RECMGMT-L Archives

Records Management

RECMGMT-L@LISTSERV.IGGURU.US
Options: Use Forum View

Use Monospaced Font
Show Text Part by Default
Show All Mail Headers

Message: [<< First] [< Prev] [Next >] [Last >>]
Topic: [<< First] [< Prev] [Next >] [Last >>]
Author: [<< First] [< Prev] [Next >] [Last >>]

Print Reply
Subject:
Re: Mainframe Computer Service (Problems)
From:
Angie Fares <[log in to unmask]>
Reply To:
Records Management Program <[log in to unmask]>
Date:
Mon, 23 Feb 2009 21:32:01 -0600
Content-Type:
text/plain
Parts/Attachments:
text/plain (173 lines) 
Dear Hugh

Hope you don't mind me chiming in late on the subject, but many large
organizations are already faced with that challenge.  It makes being a
records manager/information technology auditor very interesting!!!

The beauty of virtualization is that it is spawning a number of virtual
machine monitor products (also called hypervisors, "VMM's", and virtual
machine managers).  This is a layer of software that sits between one or
more operating systems and the platform.  It presents each hosted
operating environment with the impression that it has its own dedicated
platform, although in reality a single physical server can
simultaneously host multiple operating systems.  The tough decision is
to determine which configuration best suits the needs of the company and
then you have to situate the firewall and other protective measures at
the right points to make sure that you are covered and that access and
redunancy are supported.  In many cases, users don't even know that
there may be firefighting going on behind the scenes.

Somestimes, you see what is called "Guest Operating System Based
Virtualization" models (sometimes called Hosted Virtualization).  The
virtual machine manager software runs within an operating system
environment.  Imagine a triple layer cake with the bottom layer being
your hardware, the middle layer being your operating system, and the top
layer being your virtual machine manager.  You can put multiple
applications and their specific operating systems all over the top like
big globs of icing, but the VMM sits on top of the operating system and
its hardware. 

Another model that I've seen is VMM Based Virtualization - Single System
(sometimes call "Bare-Metal Virtualization").  This kind of
virtualization has the VMM software running direction on a given
hardware platform (as an operating system control program). In this
scenario, imagine only a double layer cake with the bottom layer being
your hardware and the top layer being your virtual machine manager
layer.  You can have multiple globs of applications and their associated
operating systems, but the VMM sits right on top of the hardware as a
"guest" operating system.

Finally, you've got your VMM Based Virtualization - Multiple Systems
(sometimes called "Complex Virtualization"). This kind of virtualization
has the virtual machine manager running directly on two or more hardware
platforms.  You can configure this a couple of ways.  In a "Type A"
scenario, virtual machines with various applications can be provisioned
across multiple systems to support redundancy and failover usages.
Imagine two separate cake plates as your hardware with a large cake laid
over both plates.  Your virtual machines and their associated
applications run on top of that.  In a "Type B" scenario, a single
virtual machine provisioned across across multiple systems, but within
this virtual machine applications can be run with varying system
resources available to them based on load leveling or other requirements
(i.e. security, etc.).  In this scenario, imagine the two cake plates
side by side with a triple layer cake laying across both plates.  Each
cake plate is your hardware.  The bottom layer of cake is your
virtualization and provisioning layer.  The middle layer is your
operating system, and the top layer is an application of major
importance.

