System Center 2012 - Virtual Machine Manager can handle cross platform management of both VMware ESX and Citrix XenServer virtualization platforms. When Windows Server 8 is released, the management platform will be cause for IT managers to seriously consider Microsoft for expanded use in the datacenter.

Today, I’ll focus in on System Center 2012 – Virtual Machine Manager (SC VMM).

Since 2008, SC VMM has been able to manage not only Microsoft Hyper-V virtualization hosts but also VMware ESX hosts as well. Citrix XenServer hosts can also be monitored and managed using SC VMM. For IT managers, this means that the widely used System Center tools are gaining in capability. This has two positive and one negative effects. First, there is a relatively large pool of IT professionals with System Center experience, which means that there is talent available to implement and use the tool.

Second, Microsoft’s decade plus of experience in datacenter management means that System Center has enough experinece under its belt to credibly handle the root cause analysis and error management reporting needed to help IT staff quickly identify problems and take action.

On the downside, using System Center requires a substantial Microsoft ranging from Active Directory to WSUS (Windows Server Update Service) to Microsoft SQL Server. These components are tied together very tightly, such that once SC VMM is in place, stringent change management controls will be needed to keep the system running smoothly.

So what do you get with SC VMM besides basic management across the three major hypervisor platforms? For one thing, you will get one of the best single products for managing a Microsoft Hyper-V environment. And with the improvements I’ve seen in the virtualization capabilities that will be offered in the upcoming release of Windows Server 8, the enhancements in SC VMM will lay the basis for the automation and fault resolution needed to keep a virtual datacenter up and running.

There are alternatives to SC VMM for heterogeneous hypervisor management. BMC, CA, HP and IBM-Tivoli all make tools that can monitor one or more virtual and physical environments inside a common framework. As I delve into SC VMM at eWEEK Labs, expect to see more about how the product stacks up to these established datacenter players.

Red Hat Enterprise Virtualization 3.0 focuses on adding new management features.

Red Hat Enterprise Virtualization 3.0 was released today with many of the changes from version 2.2 focused on improving management features.

The open source, KVM-based (Kernel Virtual Mode) Red Hat Enterprise Virtualization 3.0 hangs its hat, so to speak, on lower license costs and SPEC benchmarks that show it has an advantage over “proprietary” (read VMware) systems. KVM is also a part of the Linux kernel although Xen based hypervisor technologies, for example Citrix XenServer, have a large following in the open source community.

I’ll be setting up a Red Hat Enterprise Virtualization test environment over the coming week. In the meantime, a quick look at the Technical Notes clearly show that most of the work in this version focused on management features.

This make sense. As I noted in my eWEEK review “As Microsoft readies Windows Server 8, and the operating systems enhanced Hyper-V virtualization capabilities for release, the days will soon be gone when VMware is the single star that dominates center stage. Savvy IT managers will need to call on players, some old and many new, to successfully manage these evolving and maturing datacenter virtualization platforms.

Further setting the stage for multi-hypervisor management, Red Hat Enterprise Virtualization Manager 3.0, now with a REST API that enables full access to Red Hat virtual hosts and guest virtual machines, including high availability, live
migration, storage management and system scheduling.”

Ensuring that Red Hat Enterprise Virtualization can be managed in concert with other VMware and Microsoft Hyper-V is critical for IT datacenter managers. For cost savings to extend beyond lower license fees it is critical that multiple hypervisor platforms can be managed with as few IT resources as possible. This means using tools that can hook into the hypervisor to provide inventory, performance and dependency information in a single management console.

It looks like Red Hat has taken a significant step in this direction.

Today’s big-deal security breach comes from right here in San Francisco, where the City College of San Francisco (CCSF) has found itself host to a virus-driven security crisis that could affect anyone who used the college’s networks or systems since the turn of the millennium.

As staff writer Nanette Asimov of the San Francisco Chronicle wrote in the January 13 edition:

Each night at about 10 p.m., at least seven viruses begin trolling the college networks and transmitting data to sites in Russia, China and at least eight other countries, including Iran and the United States, [CCSF CTO David] Hotchkiss and his team discovered. Servers and desktops have been infected across the college district’s administrative, instructional and wireless networks. It’s likely that personal computers belonging to anyone who used a flash drive during the past decade to carry information home were also affected.

