On Tue, Dec 30, 2008 at 5:33 AM, Ken Schaefer <[email protected]> wrote:
> Most people have said "no" to question #2.
>
> I would say that there is a definite impact. Your virtualisation team are
> pretty much now an additional "god" in the organisation. For smaller shops
> this isn't an issue. For bigger shops, or where compliance/auditing/change
> control are important, then this is another layer of people who have
> significant privileges, who must be worked into your change control
> process.
>
> Cheers
> Ken

I don't see a lot of difference here between virtual environment vs physical.

A) The guest virtual machines have the same security as their physical counterparts (i.e., you still need a login/password to get into the operating systems). Same in a physical environment. It's the same as walking up to a KVM or logging into an IP KVM.

B) If you have access to the virtual environment, you could power off the machines (reboot, etc). It's the same if you have physical access to the data center/server room/etc or access to a remote PDU (aka walk up and press the off button on a machine).

The only difference is that you could change resource allocation, but in a compliance/audit scenario, you're not accessing the actual data or the guest OS itself, just the "box" itself. Changing resources does affect change control, but so would someone removing RAM out of a physical box or adding a CPU.

I'm only speaking for VMware here (since that's what I know and run), but you can set up a lot of different levels of access in the virtual environment. You can group the machines, set administrators for those groups, or break it down to only allow certain groups to have access to certain machines.

For example, I myself have full access to the entire network, but I only allow my programmers to have access to only a couple of machines, and only restart ability to those. When they log in, all they see are their machines only. Their only options are console or power on/off/reboot, the same access they've had when the servers were physical. It ties into Active Directory, and you can set groups to as much or as little access as you want.

I do agree, there are some security concerns that you'll need to address, but virtualizing your servers won't give anyone any more additional access to the machines over walking into the server room IMO.

Seth
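
The delegation described in the message above (an Active Directory group limited to console and power operations on a few machines), sketched with VMware PowerCLI as an added example that is not part of the original thread. The server, folder, group and role names are placeholders chosen for illustration, and the final listing is the kind of record a change-control or audit review would ask for.

```powershell
# Added example: every name below is a placeholder (assumption), not from the thread.
$vCenter  = 'vcenter.example.local'
$folder   = 'Dev-Servers'             # VM folder holding the delegated machines
$adGroup  = 'EXAMPLE\Programmers'     # Active Directory group receiving access
$roleName = 'VM-Power-And-Console'    # hypothetical custom role name

Connect-VIServer -Server $vCenter | Out-Null

# Only the operations the post lists: console plus power on/off/reset.
# No datastore, configuration or resource-allocation privileges are included.
$privIds = 'VirtualMachine.Interact.PowerOn',
           'VirtualMachine.Interact.PowerOff',
           'VirtualMachine.Interact.Reset',
           'VirtualMachine.Interact.ConsoleInteract'

# Create the role once; reuse it on later runs.
$role = Get-VIRole -Name $roleName -ErrorAction SilentlyContinue
if (-not $role) {
    $role = New-VIRole -Name $roleName -Privilege (Get-VIPrivilege -Id $privIds)
}

# Scope the grant to one VM folder rather than the datacenter root,
# so members see only the machines placed in that folder.
$target   = Get-Folder -Name $folder -Type VM
$existing = Get-VIPermission -Entity $target |
            Where-Object { $_.Principal -eq $adGroup }
if (-not $existing) {
    New-VIPermission -Entity $target -Principal $adGroup `
                     -Role $role -Propagate $true | Out-Null
}

# Audit view: every principal vCenter reports for this folder and the role
# it holds. Rows other than the delegated role show who else can act on
# these machines and belong in the change-control process.
Get-VIPermission -Entity $target |
    Select-Object Principal, Role, IsGroup, Propagate,
                  @{ Name = 'DefinedOn'; Expression = { $_.Entity.Name } } |
    Sort-Object Role, Principal |
    Format-Table -AutoSize
```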
