Users need to warily embrace virtualisation, according to speakers at Interop assessing how to proceed with technology investments in the face of possible IT budget cuts.

Interop shared space with Mobile Business Expo in an effort to bolster both events in an economy where trade show attendance is flagging, and together they hoped to draw a total of 13,000 people over the course of the four-day event, show officials said.

Those who attended Interop heard that cloud computing will help companies accomplish more, but new security threats must be overcome in order to fully benefit from this new technology, speakers said.

Virtualisation is a "chameleon concept" with one common denominator: breaking the bond with physical reality "so you can do more," Marie Hattar, vice president of network systems and security solutions at Cisco, said during her keynote address. "It's one asset to many, or many assets to one," she said.

But perhaps the most critical issue is the new and numerous security holes opened up by virtualisation and cloud computing. "A hypervisor needs hypersecurity," Hattar said, as Cisco found out when it virtualised its own servers. "We have to rethink our security approach because when we virtualised, it increased complexity. In cyberspace, there are a lot more points of entry."

She stressed that companies embarking on virtualisation and cloud computing need to plan copiously for operations, management, control and security of the new infrastructure.

Her points were echoed by Novell President and CEO Ron Hovsepian, who said companies need to overcome challenges such as reduced spending, complex management and risk mitigation in order to have their heterogeneous IT assets work as a unified system.

Key to bringing IT assets together are injecting agility into the data centre through virtualisation; enhancing end-user productivity through collaboration and pinpoint management of enterprise desktops; and then implementing and enforcing companywide IT identity and security policies and procedures through access and compliance management strategies.

While Hovsepian touted the benefits virtualisation and cloud computing can bring - improving use of storage arrays, reducing power consumption, streamlining server architecture - another speaker focused on the litany of new risks virtualisation comes with.

At least for now, virtual servers, the hypervisors that oversee them, the management platforms that govern them and the IT staff that sets them up and runs them day to day are all potential attack vectors, says Joshua Corman, principal security analyst for IBM/ISS. "Virtualisation is a game changer for good and for bad," he says.

IT staff under financial pressure to implement virtual servers may be overworked and lose the diligence to properly plan secure deployments, Corman says. "Virtualisation requires more discipline and enforcement of policies than before," he says.

Virtual technology itself presents weak spots for attackers to take advantage of, he says. In particular, virtual environments are a "management nightmare" where each virtual machine may spawn another that could appear virtually anywhere. This makes instances of servers hard to find, let alone protect, and this "server sprawl" can lead to catastrophic failures, he says.

Individual virtual machines, called guests, can fall into a vulnerable configuration due to a feature of virtualisation that suspends them when they are not used, he says. When the applications these guests host are needed, they are brought back online, but in the meantime they may have missed critical security updates, leaving them open to exploits.

Hypervisors that oversee virtual servers are designed to be small and simple to make them more difficult to attack. But they can be exploited, according to publicly announced research, and that allows unlimited access to all the virtual machines they control, Corman says. "If they get into the hypervisor, the game is over," he says.

While grappling with the rigors of virtual security, show-goers were encouraged to embrace green networking principles, if not for actual cost savings then for the goal of reducing corporate carbon footprints.

"It's about efficiency as much as it is about anything else," said Johna Till Johnson, president and senior founding partner of Nemertes Research, of the dual-pronged impetus for green initiatives.

The drivers are there: Most servers use 50 percent of their rated power even when idle, so they're using 50 percent of electricity but doing 5 percent work, Johnson said.

That means that for every 100 servers only five are in use. Turning off the other 95 would result in 47.5 percent efficiency, she said. In addition, for every productive dollar gained from servers, almost two dollars are wasted in UPS, AC/DC conversions and fans, Johnson said.

Even so, 80 percent of companies recently surveyed by Nemertes have no corporate green policies; only 13 percent knew data centre energy costs; only 3 percent turn off their servers when not in use; and desktops are left on 50 percent of the time.

Miami-Dade's public schools started a green initiative as a cost-saving measure. But it required the cooperation and support of the faculty and students at each school, said Paul Dunn, senior network analyst for the schools.

"We had to go to the CFO to get the project and funding approved," he said. "We were spending [US]$8 million per year in electricity just to keep computers going. But the buy-in had to be from grass roots, the school sites. Their cooperation made it happen. Kids don't care about saving money but they do care about green initiatives."

Dunn said that cooperation will help the school district establish custom scheduling per site to try to save even more money from energy efficiency.

Johnson said green IT initiatives have to start like that - with corporatewide policies or mandates to consolidate IT assets, encourage telecommuting and virtual work, establish sustainable supply chains, and recycle.

Half the total carbon footprint for KPMG's back-office campus is from electricity, and half of that goes to power the data centre, says the firm's CIO, Rowan Snyder. "I'm not a tree hugger, but it's a significant issue," said Snyder, who spoke on a panel about the status of IT in corporations.

If IT projects don't actually save money, they'd better help generate some, says Joanna Young, CIO of insurance company Liberty Mutual, who spoke on the same panel. "There are no IT projects anymore, there are business projects. The question we always ask is, 'What is the smallest IT investment we need to make to have this [business result] happen for you?'"

As Wall Street sagged, she clung to the hope that her company in particular might be spared some of the stock-trading volatility. "We are not a public company, which might be good today," she said.