Refresh ITIL Lifecycle Stages, ISACA, NIST and CSA
• Service Management (ITIL): Cloud computing as a set of technologies and an approach to IT service delivery
• Governance (COBIT): Detailing ways that risks should be mitigated such that investments generate value
• Information Security (ISO/IEC 27001): “Risk Management or Governance” through specific “Policy” where information security ensures that information in the cloud is safe and secure
• NIST: http://www.enterprisegrc.com/index.php?option=com_wrapper&view=wrapper&Itemid=160
• Cloud Security Alliance: https://cloudsecurityalliance.org/
• ISACA - Controls Assurance In The Cloud: http://www.isaca.org/Knowledge-Center/Research/ResearchDeliverables/Pages/IT-Control-Objectives-for-Cloud-Computing-Controls-and-Assurance-in-the-Cloud.aspx
ITIL lifecycle stages and processes:
• Service Strategy: Demand Management; Service Portfolio Management; Finance Management
• Service Design: Service Catalogue Management; Service Level Management; Supplier Management; Capacity Management; Availability Management; Information Security Management
• Service Operations: Request Fulfillment; Event Management; Incident Management; Problem Management; Access Management
• Service Transition: Change Management; Service Asset and Configuration Management; Knowledge Management; Deployment, Decommission, and Transfer
Cloud Deployment Methods SaaS, PaaS, IaaS
Software as a Service
• SaaS: the capability provided to the consumer is to use the provider’s applications running on a cloud infrastructure; the applications are accessible from various client devices through a thin client interface, such as a Web browser (for example, Web-based e-mail); the consumer does not manage or control the underlying cloud infrastructure, including network, servers, operating systems, storage, or even individual application capabilities, with the possible exception of limited user-specific application configuration settings.
• Examples are online applications like Gmail, Salesforce.com and Microsoft
Platform as a Service
• PaaS: the capability provided to the consumer is to deploy onto the cloud infrastructure consumer-created or acquired applications created using programming languages and tools supported by the provider. The consumer does not manage or control the underlying cloud infrastructure including network, servers, operating systems, or storage, but has control over the deployed applications and possibly application hosting environment configurations.
• Examples are specialized software libraries (API and programming interfaces)
Infrastructure as a Service
• IaaS: the capability provided to the consumer is to provision processing, storage, networks, and other fundamental computing resources where the consumer is able to deploy and run arbitrary software, which can include operating systems and applications; the consumer does not manage or control the underlying cloud infrastructure but has control over operating systems, storage, deployed applications, and possibly limited control over select networking components (for example, host firewalls).
• Examples are servers and virtual machines running as a service
Virtualization is an enabling technology
• Virtualization is an enabling technology for cloud computing and cloud computing services.
• For cloud computing to occur, it is necessary to separate resources from their physical location. Without virtualization, the cloud becomes very difficult to manage.
• Cloud computing is a business model where ownership of physical resources rests with one party, and the service users are billed for their real use. An organization can use virtualization for internal customers. Cloud computing presupposes external service users.
• The Cloud Model is a transformation in how IT is delivered.
Business Impact
• Business value can be something positive that has been added, but it can also be something negative that is reduced.
• When considering Cloud and Virtualization, here are some of the business and IT concerns:
  • Cost: including capital cost for servers, storage, network, software, and so on, and the operational cost involved in running the IT systems, consumes a large portion of a business budget.
  • Maintenance: maintaining current applications not only involves money and time, but also quite a bit of management attention.
  • Security and Risk Management: regulatory and legal reasons and for business continuity
  • User Experience: determines the enthusiasm with which applications will be integrated in the day-to-day business
  • Flexibility: Businesses expand and contract. For most organizations, the flexibility of IT plays a crucial role in facilitating growth.
  • Expansion: IT systems continue to expand beyond the physical borders of the organization
CapEx and OpEx – Reasons for Using Cloud Providers
• Cloud providers can deliver lower cost because they enjoy economies of scale. Clients don't have to purchase large amounts of hardware; instead, they are able to invest in cost-saving operational procedures, which are easy to justify.
• Capital expenses (CapEx): Cloud computing drives greater optimization and utilization of IT assets, allowing you to do more with less and to realize significant cost reduction. You can take on IT capital investments in increments of required capacity instead of building for maximum, or burst, capacity.
• Operating expenses (OpEx): Although IT would continue to make capital investments, public cloud offerings are billed to the enterprise on a pay-per-use basis, and private clouds can be treated as OpEx by consuming business units. Through automation, cloud computing reduces the amount of time and effort needed to provision and scale IT resources.
Business Value in Virtualization
Discussion Perspectives: User, Vendor and Technology
• User Perspective: involves some of the following goals of technology and business:
User
• Server consolidation and asset efficiency
• Migration to an industry-standard x86 hardware architecture
• Speeding up the provisioning of servers and storage
• Reduction in capital expenditure
• Enabling a more mobile workforce
Vendor
• Is a framework or methodology of dividing the resources of a computer into multiple execution environments by applying concepts or technologies.
• Examples include hardware and software partitioning, time-sharing, partial or complete machine simulation, emulation and quality of service.
Technology
• Enables IT groups to deploy and manage resources as logical services instead of physical resources.
• Using network virtualization, IT administrators can segment and align IT services to meet the specific user and group network needs.
• Logical, secure segmentation helps IT comply with regulations for resource-specific security.
New Tools, New Processes, New RunBooks – Asset, Release, Patch, Backup Restore, and Monitor
• The introduction of virtualization brings many changes that need to be reflected in the tools that administrators use to manage systems. Some examples of the types of changes that need to be addressed include:
  • Servers and workstations are no longer tied to a particular, known location.
  • Releasing software patches is different in a virtual environment.
  • Backup and restore: central location as opposed to execution on the machine.
  • Monitoring tools that are used to correlate hardware and software events may no longer understand where dependencies lie.
• In addition, each virtual platform has its own management tools, which need to be integrated into operations.
Diagram labels: Help Desk Tools; Configuration Management Databases; Monitoring and Alerting Tools; Security Audit Tools; Citrix Desktop Director; VMware View Manager; Cisco UCS Manager; RHEV-M
Virtualization Simplifies Application Development Process
Agile Development
• Agile Development, which calls for rapid, incremental delivery of new code in a running system driven by specific test cases, can be greatly streamlined by virtualization. The developer can clone an environment to hand over to testers and continue to work without having to spend time laboriously recreating environments for testing.
Multi-tier Environments
• When dealing with code that runs in different environments, as in commercial software or even when sharing an application between geographies or business units in a single company, it can be hard to replicate bugs and test whether fixes work. Virtualization can aid here in a number of ways:
  • Maintain multiple testing environments without expensive, rarely used hardware.
  • Ability to keep literally all versions of the software run ready.
  • Take a virtual snapshot of a customer's running system and bring it intact into the lab for testing.
Packaging and Installation
• Conventional approaches to packaging and installation can leave customers and systems administrators with the complex task of installing the application and its dependencies and properly configuring the software. With careful planning, this kind of repetitive systems administration task can become a thing of the past as development teams deploy software as virtual appliances ready to run in a server virtualization environment. With contemporary virtualization platforms, even sophisticated multi-tier applications can be packaged and released, ready to install and go.
Defect Management
• Some software defects can be extremely hard to track down when they involve networks of application code on different machines performing unpredictably. Defects can be greatly dependent on timing, and so-called Heisenbugs can be incredibly hard to isolate. When an entire network of machines is virtualized and run on a single machine for test purposes, advanced debugging systems like Sun Microsystems' DTrace can greatly reduce the complexity of the problem.
Werner Heisenberg, a key figure in the development of modern physics, posited that when you observe a system you change its state.
The development community uses the term "Heisenbug" to denote a bug that disappears when you try to measure or isolate it.
Cloud Journey – IT Operational Viewpoint
Columns: Level, Adoption, Migration, Operation, Virtualization Technology
4 - Enabled
• Adoption: Physical hosts are only used in very exceptional circumstances
• Migration: Migration is largely completed, but tools are available if required
• Operation: Operations model has been adopted to take full advantage of automation and self service. Support organization is service focused rather than technology focused
• Virtualization Technology: Self-service portals; Orchestration; Reporting frameworks
3 - Managed
• Adoption: VM is the default choice and is approved for all classes of use, including production
• Migration: Large-scale mass migration exercises using automated tools are in progress or have completed
• Operation: Virtualization support responsibilities are clearly defined. An operational center of virtualization expertise exists.
• Virtualization Technology: Management frameworks; Capacity Management tools
2 - Adopting
• Adoption: VM approved for some functions, for example, dev/test
• Migration: Migration is largely manual and small scale
• Operation: Organization has not changed to reflect virtualization, but existing functions can provide basic support
• Virtualization Technology: Product specific management and migration tools
1 - Evaluating
• Adoption: Limited Pilots
• Migration: Migration tools under evaluation
• Operation: Virtualization is supported largely by the engineering function
• Virtualization Technology: Hypervisor
0 - Un-adopted
• Adoption: No engineered or supported VM hosts
• Migration: No activity
• Operation: Process takes no account of virtualization
• Virtualization Technology: None
Types of Infrastructure, Network and Site Risk
Risks and Actions to Mitigate in Enterprise Virtualization
Strategic Drivers
• Programmers are no longer able to take advantage of this much power with conventional programming techniques. This was earthshaking news back in 2005 when it seemed that programmers would all have to be retrained, or the new hardware would remain underutilized.
• Applications increasingly need to be concurrent in order to fully exploit the continuing exponential CPU throughput gains. Concurrent programming is complicated, subtle, and requires both training and experience.
• Virtualization allows us to keep these incredibly fast machines busy with programs written by normal programmers without these specialized skills. In large part, this factor is what is behind the recent acceleration of virtualization.
Enabling the Technology Journey
Legacy
• Data Center Hardware Server-Oriented
Virtualization
• Data Center
• Workplace Virtualization
Cloud
• Infrastructure as a Service
• Platform as a Service
• Software as a Service
Virtualization and cloud computing are steps on a journey towards a more flexible and cost-efficient way of delivering IT. To move physical hardware and software to the cloud, a transition in IT Delivery must be made. The move will require new expertise, processes, and technologies.
Problems that are Overcome through Use of Virtualization:
• Running out of capacity.
• Having costly, superfluous capacity.
• Having too much capital tied up in server hardware.
IT Delivery Requirements and Strategic Consideration
• Moving from physical to virtual space requires changes in people and technology, mandating virtualization specialists, shared hardware, and hypervisors. (People and Technology)
Virtualization Specialists:
• Staff must acquire specialized skills in the management of new technology, such as hypervisors, remote desktops, and virtualized storage. These new platforms not only require a different approach, they must also be integrated with the rest of the organization.
• (People)
Shared Hardware:
• Virtualization makes in-house infrastructure vastly more efficient by allowing teams to share hardware that is underutilized or utilized only at specific peak periods. The resulting savings from buying, housing, and supporting fewer devices, termed Asset Efficiency, is one of the great benefits of Virtualization. (cont.)