The college’s CTO, who has been in the position for almost two years, isn’t pulling any punches:

“We may never know the full extent of the damage, and how many lives have been affected by this,” Hotchkiss told three college trustees Thursday evening who met to discuss school buildings and technology issues. “These viruses are shining a light on years of (security) neglect.”

Apparently, this has been going on for at least a decade, although the first signs of this problem didn’t surface until late November 2011. The one bright side to this is that the school’s computers holding medical information of staff and students appear to be clean, but the community college’s accounting, admissions and payroll systems have yet to be audited, notes the Chronicle.

This isn’t the school’s first security blunder, either. Back in 2007, CCSF discovered that a file which had been created in 2000 for providing students access to their grades, containing names, addresses and Social Security Numbers, could be viewed from external systems. I have to suspect that whatever audit took place after that kerfuffle produced results so alarming that the report was marked “Burn Before Reading.”

Penny-wise but pound- foolish never looks good on the resume. Certainly, one can’t hold Hotchkiss responsible for the state of affairs that he inherited at CCSF. When he came on board in the summer of 2010, Asimov’s article notes, some systems hadn’t seen a password change in a decade; attempts to modernize the IT infrastructure have been hobbled by an inadequate budget, which has been exacerbated by the state’s financial crisis.

This brings me back to the biggest problem with IT security: it isn’t cheap and it won’t make any money for the organization, and therefore, it’s as low of a priority as one can get away with; the only time the purse strings loosen is when the proverbial barn is a pile of smoldering ash. I’ve covered IT security for almost 15 years and ceased long ago to be surprised by this sort of incident, because business leaders are only slightly better than politicians about taking the “it can’t happen here” approach to budgeting for augmented defenses, even when they should know better.

Okta can smooth the transition of online control from one employee to another.

The beauty of cloud-based applications is that any employee with a credit card (and sometimes not even that) can provision really useful corporate services on the fly.

The ugliness of cloud-based applications is that any employee can provision services on the fly. When an employee leaves–even under the best of circumstances–the lack of central IT controls over corporate assets is laid bare.

Last October I spent some time with cloud identity management provider Okta.  When I wrote about my meeting with Okta, I said that I wanted to test three things:

• Ease of integration with business apps. Company officials say the product comes with ready made integrations to over 1,000 applications. During the demo, it looked like nine fields had to be filled in by the IT administrator to connect Okta to a Salesforce.com instance. That’s not unreasonable, but I do want to see how much effort is needed to integrate typical products.
• Connector durability. When an application changes version, that is usually when the single sign on integration breaks. Okta says that it keeps an eye on these changes in order to “future-proof” the connections. I’d like to see that in action.
• Value for money. Current Okta licenses range from $12/user/year for one application connector to $10/user/month for the enterprise level product.

As part of a recent staff turn over I got to see up close and personal the number of problems that a product such as Okta could have smoothed over. In this case a bundle of very public social media accounts including Twitter and Facebook along with a plethora of other online accounts were transitioned from a departing employee to an existing staff member.

Okta acts as a single sign-on intermediary. Not only are strong passwords used to controll account access, passwords aren’t known by the employee. Thus, even after resignation or termination, and they are removed from the Okta system, they won’t have access to sensitive account information. And for audit purposes, Okta maintains access records that just aren’t possible when employees are using the “cowboy” method of online service access.

Of course a big part of the transition headache that I witnessed was the result not of technology. A policy was also needed to ensure that employees followed an orderly process that involved central IT and corporate decision makers. But a product like Okta certainly would have helped to make the transition more smooth.

Whether Internet access is a civil right or a human right, technologists have an obligation to ensure that barriers to use are minimal.

Last week, Vint Cerf, one of the undisputed fathers of the Internet, published a controversial op-ed piece in the New York Times that confronted the emerging belief that access to the Internet is a human right. He is onto something with his argument that it may be more akin to a civil right, notwithstanding the proclamations of parliaments in Estonia, France and elsewhere.

