Separation of Duties in Virtualized Environments

Historically, separation of duties has been a key tenet of internal controls

Virtualization has brought us another step closer to the world of Star Trek. Think back to episodes of The Next Generation where Geordi was able to control the functions of the entire ship through a single touch-screen interface. He was able to reconfigure electrical, mechanical and propulsion systems without needing anyone else or additional authorization. The only thing to prevent him from doing something risky or damaging was the computer system itself.

This picture is exciting in its similarities with virtualization. Here, the hypervisor essentially becomes a datacenter in a box where not only servers are virtualized, but also networking and storage. One of the challenges this creates, though, is around separation of duties, since the virtual infrastructure administrator now has the ability to make changes to each of these aspects of virtual infrastructure. This has blurred the lines around traditional separation of duties and is creating some serious organizational challenges.

Historically, separation of duties has been a key tenet of internal controls. As a security principle, it is meant to protect against fraud and unintentional error due to a variety of factors, such as lack of skills or inattention caused by overwork. In addition, from an IT perspective it is meant to reduce the potential damage from the actions of one person. Also, regulatory compliance initiatives like SOX and the Gramm-Leach-Bliley Act (GLBA) require separation of duties, since internal controls rely on IT to automate and enforce the separation. Auditors check to make sure there are adequate control mechanisms around separation of duties and have listed "material deficiencies" when the risk is high enough, or documented "compensating controls" when the IT controls required for compliance cannot be satisfied.

Traditional IT organizations are built with multiple skilled groups; typically these include server, networking, storage and security. These groups are not only experts in their particular domains, but they have limited access to the specific systems they need to manage. With virtualization, however, these functional areas become very difficult to segregate and manage; for example, the server team that adopts virtualization may end up also managing networking and storage within the virtual infrastructure. This creates both organizational and virtualization adoption challenges.

Here are three steps for solving the issue of separation of duties within a virtualized environment:

  1. Architect organizational processes and separation of duties from the ground up
  2. Use granular role-based access control methods to ensure separation of duties - this should be consistent across all access methods
  3. Ensure you have consistent and granular audit-quality logs for all virtual infrastructure operations (log individual user and command activities)

Bottom line: the best way to effectively address the problem of separation of duties is by deploying a solution that automates and delivers consistency around areas like access management, policy enforcement (according to role and object/resource being managed) and audit-quality logging. These capabilities are critical to enforce separation of duties as well as to enable new virtualization capabilities such as self-service. With steps like these in place, the uncharted course we're on with virtualization can bring tremendous assurance, control, security, management and compliance.
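To make steps 2 and 3 concrete, here is an added example (not code from the author, HyTrust or any product) of a small policy check for virtual infrastructure operations: permissions are granted per role and per object type, a constructed static separation-of-duties rule forbids one account from holding more than one of the server, network and storage administrator roles, and every decision is written to an audit record carrying the user, the command and the object. The role names, object types and sample requests are assumptions made up for the illustration.

```python
"""Toy separation-of-duties policy check for virtual infrastructure operations.

Added example; roles, object types and requests are constructed for illustration.
"""
from datetime import datetime, timezone

# Permissions are granted per (role, object type) pair, mirroring policy
# enforcement "according to role and object/resource being managed".
ROLE_PERMISSIONS = {
    "server_admin":  {"vm": {"create", "start", "stop", "delete"}},
    "network_admin": {"vswitch": {"create", "modify", "delete"}},
    "storage_admin": {"datastore": {"create", "resize", "delete"}},
    "auditor":       {"vm": {"read"}, "vswitch": {"read"}, "datastore": {"read"}},
}

# Static separation-of-duties constraint (constructed policy): one account may
# hold at most one of these administrative roles.
MUTUALLY_EXCLUSIVE = {"server_admin", "network_admin", "storage_admin"}

AUDIT_LOG = []  # in-memory stand-in for a forwarded, append-only audit trail


def validate_roles(roles):
    """Return True only if the role set respects the separation-of-duties rule."""
    return len(set(roles) & MUTUALLY_EXCLUSIVE) <= 1


def authorize(user, roles, action, obj_type, obj_id):
    """Decide one request and always emit an audit record (user, command, object, result)."""
    if not validate_roles(roles):
        decision = "deny:sod_violation"          # toxic role combination
    elif any(action in ROLE_PERMISSIONS.get(r, {}).get(obj_type, set()) for r in roles):
        decision = "allow"
    else:
        decision = "deny:no_permission"          # role does not cover this object/action
    AUDIT_LOG.append({
        "ts": datetime.now(timezone.utc).isoformat(),
        "user": user, "roles": sorted(roles),
        "action": action, "object": f"{obj_type}/{obj_id}",
        "decision": decision,
    })
    return decision


if __name__ == "__main__":
    print(authorize("alice", {"server_admin"}, "start", "vm", "web01"))            # allow
    print(authorize("alice", {"server_admin"}, "modify", "vswitch", "dmz"))         # deny:no_permission
    print(authorize("bob", {"server_admin", "storage_admin"}, "start", "vm", "web01"))  # deny:sod_violation
    for record in AUDIT_LOG:
        print(record)
```

The same check would sit in front of every access path (console, API, CLI) so that the policy and the audit trail stay consistent regardless of how the operation is issued.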

Now you're ready to take your business where no man has gone before.

More Stories By Eric Chiu

Eric Chiu is CEO and founder of HyTrust, an early stage startup focused on secure virtualization management and compliance. He has in-depth knowledge about what’s needed to achieve the same level of operational readiness in virtual, as in physical I.T. infrastructures. Previously Eric served in executive roles at Cemaphore, MailFrontier, mySimon, and was a venture capitalist at Brentwood/Redpoint, Pinnacle, and M&A at Robertson, Stephens and Company.