Hypervisors:
• Virtualization introduces a new layer between the server hardware and the operating system of the traditional IT stack. This new layer requires technical expertise to manage. It also means that organizational decisions regarding the server hardware and operating systems must be reexamined.
• (Technology)
Physical to Virtual Space – IT Delivery (People)
• You need Sourcing Expertise and Common IT Business Strategy, as well as Federation and Security processes. Cloud management platforms must be adopted, and people should think about service and not hardware.
Sourcing Expertise:
• Virtualization introduces the possibility, and Cloud Computing further requires, that externally sourced IT services play a greater role in the overall IT mix.
• Organizations need staff with vendor management and partner relationship skills, that is, sourcing expertise.
Common IT and Business Strategy:
• IT strategy is always formulated in support of the business, but as an organization matures and engages in both sourcing in and delivering out capabilities in a cloud environment, IT decisions become decisions about who and where the company does business. IT and business strategy become inseparable. For staff to engage in successful strategy, they need to understand both the business they work in and IT.
Physical to Virtual Space – IT Delivery: Common Challenges, Federation, Security (Process)
Federation:
• When applications are supplied by a number of independent providers, the need arises to ensure a consistent view of critical underlying data across these providers.
• One common challenge is identity federation, where multiple services trust each other's user information, such as access rights and preferences.
• Another challenge is master data federation, where common corporate data, such as product inventories or customer data, is shared across a number of applications.
Security and Risk:
• Because cloud computing involves moving from an environment completely under in-house control to one in which a number of external vendors are relied upon, it poses unique challenges to the confidentiality, integrity, and availability of data and processes with significant bearing on the risk profile of the organization.
Common Benefits: Service Model for Platforms and the overall Service Catalogue (Technology)
Cloud Management Platforms:
• A company that adopts cloud computing must bring together diverse services from a variety of vendors, as well as in-house capabilities, in a consistent and consistently managed way. The emerging category of cloud management provides the capability to realize the potential of anytime, anywhere cloud computing.
Service, Not Hardware:
• As an organization becomes comfortable with virtualization, they stop talking about their servers and instead talk about the capacity they need and where it must be located. A company that adopts cloud computing can own few servers while being able to deliver any number of virtual servers for just as long as their developers need them.
Virtualization and cloud computing share People Benefits
• Virtualization and cloud computing share the need for cross-silo expertise, dynamic environments, usage metering, self-service, automation, and management tools.
Cross-Silo Expertise:
• As an organization gains experience with virtualization, roles within IT delivery are redefined.
• Historically, planning, provisioning, and troubleshooting required a combination of skills such as networking and UNIX system administration, which in a conventional enterprise were often found in separate IT silos.
Dynamic Environment:
• In a typical company, processes such as server installation and inventory management orient around configuration changes that, once provisioned, will last for years.
• Virtualized and cloud environments scale up and down dynamically and require supporting processes to handle changes that might last for only minutes or hours.
• For example, a developer might bring up a network of fifty VMs to test a batch job after lunch and be done with them at 5 o'clock.
Virtualization and cloud computing share Process Benefits
Self-Service:
• In a complex organization, conventional procedures to buy equipment or make configuration changes can take months to complete.
• Manually intensive; requests can become "lost in the mail."
• A balanced approach to self-service, which maintains control over financial, operational, and technical constraints and delivers quickly when a standard request is made, is typical of the benefits virtualization and cloud computing bring to business and IT users alike.
Usage Metering:
• Before virtualization, hardware and software assets were typically allocated to an individual business area within a company. The owning group bore the cost of purchase, housing, and support. However, as sharing increases with virtualization and cloud computing, it becomes necessary to collect usage statistics to allocate costs fairly. The design of this metering is critical for the discipline of demand management, which keeps costs under control.
Virtualization and cloud computing share Technology Challenges and Benefits
Automation:
• The move from physical to virtual allows the automation of a much greater proportion of the IT workload than in a conventional environment.
• Separating the process of resource allocation from hardware purchase allows a much more streamlined and efficient process for delivering customer requests for capacity and change.
Management Tools:
• Most enterprises have invested in a set of management tools to handle IT configurations, help-desk processes, monitoring, and other familiar IT challenges.
• Virtualization, together with the virtual and cloud-operating models, means that the systems that underpin in-house systems management must evolve to support both the new technologies and the new, more dynamic operating model. (Using clouds helps to meet this challenge)
Virtualization is Not Appropriate for All Cases
• There are a number of considerations when evaluating a candidate for virtualization, and for determining whether the time is right for making the leap. Organizational considerations for assessing virtualization readiness include the need for:
  • whether there exists a high rate of IT change and critical use or a relatively static one
  • the extent to which capital is expensive or unavailable
  • a skilled IT workforce
Organizational Readiness
Good Candidate – Organization
• Skilled IT Workforce: A skilled workforce is able and willing to take on the technical and operational challenges posed by virtualization. Furthermore, skilled workers want to work at an innovative and leading organization. This is a strong positive indicator for virtualization readiness.
• Capital Expensive or Unavailable: One of the easiest financial benefits to achieve with virtualization is a reduction or avoidance of capital expense by deferring the purchase of new servers and the related items—data centers, networks, and so on—that they require. This is a strong positive indicator for virtualization readiness.
• High Rate of IT Change and Critical Use: Virtualization, done right, can greatly reduce the time it takes to deliver an IT service. It can also greatly streamline major projects, such as premises moves and merger integration. This is a strong positive indicator for virtualization readiness.
Think Carefully – Organization
• Lack of In-house Skill Set: Virtualization requires specific technical skills on the new platforms. It also changes the way existing processes—data backup, virus protection, software distribution, and so on—should operate. Management must seek to improve the staff's skill set through training, retraining, or outsourcing. This is a weak negative indicator for virtualization readiness.
• Relatively Static IT: For many organizations IT is a key enabler, but some organizations' needs are minimal and without variation. If a business provides only the most basic services, then now may not be the time to virtualize. Nevertheless, over time, it is likely that all services will be provided in a virtual environment. This is a negative indicator of virtualization readiness.
Virtualization is Not Appropriate for All Cases
• Process considerations for assessing virtualization readiness include a service management culture, difficulty sharing among business units, and weak processes and controls.
Diagram labels: service management culture; difficulty sharing among business units; weak processes and controls
Process Readiness – CobiT Maturity DS3, DS1, DS8
Good Candidate – Process
• Service Management Culture:
  • Virtualization requires a proactive approach to service management and IT assurance. Problems would quickly arise from ineffective controls supporting performance and functionality targets.
  • Having a strong service-management mentality is a key success factor and a strong positive indicator for virtualization readiness.
• Difficulty Sharing:
  • Users can be isolated from each other with well-proven technology. If the root cause of inability to share is poor change management, virtualization can help.
Considerations Either Way – Process
• Difficulty Sharing Among Business Units: Complex organizations often have great difficulty sharing IT assets among separately managed business units. This can be due to organizational contention for scarce resources, or it can be due to externally imposed pressures affecting change windows and the ability to be flexible.
• Virtual infrastructure is shared infrastructure, but with one important difference—the users can be isolated from each other with well-proven technology.
Think Carefully – Process
• Difficulty Sharing:
  • If the problem lies in a shortage of resources, the solution is stronger governance and not a technical fix.
• Weak Processes and Controls:
  • An organization that lacks defined processes should tread carefully into virtualization. Processes must be in place and adhered to or problems will arise.
  • The most critical processes to review include:
    • Capacity Management: It is important not to over-provision the virtual environment, or everyone's performance will suffer, and with it the reputation and viability of the virtual IT services.
    • Service-Level Management: It is important to set expectations with users and provide follow-up to ensure their expectations are met, especially when rolling out a new technology.
    • Incident and Problem Management: Virtualization isolates services from their underlying hardware and enables a great degree of consolidation and efficiency, but this can also mean that there are a lot of eggs in one basket.
Virtualization is Not Appropriate for All Cases
• Technological considerations for assessing virtualization readiness include:
  • endemic poor utilization,
  • lifecycle management problems,
  • highly utilized infrastructure,
  • input/output-intensive application,
  • third-party support issues, and
  • custom hardware dependency.
Diagram labels: highly utilized infrastructure, input/output-intensive application; lifecycle management problems; Third party dependency; Custom Hardware; Endemic poor utilization
http://www.enterprisegrc.com
Technology Readiness
Good Candidate
Technology
• Endemic poor utilization,
Virtualization can directly address
poor utilization of servers, storage,
and networks. This is a strong
positive signal for virtualization
readiness.
• Lifecycle Management Problems:
In many cases, organizations find
themselves unable to keep
software versions up to date due
to a lack of resources, including
the availability of environments for
test and development, and
because of downtime for
upgrades.
• Virtualization simplifies software
maintenance by enabling multiple
environments to run in parallel,
making testing and, in the event of
a problem, rollback much easier.
This is a strong positive signal for
virtualization readiness.
Considerations Either Way
Technology
• Infrastructure is Highly Utilized:
One of virtualization's major
benefits is increasing utilization
through consolidation. If the
infrastructure is already highly
utilized, this would seem to be a
negative signal. However, it is
possible that demand is unevenly
spread across the IT estate; in this
case, virtualization can make it
easier to migrate IT services and
can help address the issue.
• Input/Output-Intensive
Application: In the past,
virtualization systems were
challenged to deliver performance
for IO-intensive applications.
Although great strides have been
made in improving IO throughput
with application, server, and
hardware-level virtualization
technology, there may still be
issues dependent on the IO
workload in question. This is
generally a neutral indicator.
Think Carefully
• Third-Party Support Issues: Some
applications may not be
supported, or may not be fully
supported, in a virtual
environment. An example of this is
Microsoft Active Directory, which is
fully supported on Microsoft's own
Hyper-V virtualization platform but
is not fully supported on other
platforms. Applications with this
characteristic are poor candidates
for virtualization.
• Custom Hardware Dependency:
Some applications are tied to
custom hardware. The attached
hardware might be as simple as a
dongle for license management, or
as complex as a device-control
interface or a modem rack.
Applications with this
characteristic are poor candidates
for virtualization.
Data Center Virtualization Characteristics
 Regardless of whether the applications need the
resources at any given time, the typical corporate
data center is full of expensive equipment, most of
which is dedicated to specific applications.
[Diagram labels: Management Tools; Server virtualization; Storage virtualization; Network virtualization]
Workplace Virtualization Characteristics
 In the workplace, virtualization also applies to the familiar workplace
environment of personal computers and desktop applications. A typical
workplace has a large number of computers scattered throughout the
