MAR 16, 2010 1:45pm ET

Virtualized Servers Posing Security Risk: Gartner

In what is sure to be a cause for concern for enterprises that have embarked on virtualization efforts, Gartner says virtualized servers are substantially less secure than the physical servers they replaced.

The Stamford, Conn.-based research firm said Monday that through 2012, 60% of virtualized servers will be less secure than their physical counterparts.

Gartner does expect that figure to fall to 30% by 2015, but warns many virtualization deployments are being undertaken without involving information security teams in the initial architecture and planning stages.

“Virtualization is not inherently insecure,” Gartner vice president and fellow Neil MacDonald said in a statement. “However, most virtualized workloads are being deployed insecurely. The latter is a result of the immaturity of tools and processes and the limited training of staff, resellers, and consultants.”

Gartner identified six of the most common virtualization security risks:

  1. Information security isn’t initially involved in the project. Survey data indicates about 40% of virtualization deployment projects were undertaken without involving the information security team in the architecture and planning stages.
  2. A compromised virtualization layer could result in a security risk to all hosted workloads. Gartner noted that hackers have already begun to target the virtualization layer, potentially compromising all workloads hosted above it.
  3. Lack of visibility and controls on internal virtual networks blinds existing policy enforcement mechanisms. For efficiency, software-based virtual networks and switches are configured to communicate directly. As a result, this traffic may not be subject to network-based security protection devices, such as intrusion prevention systems.
  4. Workloads of different trust levels are consolidated onto a single physical server without sufficient separation. Gartner advises enterprises to treat hosted virtual workloads as untrusted, and isolate them from the rest of the physical data center.
  5. Adequate controls on administrative access to the hypervisor/virtual machine monitor layer are lacking. Gartner says this is complicated by the fact that most virtualization platforms provide multiple paths of administration for the hypervisor layer.
  6. There is a potential loss of separation of duties for network and security controls. When physical servers are collapsed onto a single machine, it increases the risk that both system administrators and users will inadvertently gain access to data that exceeds their normal privilege levels.

Gartner estimates that at the end of 2009, only 18% of enterprise data center workloads that could be virtualized had been virtualized. However, that figure is expected to grow to more than 50% by the end of 2012.
