Series: Virtualization 2.0 December 07, 2012
Virtualized IT environments need sophisticated security
Reservations about the cloud
Cloud computing at fixed prices
According to estimates by Gartner, through 2012, 60 percent of virtualized servers will be less secure than the physical servers they replace – though this figure is expected to fall to 30 percent by the end of 2015.
As Neil MacDonald, Vice President at Gartner Research, says, “Virtualization is not inherently insecure. However, most virtualized workloads are being deployed insecurely. The latter is a result of the immaturity of tools and processes and the limited training of staff, resellers and consultants."
Hackers glean data from virtualized servers
Just a few days ago, researchers in North Carolina proved just how right MacDonald was. Using a manipulated virtual machine, they managed to de-code encrypted data stored on another virtual server. This means that hackers could potentially get their hands on sensitive enterprise data. The Gartner press release also reports that this can become an issue “when these workloads are combined with other workloads from different trust zones on the same physical server without adequate separation.”
A restrictive approach to IT security
Organizations that want to avoid these issues need to take some fundamental security requirements into account. These include a dedicated virtualization security team that has control over all levels of the virtualized infrastructure. In addition, the same strict access controls that apply to other parts of the infrastructure need to apply to the virtualized environment. Again, according to Gartner, “when physical servers are collapsed into a single machine, it increases the risk that both system administrators and users will inadvertently gain access to data that exceeds their normal privilege levels.”
IT security is key from the start
The USA-based National Institute for Standards and Technology (NIST) echoes this sentiment. The authority has recently published a comprehensive brochure that highlights the growing threats that are arising from the increased demand for virtualization. “IT security is an absolute must from the very first planning stages of a virtualization project. It involves much more effort and higher costs to implement security mechanisms after systems have been virtualized,” explains NIST expert Karen Scarfone. In short, when it comes to weighing up the expense of virtualized infrastructures, the cost of security plays a key role – high availability, IT security in general, compliance and data protection require particular attention. Moreover, additional security mechanisms are necessary to prevent attackers from inside and outside the enterprise from penetrating the infrastructure and gaining access to operating systems, services, applications and data. Organizations must be able to offer this level of protection or select a provider with the right skills.
Source of the Gartner information: Gartner Says 60 Percent of Virtualized Servers Will Be Less Secure Than the Physical Servers They Replace Through 2012