« Kudos to Vanity Fair. Nice job! | Main | Is Co-Administration the Answer? »

Critically Under-damped Oscillations

Chris Hoff has a great, common-sense post on security and where in the data center it will eventually end up residing.  (If you don't want me to give away the plot, go directly to the post.  Don't read the snippet I've enclosed.)

Along with the "dampened oscillation" graphic that he alludes to (but doesn't actually draw), I'd like to add my two-cents about where security resides when dealing with server virtualization, and the network.  Server virtualization, and particularly hot migration (likeVMware's VMotion), has definitely changed the relative workload and tsuris (a technical term of art) experienced within the data center by the persons responsible for, respectively, server administration, storage administration, and network administration. 

In the days before widespread adoption of server virtualization, making a new application "production ready" was a PITA (another term of art) for the server admin, who had to specify servers, install the apps, move the appropriate data for use by the apps, test, stage, re-test, etc. 

The storage admin had a modest workload, requiring attention to allocation of storage space, setting quotas, setting policies, ... but once done at the planning stage, required modest tweaking thereafter. 

The network admin had it easiest (IMHO).  Over the course of the weeks (if not months) it took to arrange for a new application to be put into production, the network admin might have to allocate ports, set VLANs, set policies, and be present when doing the lash up with the network equipment.

Fast forward to the day when a new application goes through development, test, staging and cut-over into production ... ALL using server virtualization.  Besides the fact that the time horizon for the production deployment has likely been compressed from weeks to days, the relative workloads as this cut-over approaches is radically different from the one described above. 

  • The server admin has a relative cakewalk: extend VME cluster, copy the image, or use a hot migration to herd the app into the new spot. 
  • The storage admin has pretty much the same level of work in allocating space, setting quotas, etc.,  and will soon be using SAN "hot migration" (e.g. VMware's Storage VMotion).
  • The network admin, however, just got a rude awakening.  If he's got SLAs to which his organization must commit, the network admin must allocate ports, set VLANs and VLAN policies, set up NIC teaming in both the virtual switches and physical server access switch, and set up trunking on the vSwitch and pSwitch.   Oh, and by the way... it has to be "right" for every physical server in the data center to which a virtualized application MIGHT migrate in the future.

Holy smoke, Chris!  It's not a single, oscillating signal.  It's (at least) three of 'em.  (... and if I were a better graphics hack, I'd drop in a jpg right about now.)

Rational Survivability: Security Will Not End Up In the Network...

... Here's the reality we actually already know and should not come to you as a surprise if you've been reading my blog: we will always need a blended investment in technology, people and process in order to manage our risk effectively.  From a technology perspective, some of this will take the form of controls embedded in the information itself, some will come from the OS and applications and some will come from the network.

Anyone who tells you differently has something to sell you or simply needs a towel for the back of his or her ears...

Reader Comments (2)


You're absolutely right about the multiple, overlapping oscillations.

I've got another example that has about 6.

In my security/disruptive innovation talk, I actually draw this in the air as I describe it because I don't have the mad skillz necessary to plot it out...I will one day, however.

I now have another yiddish word for my vocabulary! ;)

Great post.


Jun 3, 2008 at 10:52AM | Unregistered CommenterChristofer Hoff
Thanks, Chris. I've always been fascinated by the study of unintended consequences. I can't think of many more disruptive technologies encountered over the past 30 years than modern data networks and virtualization. The nature of the "disruption" -- both positive and negative -- is worth keeping in mind. I'd appreciate a pointer to your security/disruptive innovation talk if you can supply it.

And as for the new terminology... I figured that if I was going to use a term like "PITA" (which always brings to mind the local Jordanian falafel joint) without an offsetting "tsuris", I'd run the risk of Michelle Malkin coming after me. http://is.gd/quB
Jun 3, 2008 at 2:22PM | Unregistered CommenterRich Miller

PostPost a New Comment

Enter your information below to add a new comment.

My response is on my own website »
Author Email (optional):
Author URL (optional):
All HTML will be escaped. Hyperlinks will be created for URLs automatically.