I generally hold a broad view of rights, in part because I take the language of the U.S. Declaration of Independence seriously. When Jefferson and company wrote that we are “endowed with certain unalienable rights [including] life, liberty and the pursuit of happiness,” they were taking an advanced view of the human condition and by the standards of the day, a radical one as well.

237 years after those words were written, we still find room to argue what “liberty” means, but I’d argue that Internet access comes closer to “the pursuit of happiness” than anything else. That’s because access is no longer a novelty or even a luxury; it’s a necessity. If you don’t believe me, go down to McDonald’s and ask for an application. To many franchisees, job applicants who can’t figure out how to apply online can’t be trusted to make a batch of fries, or get the right amount of special sauce on a Big Mac.

I’m not arguing that working at McBurgerJack Jr. leads directly to happiness, but there are an awful lot of people who would be happier working there than not at all. I have come to believe that Internet access is almost indispensable to participating in society; it’s certainly possible to be well-informed without the Net, but it’s nowhere near as easy as it used to be.

What sells me most on Cerf’s point of view is the comparison he draws with the “universal access” policy that was established during the years of AT&T’s monopoly over the telephone system. Concepts such as the party line helped subscribers gain access to the phone network, even if one had to share the circuit with the busybodies down the road.

In other words, I don’t yet believe that Internet access is an inalienable right, one that society should subsidize in the way that we do food or housing, but it is one of those things that define civilized life, like electricity or telephone service. I’m willing to go as far as saying that we should offer “lifeline” Internet access at a reduced rate, in a fashion similar to the way we offer our poorest households discounted and subsidized rates for phone and power.

Distinguishing between human rights and civil rights may be better left to philosophers, but technologists like Cerf are right to point out that technology creators have an obligation to support both kinds of rights. The hard part, as I see it, is getting an engineer to look past the question of “Can this be done?” and ask “Should this be done?”

A better-performing Safari is on my wish list for 2012.

1)      An iPad with the “Retina” display. This you can bank on. Other features that I expect to see upgraded in the third Apple tablet include the cameras and the storage capacity; although I would like to see a slightly smaller version, about the size of the Kindle Fire, I think it’s going to take another product cycle for the company to be comfortable with disregarding its expressed views on the subject.

2)      The “real” iPhone 5. Not because of anything in the feature set; it’s more of a materials science issue. Curved glass isn’t cheap, and curved “Gorilla” glass is enough of a challenge that Apple decided to ship the iPhone 4S last year even if it meant that some customers wouldn’t have to run out and buy all new accessories. Remember, kids, the real money is in selling us 10 cents of silicone for $29.99.

3)      The Steve Jobs action figure, with or without the kung-fu grip. Apple’s claim to own the likeness of the late Dear Leader isn’t that far-fetched; the question is “Is it enforceable?” Although California law will back up such an approach, other jurisdictions may disagree.

4)      A refreshed Mac Pro. If Apple’s still interested in paying lip service to its high-end users, this is the year for the company to prove it. Killing the Mac Pro would not only put paid to the company’s dwindling support among professional artists, it would define Mac OS X’s Server package as being strictly for hobbyist and SOHO use only.

5)      iCloud for Snow Leopard. I can use iCloud from a 10-year-old installation of Windows XP, but not from Snow Leopard? Really? Prove to me that this was an engineering decision, because it reeks of good old-fashioned greed.

6)      More capabilities for Siri. Expanding what is now a novelty to support dictation, voice control of system settings, and eventually, third-party applications makes too much sense to not be on the roadmap. Apple’s conservative approach to Siri support makes sense for a beta-level technology, but by the middle of next year, the “beta” label will be difficult to justify.

7)      More platforms for Siri. There’s no technical reason to keep it from older devices such as the iPhone 4 and the first two iPad models; this, like iCloud for Snow Leopard, is simply about separating customers from their money.

8)      A 15-inch MacBook Air. This is very likely; the question is will Apple make the Air configuration its only 15-inch model, or will it transition customers over the next couple of years’ models? I want the extra connectivity of the MacBook Pro, but in a lighter package; a larger MacBook Air might convince me to part with some hard-earned money.

