While VMware users harbour little doubt about the cost savings and productivity gains brought by virtualising their networks, security concerns still exist on many fronts, whether figuring out how to meet regulatory compliance with auditors, or evaluating cloud services.

Numerous regulatory regimes, such as the Payment Card Industry (PCI) guidelines for cardholder data, make it questionable whether it is possible to hold sensitive data subject to high security on the same virtual machine as non-sensitive data. The answers about so-called virtualisation "mixed mode" data security could be totally different based on what any given internal or outside auditor might say, which puts network managers on the spot when trying to secure networks where server virtualisation is speeding along.

"There are compliance challenges," said Paul Wallace, server administrator for GM Financial, who spoke on a panel at the VMworld Conference being held at two Las Vegas hotels filled to overflowing with about 19,000 attendees. Wallace said about 70% of GM Financial's server infrastructure is now virtualised based on VMware, and desktop virtualisation based on View is also underway. Use of VMware vCenter Configuration Manager helps in generating reports letting auditors know how sensitive customer data is managed, but he notes it's not easy meeting the demands of the many auditors whose opinions hold sway over any technical decisions.

Susan Seidlitz, systems administrator at Geovera Insurance, pointed out that although her company, almost completely virtualised, has already licensed VMware's vShield security technology for vSphere, it can't actually be put into full use until auditors approve the way it is being deployed.

Included in vShield are ways to set up software-based firewalls or use specific third-party products, such as anti-malware or intrusion-prevention systems, in a manner designed for vSphere.

"We haven't done mixed-mode environment - that's why we purchased vShield," Seidlitz said. But until auditors, such as those approving PCI compliance, approve how vShield will be set up, it can't be used in day-to-day production.

Regulations such as PCI mean "you have to have a lot of firewalls," said George Gerchow, director of VMware's Center for Policy and Compliance, which advises customers on these issues. Healthcare, with the HIPAA privacy and security rules, is also heavily regulated and can impact virtualisation deployments, he added.

Gerchow acknowledges auditors are often negative about the idea of a virtualised mixed-mode security environment where more sensitive data sits in a guest operating system on the same virtual machine next to a guest OS with less sensitive data. Speaking on the panel, he expressed some frustration about it. "A lot of auditors aren't on board yet. They haven't got a clue. They're still living with technologies of 10 years ago."

At other VMworld sessions, some enterprise IT managers not subject to the same kind of strict regulation as financial services, for example, acknowledged their lot was different and they faced far fewer questions of this kind.

"I make lipstick. I don't have a PCI or a HIPAA," said David Giambruno, senior vice president and chief information officer at Revlon. He said Revlon over a two-year period has saved about $70 million through server virtualisation based on reduced costs for hardware, support and other factors such as cutting data centre power costs by 72%.

Revlon can move applications about at will across its enterprise through virtualisation, a capability that served well in being able to quickly restore application services when a fire not long ago struck a Revlon facility in Venezuela, he noted.

With its recent Site Recovery Manager 5.0 and vSphere Replication products in vSphere 5.0, VMware is making it possible to automate recovery processes between sites and replicate files between sites. This is winning plaudits from service providers that work closely with VMware, including FusionStorm, iLand, Hosting.com and VeriStor, that offer cloud-based services for disaster recovery and business continuity.

Executives from these cloud-based disaster-recovery service providers touted new services at VMworld. But the question is, since the VMware SRM 5.0 software only supports VMware-based virtualised environments, what can customers with non-VMware environments expect?

VeriStor and Hosting.com, for instance, said they didn't offer virtualisation-based continuity services for non-VMware environments. But VeriStor can offer more traditional disaster-recovery services as it has done for the past decade. And iLand would be able to provide some support for Microsoft Hyper-V and Citrix with specialized equipment from Akronis. Hosting.com vice president of engineering Matt Ferrari said his firm expects to support Microsoft Hyper-V systems in the future under a project now in the works with Microsoft.