OK, so now that brings us to Cloud Computing and SaaS (Software as a
Service)/Application Streaming.  For the newly initiated, Saas is a
delivery model where a software vendor develops a web-native software
application and hosts and operates (either independently or through a
third party) the application for use by its customers over the internet.
Customers do not pay for owning the software, but could be charged for
using it.  Application streaing is a relatively new form of software
distribution method using appliation virtualization.  By virtualizing
the application and streaming blocks of executable code, it can be run o
the client side before it is finished downloading.  This is sort of new
to those of us who are used to applications running on the server itself
(which is sometimes called Terminal Server Computing).  I get a fuzzy
naval feeling when people start talking about "cloud computing" because
it means different things to different people.  You've got web based
applications like Facebook and Twitter, etc.  You've got Cloud/Service
applications like Google Apps, Salesfore.com, etc.  Then you've got
Virtualization based computing resources in the cloud itself like Amazon
EC2, Google App Engine, etc.  It is just about everything but the
kitchen sink.  I once heard Steve Orrin from Intel describe "cloud
computing" and I liked his definition.  He said, "Cloud Computing is the
notion of providing easily accessible compute and storage resources on a
pay-as-you-go, on-demand basis, from a virtually infinite infrastructure
managed by someone else.  As a customer, you don't where the resources
are, and for the most part, you don't care.  What's really important is
the capability to access your application anywhere, move it freely and
easily, and inexpensively add resources for instant scalability."  Love
the definition, but the information systems auditor/records manager in
me is just scared silly trying to figure out how to introduce any sense
of control.

The biggest challenges to virtualization security are always going to be
the attack vectors (hyperjacking, virtual machine manager jumping, guest
hopping), compliance configuration, updates, and patching.  What is
hyperjacking?  That is where hackers intall a rogue virtual machine
manager that can take complete control of a server withou the operating
system even being ware tha thte machine has been compromised.  Handling
synchronization issues is generally not a problem with cloud computing
and virtualization. Hardening the configuration and security to prevent
someone from taking control of the hypervisor (get control of that, and
you have the keys to the kingdom) are the more difficult threats we face
when using virtualization.  You've got to look at local routing &
switching, spoofing (which tends to be easier in virtual environments),
broadcast traffic amplication, shared and unassigned addresses, and live
migration issues.  In the audit world we have a phrase that we use
called "promiscuous mode" when a computer is sharing too much
information with too few controls.  In the real world, virtual machines
can transfer from one physical machien to another with little or no down
time, but if the firewalls and security are not in place, you've got
real problems.

In my opinon, it is about configuration.  You either create a recipe for
success or a recipe for disaster...depending on your needs.  The more
seamless it everything seems to the users, the more I start digging for
potential security issues.

Hope this didn't put you to sleep, but it has been a favorite study of
mine in recent months.  

Angie Fares
817.415.4935
[log in to unmask]



-----Original Message-----
From: Records Management Program [mailto:[log in to unmask]] On
Behalf Of Hugh Smith
Sent: Thursday, February 19, 2009 10:37 AM
To: [log in to unmask]
Subject: Re: Mainframe Computer Service (Problems)

With all the changes to processing, could all these different virtual
elements create problems with enforcing any level of retention
scheduling.

For example, virtual computing spread computing around to various
servers without a real defined directory.  This file on that server at
this time and so on. Now Cloud computing put this even more remote.  So
you go along removing and destroying documents at the end of their life
cycle.  But somewhere Servers were pulled of line due to maintenance
issues and sits there idle.  It misses it de- duplication cycle and then
a subpoena comes along and various servers are sitting out there, off
line and holding documents that are past retention schedule but were
never destructed.

Computer systems are not designed to deal with retention schedules and
they create and store documents in many locations that are not thought
of when management cycles are reviewed.

Un less someone creates a new form of records management software that
can search out all these items.  But if a server if offline for repair
when this happens, it just is missed.

Am I wrong?


Hugh Smith
FIRELOCK Fireproof Modular Vaults
[log in to unmask]
(610)  756-4440    Fax (610)  756-4134
WWW.FIRELOCK.COM



List archives at http://lists.ufl.edu/archives/recmgmt-l.html
Contact [log in to unmask] for assistance To unsubscribe
from this list, click the below link. If not already present, place
UNSUBSCRIBE RECMGMT-L or UNSUB RECMGMT-L in the body of the message.
mailto:[log in to unmask]

List archives at http://lists.ufl.edu/archives/recmgmt-l.html
Contact [log in to unmask] for assistance
To unsubscribe from this list, click the below link. If not already present, place UNSUBSCRIBE RECMGMT-L or UNSUB RECMGMT-L in the body of the message.
mailto:[log in to unmask]

ATOM RSS1 RSS2