premises, each needing to be managed and kept current with the latest
software.
 It is important to note that when we say workplace we are focused on the
desktop and mobile data applications in the workplace. While concepts in
virtualization also apply to other aspects of the workplace such as the
physical office, telephones, and meeting rooms, those are not specifically
covered in this course.
[Diagram labels: Workplace virtualization: virtual desktop infrastructure; server-based computing; workstation virtualization; application virtualization]
Return on Investment in Adopting Virtualization
 Underpinned by common management tools and
processes
 All aspects of systems management must account for
virtualization. Not only must the chosen set of
virtualization technologies itself be managed as a
platform, but the enterprise tools associated with
 Monitoring
 Provisioning
 Incident And Problem Management
 Inventory Management, and
 Software Development And Releases, must all be
integrated to ensure that they work well in a virtual
environment.
 Although it is possible to treat virtual infrastructure
as if it were only physical infrastructure and not
change the organization's way of working, doing so
eliminates many of the benefits of virtualization in
the first place.
 Adopting a new, virtual, infrastructure operating
model is critical to achieve Return on Investment
(ROI).
Audit Watch for Migration Problems
 IP addresses might need changing in configuration files, and
certificates might need to be updated.
 Issues that are expressly problematic for virtualization include
requirements for particular hardware, such as hardware
dongles or RS232 connections.
 Also problematic are applications with very high I/O requirements,
life-critical applications, and real-time applications, such as
applications that have interfaces to special hardware with
demanding time requirements.
 If an application is consuming a large amount of CPU or
memory resources, it might not be a candidate for
consolidation even if it can be virtualized.
 Benefits are still likely to outweigh the risk: downtime
avoidance, disaster recovery, and increased availability.
Concerns and Solutions - Three Camps
 When virtualization is first introduced, people initially have some concerns:
Is it Proven? Will it Perform? Can we adapt this to our Culture?
• Proven Technology - Solutions: Careful Placement and Cluster Design. The concern is that
putting multiple applications on a single server will greatly increase the impact of a
hardware failure. This concern is valid and should be addressed by careful
placement and cluster design to ensure that the impact of specific failures is well
understood and that the cluster provides appropriate failover capabilities.
• Performance - Solutions: Monitoring, Service Reporting, Governance Mechanisms. The
concern is that the virtual infrastructure will become so swamped with applications that
performance will be impacted. To address this, it is important that organizations introduce
monitoring and service reporting to demonstrate that the infrastructure is operating
within capacity, and effective governance mechanisms to take action when it is not.
• Cultural Solutions - (Control, Service Definition, Technology Knowledge) Education and
Reorganization. Enterprise-scale virtualization should be viewed as a new service. It will
require formal service definitions and the establishment of appropriate Service Level
Agreements (SLAs) and Operational Level Agreements (OLAs). It will also require
appropriate education of the workforce and is likely to need a degree of
reorganization within the data center.
ITIL Glossary
• Application service provider (ITIL® phase: Service Design): (This term is now superseded by 'SaaS service provider,' though not exactly identical.) An external service provider that provides IT services using applications running at the service provider's premises; users access the applications by network connections to the service provider
• Architecture (ITIL® phase: Service Design): The structure of a system or IT service, including the relationships of components to each other and to the environment they are in; architecture also includes the standards and guidelines, which guide the design and evolution of the system
• Assets (ITIL® phase: Service Strategy): Asset: Any resource or capability; assets of a service provider include anything that could contribute to the delivery of a service; assets can be one of the following types: Management, Organization, Process, Knowledge, People, Information, Applications, Infrastructure, and Financial Capital
• Availability (ITIL® phase: Service Design): Ability of a Configuration Item or IT service to perform its agreed function when required; availability is determined by reliability, maintainability, serviceability, performance, and security; availability is usually calculated as a percentage; this calculation is often based on agreed service time and downtime; it is best practice to calculate availability using measurements of the business output of the IT service
• Backup (ITIL® phases: Service Design, Service Operation): Copying data to protect against loss of integrity or availability of the original
• Business continuity management (ITIL® phase: Service Design): The business process responsible for managing risks that could seriously impact the business; BCM safeguards the interests of key stakeholders, reputation, and brand and value-creating activities; the BCM process involves reducing risks to an acceptable level and planning for the recovery of business processes should a disruption to the business occur; BCM sets the objectives, scope, and requirements for IT Service Continuity Management
• Capacity (ITIL® phase: Service Design): The maximum throughput that a Configuration Item or IT service can deliver while meeting agreed service level targets; for some types of CIs, capacity may be the size or volume, for example, a disk drive
• Capacity Management (ITIL® phase: Service Design): The process responsible for ensuring that the capacity of IT services and the IT infrastructure is able to deliver agreed service level targets in a cost-effective and timely manner; Capacity Management considers all resources required to deliver the IT service and plans for short-, medium-, and long-term business requirements
• Change Advisory Board (ITIL® phase: Service Transition): A group of people that advises the Change Manager in the assessment, prioritization, and scheduling of changes; this board is usually made up of representatives from all areas within the IT service provider, the business, and third parties, such as suppliers
• Change Management (ITIL® phase: Service Transition): The process responsible for controlling the lifecycle of all changes; the primary objective of Change Management is to enable beneficial changes to be made, with minimum disruption to IT services
• Charging (ITIL® phase: Service Strategy): Requiring payment for IT services; charging for IT services is optional, and many organizations choose to treat their IT service provider as a cost center
• Confidentiality (ITIL® phase: Service Design): The security goal that generates the requirement for protection from intentional or accidental attempts to perform unauthorized data reads; confidentiality covers data in storage, during processing, and in transit; a security principle that requires that data should only be accessed by authorized people
• Configuration (ITIL® phase: Service Transition): A generic term used to describe a group of Configuration Items that work together to deliver an IT service or a recognizable part of an IT service; configuration is also used to describe the parameter settings for one or more CIs
• Configuration Management Database (ITIL® phase: Service Transition): A database used to store configuration records throughout their lifecycle; the Configuration Management System maintains one or more CMDBs, and each CMDB stores attributes of CIs and the relationships with other CIs
• Deployment (ITIL® phase: Service Transition): The activity responsible for movement of new or changed hardware, software, documentation, processes, and so on to the live environment; deployment is part of the Release and Deployment Management process
• Developer, development (ITIL® phase: Service Design): Development: The process responsible for creating or modifying an IT service or application; also used to mean the role or group that carries out development work
• Downtime (ITIL® phases: Service Design, Service Operation): The time when a Configuration Item or IT service is not available during its agreed service time; the availability of an IT service is often calculated from agreed service time and downtime
• Environment (ITIL® phase: Service Transition): A subset of the IT infrastructure that is used for a particular purpose; for example, live environment, test environment, and build environment
• Identity (ITIL® phase: Service Operation): A unique name that is used to identify a user, person, or role; the identity is used to grant rights to that user, person, or role; for example, identities might be the user name SmithJ or the role "change manager"
• Integrity (ITIL® phase: Service Design): A security principle that ensures that data and Configuration Items are only modified by authorized personnel and activities; integrity considers all possible causes of modification, including software and hardware failure, environmental events, and human intervention
• Middleware (ITIL® phase: Service Design): Software that connects two or more software components or applications; middleware is usually purchased from a supplier, rather than developed within the IT service provider
• Outsourcing (ITIL® phase: Service Strategy): Contracting the services of outside suppliers instead of providing those services with the company's own staff and assets; using an external service provider to manage IT services
• Provider (ITIL® phase: Service Strategy): Service provider: An organization supplying services to one or more internal customers or external customers
• Request fulfillment (ITIL® phase: Service Operation): The process responsible for managing the lifecycle of all service requests
• Resilience (ITIL® phase: Service Design): The ability of a Configuration Item or IT service to resist failure or to recover quickly following a failure, for example, an armored cable will resist failure when put under stress
• Resource (ITIL® phase: Service Strategy): A generic term that includes IT Infrastructure, people, money or anything else that might help to deliver an IT service; resources are considered to be the assets of an organization
• Security Management (ITIL® phase: Service Design): ISM: The process that ensures the confidentiality, integrity, and availability of an organization's assets, information, data, and IT services; Information Security Management usually forms part of an organizational approach to Security Management, which has a wider scope than the IT service provider, and includes handling of paper, building access, phone calls, and so on for the entire organization
• Server (ITIL® phase: Service Operation): A computer that is connected to a network and provides software functions that are used by other computers
• Software release (ITIL® phase: Service Transition): A collection of hardware, software, documentation, processes, or other components required to implement one or more approved changes to IT services; the contents of each release are managed, tested, and deployed as a single entity
• Sourcing (ITIL® phase: Service Strategy): Service sourcing: The strategy and approach for deciding whether to provide a service internally or to outsource it to an external service provider; service sourcing also means the execution of this strategy
Vendor Landscape
 Virtualization was a new
software category a decade
ago when VMware
introduced its first products.
Today, there are a number
of leaders on the market,
providing software suites
that help virtualized data
centers. VMware remains
the market leader today,
with Microsoft and Citrix
rounding off the top three
in terms of number of
licenses shipped.
 It is important for corporate
users to understand the
competitive landscape to
select the right vendor for
their needs and to negotiate
the best terms for the total
cost of the new capability.
 Many vendors provide the
virtualization technology
and solutions, and all of
them both compete and
cooperate to a great extent.
Recently, there has been a
tremendous run of
acquisitions as major
players fortify their
virtualization capabilities. As
you learn about the details
of data center and
workplace virtualization,
keep in mind that this
industry is immature and
evolving rapidly. Learn
about the vendors and
educate yourself so that you
can make the right decisions
about where to invest your
company's efforts.
[Vendor graphic labels:]
• Server virtualization, vSphere, desktop virtualization, free server virtualization with free VMware Server
• RHEV (Red Hat Enterprise Virtualization for Servers), Linux market leader, Qumranet, also supports Windows
• Citrix, Xen Desktop and Xen Server, remote access and workplace virtualization, focus on remote desktop enablement
• Microsoft, built-in virtualization capability in Server 2008 R2
Since we only had one hour,
there were a lot of topics we
couldn’t discuss. Let’s keep
the dialogue going on
Facebook, LinkedIn and
Twitter.
Thanks for your time
This presentation was a sample of content found in Cloud Essentials™ and
Virtualization Essentials™ Curriculum. Some views and all graphics are the
copyright of EnterpriseGRC Solutions™. For more information about
copyrighted content from CompTIA™ and ITpreneurs™, please visit
http://www.enterprisegrc.com/index.php?option=com_content&view=article&id=49:edu&catid=37:edu&Itemid=62
EnterpriseGRC Solutions™ is an ITpreneurs partner, Member of the Cloud
Credential Council and (ten year) sponsor to the ITGI™
Cloud and Virtualization Essentials for Auditors

