Study: Security Lags in Datacenter Virtualization Projects
Datacenter virtualization projects can open up security issues, depending on how they are implemented, according to research from Gartner.
Gartner's study, published in late January, looked at security risks in datacenter virtualization projects and found that 60 percent of virtualized servers are less secure than the physical servers they replace. Gartner expects the problem to persist for several years, with the proportion of less secure virtualized servers falling to 30 percent only by the end of 2015.
"Virtualization is not inherently insecure," said Neil MacDonald, Gartner fellow and vice president. "However, most virtualized workloads are being deployed insecurely. The latter is a result of the immaturity of tools and processes and the limited training of staff, resellers and consultants."
Numerous state, local and federal agencies have moved or are moving to virtual servers, including the state of California and the Energy Department. While Gartner estimated that only 18 percent of enterprise datacenter workloads had been virtualized at the end of 2009, that number is expected to grow to more than 50 percent by the close of 2012.
One of the major causes of this issue is a lack of involvement of the IT security team in the architecture and planning stages of development, Gartner said. About 40 percent of the surveyed organizations had not brought security professionals into the projects.
Another risk is that a compromise of the virtualization layer would compromise every workload hosted on it, and Gartner said attackers are already targeting this layer. Gartner recommends keeping the layer as "thin as possible, while hardening the configuration to unauthorized changes."
Organizations should not rely on host-based security controls running inside the guests to detect or protect against a compromise of the layer beneath them, the report states.
Gartner's study also pointed to a lack of visibility and control over internal virtual networks: traffic between virtual machines on the same host can stay inside the virtual switch and never reach the physical network, so network-based protection devices such as network intrusion prevention systems cannot see it. Another problem is the consolidation of workloads of different trust levels onto the same physical server without adequate separation. Administrative access controls and administrative tools for the hypervisor/virtual machine manager layer may also be inadequate. Finally, a loss of separation of duties for network and security controls could inadvertently allow users to gain access to data beyond their normal privilege levels.
To address these risks, Gartner recommended treating the virtual network as it would a physical one, with the same monitoring, the same separation of workloads and the same team responsible for both. Organizations should also isolate virtual desktop workloads from the rest of the physical datacenter and restrict access to the virtualization layer.
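The findings and recommendations above translate directly into checks an organization can run against its own inventory. The following is an added example, not code from Gartner or from the article: it audits a constructed inventory for hosts that mix trust zones (including virtual desktops placed beside datacenter workloads), virtual switches that no network IPS is watching, and administrators whose roles defeat separation of duties. The inventory layout, the zone names (`dmz`, `internal`, `desktop`), the role names and the conflicting-role policy are all assumptions for illustration.

```python
"""Audit a virtualization inventory for the risks the Gartner study lists.

Added example, not code from Gartner or the article. The inventory layout,
zone names and role names are assumptions; map them onto whatever your CMDB
or hypervisor management API exports.
"""
from collections import defaultdict

# Constructed sample inventory (not real data): each VM's host, trust zone and
# virtual switch, plus which virtual switches are mirrored to a network IPS and
# which roles each administrator holds on the hypervisor/VMM layer.
VMS = [
    {"name": "web01", "host": "esx01", "zone": "dmz",      "vswitch": "vs-dmz"},
    {"name": "web02", "host": "esx01", "zone": "dmz",      "vswitch": "vs-dmz"},
    {"name": "db01",  "host": "esx01", "zone": "internal", "vswitch": "vs-int"},
    {"name": "app01", "host": "esx02", "zone": "internal", "vswitch": "vs-int"},
    {"name": "vdi07", "host": "esx02", "zone": "desktop",  "vswitch": "vs-vdi"},
    {"name": "app02", "host": "esx03", "zone": "internal", "vswitch": "vs-int"},
]
MONITORED_VSWITCHES = {"vs-dmz"}          # assumed: spanned to a network IPS
ADMINS = {                                # assumed role names
    "alice": {"hypervisor-admin", "security-admin"},
    "bob":   {"network-admin"},
    "carol": {"hypervisor-admin"},
}
# Assumed policy: whoever configures the hypervisor or the virtual network must
# not also own the security controls that are supposed to constrain them.
CONFLICTING_ROLE_PAIRS = [
    ("hypervisor-admin", "security-admin"),
    ("network-admin", "security-admin"),
]


def mixed_trust_hosts(vms):
    """Hosts running workloads from more than one trust zone (consolidation
    without separation). Virtual desktops are their own zone, so a host that
    mixes 'desktop' with datacenter workloads is flagged as well."""
    zones = defaultdict(set)
    for vm in vms:
        zones[vm["host"]].add(vm["zone"])
    return {host: sorted(z) for host, z in sorted(zones.items()) if len(z) > 1}


def unmonitored_vswitches(vms, monitored):
    """Virtual switches carrying VM traffic that no network IPS can see."""
    in_use = {vm["vswitch"] for vm in vms}
    return sorted(in_use - set(monitored))


def separation_of_duties_violations(admins, conflicts=CONFLICTING_ROLE_PAIRS):
    """Administrators holding a conflicting pair of roles."""
    found = {}
    for user, roles in sorted(admins.items()):
        hits = [pair for pair in conflicts if set(pair) <= set(roles)]
        if hits:
            found[user] = hits
    return found


def audit(vms, monitored, admins):
    """Run every check and return the findings keyed by the risk they cover."""
    return {
        "mixed_trust_hosts": mixed_trust_hosts(vms),
        "unmonitored_vswitches": unmonitored_vswitches(vms, monitored),
        "separation_of_duties": separation_of_duties_violations(admins),
    }


if __name__ == "__main__":
    for risk, findings in audit(VMS, MONITORED_VSWITCHES, ADMINS).items():
        print(f"{risk}: {findings or 'none'}")
```

On the constructed inventory the audit flags `esx01` (DMZ and internal workloads on one host), `esx02` (a virtual desktop beside an internal application server), the `vs-int` and `vs-vdi` switches as invisible to the IPS, and `alice`, who both administers the hypervisor and owns the security controls. Each is a configuration decision, not a flaw in the hypervisor, which is the point of MacDonald's remark that virtualization is deployed insecurely rather than being inherently insecure.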