9)      A Safari that doesn’t hog memory. Someone will have to explain to me why Safari on Mac OS X does such a poor job of memory management; if I have 100 browser windows open (with relatively similar content in each) and Safari is using 6GB of memory (real and virtual, including the core and Web Content processes), then one would imagine that closing 92 of those windows causes the application to release those resources, but that’s not what happens. Like my ex, Safari just takes and takes until you cut it off entirely.

10)   More ways to access applications on Mac OS X. Actually, that’s something we don’t need: there are already three ways to get to an application – Finder, Dock and now, Launchpad – and until we get a thought-activated interface, I think that’s confusing enough for now.

In my 2009 review I used SCVMM 2008 R2 to manage seven physical host systems that were running a mix of VMware and Microsoft hosts.

Good management of datacenter virtualization is the key to cost savings and competitive advantage.

In 2012 there will be a new set of questions to ask about managing data center server virtualization. The reason? The impending release of Microsoft Windows Server 8. VMware’s vSphere will have a significant challenger even for high value workloads when the next version of Hyper-V is released.

Here is a link to my 2009 review and slideshow of SCVMM.

The emergence of a second hypervisor platform raises a question for IT managers: how to manage both VMware and Microsoft. Or Citrix. Or Red Hat.
For some time, Microsoft System Center Virtual Machine Manager (SCVMM) has been able to monitor both Windows servers running Hyper-V as well as VMware vSphere host systems. I first used SCVMM to manage a mixed Microsoft/VMware environment in 2009. So there is one obvious answer.

Another approach might be to use the built in tools provided with each virtualization platform to manage each platform. It’s hard to see how the same staff could manage heterogeneous platforms in a cost-effective and cost-saving manner but it might be possible.

We might also see a resurgence of third party tools from the likes of CA and BMC. These companies have a history of making tools that can span multi-vendor environments. The task of unifying management of disparate, if similar, systems has often led to long running service engagements and brittle implementations that don’t update well.

And so the other question that an advancing hypervisor market will like present is an amplification of the main theme of 2011: The Cloud.

Infrastructure as a Service (IAAS) providers might start to look more attractive to cost-conscious C-Level executives even as service levels and security questions linger. Thus, as hypervisor maturity gets set to drive greater product choice IT management decisions will determine if the infrastructure investment pays off.

The Cisco Nexus 7009 shipped this year and hopes to take the place of the legendary Catalyst 6509.

I stopped in at the Cisco’s main San Jose campus a couple times in 2011 to get a demonstration of the Nexus 7000 family of chassis and NX-OS software that runs these behemoths. The hardware is impressive and the software is strategic in that it seeks to unify datacenter operations without dashing already deployed network resources.

With that said, Juniper, Brocade, HP and a small fleet of smaller players also unleashed networking fabrics in the last couple of years. As I wrote in May, Juniper’s QFabric and a host hierarchy-flattening, latency-reducing offerings from Brocade, Arista and others made it clear that network managers have a lot to think about when designing the next generation of networks.

At the beginning of the year Cisco had two shipping models, the Nexus 7010 and 7018. In August, the smaller Nexus 7009–a successor of sorts for the Catalyst 6509–model became available. The 14RU (rack unit), 24-inch deep 7009 is designed for smaller data centers. The unit can be mounted in a 2-post set up and uses side-to-side cooling air flow. The unit lists for around $20,000 and with supervisor and I/O cards comes out to about $44,000.

I saw all three models in Cisco’s test labs. The Nexus 7009 can use Fabric 2 switch modules and deliver up to 550Gb per second in switching bandwidth per module, which is significantly more than the 230Gb per second that is supplied when using Fabric 1 modules.

The network chassis are impressive when it comes to capacity and the software sets the stage for strategic network design. In 2012 it will be interesting to see how the hardware and fabric offerings coming Cisco and its competitors will shake out in terms of real world implementation.

Microsoft has cracked the door on XMPP support in Windows Live Messenger; 2012 is the time for the company to kick it open.