More Related Content

What's hot

5 Ways to Get Even More from Your IBM Security QRadar Investment in 2016
5 Ways to Get Even More from Your IBM Security QRadar Investment in 20165 Ways to Get Even More from Your IBM Security QRadar Investment in 2016
5 Ways to Get Even More from Your IBM Security QRadar Investment in 2016IBM Security
 
State of Security Operations 2016 report of capabilities and maturity of cybe...
State of Security Operations 2016 report of capabilities and maturity of cybe...State of Security Operations 2016 report of capabilities and maturity of cybe...
State of Security Operations 2016 report of capabilities and maturity of cybe...at MicroFocus Italy ❖✔
 
Case Study - Currency from the Cloud: Security & Compliance for Payment Provider
Case Study - Currency from the Cloud: Security & Compliance for Payment ProviderCase Study - Currency from the Cloud: Security & Compliance for Payment Provider
Case Study - Currency from the Cloud: Security & Compliance for Payment ProviderArmor
 
Protect Against Security Breaches by Securing Endpoints with Multi-Factor Aut...
Protect Against Security Breaches by Securing Endpoints with Multi-Factor Aut...Protect Against Security Breaches by Securing Endpoints with Multi-Factor Aut...
Protect Against Security Breaches by Securing Endpoints with Multi-Factor Aut...CA Technologies
 
Security Operation Center - Design & Build
Security Operation Center - Design & BuildSecurity Operation Center - Design & Build
Security Operation Center - Design & BuildSameer Paradia
 
Cybersecurity solution-guide
Cybersecurity solution-guideCybersecurity solution-guide
Cybersecurity solution-guideAdilsonSuende
 
Csa summit la transformación digital y el nuevo rol del ciso
Csa summit   la transformación digital y el nuevo rol del cisoCsa summit   la transformación digital y el nuevo rol del ciso
Csa summit la transformación digital y el nuevo rol del cisoCSA Argentina
 
Whitepaper: Moving to Clouds? Simplify your approach to understand the risks ...
Whitepaper: Moving to Clouds? Simplify your approach to understand the risks ...Whitepaper: Moving to Clouds? Simplify your approach to understand the risks ...
Whitepaper: Moving to Clouds? Simplify your approach to understand the risks ...Happiest Minds Technologies
 
Cybersecurity through the Deloitte lens
Cybersecurity through the Deloitte lensCybersecurity through the Deloitte lens
Cybersecurity through the Deloitte lensaakash malhotra
 
How BlueHat Cyber Uses SanerNow to Automate Patch Management and Beyond
How BlueHat Cyber Uses SanerNow to Automate Patch Management and BeyondHow BlueHat Cyber Uses SanerNow to Automate Patch Management and Beyond
How BlueHat Cyber Uses SanerNow to Automate Patch Management and BeyondSecPod Technologies
 
Csa summit who can protect us education for cloud security professionals
Csa summit   who can protect us education for cloud security professionalsCsa summit   who can protect us education for cloud security professionals
Csa summit who can protect us education for cloud security professionalsCSA Argentina
 
Comodo SOC service provider
Comodo SOC service providerComodo SOC service provider
Comodo SOC service providerpaulharry03
 
Keys to success and security in the cloud
Keys to success and security in the cloudKeys to success and security in the cloud
Keys to success and security in the cloudScalar Decisions
 
How To Present Cyber Security To Senior Management Complete Deck
How To Present Cyber Security To Senior Management Complete DeckHow To Present Cyber Security To Senior Management Complete Deck
How To Present Cyber Security To Senior Management Complete DeckSlideTeam
 
Simplify Your Approach To_Assess The Risks Of Moving Into The Cloud
Simplify Your Approach To_Assess The Risks Of Moving Into The CloudSimplify Your Approach To_Assess The Risks Of Moving Into The Cloud
Simplify Your Approach To_Assess The Risks Of Moving Into The CloudHappiest Minds Technologies
 
Critical Capabilities for MDR Services - What to Know Before You Buy
Critical Capabilities for MDR Services - What to Know Before You BuyCritical Capabilities for MDR Services - What to Know Before You Buy
Critical Capabilities for MDR Services - What to Know Before You BuyFidelis Cybersecurity
 
I Own Your Building (Management System)
I Own Your Building (Management System)I Own Your Building (Management System)
I Own Your Building (Management System)Zero Science Lab
 
Csa summit cualquier aplicación, desde cualquier dispositivo, en cualquier ...
Csa summit   cualquier aplicación, desde cualquier dispositivo, en cualquier ...Csa summit   cualquier aplicación, desde cualquier dispositivo, en cualquier ...
Csa summit cualquier aplicación, desde cualquier dispositivo, en cualquier ...CSA Argentina
 
Aligning to the NIST Cybersecurity Framework in the AWS
Aligning to the NIST Cybersecurity Framework in the AWSAligning to the NIST Cybersecurity Framework in the AWS
Aligning to the NIST Cybersecurity Framework in the AWSAmazon Web Services
 

What's hot (20)

5 Ways to Get Even More from Your IBM Security QRadar Investment in 2016
5 Ways to Get Even More from Your IBM Security QRadar Investment in 20165 Ways to Get Even More from Your IBM Security QRadar Investment in 2016
5 Ways to Get Even More from Your IBM Security QRadar Investment in 2016
 
State of Security Operations 2016 report of capabilities and maturity of cybe...
State of Security Operations 2016 report of capabilities and maturity of cybe...State of Security Operations 2016 report of capabilities and maturity of cybe...
State of Security Operations 2016 report of capabilities and maturity of cybe...
 
Case Study - Currency from the Cloud: Security & Compliance for Payment Provider
Case Study - Currency from the Cloud: Security & Compliance for Payment ProviderCase Study - Currency from the Cloud: Security & Compliance for Payment Provider
Case Study - Currency from the Cloud: Security & Compliance for Payment Provider
 
Protect Against Security Breaches by Securing Endpoints with Multi-Factor Aut...
Protect Against Security Breaches by Securing Endpoints with Multi-Factor Aut...Protect Against Security Breaches by Securing Endpoints with Multi-Factor Aut...
Protect Against Security Breaches by Securing Endpoints with Multi-Factor Aut...
 
IBM Security Strategy Intelligence,
IBM Security Strategy Intelligence,IBM Security Strategy Intelligence,
IBM Security Strategy Intelligence,
 
Security Operation Center - Design & Build
Security Operation Center - Design & BuildSecurity Operation Center - Design & Build
Security Operation Center - Design & Build
 
Cybersecurity solution-guide
Cybersecurity solution-guideCybersecurity solution-guide
Cybersecurity solution-guide
 
Csa summit la transformación digital y el nuevo rol del ciso
Csa summit   la transformación digital y el nuevo rol del cisoCsa summit   la transformación digital y el nuevo rol del ciso
Csa summit la transformación digital y el nuevo rol del ciso
 
Whitepaper: Moving to Clouds? Simplify your approach to understand the risks ...
Whitepaper: Moving to Clouds? Simplify your approach to understand the risks ...Whitepaper: Moving to Clouds? Simplify your approach to understand the risks ...
Whitepaper: Moving to Clouds? Simplify your approach to understand the risks ...
 
Cybersecurity through the Deloitte lens
Cybersecurity through the Deloitte lensCybersecurity through the Deloitte lens
Cybersecurity through the Deloitte lens
 
How BlueHat Cyber Uses SanerNow to Automate Patch Management and Beyond
How BlueHat Cyber Uses SanerNow to Automate Patch Management and BeyondHow BlueHat Cyber Uses SanerNow to Automate Patch Management and Beyond
How BlueHat Cyber Uses SanerNow to Automate Patch Management and Beyond
 
Csa summit who can protect us education for cloud security professionals
Csa summit   who can protect us education for cloud security professionalsCsa summit   who can protect us education for cloud security professionals
Csa summit who can protect us education for cloud security professionals
 
Comodo SOC service provider
Comodo SOC service providerComodo SOC service provider
Comodo SOC service provider
 
Keys to success and security in the cloud
Keys to success and security in the cloudKeys to success and security in the cloud
Keys to success and security in the cloud
 
How To Present Cyber Security To Senior Management Complete Deck
How To Present Cyber Security To Senior Management Complete DeckHow To Present Cyber Security To Senior Management Complete Deck
How To Present Cyber Security To Senior Management Complete Deck
 
Simplify Your Approach To_Assess The Risks Of Moving Into The Cloud
Simplify Your Approach To_Assess The Risks Of Moving Into The CloudSimplify Your Approach To_Assess The Risks Of Moving Into The Cloud
Simplify Your Approach To_Assess The Risks Of Moving Into The Cloud
 
Critical Capabilities for MDR Services - What to Know Before You Buy
Critical Capabilities for MDR Services - What to Know Before You BuyCritical Capabilities for MDR Services - What to Know Before You Buy
Critical Capabilities for MDR Services - What to Know Before You Buy
 
I Own Your Building (Management System)
I Own Your Building (Management System)I Own Your Building (Management System)
I Own Your Building (Management System)
 
Csa summit cualquier aplicación, desde cualquier dispositivo, en cualquier ...
Csa summit   cualquier aplicación, desde cualquier dispositivo, en cualquier ...Csa summit   cualquier aplicación, desde cualquier dispositivo, en cualquier ...
Csa summit cualquier aplicación, desde cualquier dispositivo, en cualquier ...
 
