Monday, April 26, 2010

Free Virtualization Assessments?

It's a familiar story.

The client had wanted to move to a virtualised data centre for some time but non-essential IT spending had been frozen. They took a 10% haircut across IT in the past 18 months and most of their contractors had been dropped, but after a long cold winter they were coming out of hibernation as business improved.

The call came in first to the notional head of IT. As in so many UK companies the IT function did not have a CIO or board-level sponsor, but found itself reporting instead to facilities or operations. The call was from one of VMware's 2000-or-so UK partners.

They offered a free virtualization assessment.

Although not an IT professional, the head of operations knew his IT team wanted to virtualise and had been stopped from doing so the previous year. The assessment would take 30 days, required 1 brief visit to site, and wouldn't cost a penny. It would kick-start this year's biggest IT project, virtualising the data centre.

After a month the client was handed a spreadsheet, and a quote for VMware licenses and 20 new HP servers valid for 30 days. Not being a technology company, and being apprehensive about making the leap to virtualization, the client wasn't ready to just sign on the dotted line, at least not without getting some questions answered:
  • What about re-using some or all of their servers?
  • How would this protect their investment in Network Attached Storage?
  • Did they need a paid-for product, what about free software like ESXi, Hyper-V, or XenServer?
  • How would a virtualised estate cope with growth coming out of recession?
  • How would all this fit in with the existing Disaster Recovery plan?
  • Did they have the required skills to operate a newly virtualised estate?
  • How firm was support for their critical ERP and CRM software in a virtual environment?

The spreadsheet didn't say. The reseller, seeing the prospect of 20 licenses and HP servers disappearing, didn't say either. They just seemed to lose interest. At this point the client found our website, registered to download a case study, and recounted his tale to us.

Unfortunately, a virtualization assessment isn't just a maths problem that can be solved by dividing workloads by servers and multiplying the result by the cost of a VMware/XenServer/Hyper-V license. Automated tools and spreadsheets won't answer any of the points above, at least not the tools we have seen. A comprehensive Virtualization Assessment will, however, provide you with the foundation you need to adopt this technology in the most appropriate way for your business. Our comprehensive virtualization assessments will:
  • Reduce the risks inherent in adopting new technology
  • Increase the accountability of IT to the business over this project
  • Help you set budgets appropriately
  • Predict skills gaps and identify a plan to fill them
  • Support your IT staff with product-neutral advice and vendor evaluation
  • Accurately set expectations for timescales and functionality
  • Identify where virtualization impacts DR & BC processes

Where does that leave the average software reseller and his automated tool? Ever heard the saying "when the only tool you have is a hammer, everything looks like a nail"? If you want to virtualize mission-critical systems in a safe, planned way, but need more than a spreadsheet and a quote for some software to guide you, then let us know.

Thursday, April 15, 2010

360is Welcomes New Consultants

As a result of our growth last year, we'd like to welcome 2 new consultants to 360is.

Wynn was a contractor running the virtualised infrastructure for a financial services company, and is taking on part of the responsibility for customer support. After only a month he has proven an invaluable addition to the team. Iain we discovered as an independent contractor attending one of our training courses. He has extensive VMware and virtual desktop experience. With their first couple of client projects already completed we look forward to many more. It's rare that we are lucky enough to find individuals who fit the profile so well.

Welcome!

Wednesday, April 14, 2010

Citrix XenServer & VMware ESX Common Criteria Certification

As some of you already know, Citrix have sponsored XenServer, XenDesktop, XenApp, and Netscaler into the Common Criteria program for Information Technology Security Evaluation (CC). We have had several questions about the announcement and what it means for both VMware and XenServer in particular. Since 1 or 2 of us at 360is were there way back when Common Criteria & ITSEC first started seeing mainstream IT products submitted for evaluation, we thought we would take this chance to answer some of your questions in this posting.

What is Common Criteria (CC)?
CC is an attempt to reduce duplication of effort among the IT security evaluation functions of several governments (6 in all). CC is an international standard that describes how product vendors may make claims about their security software or hardware, and have independent laboratories investigate these claims and certify that the product has been designed and built in a way that meets the vendor's claims and can be relied upon to function as described.

What is EAL?
Within CC, products are examined to an Evaluation Assurance Level (EAL). EALs are currently numbered from 1 to 7, with 7 being the most detailed, most stringent level of scrutiny that a product is put under. VMware ESX and ESXi 3.5 were certified to EAL4+ in February 2010. Citrix have submitted their products for the EAL2 process this month.

So An EAL4 Product Is More Secure Than An EAL2 Product?
No. This is probably the most common misconception about CC. A higher EAL number means only that the product passed a deeper level of scrutiny of the vendor's claims. For example, I might have a simple, weak encryption application that passes EAL7, because it was found to meet my claims without fault, and its design and execution were found to be exemplary even when "put under the microscope" of EAL7. A much stronger encryption application, which would protect my data better using a strong algorithm, might only be submitted for EAL2, because I want to get some kind of basic certification quickly so I can sell to my government customers. There are also a number of misconceptions around how vendor claims are tested. In our experience, for example, code review is only done at EAL 6 or 7.

What Claims Might A Vendor Make?
The scheme allows vendors to tailor their claims based upon their product and the way it is to be used. This means that a Firewall is not subject to the same investigation as an Email system or a Desktop OS. A vendor with a Firewall might claim that in order to administer the device you must pass 2-factor authentication, and can only do so over a strongly encrypted connection, and that there is no other possible way of gaining admin access. Such a claim would be investigated to the required depth as part of the CC certification. Another example of a popular claim might be "the admins can't automatically read everyone's Email". CC tests that these claims are true, to a certain depth. Documentation is a vital part of passing an evaluation.

Does It Matter What Version Gets Certified?
Yes. It matters very much. Just because version 1 of a product received certification, it doesn't mean that v2 or even v1.0.1 is certified. The product must be resubmitted into the evaluation process for it to be re-assessed. This is because CC evaluates vendors' claims for a given version and even a given configuration of the product. It is normal for a product to be obsolete by the time it passes certification. You could argue this is made worse by the pace of change in commercial software, with many companies pushed to make 1 major release per year and 2 functionality patches, alongside the 4 critical security-related hotfixes, all of which take a product outside its certified condition.

How Long Does It Take?
For products of similar size/complexity, the higher the level of assurance the longer the evaluation takes. Expect to see XenServer (we presume v5.0 or v5.5) certified within the next 6 months. A CC certification can be an expensive business; in our experience of the process (mainly CheckPoint-FW1 and Harris CyberGuard) the cost is £200K-£400K.

Who Cares If A Product Is Certified?
Mostly it is government buyers or those who have to work closely with government agencies, exchanging information with them, or connecting directly to them. Often such customers are restricted to choosing products from the catalogue of evaluated solutions. However, depending on the sensitivity of the information being handled by the IT, an EAL-certified product may not even be required.

Where Can I Find Out More?
As ever, Wikipedia is a good start.
Check the Portal for certified products.
Or talk to us.

Updated 14-09-2010: XenServer has now been granted its certification.