There has been rapid adoption of virtualization with Gartner reporting in their July 2015 Magic Quadrant for x86 Server Virtualization Infrastructure report as “75 percent of x86 workloads are virtualized.” The agility, flexibility and cost-savings from virtualizing are well proven and no one questions or “gets fired” for virtualizing. However in our experience with many in Federal, Healthcare, Financial, Retail and High Tech industries, we have seen that the last 1-20 percent of physical servers and applications pose the biggest struggle to virtualize. The initial dramatic cost savings from virtualizing tapers off fairly quickly, shown in the graphic below, as security and compliance requirements for the virtual infrastructure increase and become more complex as the criticality of workloads change. Enterprises must consider a programmatic approach and develop best practices, making virtualization a core part of the enterprise platform that satisfy all those requirements and leverage the virtualization eco-system technologies to efficiently manage and protect.

There are many reasons causing the angst but the most prevalent are:

• Maturity: typically virtualization adoption takes off in a small environment, such as development and testing environments, then non-critical applications such as print services, to limited production or core corporate services, and so on to finally get to virtualization as a standard Enterprise platform. Depending on the Enterprise’s virtualization journey they may still be planning, implementing and managing in an ad-hoc fashion, and not leveraging the full benefits that virtualization provides, such as rapid provisioning with master golden images, orchestration of complex workflows to provide capacity when needed, to quick recovery or fail-over in case of an incident or disaster. We found virtualizing mission-critical workloads such as Microsoft Domain Controllers is usually left to the last, not for performance reasons, but concerns over access control and data protection.

• Mindset: there are many who still believe that virtualization still lacks the performance necessary for their application and prefer to remain on physical servers. Perhaps a little of ‘box hugger’ mentality. There are legitimate cases but the virtualization platforms have advanced significantly and so has the underlying hardware. Very few commercial applications remain that cannot be virtualized. Also, Type 1 hypervisors, such as VMware vSphere ESXi, exact little or no performance penalty, and there is hardware-assisted virtualization functionality that can be leveraged to enhance performance further, as described in the “Performance Best Practices for VMware vSphere 6.0” whitepaper. At a minimum we highly recommend that when your hardware is due for a refresh that virtualization is seriously considered and the new hardware purchases include these functionality, and a Trusted Platform Module (TPM) and Intel’s Trusted Execution Technology (TXT) to also enhance security by leveraging hardware-based root-of-trust.

• Security and Compliance: as the criticality of the application and sensitivity of the data increases so do security and compliance requirements. Native virtualization platforms can satisfy some of these requirements but not all. For example, we have long had centralized AAA servers (Authentication, Authorization and Accounting) for users who access network services. The network could provide some level of these capabilities but it becomes a nightmare to manage and audit unless it can be independently verified and of course centrally managed and enforced. Similarly as the number of virtualized systems increases with a varying class of applications and data so does the need for independently and centrally managed security and compliance solutions. The good news is that security and compliance vendors have caught up and there are a number of solutions that can help achieve the ‘fully virtualized’ nirvana.

• Pace of Innovation: to keep abreast of all the emerging technologies is challenging for all, but when the pace outstrips your ability to understand, design, and implement then its feels like a constant roller coaster. This is true for the innovations taking place in this area. Compute virtualization, such as VMware vSphere ESXi, is fairly mature, well understood and widely deployed. Network virtualization, both Software-Defined Networking and Network Function Virtualization are still in the early stages of adoption, and with all the ways they will change the way we deliver Infrastructure as a Service, essentially core IT services has not yet being fully understood. Software-Defined Data Center, Converged infrastructure and even Hyper-converged infrastructure, are all making IT infrastructure easier to manage, more cost and operationally efficient and able to perform at scale. With all this innovation, there are amazing times ahead. Enterprise IT personnel should be freed up from the mundane, and allowed to become the pathfinders who continue experimenting and adopting new technologies at a rapid pace. This is absolutely needed to remain competitive in all industries.

Of course enterprises can always adopt a hybrid or public cloud infrastructure, and not build their own, with the viability of this option depending on the maturity of the cloud providers and their ability to meet enterprise requirements. Keep in mind, though, that you lose a lot of control when you outsource your infrastructure, although regardless of who owns and runs the infrastructure fiduciary and governance responsibilities remain always with the enterprise. You lose flexibility in terms of what controls you can implement, you lose at least some visibility and meanwhile gain concerns around the security controls implemented for multi-tenancy and sharing underlying hardware with other organizations. Recently a number of articles have been published stating that the recovery costs for security incidents double with virtualized infrastructure. Yet we find surprisingly VM encryption is not as widely used as you might hope to protect the application and data regardless of the private, hybrid or public cloud environment being used. Solutions are available, solutions that are easy to manage, easy to deploy and that do not impact performance and yet many organizations have still not yet implemented encryption for data that absolutely needs protection. This is an area that IT should review and consider standardizing. IT should also consider implementing a comprehensive set of controls that protect their assets, applications and data in any environment.

The industry has come a long way, with the majority of workloads now running in virtual machines. As the end-game of nearly complete virtualization comes into view there are still opportunities for significant savings, but it is vital that those savings not come at the cost of security, compliance or operational best practices. Fortunately, there are tools and technologies including encryption, policy control, and automation for virtualized environments that can help organizations achieve if not full virtualization then at least more complete virtualization.