People who know me might be a little surprised by that, because if there’s one technology that I simply cannot abide, it’s instant messaging. As I’ve said elsewhere, it combines the worst features of telephone and e-mail by mixing synchronous conversations (e.g., the telephone) with asynchronous ones, and gives the user a third tool that has to be monitored throughout the work day, if not 24×7. In my experience, “instant pestering” is a tool beloved by bosses who don’t trust their employees to work without constant supervision.Nevertheless, I recognize that a lot of work gets done over IM, and generally, end-users seem to like having it at their disposal. The problem is that historically, IM clouds developed as relatively closed systems; although tools such as Trillian sprang up to bridge the competing clouds offered by AOL, Microsoft, Yahoo and others, at first these were fairly kludgy, breaking every time the provider made a change to the back end of the IM service. What was needed was a universal protocol for IM, and XMPP was the answer.

XMPP – the eXtensible Messaging and Presence Protocol – began its life in 1999 as the Jabber project, and is now a de facto standard for communication among the various IM clouds. How far each IM service goes in utilizing XMPP is a complicated story, however; GoogleTalk may be the closest thing to a major service using XMPP whole-hog, but services such as AOL Instant Messenger (and Apple iChat, which piggybacks on AOL’s implementation) Facebook Chat and Meebo all implement XMPP to one degree or another. Even corporate IM standbys such as IBM Lotus Sametime can take advantage of XMPP through a gateway service.

So what Microsoft’s done is open up the Messenger network, allowing developers to write their own client software that authenticates using OAuth 2.0. For now, the XMPP support is limited to the core specification (RFC 6120), most of the instant messaging and presence specs (RFC 6121, except for roster management), fetching of vCards (but not updating them), chat state notifications, and delivery delay; nevertheless, that’s more than enough to get the ball rolling.

Although some observers have argued that the most important thing for Microsoft to do with XMPP at this time is to incorporate federation, which would allow the service to interoperate with services such as Google Talk, I see a bigger opportunity that would actually improve the usefulness of XMPP community-wide, and that’s in the way certain XMPP traffic is handled. Currently, an XMPP message is sent as an XML document, which is fine for ordinary text, but horrible for binary attachments. The latter have to be encoded as a Base64 file, as is done with e-mail attachments that use MIME; until an truly efficient binary XML scheme is developed – and Efficient XML Interchange (EXI) isn’t it – XMPP will just have to make do.

But if Microsoft really wanted to give something back to the community, it could do a lot worse than to put some of its best brains on the chore of making binary XML work well, without requiring the recipient to have a copy of the data schema, as is the case with EXI.

One such publication is Volume 4 of Veracode’s State of Software Security Report, which came out on December 7. I’ve stuck my nose into this report for the last three weeks and pulled it out again, in part because it makes for terribly depressing reading. (You can download a copy here.)

If only secure codiing was as easy as pressing a key, Veracode would have little to report; unfortunately, the opposite is the case.

The worst thing is that, at the end of 2011, commercial software remains prone to stupid security vulnerabilities such as buffer overflows and the existence of backdoors into the application. You’d think we would have learned in the last twenty years how to manage data in memory securely, but it seems those lessons have to be relearned at painful cost, year after year.Almost as appalling is the vulnerability of applications, from whatever source, to old-school tricks such as cross-site scripting, CR-LF injection and directory traversal. This stuff can’t be tolerated, if only because the dangers of these have been so well known for so long. Sometimes I wonder if post-secondary programming classes even discuss securing code, much less insist on it.

Although I recognize that developers are at the end of a very long food chain, they’re also the only people who can implement security at the code level, no matter what methodology is used. It’s time for coders to start treating secure coding as their lifeline to their next job, no matter the truth of the statement that between cheap, fast and secure code, you can only have two of those.

But there is one glimmer of hope as the year winds to an end: I was glad to read that Veracode’s started grading software in a tougher fashion than previously, because it’s clear that security remains a low priority for developers. I don’t believe it’s due to anything more than laziness, but sloth will screw things up almost as well as actual malice can.

It’s not all on developers, of course; management has to be willing to pay the extra costs involved in creating secure code, whether those appear in the design, testing or deployment phases. Cutting corners on this is like playing cards at a casino, except that the stakes are much higher.