Virtualization Can Hurt Security, Gartner Says

Published: April 12, 2007

by Alex Woodie

Thousands of companies are adopting virtualization to increase the utilization rates of their servers and save money. But unless these companies take pains to properly secure their virtualized IT environments, it can end up hurting their security posture, reducing their agility, and increasing costs, Gartner warned last week.

While there is a lack of uniformity and standards among virtualization technologies, there is one aspect that all virtualization products have in common, according to Gartner: They create a privileged layer that, if compromised, puts all consolidated workloads at risk. With so many eggs in one basket, it's even more important to implement good security practices to protect critical data and applications.

Unfortunately, most companies won't take these extra steps to implement strong security for virtualized environments, Gartner says, and this will have a predictable effect. The analyst group says 60 percent of production virtual machines (VMs) implemented through 2009 will be less secure than their physical counterparts.

"Many organizations mistakenly assume that their approach for securing VMs will be the same as securing any OS and thus plan to apply their existing configuration guidelines, standards and tools," says Neil MacDonald, vice president and Gartner Fellow. "While this is a start, simply applying the technologies and best practices for securing physical servers won't provide sufficient protections for VMs."

But don't fret: Gartner says there are several steps that companies can take to start securing their VMs. Companies must protect their new weakest link--the hypervisor. They must be prepared to deal with the loss of separation of duties for administrative tasks. They must take pains to ensure the proper patching and signature support for VM and VM appliance images. They must somehow work around the decreased visibility into the host operating system and its network connections, as well as into intra-VM traffic, which needs to be inspected by security software. Companies must also be ready to implement security policies that can cope with VMs that are mobile. Lastly, IT professionals will have to get creative, because the security and management tools to accomplish many of these tasks in VM environments are "immature and incomplete," Gartner says.

"Organizations need to pressure security and virtualization vendors to plug the major security gaps," MacDonald says. "Existing virtualization solutions address some of the gaps, but not all. It will take several years for the tools and vendors to evolve, as well as organizations to mature their processes and staff skills."

MacDonald will present more information on the security threats posed by virtualization technologies in a session titled "Securing Virtualization, Virtualizing Security," during the Gartner Symposium/ITxpo 2007: Emerging Trends event, which is being held in two weeks in San Francisco.

                     Post this story to del.icio.us
               Post this story to Digg
    Post this story to Slashdot