A Myth of (Virtual) Fingerprints
I was sitting in a cafe minding my own business the other day when I overheard a couple of network administrators discussing the benefits of virtualizing their server room. As this is a topic about which I am quite passionate I was delighted to hear the 'buzz'... the fact that organizations were discussing implementing solutions revolving around virtualization technologies, including the soon to be released Microsoft Hyper-V Server.
I listened with half an ear mostly because I am interested in hearing what real IT pros are thinking candidly when 'the guy from Microsoft' is not around (I have not quite yet given up explaining that I do not work for Microsoft). They discussed the advantages of Hyper-V over Virtual Server, the pros and cons of using a Microsoft solution over a third-party virtualization technology (no I am not afraid to say VMware!), and the licensing advantages of purchasing Windows Server 2008 Enterprise Edition over Standard Edition.
Then they mentioned a perceived advantage that is unfortunately a very real misconception in the real world: '...and my favorite advantage of virtualizing the servers is that I only have to secure, monitor, and patch the parent server... on a virtual parent with four virtual machines I save eighty percent of my work!'
I can no longer say I am surprised because this is a very prevalent misunderstanding in the IT world. It is vital that every IT administrator understand one thing about virtualizing above all else: Treat your virtual machines as you treat your physical machines... always.
Virtualization is a tool to create a machine within a machine, it is true. It allows IT departments to consolidate and save often huge amounts on hardware while minimizing wasted resources. However, apart from sharing the same hardware resources and the same physical space, a child operating system is a completely independent operating system, segregated from the parent operating system (in the Virtual Server vernacular the guest and host OSes are equally segregated). Nothing you do to the parent OS patches, firewalls, or monitors the child OS.
I have heard virtual security compared to securing rooms in a house, wherein if the perimeter is secure then likewise the inner walls are equally secure. This is true, as long as you are only applying the analogy to physical security, wherein if the parent is physically stolen then the child is equally lost.
Server maintenance is so much more than physical security. Of course the environment is important, and issues such as temperature, humidity, and ventilation have to be considered in addition to physical security. However the OS is so much more than that, and issues such as firewalls, monitoring, and patch management apply equally to every instance of an operating system, whether physical or virtual. Microsoft (as well as third-party ISVs) provides the tools for those, and yes, in many cases it will involve higher licensing costs... but if your environment has System Center Operations Manager monitoring your servers, System Center Configuration Manager and Windows Server Update Services handling system security and patch management, and a backup solution protecting your servers and data, then you need all of these securing, monitoring, and patching all of your servers, whether they be parent, child, host, or guest OS. A parent with four children is five operating systems to manage, not one.
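A quick way to make the point concrete is to reconcile the virtualization inventory against what each management tool actually knows about. The script below is an added example, not code from the original post; the inventory (one parent with four children) and the per-tool membership lists are constructed sample data, and the tool names simply reuse the ones mentioned above. It reports which OS instances fall outside patching, monitoring or backup coverage, and what fraction of instances each control really reaches, which is the number the 'only secure the parent' argument gets wrong.

```python
"""Reconcile a parent/child OS inventory against management-tool coverage.

Added example. All data below is constructed for illustration; in a real
environment the inventory would come from the hypervisor and the coverage
sets from each tool's own list of managed computers.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class OSInstance:
    name: str
    role: str        # "parent" (physical host) or "child" (virtual machine)
    parent: str = ""  # name of the parent for a child, empty for a parent


# Constructed inventory: one physical parent hosting four virtual children.
INVENTORY = [
    OSInstance("HV-PARENT01", "parent"),
    OSInstance("DC01", "child", "HV-PARENT01"),
    OSInstance("FS01", "child", "HV-PARENT01"),
    OSInstance("WEB01", "child", "HV-PARENT01"),
    OSInstance("SQL01", "child", "HV-PARENT01"),
]

# Constructed coverage: the computers each control actually manages.
# Only the parent is monitored, and two children never made it into WSUS.
COVERAGE = {
    "patching (WSUS)": {"HV-PARENT01", "DC01", "FS01"},
    "monitoring (SCOM)": {"HV-PARENT01"},
    "backup": {"HV-PARENT01", "DC01", "FS01", "WEB01", "SQL01"},
}


def coverage_gaps(inventory, coverage):
    """Return {instance name: [controls it is missing from]}.

    Every OS instance, parent or child, is expected in every control's set;
    a child is never treated as covered because its parent is.
    """
    gaps = {}
    for inst in inventory:
        missing = [ctl for ctl, members in coverage.items()
                   if inst.name not in members]
        if missing:
            gaps[inst.name] = missing
    return gaps


def coverage_fraction(inventory, coverage):
    """Return {control: fraction of OS instances the control reaches}."""
    total = len(inventory)
    return {ctl: len([i for i in inventory if i.name in members]) / total
            for ctl, members in coverage.items()}


def parent_only_fraction(inventory):
    """Fraction of OS instances reached if only parents are managed.

    This is the real outcome of 'I only have to secure the parent': with
    one parent and four children it is 1/5, not the 100% the myth implies.
    """
    parents = [i for i in inventory if i.role == "parent"]
    return len(parents) / len(inventory)


def report(inventory, coverage):
    """Human-readable summary of the reconciliation."""
    lines = []
    for name, missing in sorted(coverage_gaps(inventory, coverage).items()):
        lines.append(f"{name}: not covered by {', '.join(missing)}")
    for ctl, frac in coverage_fraction(inventory, coverage).items():
        lines.append(f"{ctl}: {frac:.0%} of OS instances")
    lines.append(f"parent-only management would reach "
                 f"{parent_only_fraction(inventory):.0%} of OS instances")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(INVENTORY, COVERAGE))
```

In practice the inventory would be pulled from the hypervisor and each coverage set exported from the respective console, but the reconciliation logic is the same: any name in the inventory that is absent from a control's list is an unmanaged operating system, regardless of whether it happens to be a child of a managed parent.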
Hyper-V will offer us all a plethora of benefits, whether for lab or production environments. We should definitely discuss and make use of those advantages and appreciate that there are enough that we do not have to make up others. If you are unsure then it might pay for you to invest in a consult... we cannot all be experts in every new technology out there... if you do not know of anyone then go out to a local IT Pro user group meeting and hear what your peers have to say. In the case of security and stability, it will be a very worthwhile investment!