There’s no denying it: virtual machines (VMs) offer a ton of benefits and should be a key element of any modern IT environment.
In the past, a systems administrator would need to budget and plan for a new server. Servers take up space in data centers, generate heat and have their own HVAC/temperature control needs, require electricity and internet access. Once a physical server is purchased and powered up, someone needs to install and configure an operating system. The whole process, end-to-end, takes a substantial investment of resources and leads to some highly-visible work.
With the advent of virtual machines, the entire equation has changed. The cost to add an additional virtual machine is minimal, they don’t take up rack space in your data center, and they don’t consume additional electricity. All of the work that takes time and money to get a physical machine up and running has been replaced by a mouse-click and a 5-minute wait. Then viola!, a new server is up and running.
There’s no question, virtual machines are fantastic. But like anything that is cheap and easy, they have a tendency to persist long past their usefulness. Why invest the time and energy to retire a VM when it can linger on and not bother anyone?
And yet, it’s exactly that issue that unwittingly creates information security and knowledge management challenges for organizations.
From an information security perspective, each virtual machine has all of the same characteristics as a physical server — it needs to be patched and maintained and it has all of the standard issues with admin-level and standard user account and password management. Does the virtual machine require direct access to the internet? If so, it requires firewall configuration changes.
From an information and knowledge management perspective, some degree of organizational data, information, and knowledge are stored on that server. Even if the sole purpose of setting up that machine was to test a new application, someone at the organization is walking around with knowledge in his or her head about why the machine was spun up, the purposes for which it is being used, why it has various ports exposed, who the business owner is, and if there’s a time when it should be retired or moved from development to production.
It’s so tantalizingly easy to skip documenting anything about a virtual machine. Why bother, when it will take longer to kill off the VM than it would to write up anything? Because from an information security and information management perspective, it’s still an organizational asset — and likely contains data and information that your organization is responsible for — that must be appropriately protected.
In short, virtual machines should be treated like any and every other core system that comprises your organization’s information architecture. As such, it should be routinely and periodically reviewed under the auspices of your information governance program. Some sample questions to ask:
- What business purpose does this VM support? Is it still valid? Needed?
- Who is the business owner of this VM? Does the business owner still work at this organization? Does the business owner still need the VM?
- Who is responsible for maintaining the security of this VM? Is that person held accountable for the security and integrity of the VM?
We’re all for using virtual machines. Just don’t let them stagnate and contribute to your organization’s digital junkyard. Make sure there is a plan for decommissioning each VM and include auditing them on a periodic and routine basis as part of your IT department’s responsibilities.