Archive for February, 2012

Demarcation of Roles: Where to Split the Load?

February 8, 2012

Virtualization created a lot of change in the technological landscape, and continues to do so. It has also had a large impact in other areas: processes and roles. Back when everything was physical, people knew their roles and what they were responsible for. The server guys owned the server, the network guys owned the network, and so on. But today those clear lines are blurred; there is no clear demarcation anymore. Blade chassis can now house Cisco network and fiber switches, ESX handles virtual switching through vDS or the Cisco 1000V, and now there are virtual firewalls that run on the hypervisor as well, for managing traffic between VMs. This fundamental shift has huge implications for ownership, especially in a world where Enterprise Security groups are pushing Role Based Access Control. It simply boils down to “Who Owns What?”

When ESX was first introduced and became an industry norm, ownership of everything beyond where the network cable plugged into the server was handled by the server administrator. This meant that configuration, management and ownership of the Virtual Switches were handled by the ESX Admin. However, as those technologies have grown, should that still be the case today? And with the introduction of blade chassis with L2 switches attached, the clear lines become even more blurred.

It’s becoming more and more apparent that there is a need to rethink the approach for delegating the management of entities. There seem to be two clear choices of approach. The first is to migrate from silos of technologies and create all-encompassing groups around services in the enterprise. The second is to shift the demarcation of roles to encompass end-to-end technologies.

The first approach requires the largest shift inside an organization. Typically, groups manage technologies, not the services that use those technologies. Virtualization, however, needs to be looked at as a service that uses multiple technologies. Instead of having separate server, network and storage teams that manage those technologies for virtualization, why not create a Virtualization Team that includes SMEs in the areas of server, network and storage management? This allows the SMEs in each group to bring not only expertise in that specific technology to the table, but also the knowledge of how to best use the technology to better the virtualization service. This approach becomes even more paramount when you start looking at advanced virtualization initiatives such as cloud or VDI.

The second approach is to no longer use the physical connection to the server as the demarcation zone. This approach falls more in line with the thought processes behind Role Based Access Control. By taking this approach, you extend ownership and management of a technology from end to end. In the case of an ESXi environment running on a blade chassis with Cisco B22HP FEX devices and using the Cisco 1000V Virtual Switch, you grant access and ownership to the network team, making it responsible for the networking from the core down to the 1000V. This not only gives insight into what is being done down to the port level in a virtual environment, but also allows for standardization of the network technologies and places the management of that technology with the SMEs in an organization. It also allows for end-to-end impact analysis of a change anywhere in the network environment.

While both approaches have their merits, choosing the one that works best will depend on your organization. The first method will require a shift in the general thinking, and any major organizational change like that takes time to step through. However, I do feel it’s the better approach, especially for managing future technologies such as vBlock and Cloud. Given the challenges around the changes required to get to this model, though, it may not be easily executable. The second model will be simpler to adapt to, and will still accomplish a major goal. However, it will still have all the flaws of a siloed approach and may prevent the collaborative thinking that designing and managing a service such as virtualization can benefit from. At the end of the day, communication is key when working with a technology like virtualization, and I feel that it isn’t up to the standard that it should be in most enterprises. Whether you follow the recommendations here or create your own that work best for your organization, as long as some change is occurring, I believe the mission is accomplished, because continuing to have the mindset of the ‘IT Organization’ from 10 years ago is nothing but a recipe for disaster.