The Perilous State of Virtualization Security
In many ways, virtualization has grown up. A lot of servers have become virtualized, and a lot of virtualized environments have become relatively sophisticated. Yet, as a recent report notes, virtualization security remains a critical issue that is not widely understood, implemented or budgeted.
These are some of the issues at the heart of "2010 State of Virtualization Security," which was conducted by Prism Microsystems and directed toward a large universe of IT pros drawn from an audience that includes Prism customers and over 50,000 subscribers to the EventSource newsletter. The survey was also put out to the general public via Twitter and LinkedIn.
Protection of the virtualization layer -- the hypervisor and VM management apps -- is a major concern to survey respondents. To wit, 56.6 percent said "The introduction of a new layer that can be attacked" was a concern, while 58.1 percent cited "The potential for the hypervisor to create a single point of entry into multiple machines instances" as another concern.
There were a few interesting points that divided respondents. For example, in response to the statement "Virtual environments are inherently less secure than physical environments," just over 25 percent either strongly agreed or agreed, while 52 percent disagreed or strongly disagreed, with 21.8 percent saying they were unsure.
There was also significant disagreement over responses to the statement "Traditional security solutions are sufficient to provide security insight into all layers of the virtual environment (hardware, hypervisor, Guest OS)," with 24.2 percent strongly agreeing or agreeing, and 51.3 percent disagreeing or strongly disagreeing. Another 24.5 percent reported that they were unsure.
When asked to respond to "Threats exposed by virtualization can be mitigated by using existing processes and technology," 46.1 percent either strongly agreed or agreed, while 24.3 percent disagreed or strongly disagreed, and another 29.5 percent were unsure.
In response to the preceding question about the use of existing processes and technology, the study states, "What's most interesting is that the majority of respondents seem to be aware that traditional solutions are insufficient to provide insight into all layers of the virtual environment, yet they still continue to use these solutions, which brings us to ask, why?"
In response to that query, 51 percent of respondents cited a "lack of budget for virtual environment-specific solutions," 48.1 percent listed "lack of staff expertise," and 40.2 percent mentioned "licensing, deployment and support models of security vendors not optimized for virtual environments."
Turning to another topic, 65 percent-plus of respondents reported that they have not created a separation of duty between IT staff responsible for the provisioning of virtual machines/virtual infrastructure and other admin groups. The problem with this, 34.9 percent of respondents claim, is that it gives too much "privilege and capability to administrators," which may lead to abuse resulting from "an extended span of control."
QUESTION: What bugs you about virtualization security in your company?
Posted by Bruce Hoard on 05/07/2010 at 12:48 PM