Aligning to the NIST Cybersecurity Framework in the AWS
Aligning to the NIST Cybersecurity Framework in the AWSAligning to the NIST Cybersecurity Framework in the AWS
Aligning to the NIST Cybersecurity Framework in the AWS
 

Similar to Cloud and Virtualization Essentials for Auditors

Introduction to Cloud B2B Integration
Introduction to Cloud B2B IntegrationIntroduction to Cloud B2B Integration
Introduction to Cloud B2B IntegrationMark Morley, MBA
 
What are the advantages of adopting public cloud
What are the advantages of adopting public cloudWhat are the advantages of adopting public cloud
What are the advantages of adopting public cloudNicole Khoo
 
Unlocking the value of the cloud - The benefits of deploying asset and facili...
Unlocking the value of the cloud - The benefits of deploying asset and facili...Unlocking the value of the cloud - The benefits of deploying asset and facili...
Unlocking the value of the cloud - The benefits of deploying asset and facili...Cyrus Sorab
 
QuickView #5 - Cloud
QuickView #5 - CloudQuickView #5 - Cloud
QuickView #5 - CloudSonovate
 
The why of a cloud ppt
The why of a cloud pptThe why of a cloud ppt
The why of a cloud pptSana Nasar
 
Best cloud computing training institute in noida
Best cloud computing training institute in noidaBest cloud computing training institute in noida
Best cloud computing training institute in noidataramandal
 
A NEW APPROACH FOR SECURITY IN CLOUD DATA STORAGE FOR IOT APPLICATIONS USING ...
A NEW APPROACH FOR SECURITY IN CLOUD DATA STORAGE FOR IOT APPLICATIONS USING ...A NEW APPROACH FOR SECURITY IN CLOUD DATA STORAGE FOR IOT APPLICATIONS USING ...
A NEW APPROACH FOR SECURITY IN CLOUD DATA STORAGE FOR IOT APPLICATIONS USING ...IRJET Journal
 
Cloud presentation for marketing purpose
Cloud presentation for marketing purposeCloud presentation for marketing purpose
Cloud presentation for marketing purposeAsif Anik
 
Cloud presentation for marketing purpose
Cloud presentation for marketing purposeCloud presentation for marketing purpose
Cloud presentation for marketing purposeAsif Anik
 
Cloud services.pdf
Cloud services.pdfCloud services.pdf
Cloud services.pdfAsif Ali
 
Introduction to Cloud computing
Introduction to Cloud computingIntroduction to Cloud computing
Introduction to Cloud computingKumayl Rajani
 
The-Roadmap-to-Master-Cloud.pdf
The-Roadmap-to-Master-Cloud.pdfThe-Roadmap-to-Master-Cloud.pdf
The-Roadmap-to-Master-Cloud.pdfNetCom Learning
 
Analyst Report: Clearing the Clouds
Analyst Report: Clearing the Clouds  Analyst Report: Clearing the Clouds
Analyst Report: Clearing the Clouds EMC
 
Cloud Computing By Faisal Shehzad
Cloud Computing By Faisal ShehzadCloud Computing By Faisal Shehzad
Cloud Computing By Faisal ShehzadFaisal Shehzad
 
The Ultimate Guide to Cloud Migration - A Whitepaper by RapidValue
The Ultimate Guide to Cloud Migration - A Whitepaper by RapidValueThe Ultimate Guide to Cloud Migration - A Whitepaper by RapidValue
The Ultimate Guide to Cloud Migration - A Whitepaper by RapidValueRapidValue
 
Overcoming Operational & Financial Barriers to Cloud
Overcoming Operational & Financial Barriers to CloudOvercoming Operational & Financial Barriers to Cloud
Overcoming Operational & Financial Barriers to CloudTrustmarque
 

