
In my last article, I wrote about “The Sometimes Fun, But Scary, Risks Of VM Administrator Access” and the sometimes startling amount of access to systems and data that the VM administrator has. As Mike Poor from Intelguardians put it…

“virtualization does wonders to solve the IT asset management problem, but creates some huge nightmares for the data containment problem. We both agreed that when dealing with sensitive systems and data, partitioning data to separate ESX clusters with no shared access makes a lot of sense.”

Continuing this line of thinking made me realize the breadth of skills required for effective VM administration, and makes me question the notion Mark Gaydos put forward in “The VM Virtualization Administrator is Dead: Long Live Virtualization!” As a commenter wrote,

[And then] There are still some struggles that we have with the other (sub)departments…network guys don’t understand why we want multiple 10G channels into the blade chassis (“It’s only got 14 blades…why do you need that much bandwidth?” “Ummm, because there’s actually > 170 virtual servers running in there, and they all use the network…”), and the storage team doesn’t understand why iSCSI doesn’t work for everything all the time (“but [insert document here] says that iSCSI is cheaper and faster for VMware…we’ll just give you some LUNs, you don’t need an aggregate to yourself…”, ugh).

It’s not just that VM admins will need to interface with storage folks. VM admins suddenly find themselves owning an incredibly high number of automated controls that are critical to achieving both IT operational and security objectives. To do this job right, we’re talking about someone who can span the boundaries of being an enterprise architect, a storage architect, a security architect, a VM administrator, and a security reviewer. (i.e., “Hey, I need to deploy this new application over the weekend that Marketing needs. Can you help me with this VLAN and open up a firewall port?”)

The last example, opening firewall ports, used to be clearly an information security responsibility. In the virtualized world, we can only hope that the person responding to the request will be information security – because the decisions they make will surely have information security implications.

To make good decisions, they must create appropriate trust boundaries, ensure separation of duties, administer VLANs, and understand the security implications of certain types of changes. This is on top of having to deal with all the operational messiness of capacity, hardware dependencies, etc.

Is it realistic for anyone to make all these decisions and do all this work without the help of information security? Is it realistic that everyone in the organization can make well-informed decisions around VM and VMM issues without a VM domain expert? In my opinion, both seem very unlikely!


“Can you please add a VLAN and open up a firewall port for me? Oh, and by the way, I need it by Monday. The Marketing folks already scheduled the promotional print ad to run in the Sunday newspapers…”

  • Hey Gene,

    Do you see that you're actually saying that the VM Administrator is dead? When you ask me, you're saying that virtualization concerns so many different aspects within your IT organization that a normal administrator cannot oversee it. I do agree with you if you mean that the VM administrator will/has to shift to a Virtual Infrastructure Architect.

    I think as hypervisors are becoming a commodity and virtualization will be in every IT organization within a couple of years, every "administrator" (security, network, storage and so on) will need to update his or her skills concerning the virtual infrastructure. As said before, I do agree that you need some kind of Virtual Infrastructure Architect who oversees the big picture, but hey; you always need an architect in the bigger organizations.

    I don't think you'll see dedicated VM Administrators in the future because what should they be doing?

    Creating vSwitches or VLANs?

    That's being done by the network dudes who have updated their skills with network virtualization.

    Creating VMs?

    Sure, there's somebody who initially sets up a couple of templates but in the future every user will be able to "create" a VM by requesting it via a portal which results in an automated deployment of a VM.

    Setting up new VM hosts?

    That's so easy, even nowadays, to automate so you won't need dedicated administrators for that either.

    So I think we are both concluding that people who are VM Administrators now should work on becoming a Virtual Infrastructure Architect (excuse me for the VMware related name, but it's simply the best description); otherwise they'll be out of work. Do you agree?

  • Gene Kim

    Matthijs,

    I completely agree with your characterization and your conclusion, with some minor qualifications.

    You wrote: “people who are VM Administrators now should work on becoming a Virtual Infrastructure Architect (excuse me for the VMware related name but it’s simply the best description) otherwise they’ll be out of work. Do you agree?”

    Yes! My claim is that your average VM admin may or may not be conscious of the fact that they are suddenly more than just administering VMs. To do their job effectively, they will need to have expertise in architecture, storage, networking and security. Or horrors, if they don’t have this expertise, they will actually have to interact with people who do have those skills! :-)

    I suspect that not only are the VM admins not fully aware of this, but neither are the people who are creating and filling these roles, who are then putting people in these roles who don’t have adequate experience or training.

    There are very real security implications to this, as having an adequate control environment requires people making good and well-informed decisions on all these aspects.

    Matthijs, you’ve inspired me. I think the real title of this article should have been “The VM Admin Is Dead – Long Live the VI Architect.” :-)