Saturday, May 29, 2021

The Inherent Vulnerability of HCI

But patching makes it better.
vSphere admins of the world sure had fun this week! VMware dropped VMSA-2021-0010 on us Tuesday, and you can imagine faces falling as virtualization administrators read the details: unauthenticated remote code execution over port 443, CVSSv3 scores ranging from 6.5 to 9.8, and vCenter Server 6.5, 6.7, and 7.0 all affected. Any optimism we had going into a long weekend was summarily tempered by the cold reality of unscheduled and/or emergency changes.

To VMware's credit, the company published a blog post with a stunning amount of information regarding the severity of the issue and clearly expressed the urgency of the situation, to wit: "When do I need to do something about this? Right now." The post is as good as the flaw is bad.

For administrators of vCenter Servers that supervise converged or traditional infrastructures, patching was a relatively easy task. Of course you read the release notes first (cue laugh track). In most cases, suffering the indignities of officious change management processes eclipsed the update task itself. If you've been keeping up with VCSA updates, you know that you always grab a snapshot of the appliance and run an ad hoc file-based backup through the VAMI before you do anything. Once the data is protected, you run the update and within minutes you're back in business. Confirm the services came back healthy, delete the snapshot, and move on.

But for admins of hyperconverged solutions (e.g., Dell's VxRail system), the process is not so simple. HCI vendors maintain a tight grip on the version of each component in the bundled system, and mince no words in warning users not to upgrade software outside of the bundled updater. The expectation is that when VMware publishes a fix for a critical security issue, the HCI vendor will quickly incorporate that update into their bundle and make it available for download. In this particular case, VMware published a workaround alongside the security advisory, which gave HCI users a way to mitigate the flaw while they waited for the bundle.

However, the gap between VMware's patch release and the HCI vendor's bundle is unacceptable when the issue is unauthenticated remote code execution. The finicky requirements of the infrastructure solution force its users to remain vulnerable, or to rely on a workaround, beyond the immediacy of the moment.
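As an added illustration of the argument in the two paragraphs above (code added here, not from the original post and not VMware's), here is a triage script that sorts a mixed estate into "patch now" for appliances you control directly, and "workaround applied, waiting on the bundle" or "apply the workaround now" for HCI-managed ones. The fixed-build table and the inventory are constructed placeholders, and the version and build fields are assumed to be whatever the appliance reports; copy the real fixed builds from the advisory's response matrix before pointing this at anything real.

```python
"""Triage a mixed converged / HCI vCenter estate against a vCenter advisory.

Added example, not from the original post and not VMware's code. The
fixed-build table and the inventory are constructed placeholders: copy the
real fixed builds from the advisory's response matrix before using this.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed placeholder: release line -> first build that carries the fix.
# These are NOT the real numbers; take them from the advisory.
FIXED_BUILDS: Dict[str, int] = {"6.5": 18000000, "6.7": 18000000, "7.0": 17900000}

PATCHED = "patched"
PATCH_NOW = "vulnerable: patch the appliance now"
WORKAROUND_IN_PLACE = "vulnerable: workaround applied, waiting on the HCI bundle"
APPLY_WORKAROUND = "vulnerable: HCI-managed, apply the workaround now"
UNKNOWN = "release line not in the advisory table, check manually"


@dataclass
class VCenter:
    name: str
    version: str        # as the appliance reports it, e.g. "7.0.2.00200"
    build: int          # appliance build number
    hci_managed: bool   # patched only through the HCI vendor's bundle
    workaround_applied: bool = False


def release_line(version: str) -> str:
    """'6.7.0.48000' -> '6.7'. Build numbers only order within one release line."""
    parts = version.split(".")
    if len(parts) < 2 or not (parts[0].isdigit() and parts[1].isdigit()):
        raise ValueError(f"unexpected version string {version!r}")
    return f"{parts[0]}.{parts[1]}"


def is_fixed(vc: VCenter) -> Optional[bool]:
    """True/False for known lines; None when the advisory table has no entry."""
    fixed = FIXED_BUILDS.get(release_line(vc.version))
    return None if fixed is None else vc.build >= fixed


def assess(vc: VCenter) -> str:
    fixed = is_fixed(vc)
    if fixed is None:
        return UNKNOWN
    if fixed:
        return PATCHED
    if not vc.hci_managed:
        return PATCH_NOW  # converged/traditional: patch the VCSA directly
    # HCI: the only sanctioned patch is the vendor bundle, so the workaround
    # is the interim control until that bundle ships.
    return WORKAROUND_IN_PLACE if vc.workaround_applied else APPLY_WORKAROUND


def report(inventory: List[VCenter]) -> Dict[str, str]:
    return {vc.name: assess(vc) for vc in inventory}


# Constructed inventory for the example; builds and versions are illustrative.
INVENTORY = [
    VCenter("vcsa-prod", "7.0.2.00200", 17950000, hci_managed=False),
    VCenter("vcsa-lab", "6.7.0.47000", 17130000, hci_managed=False),
    VCenter("vxrail-dc1", "7.0.1.00300", 17490000, hci_managed=True, workaround_applied=True),
    VCenter("vxrail-dc2", "6.7.0.46000", 16700000, hci_managed=True),
    VCenter("legacy", "6.0.0.30000", 9450000, hci_managed=False),
]

if __name__ == "__main__":
    for name, status in report(INVENTORY).items():
        print(f"{name:12} {status}")
```

The point of splitting the HCI branch in two is that "vulnerable" is not one state for these systems: an HCI vCenter with the workaround in place is waiting on the vendor, while one without it is an action item for today. Feed the script from your real inventory and rerun it as the vendor bundle lands.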

Last Words

HCI is still a worthwhile solution for most vSphere environments. The onus is on the customers and users to decide how they'll account for, and compensate for, the delay in getting critical security updates incorporated into their solutions.

Tuesday, March 2, 2021

Getting There from Here with vROps

At Cloud Field Day 9, VMware presented their vRealize Operations Manager software as a means to assess cloud readiness and costs. I attended as a delegate, which means I received some swag from VMware (a reusable water bottle). I hope my opinions aren't so easily swayed. Narrator voice: they aren't.

VMware's depiction of the cloud journey.
For the better part of a decade, VMware has described the process of embracing and migrating cloud services as a journey. I recall hearing this message loud and clear in San Francisco at VMworld in 2014, and I was admittedly confused by it. How could migrating your applications to the cloud be so difficult? What barriers were so insurmountable that groups of motivated IT professionals couldn't complete such a project in a single phase?

Seven years later, when I informally survey the market and assess where several large enterprise customers are in their journey, I understand. The problem that keeps enterprises from adopting cloud has less to do with technology and more to do with business operations: cost is once again the primary consideration for the business.

Identifying the true cost of IT services (which is to say the cost of the hardware, software, development, security, and operations) is notoriously difficult. People tend to spitball these costs during meetings, but can rarely show the receipts. And if you're not able to determine today's costs, you're not able to perform a true cost comparison with a cloud-based solution. This may be less true for shops that are moving off of a server-centric IT model and onto serverless. However, I'd wager that an organization that hasn't yet moved to the cloud in 2021 is still highly dependent upon servers.

To solve this problem, VMware positions vRealize Operations Manager (stylized as vROps) as a means to calculate your current costs and compare them to estimated cloud costs. It does this by leveraging data center technologies like vCenter Server, ESXi, and NSX, collecting data from these sources, and analyzing it to develop an accurate picture of your environment. It's pretty slick.

For example, let's say you're considering a cloud migration, and you want to stick with a server-centric delivery model. It might be tempting to export the system specifications for your on-prem VMs and use this data to estimate costs for your cloud VMs. However, you're assuming that your existing environment is right-sized. This is likely not the case. vROps can compare the size of your VMs with their observed workload, and recommend changes to bring each VM in line with its demand. This feature has been integral to vROps for many versions, but the incorporation of this feature into the cloud planning function is key. Take the opportunity to right-size your VMs prior to using their specs to estimate cloud costs.
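To make the right-sizing point concrete, here is an added example (not vROps' algorithm and not code from the original post): a simplified sizing routine that takes observed utilization samples, picks a demand level with headroom, and maps both the allocated shape and the demanded shape onto a constructed instance catalog with hypothetical prices. The percentile-plus-headroom rule, the catalog, and the sample VMs are all assumptions for illustration; the lesson it shows is that allocation and demand diverge in both directions.

```python
"""Right-size VMs from observed demand before estimating cloud cost.

Added example, not VMware's or vROps' code: a simplified stand-in for the
right-sizing step the post describes. The instance catalog, prices and the
utilization samples are constructed for the example.
"""
import math
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed catalog: (shape, vCPU, GiB RAM, hypothetical USD per hour), smallest first.
CATALOG = [
    ("s", 2, 8, 0.10),
    ("m", 4, 16, 0.20),
    ("l", 8, 32, 0.40),
    ("xl", 16, 64, 0.80),
    ("2xl", 32, 128, 1.60),
]
HOURS_PER_MONTH = 730


@dataclass
class VM:
    name: str
    vcpu: int
    mem_gib: int
    cpu_util: List[float]  # fraction of allocated vCPU in use, one sample per interval
    mem_util: List[float]  # fraction of allocated memory in use


def percentile(samples: List[float], p: float) -> float:
    """Nearest-rank percentile, p in (0, 100]. Avoids sizing to a single spike."""
    if not samples:
        raise ValueError("no samples")
    ordered = sorted(samples)
    rank = max(1, math.ceil(p / 100 * len(ordered)))
    return ordered[rank - 1]


def demand(vm: VM, p: float = 95, headroom: float = 0.2) -> Tuple[float, float]:
    """Absolute vCPU and GiB the VM actually needs: p-th percentile use plus headroom."""
    cpu = vm.vcpu * percentile(vm.cpu_util, p) * (1 + headroom)
    mem = vm.mem_gib * percentile(vm.mem_util, p) * (1 + headroom)
    return cpu, mem


def smallest_fit(cpu: float, mem: float) -> Optional[Tuple[str, float]]:
    """Smallest catalog shape satisfying both dimensions; None if nothing is big enough."""
    for shape, c, m, price in CATALOG:
        if c >= cpu and m >= mem:
            return shape, price
    return None


def monthly(price: float) -> float:
    return round(price * HOURS_PER_MONTH, 2)


def compare(vms: List[VM]) -> List[Tuple[str, str, float, Optional[str], Optional[float]]]:
    """(name, shape as allocated, monthly cost, shape as demanded, monthly cost)."""
    rows = []
    for vm in vms:
        alloc = smallest_fit(vm.vcpu, vm.mem_gib)
        sized = smallest_fit(*demand(vm))
        rows.append((
            vm.name,
            alloc[0], monthly(alloc[1]),
            sized[0] if sized else None,
            monthly(sized[1]) if sized else None,
        ))
    return rows


# Constructed samples: an oversized database, an undersized web tier, and a
# batch box whose real demand exceeds the catalog (so the planner must say so).
SAMPLE_VMS = [
    VM("db01", 16, 64,
       [0.10, 0.12, 0.15, 0.20, 0.30, 0.18, 0.11, 0.25, 0.14, 0.22],
       [0.30, 0.32, 0.35, 0.33, 0.31, 0.34, 0.30, 0.35, 0.32, 0.33]),
    VM("web01", 4, 16,
       [0.60, 0.72, 0.85, 0.90, 0.66, 0.78, 0.88, 0.70, 0.81, 0.75],
       [0.70, 0.75, 0.80, 0.78, 0.72, 0.79, 0.80, 0.74, 0.77, 0.76]),
    VM("batch01", 32, 128,
       [0.90, 0.95, 0.93, 0.94, 0.95, 0.91, 0.92, 0.95, 0.94, 0.93],
       [0.60, 0.62, 0.61, 0.63, 0.60, 0.64, 0.62, 0.61, 0.63, 0.62]),
]

if __name__ == "__main__":
    for row in compare(SAMPLE_VMS):
        print(row)
```

In the constructed data, db01 drops from the xl shape to l, web01 actually needs to grow from m to l because its allocated vCPU is saturated, and batch01 returns None for the demanded shape, which is the correct answer when no catalog entry fits and a cost estimate built from the spec sheet would have silently been wrong.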

Side note: When you're ready to start planning your cloud architecture, you'll want to try out vRealize Network Insight. vRNI can discover the relationships and connections between your systems, which is vital for planning your cloud networking architecture. And when you're ready to build out your migration strategy, VMware HCX can simplify the planning process for you.

In summary, vROps offers more than just vSphere alert centralization and policy compliance. Use this tool to inform your decision making as you head for the clouds.


Here's a recording from #cfd9 in which Taruna Gandhi, Senior Director, Product Marketing at VMware, discusses how vROps can be used to facilitate a journey to the cloud. For the costing capabilities within vROps, check this one out.