Cloud and Virtualization Essentials for Auditors

  • 1.
  • 2. http://www.enterprisegrc.com Virtualization and Cloud Essentials™ Readiness, An Auditor Spin. CompTIA™ & ITpreneurs Certification Readiness and Auditor Centric Discussion, Presented by Robin Basham
  • 3. Agenda? Your Presenter, Robin Basham, M.Ed, M.IT, CISA, ITSM, CGEIT, CRISC, ACC, CRP, VRP, Blah, Blah, Blah, Cloud, Blah
  • 4. What Is Cloud Services? Cloud Computing: Where is it? What is it?
      • Cloud enables resources to serve multiple needs for multiple consumers, rather than dedicating resources for individual infrastructure, software, or platforms.
      • Cloud delivers IT capabilities that scale with demand, rather than being defined by a fixed set of assets.
      • Cloud is delivered as a well-defined service, instead of as a product that needs system administrators and maintenance.
      • Cloud is typically based on open Internet technology, which increases its interoperability.
      • Cloud is priced according to recurring subscriptions or has usage-based charges, rather than having an up-front cost.
  • 5. Three Terms We Will Say A Lot
      • Virtualization: Abstracts compute services away from their physical hardware and allows them to be treated as data. (The technology)
      • Cloud: Builds on this abstraction by allowing services to be flexibly sourced from a number of providers and delivered over a number of channels. (The business)
      • Asset Efficiency: The resulting savings from buying, housing, and supporting fewer devices (a.k.a. the benefit of Virtualization).
    ©Copyright EnterpriseGRC Solutions™, Inc. 2012, All Rights Reserved
  • 6. While Camps Debate Over The Safety Of Cloud Computing
      • Auditors and the business have to collaborate in refining existing risk scenarios, addressing new areas of configuration management, and modifying change policies to prevent common pitfalls known to the adoption of any new technology (i.e., loss of availability, integrity and reputation).
      • Cloud and Virtualization offer unprecedented essential business value (such as avoiding downtime, improving availability, reducing cost of operations and speeding product to markets), but companies that rush to leverage cost savings are also likely to experience our next biggest losses of all time.
  • 7. Controlling Risk in Virtualized Environments
      • The Controlling Risk in Virtualized Environments session points to a few practical education and Information Technology approaches that provide strategies for effective risk management in Virtualization and Cloud adoption.
      • Please visit to find more.
      • If there was something you missed, check out our Facebook page, because many ideas and images will also be there.
  • 8. Topics
      • Your Context
      • Key cloud concepts & terminology
      • Cloud and virtualization project components
      • Implications in Information Technology Service Management (ITSM)
      • Security and legal aspects in governance
      • Outline steps to: increase their success rate of implementing cloud computing, improve in-house cloud competencies, and decrease dependence on external consultants and services.
      • Please note that tonight’s discussion will leverage guidelines proposed in the CompTIA™ Cloud and Virtualization Essentials™ curriculum.
      • Copyright for most of this information is EnterpriseGRC Solutions, ISACA, ITpreneurs™ or CompTIA™
  • 10. You’re in the Cloud – Let’s Talk About What that Means to IT Audit
  • 12. Standards Referenced – Refresh ITIL Lifecycle Stages, ISACA, NIST and CSA
      • Service Management - (ITIL): Cloud computing as a set of technologies and an approach to IT service delivery
      • Governance – (COBIT): Detailing ways that risks should be mitigated such that investments generate value
      • Information Security - (ISO/IEC 27001): “Risk Management or Governance” through specific “Policy” where information security ensures that information in the cloud is safe and secure
      • NIST http://www.enterprisegrc.com/index.php?option=com_wrapper&view=wrapper&Itemid=160
      • Cloud Security Alliance Https://Cloudsecurityalliance.Org/
      • ISACA - Controls Assurance In The Cloud http://www.isaca.org/Knowledge-Center/Research/ResearchDeliverables/Pages/IT-Control-Objectives-for-Cloud-Computing-Controls-and-Assurance-in-the-Cloud.aspx
    ITIL lifecycle stages:
      • Service Strategy: Demand Management; Service Portfolio Management; Finance Management
      • Service Design: Service Catalogue Management; Service Level Management; Supplier Management; Capacity Management; Availability Management; Information Security Management
      • Service Operations: Request Fulfillment; Event Management; Incident Management; Problem Management; Access Management
      • Service Transition: Change Management; Service Asset and Configuration Management; Knowledge Management; Deployment, Decommission, and Transfer
  • 13. Cloud Deployment Methods SaaS, PaaS, IaaS
      • Software as a Service: SaaS is the capability provided to the consumer to use the provider’s applications running on a cloud infrastructure; the applications are accessible from various client devices through a thin client interface such as a Web browser (for example, Web-based e-mail); the consumer does not manage or control the underlying cloud infrastructure, including network, servers, operating systems, storage, or even individual application capabilities, with the possible exception of limited user-specific application configuration settings. Examples are online applications like Gmail, Salesforce.com and Microsoft
      • Platform as a Service: PaaS is the capability provided to the consumer to deploy onto the cloud infrastructure consumer-created or acquired applications created using programming languages and tools supported by the provider. The consumer does not manage or control the underlying cloud infrastructure including network, servers, operating systems, or storage, but has control over the deployed applications and possibly application hosting environment configurations. Examples are specialized software libraries (API and programming interfaces).
      • Infrastructure as a Service: IaaS is the capability provided to the consumer to provision processing, storage, networks, and other fundamental computing resources where the consumer is able to deploy and run arbitrary software, which can include operating systems and applications; the consumer does not manage or control the underlying cloud infrastructure but has control over operating systems, storage, deployed applications, and possibly limited control over select networking components (for example, host firewalls). Examples are servers and virtual machines running as a service.
  • 14. Virtualization is an enabling technology
      • Virtualization is an enabling technology for cloud computing and cloud computing services.
      • For cloud computing to occur, it is necessary to separate resources from their physical location. Without virtualization, the cloud becomes very difficult to manage.
      • Cloud computing is a business model where ownership of physical resources rests with one party, and the service users are billed for their real use. An organization can use virtualization for internal customers. Cloud computing presupposes external service users.
      • The Cloud Model is a transformation in how IT is delivered.
  • 15. Business Impact
      • Business value can be something positive that has been added, but it can also be something negative that is reduced.
      • When considering Cloud and Virtualization, here are some of the business and IT concerns:
      • Cost: Including capital cost for servers, storage, network, software, and so on, and the operational cost involved in running the IT systems, cost consumes a large portion of a business budget.
      • Maintenance: Maintaining current applications involves not only money and time, but also quite a bit of management attention.
      • Security and Risk Management: For regulatory and legal reasons and for business continuity.
      • User Experience: Determines the enthusiasm with which applications will be integrated in the day-to-day business.
      • Flexibility: Businesses expand and contract. For most organizations, the flexibility of IT plays a crucial role in facilitating growth.
      • Expansion: IT systems continue to expand beyond the physical borders of the organization.
  • 16. CapEx and OpEx – Reasons for Using Cloud Providers
      • Cloud providers can deliver lower cost because they enjoy economies of scale. Clients don't have to purchase large amounts of hardware; instead, they are able to invest in cost-saving operational procedures, which are easy to justify.
      • Capital expenses (CapEx): Cloud computing drives greater optimization and utilization of IT assets, allowing you to do more with less and to realize significant cost reduction. You can take on IT capital investments in increments of required capacity instead of building for maximum, or burst, capacity.
      • Operating expenses (OpEx): Although IT would continue to make capital investments, public cloud offerings are billed to the enterprise on a pay-per-use basis, and private clouds can be treated as OpEx by consuming business units. Through automation, cloud computing reduces the amount of time and effort needed to provision and scale IT resources.
  • 17. Business Value in Virtualization
  • 18. Discussion Perspectives: User, Vendor and Technology
      • User Perspective: involves some of the following goals of technology and business:
          • Server consolidation and asset efficiency
          • Migration to an industry-standard X86 hardware architecture
          • Speeding up the provisioning of servers and storage
          • Reduction in capital expenditure
          • Enabling a more mobile workforce
      • Vendor:
          • Is a framework or methodology of dividing the resources of a computer into multiple execution environments by applying concepts or technologies.
          • Examples include hardware and software partitioning, time-sharing, partial or complete machine simulation, emulation and quality of service.
      • Technology:
          • Enables IT groups to deploy and manage resources as logical services instead of physical resources.
          • Using network virtualization, IT administrators can segment and align IT services to meet the specific user and group network needs.
          • Logical, secure segmentation helps IT comply with regulations for resource-specific security.
  • 19. New Tools, New Processes, New RunBooks – Asset, Release, Patch, Backup Restore, and Monitor
      • The introduction of virtualization brings many changes that need to be reflected in the tools that administrators use to manage systems. Some examples of the types of changes that need to be addressed include:
          • Servers and workstations are no longer tied to a particular, known location.
          • Releasing software patches is different in a virtual environment.
          • Backup and restore run from a central location as opposed to execution on the machine.
          • Monitoring tools that are used to correlate hardware and software events may no longer understand where dependencies lie.
      • In addition, each virtual platform has its own management tools, which need to be integrated into operations.
      • Diagram labels: Help Desk Tools; Configuration Management Databases; Monitoring and Alerting Tools; Security Audit Tools; Citrix Desktop Director; VMware View Manager; Cisco UCS Manager; RHEV-M
  • 20. Virtualization Simplifies Application Development Process
      • Agile Development: Agile Development, which calls for rapid, incremental delivery of new code in a running system driven by specific test cases, can be greatly streamlined by virtualization. The developer can clone an environment to hand over to testers and continue to work without having to spend time laboriously recreating environments for testing.
      • Multi-tier Environments: When dealing with code that runs in different environments, as in commercial software or even when sharing an application between geographies or business units in a single company, it can be hard to replicate bugs and test whether fixes work. Virtualization can aid here in a number of ways:
          • Maintain multiple testing environments without expensive, rarely used hardware.
          • Ability to keep literally all versions of the software run ready.
          • Take a virtual snapshot of a customer's running system and bring it intact into the lab for testing.
      • Packaging and Installation: Conventional approaches to packaging and installation can leave customers and systems administrators with the complex task of installing the application and its dependencies and properly configuring the software. With careful planning, this kind of repetitive systems administration task can become a thing of the past as development teams deploy software as virtual appliances ready to run in a server virtualization environment. With contemporary virtualization platforms, even sophisticated multi-tier applications can be packaged and released, ready to install and go.
      • Defect Management: Some software defects can be extremely hard to track down when they involve networks of application code on different machines performing unpredictably. Defects can be greatly dependent on timing, and so-called Heisenbugs can be incredibly hard to isolate. When an entire network of machines is virtualized and run on a single machine for test purposes, advanced debugging systems like Sun Microsystems' DTrace can greatly reduce the complexity of the problem. Werner Heisenberg, a key figure in the development of modern physics, posited that when you observe a system you change its state. The development community uses the term "Heisenbug" to denote a bug that disappears when you try to measure or isolate it.
  • 21. Cloud Journey – IT Operational Viewpoint (maturity table; columns: Level, Adoption, Migration, Operation, Virtualization Technology)
      • Level 4 - Enabled
          • Adoption: Physical hosts are only used in very exceptional circumstances
          • Migration: Migration is largely completed, but tools are available if required
          • Operation: Operations model has been adopted to take full advantage of automation and self service. Support organization is service focused rather than technology focused
          • Virtualization Technology: Self-service portals; Orchestration; Reporting frameworks
      • Level 3 - Managed
          • Adoption: VM is the default choice and is approved for all classes of use, including production
          • Migration: Large-scale mass migration exercises using automated tools are in progress or have completed
          • Operation: Virtualization support responsibilities are clearly defined. An operational center of virtualization expertise exists.
          • Virtualization Technology: Management frameworks; Capacity Management tools
      • Level 2 - Adopting
          • Adoption: VM approved for some functions, for example, dev/test
          • Migration: Migration is largely manual and small scale
          • Operation: Organization has not changed to reflect virtualization, but existing functions can provide basic support
          • Virtualization Technology: Product specific management and migration tools
      • Level 1 - Evaluating
          • Adoption: Limited Pilots
          • Migration: Migration tools under evaluation
          • Operation: Virtualization is supported largely by the engineering function
          • Virtualization Technology: Hypervisor
      • Level 0 - Un-adopted
          • Adoption: No engineered or supported VM hosts
          • Migration: No activity
