By Eric Chiu | July 4, 2009 11:45 PM EDT
In IT terms, virtualization is cool. The rewards include cost savings, agility, and flexibility. Enterprises reap the benefits of virtualization through a much more efficient use of IT personnel and resources, faster delivery time of applications, higher availability/service levels, and additional capabilities such as high availability and disaster recovery. No wonder data centers worldwide are being transformed by going virtual.
Now for the bad news: there are definitely serious drawbacks, especially around compliance. If you think about virtualization, the hypervisor is now the lowest part of the stack, existing below the operating system and application. The virtual infrastructure is also a platform, which provides a lot of management functionality, as well as capabilities that historically required physical data center access (migrating a virtual machine, reconfiguring a virtual network, copying or snapshotting a virtual machine). Therefore, companies that are subject to compliance regulations need to ensure that the virtual infrastructure meets compliance standards. For example, strict role-based access control needs to be enforced at the virtualization level, and detailed audit logs need to be mandated.
In addition, virtualization creates a much more dynamic environment with a much higher rate of change. For example, with live migration, a virtual machine can be moved from one physical host to another instantaneously. With DRS (Dynamic Resource Scheduler), live migrations can be set to happen automatically for load balancing - for a company running DRS, a typical VM could move three to four times a day. Of course, the new "dynamicism" and much higher rates of change mean that organizations need to find different ways to map and enforce policy around their IT environments. Monolithic mappings and central database policy management systems can't keep up with such a fluid environment.
With virtualization - for the first time - the machine becomes the data. A server that used to be thought of as a physical box is now a flat file that can be copied, moved around, accessed, and exported. This presents at least two major problems for, say, multinational conglomerates. The first is data security - given that the VM is now portable, someone can copy or snapshot a VM, take it home and run it on any hypervisor. The second - and often more overlooked - problem is that because of portability, many multinationals are potentially in violation of export control laws and tightly coupled compliance regulations like Sarbanes-Oxley.
Export control laws have strict mandates around the ability to export technologies and systems. These apply not only to products being sold internationally but also to internal technologies and systems. Therefore, any foreign subsidiary is under the mandate of export control laws, and companies need to pay strict attention to what is moving internationally between offices.
This was a lot easier in the physical server world - moving a system from a data center in the U.S. to one in, say, France meant putting it in a box and calling the shipper. With virtualization, the machine is now considered data and can be copied easily across WAN connections.
With that in mind, here are the five questions that CIOs should ask virtualization vendors as they relate to compliance:
- Visibility/Reporting: What does each vendor provide to give me a continuous - summary and in-depth - look at my environment?
- Isolation: What are the vendors providing to enable isolation and proof?
- Access Management: What levels of control are provided for adequate role separation and access management to the virtual infrastructure for management and user access? How granular is the logging?
- Portability Control: Which controls are provided to limit who can snapshot and make copies of virtual machines, and where they can be copied, moved or archived?
- Automation: What is available to enable automated configuration and patch management?
At the end of the day, the ideal is to guarantee that you are not breaking any laws when you run virtualized data centers.
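As an added illustration (not from the original article or any vendor's product), the following Python check applies the access-management and portability-control questions above to an audit trail of virtual-infrastructure operations. The role names, site names, VM names and event fields are all constructed assumptions.

```python
# Added example: roles, sites, VMs and audit events are constructed, not a vendor schema.
from dataclasses import dataclass

# Hypothetical role -> permitted virtual-infrastructure operations.
ROLE_PERMS = {
    "vm-operator": {"power", "migrate"},
    "vm-admin": {"power", "migrate", "snapshot", "clone"},
    "backup-svc": {"snapshot", "export"},
}
# Operations that create or relocate a copy of the machine image.
PORTABLE_OPS = {"migrate", "snapshot", "clone", "export"}
# Hypothetical site -> country, and per-VM set of countries it may reside in.
SITE_COUNTRY = {"dc-sfo": "US", "dc-nyc": "US", "dc-par": "FR"}
VM_ALLOWED = {"erp-db01": {"US"}, "web-07": {"US", "FR"}}

@dataclass(frozen=True)
class Event:
    ts: str
    actor: str
    role: str
    op: str
    vm: str
    dest: str  # destination site or storage location

def evaluate(ev):
    """Return the list of policy violations for one audit event."""
    findings = []
    if ev.op not in ROLE_PERMS.get(ev.role, set()):
        findings.append("role-not-permitted")
    if ev.op in PORTABLE_OPS:
        country = SITE_COUNTRY.get(ev.dest)
        if country is None:
            findings.append("unknown-destination")  # fail closed, e.g. removable media
        elif country not in VM_ALLOWED.get(ev.vm, set()):
            findings.append("cross-border")  # unlisted VMs are also flagged here
    return findings

def review(events):
    """Map each violating event, keyed by (ts, actor, vm), to its findings."""
    return {(e.ts, e.actor, e.vm): f for e in events if (f := evaluate(e))}

# Constructed audit trail; the third entry models an automatic load-balancing move.
EVENTS = [
    Event("2009-07-01T09:00Z", "alice", "vm-admin", "snapshot", "erp-db01", "dc-sfo"),
    Event("2009-07-01T09:05Z", "bob", "vm-operator", "clone", "erp-db01", "dc-nyc"),
    Event("2009-07-01T09:10Z", "drs", "vm-operator", "migrate", "erp-db01", "dc-par"),
    Event("2009-07-01T09:15Z", "carol", "backup-svc", "export", "web-07", "usb-0"),
    Event("2009-07-01T09:20Z", "dave", "vm-admin", "migrate", "web-07", "dc-par"),
]

if __name__ == "__main__":
    for key, findings in review(EVENTS).items():
        print(key, findings)
```

The automated migration in the third event is within its role's permissions yet still moves a US-only VM to a French site, which is why the location check runs independently of the role check.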
Copyright © 2009 SYS-CON Media, Inc. — All Rights Reserved.
Eric Chiu is CEO and founder of HyTrust, an early-stage startup focused on secure virtualization management and compliance. He has in-depth knowledge of what's needed to achieve the same level of operational readiness in virtual as in physical I.T. infrastructures. Previously, Eric served in executive roles at Cemaphore, MailFrontier, and mySimon, was a venture capitalist at Brentwood/Redpoint and Pinnacle, and worked in M&A at Robertson, Stephens and Company.