          • Operation: Process takes no account of virtualization
          • Virtualization Technology: None
  • 23. Risks and Actions to Mitigate in Enterprise Virtualization
  • 24. Strategic Drivers
      • Programmers are no longer able to take advantage of this much power with conventional programming techniques. This was earthshaking news back in 2005 when it seemed that programmers would all have to be retrained, or the new hardware would remain underutilized.
      • Applications increasingly need to be concurrent in order to fully exploit the continuing exponential CPU throughput gains. Concurrent programming is complicated, subtle, and requires both training and experience.
      • Virtualization allows us to keep these incredibly fast machines busy with programs written by normal programmers without these specialized skills. In large part, this factor is what is behind the recent acceleration of virtualization.
  • 25. Enabling the Technology Journey
      Stages of the journey:
      • Legacy: Data Center Hardware Server-Oriented
      • Virtualization: Data Center; Workplace Virtualization
      • Cloud: Infrastructure as a Service; Platform as a Service; Software as a Service
      Virtualization and cloud computing are steps on a journey towards a more flexible and cost-efficient way of delivering IT. To move physical hardware and software to the cloud, a transition in IT Delivery must be made. The move will require new expertise, processes, and technologies.
      Problems that are overcome through use of virtualization:
      • Running out of capacity.
      • Having costly, superfluous capacity.
      • Having too much capital tied up in server hardware.
  • 26. IT Delivery Requirements and Strategic Consideration
      Moving from physical to virtual space requires changes in people and technology, mandating virtualization specialists, shared hardware, and hypervisors. (People and Technology)
      • Virtualization Specialists: Staff must acquire specialized skills in the management of new technology, such as hypervisors, remote desktops, and virtualized storage. These new platforms not only require a different approach, they must also be integrated with the rest of the organization. (People)
      • Shared Hardware: Virtualization makes in-house infrastructure vastly more efficient by allowing teams to share hardware that is underutilized or utilized only at specific peak periods. The resulting savings from buying, housing, and supporting fewer devices, termed Asset Efficiency, is one of the great benefits of Virtualization.
      • Hypervisors: Virtualization introduces a new layer between the server hardware and the operating system of the traditional IT stack. This new layer requires technical expertise to manage. It also means that organizational decisions regarding the server hardware and operating systems must be reexamined. (Technology)
  • 27. Physical to Virtual Space – IT Delivery (People)
      You need Sourcing Expertise and Common IT Business Strategy, as well as Federation and Security processes. Cloud management platforms must be adopted, and people should think about service and not hardware.
      • Sourcing Expertise: Virtualization introduces the possibility, and Cloud Computing further requires, that externally sourced IT services play a greater role in the overall IT mix. Organizations need staff with vendor management and partner relationship skills, that is, sourcing expertise.
      • Common IT and Business Strategy: IT strategy is always formulated in support of the business, but as an organization matures and engages in both sourcing in and delivering out capabilities in a cloud environment, IT decisions become decisions about who the company does business with and where. IT and business strategy become inseparable. For staff to engage in successful strategy, they need to understand both the business they work in and IT.
  • 28. Physical to Virtual Space – IT Delivery Common Challenges, Federation, Security (Process)
      • Federation: When applications are supplied by a number of independent providers, the need arises to ensure a consistent view of critical underlying data across these providers. One common challenge is identity federation, where multiple services trust each other's user information, such as access rights and preferences. Another challenge is master data federation, where common corporate data, such as product inventories or customer data, is shared across a number of applications.
      • Security and Risk: Because cloud computing involves moving from an environment completely under in-house control to one in which a number of external vendors are relied upon, it poses unique challenges to the confidentiality, integrity, and availability of data and processes with significant bearing on the risk profile of the organization.
  • 29. Common Benefits: Service Model for Platforms and the overall Service Catalogue (Technology)
      • Cloud Management Platforms: A company that adopts cloud computing must bring together diverse services from a variety of vendors, as well as in-house capabilities, in a consistent and consistently managed way. The emerging category of cloud management provides the capability to realize the potential of anytime, anywhere cloud computing.
      • Service, Not Hardware: As an organization becomes comfortable with virtualization, they stop talking about their servers and instead talk about the capacity they need and where it must be located. A company that adopts cloud computing can own few servers while being able to deliver any number of virtual servers for just as long as their developers need them.
  • 30. Virtualization and cloud computing share People Benefits
      Virtualization and cloud computing share the need for cross-silo expertise, dynamic environments, usage metering, self-service, automation, and management tools.
      • Cross-Silo Expertise: As an organization gains experience with virtualization, roles within IT delivery are redefined. Historically, planning, provisioning, and troubleshooting required a combination of skills such as networking and UNIX system administration, which, in a conventional enterprise, were often found in separate IT silos.
      • Dynamic Environment: In a typical company, processes such as server installation and inventory management orient around configuration changes that, once provisioned, will last for years. Virtualized and cloud environments scale up and down dynamically and require supporting processes to handle changes that might last for only minutes or hours. For example, a developer might bring up a network of fifty VMs to test a batch job after lunch and be done with them at 5 o'clock.
  • 31. Virtualization and cloud computing share Process Benefits
      • Self-Service: In a complex organization, conventional procedures to buy equipment or make configuration changes can take months to complete. These procedures are manually intensive, and requests can become "lost in the mail." A balanced approach to self-service, which maintains control over financial, operational, and technical constraints and delivers quickly when a standard request is made, is typical of the benefits virtualization and cloud computing bring to business and IT users alike.
      • Usage Metering: Before virtualization, hardware and software assets were typically allocated to an individual business area within a company. The owning group bore the cost of purchase, housing, and support. However, as sharing increases with virtualization and cloud computing, it becomes necessary to collect usage statistics to allocate costs fairly. The design of this metering is critical for the discipline of demand management, which keeps costs under control.
  • 32. Virtualization and cloud computing share Technology Challenges and Benefits
      • Automation: The move from physical to virtual allows the automation of a much greater proportion of the IT workload than in a conventional environment. Separating the process of resource allocation from hardware purchase allows a much more streamlined and efficient process for delivering customer requests for capacity and change.
      • Management Tools: Most enterprises have invested in a set of management tools to handle IT configurations, help-desk processes, monitoring, and other familiar IT challenges. Virtualization, together with the virtual and cloud-operating models, means that the systems that underpin in-house systems management must evolve to support both the new technologies and the new, more dynamic operating model. (Using clouds helps to meet this challenge.)
  • 33. Virtualization is Not Appropriate for All Cases
      There are a number of considerations when evaluating a candidate for virtualization, and for determining whether the time is right for making the leap. Organizational considerations for assessing virtualization readiness include:
      • whether there is a high rate of IT change and critical use or a relatively static one
      • the extent to which capital is expensive or unavailable
      • the need for a skilled IT workforce
  • 34. Organizational Readiness
      Good Candidate (Organization):
      • Skilled IT Workforce: A skilled workforce is able and willing to take on the technical and operational challenges posed by virtualization. Furthermore, skilled workers want to work at an innovative and leading organization. This is a strong positive indicator for virtualization readiness.
      • Capital Expensive or Unavailable: One of the easiest financial benefits to achieve with virtualization is a reduction or avoidance of capital expense by deferring the purchase of new servers and the related items (data centers, networks, and so on) that they require. This is a strong positive indicator for virtualization readiness.
      • High Rate of IT Change and Critical Use: Virtualization, done right, can greatly reduce the time it takes to deliver an IT service. It can also greatly streamline major projects, such as premises moves and merger integration. This is a strong positive indicator for virtualization readiness.
      Think Carefully (Organization):
      • Lack of In-house Skill Set: Virtualization requires specific technical skills on the new platforms. It also changes the way existing processes (data backup, virus protection, software distribution, and so on) should operate. Management must seek to improve the staff's skill set through training, retraining, or outsourcing. This is a weak negative indicator for virtualization readiness.
      • Relatively Static IT: For many organizations IT is a key enabler, but some organizations' needs are minimal and without variation. If a business provides only the most basic services, then now may not be the time to virtualize. Nevertheless, over time, it is likely that all services will be provided in a virtual environment. This is a negative indicator of virtualization readiness.
  • 35. Virtualization is Not Appropriate for All Cases
      Process considerations for assessing virtualization readiness include a service management culture, difficulty sharing among business units, and weak processes and controls.
  • 36. Process Readiness – CobiT Maturity DS3, DS1, DS8
      Good Candidate (Process):
      • Service Management Culture: Virtualization requires a proactive approach to service management and IT assurance. Problems would quickly arise from ineffective controls supporting performance and functionality targets. Having a strong service-management mentality is a key success factor and a strong positive indicator for virtualization readiness.
      • Difficulty Sharing: Users can be isolated from each other with well-proven technology. If the root cause of the inability to share is poor change management, virtualization can help.
      Considerations Either Way (Process):
      • Difficulty Sharing Among Business Units: Complex organizations often have great difficulty sharing IT assets among separately managed business units. This can be due to organizational contention for scarce resources, or it can be due to externally imposed pressures affecting change windows and the ability to be flexible. Virtual infrastructure is shared infrastructure, but with one important difference: the users can be isolated from each other with well-proven technology.
      Think Carefully (Process):
      • Difficulty Sharing: If the problem lies in a shortage of resources, the solution is stronger governance and not a technical fix.
      • Weak Processes and Controls: An organization that lacks defined processes should tread carefully into virtualization. Processes must be in place and adhered to or problems will arise. The most critical processes to review include:
          • Capacity Management: It is important not to over-provision the virtual environment, or everyone's performance will suffer, and with it the reputation and viability of the virtual IT services.
          • Service-Level Management: It is important to set expectations with users and provide follow-up to ensure their expectations are met, especially when rolling out a new technology.
          • Incident and Problem Management: Virtualization isolates services from their underlying hardware and enables a great degree of consolidation and efficiency, but this can also mean that there are a lot of eggs in one basket.
  • 37. Virtualization is Not Appropriate for All Cases
      Technological considerations for assessing virtualization readiness include:
      • endemic poor utilization,
      • lifecycle management problems,
      • highly utilized infrastructure,
      • input/output-intensive applications,
      • third-party support issues, and
      • custom hardware dependency.
  • 38. Technology Readiness
      Good Candidate (Technology):
      • Endemic Poor Utilization: Virtualization can directly address poor utilization of servers, storage, and networks. This is a strong positive signal for virtualization readiness.
      • Lifecycle Management Problems: In many cases, organizations find themselves unable to keep software versions up to date due to a lack of resources, including the availability of environments for test and development, and because of downtime for upgrades. Virtualization simplifies software maintenance by enabling multiple environments to run in parallel, making testing and, in the event of a problem, rollback much easier. This is a strong positive signal for virtualization readiness.
      Considerations Either Way (Technology):
      • Infrastructure is Highly Utilized: One of virtualization's major benefits is increasing utilization through consolidation. If the infrastructure is already highly utilized, this would seem to be a negative signal. However, it is possible that demand is unevenly spread across the IT estate; in this case, virtualization can make it easier to migrate IT services and can help address the issue.
      • Input/Output-Intensive Application: In the past, virtualization systems were challenged to deliver performance for IO-intensive applications. Although great strides have been made in improving IO throughput with application, server, and hardware-level virtualization technology, there may still be issues dependent on the IO workload in question. This is generally a neutral indicator.
      Think Carefully:
      • Third-Party Support Issues: Some applications may not be supported, or may not be fully supported, in a virtual environment. An example of this is Microsoft Active Directory, which is fully supported on Microsoft's own Hyper-V virtualization platform but is not fully supported on other platforms. Applications with this characteristic are poor candidates for virtualization.
      • Custom Hardware Dependency: Some applications are tied to custom hardware. The attached hardware might be as simple as a dongle for license management, or as complex as a device-control interface or a modem rack. Applications with this characteristic are poor candidates for virtualization.
  • 39. Data Center Virtualization Characteristics
      The typical corporate data center is full of expensive equipment, most of which is dedicated to specific applications, regardless of whether the applications need the resources at any given time.
      Diagram labels: management tools; server virtualization; storage virtualization; network virtualization.
  • 40. Workplace Virtualization Characteristics
      • In the workplace, virtualization also applies to the familiar workplace environment of personal computers and desktop applications. A typical workplace has a large number of computers scattered throughout the premises, each needing to be managed and kept current with the latest software.
      • It is important to note that when we say workplace we are focused on the desktop and mobile data applications in the workplace. While concepts in virtualization also apply to other aspects of the workplace such as the physical office, telephones, and meeting rooms, those are not specifically covered in this course.
      Diagram labels, under workplace virtualization: virtual desktop infrastructure; server-based computing; workstation virtualization; application virtualization.
  • 41. Return on Investment in Adopting Virtualization
      • Underpinned by common management tools and processes.
      • All aspects of systems management must account for virtualization. Not only must the chosen set of virtualization technologies itself be managed as a platform, but the enterprise tools associated with Monitoring, Provisioning, Incident and Problem Management, Inventory Management, and Software Development and Releases must all be integrated to ensure that they work well in a virtual environment.
      • Although it is possible to treat virtual infrastructure as if it were only physical infrastructure and not change the organization's way of working, this eliminates many of the benefits of virtualization in the first place.
      • Adopting a new, virtual, infrastructure operating model is critical to achieve Return on Investment (ROI).
  • 42. Audit Watch for Migration Problems
      • IP addresses might need changing in configuration files, and certificates might need to be updated.
      • Issues that are expressly problematic for virtualization include requirements for particular hardware, such as hardware dongles or RS232 connections.
      • Also problematic are applications with very high I/O requirements, life-critical applications, and real-time applications, such as applications that have interfaces to special hardware with demanding time requirements.
      • If an application is consuming a large amount of CPU or memory resources, it might not be a candidate for consolidation even if it can be virtualized.
      • Benefits likely to still outweigh the risk: downtime avoidance, disaster recovery, and increased availability.
  • 43. Concerns and Solutions - Three Camps
      When virtualization is first introduced, people initially have some concerns.
      • Is it Proven? (Proven Technology - Solutions: Careful Placement and Cluster Design) The concern is that putting multiple applications on a single server will greatly increase the impact of a hardware failure. This concern is valid and should be addressed by careful placement and cluster design to ensure that the impact of specific failures is well understood and that the cluster provides appropriate failover capabilities.
      • Will it Perform? (Performance - Solutions: Monitoring, Service Reporting, Governance Mechanisms) The concern is that virtual infrastructure will become so swamped with applications that performance will be impacted. To address this, it is important that organizations introduce monitoring and service reporting to demonstrate that the infrastructure is operating within capacity, and effective governance mechanisms to take action when it is not.
      • Can we adapt this to our Culture? (Cultural Solutions - Control, Service Definition, Technology Knowledge: Education and Reorganization) Enterprise-scale virtualization should be viewed as a new service. It will require formal service definitions and the establishment of appropriate Service Level Agreements (SLAs) and Operational Level Agreements (OLAs). It will also require appropriate education of the workforce and is likely to need a degree of reorganization within the data center.
  • 44. ITIL Glossary
      Term | ITIL phase | Definition
      • Application service provider | Service Design | (This term is now superseded by ‘SaaS service provider,’ though not exactly identical) (ITIL® phase: Service Design) An external service provider that provides IT services using applications running at the service provider’s premises; users access the applications by network connections to the service provider
      • Architecture | Service Design | (ITIL® phase: Service Design) The structure of a system or IT service, including the relationships of components to each other and to the environment they are in; architecture also includes the standards and guidelines, which guide the design and evolution of the system
      • Assets | Service Strategy | Asset: (ITIL® phase: Service Strategy) Any resource or capability; assets of a service provider include anything that could contribute to the delivery of a service; assets can be one of the following types: Management, Organization, Process, Knowledge, People, Information, Applications, Infrastructure, and Financial Capital
      • Availability | Service Design | (ITIL® phase: Service Design) Ability of a Configuration Item or IT service to perform its agreed function when required; availability is determined by reliability, maintainability, serviceability, performance, and security; availability is usually calculated as a percentage; this calculation is often based on agreed service time and downtime; it is best practice to calculate availability using measurements of the business output of the IT service
      • Backup | Service Design | (ITIL® phase: Service Design) (ITIL phase: Service Operation) Copying data to protect against loss of integrity or availability of the original
      • Business continuity management | Service Design | (ITIL® phase: Service Design) The business process responsible for managing risks that could seriously impact the business; BCM safeguards the interests of key stakeholders, reputation, and brand and value-creating activities; the BCM process involves reducing risks to an acceptable level and planning for the recovery of business processes should a disruption to the business occur; BCM sets the objectives, scope, and requirements for IT Service Continuity Management
      • Capacity | Service Design | (ITIL® phase: Service Design) The maximum throughput that a Configuration Item or IT service can deliver while meeting agreed service level targets; for some types of CIs, capacity may be the size or volume, for example, a disk drive
      • Capacity Management | Service Design | (ITIL® phase: Service Design) The process responsible for ensuring that the capacity of IT services and the IT infrastructure is able to deliver agreed service level targets in a cost-effective and timely manner; Capacity Management considers all resources required to deliver the IT service and plans for short-, medium-, and long-term business requirements
      • Change Advisory Board | Service Transition | (ITIL® phase: Service Transition) A group of people that advises the Change Manager in the assessment, prioritization, and scheduling of changes; this board is usually made up of representatives from all areas within the IT service provider, the business, and third parties, such as suppliers
      • Change Management | Service Transition | (ITIL® phase: Service Transition) The process responsible for controlling the lifecycle of all changes; the primary objective of Change Management is to enable beneficial changes to be made, with minimum disruption to IT services
      • Charging | Service Strategy | (ITIL® phase: Service Strategy) Requiring payment for IT services; charging for IT services is optional, and many organizations choose to treat their IT service provider as a cost center
      • Confidentiality | Service Design | The security goal that generates the requirement for protection from intentional or accidental attempts to perform unauthorized data reads; confidentiality covers data in storage, during processing, and in transit (ITIL phase: Service Design); a security principle that requires that data should only be accessed by authorized people
      • Configuration | Service Transition | (ITIL® phase: Service Transition) A generic term used to describe a group of Configuration Items that work together to deliver an IT service or a recognizable part of an IT service; configuration is also used to describe the parameter settings for one or more CIs
  • 45. ITIL Glossary
      Term | ITIL phase | Definition
      • Configuration Management Database | Service Transition | Configuration Management Database (ITIL® phase: Service Transition) A database used to store configuration records throughout their lifecycle; the Configuration Management System maintains one or more CMDBs, and each CMDB stores attributes of CIs and the relationships with other CIs
      • Deployment | Service Transition | (ITIL® phase: Service Transition) The activity responsible for movement of new or changed hardware, software, documentation, processes, and so on to the live environment; deployment is part of the Release and Deployment Management process
      • Developer, development | Service Design | Development: (ITIL® phase: Service Design) The process responsible for creating or modifying an IT service or application; also used to mean the role or group that carries out development work
      • Downtime | Service Design | (ITIL® phase: Service Design) (ITIL phase: Service Operation) The time when a Configuration Item or IT service is not available during its agreed service time; the availability of an IT service is often calculated from agreed service time and downtime
      • Environment | Service Transition | (ITIL® phase: Service Transition) A subset of the IT infrastructure that is used for a particular purpose; for example, live environment, test environment, and build environment.
      • Identity | Service Operation | (ITIL® phase: Service Operation) A unique name that is used to identify a user, person, or role; the identity is used to grant rights to that user, person, or role; for example, identities might be the user name SmithJ or the role “change manager”
      • Integrity | Service Design | (ITIL® phase: Service Design) A security principle that ensures that data and Configuration Items are only modified by authorized personnel and activities; integrity considers all possible causes of modification, including software and hardware failure, environmental events, and human intervention
      • Middleware | Service Design | (ITIL® phase: Service Design) Software that connects two or more software components or applications; middleware is usually purchased from a supplier, rather than developed within the IT service provider
      • Outsourcing | Service Strategy | Contracting the services of outside suppliers instead of providing those services with the company’s own staff and assets; (ITIL phase: Service Strategy) Using an external service provider to manage IT services
      • Provider | Service Strategy | Service provider: (ITIL phase: Service Strategy) An organization supplying services to one or more internal customers or external customers
      • Request fulfillment | Service Operation | (ITIL® phase: Service Operation) The process responsible for managing the lifecycle of all service requests
      • Resilience | Service Design | (ITIL® phase: Service Design) The ability of a Configuration Item or IT service to resist failure or to recover quickly following a failure, for example, an armored cable will resist failure when put under stress
      • Resource | Service Strategy | (ITIL® phase: Service Strategy) A generic term that includes IT Infrastructure, people, money or anything else that might help to deliver an IT service; resources are considered to be the assets of an organization
      • Security Management | Service Design | ISM: (ITIL® phase: Service Design) The process that ensures the confidentiality, integrity, and availability of an organization’s assets, information, data, and IT services; Information Security Management usually forms part of an organizational approach to Security Management, which has a wider scope than the IT service provider, and includes handling of paper, building access, phone calls, and so on for the entire organization
      • Server | Service Operation | (ITIL® phase: Service Operation) A computer that is connected to a network and provides software functions that are used by other computers
      • Software release | Service Transition | (ITIL® phase: Service Transition) A collection of hardware, software, documentation, processes, or other components required to implement one or more approved changes to IT services; the contents of each release are managed, tested, and deployed as a single entity
      • Sourcing | Service Strategy | Service sourcing: (ITIL® phase: Service Strategy) The strategy and approach for deciding whether to provide a service internally or to outsource it to an external service provider; service sourcing also means the execution of this strategy
  • 46. Vendor Landscape
      • Virtualization was a new software category a decade ago when VMware introduced its first products. Today, there are a number of leaders on the market, providing software suites that help virtualized data centers. VMware remains the market leader today, with Microsoft and Citrix rounding off the top three in terms of number of licenses shipped.
      • It is important for corporate users to understand the competitive landscape to select the right vendor for their needs and to negotiate the best terms for the total cost of the new capability.
      • Many vendors provide the virtualization technology and solutions, and all of them both compete and cooperate to a great extent. Recently, there has been a tremendous run of acquisitions as major players fortify their virtualization capabilities. As you learn about the details of data center and workplace virtualization, keep in mind that this industry is immature and evolving rapidly. Learn about the vendors and educate yourself so that you can make the right decisions about where to invest your company's efforts.
      Vendor notes from the slide graphic:
      • VMware: server virtualization, vSphere, desktop virtualization, free server virtualization with free VMware Server
      • RHEV (Red Hat Enterprise Virtualization for Servers): Linux market leader, Qumranet, also supports Windows
      • Citrix: Xen Desktop and Xen Server, remote access and workplace virtualization, focus on remote desktop enablement
      • Microsoft: built-in virtualization capability, Server 2008 R2
  • 47. Since we only had one hour, there were a lot of topics we couldn’t discuss. Let’s keep the dialogue going on Facebook, LinkedIn and Twitter. Thanks for your time.
      This presentation was a sample of content found in Cloud Essentials™ and Virtualization Essentials™ Curriculum. Some views and all graphics are the copyright of EnterpriseGRC Solutions™. For more information about copyrighted content from CompTIA™ and ITpreneurs™, please visit http://www.enterprisegrc.com/index.php?option=com_content&view=article&id=49:edu&catid=37:edu&Itemid=62
      EnterpriseGRC Solutions™ is an ITpreneurs partner, Member of the Cloud Credential Council and (ten year) sponsor to the ITGI™