Security Lacking in Most Virtualized IT Environments, Survey Says

Enterprises are embracing virtualization, but security is still lagging behind as managers don't implement security strategies to protect the hypervisor, according to a survey by CA Technologies.

A report on virtual security management underscores the wide gap between what needs to be done to secure virtualized environments and what IT managers are actually doing, said CA Technologies on Nov. 29.

Business and IT executives across 15 countries reported serious security concerns about data sprawl, hypervisor privilege, and other privacy and compliance issues in their virtual environment.

Organizations need to "address the current IT and security management silos and to help simplify the complexity of virtual environments," said Shirief Nosseir, a product marketing director for the EMEA region in the Security Management group at CA.

A significant majority, or 81 percent, of the executives felt that data sprawl, or the risk of data moving around virtual systems without control and ending up in less secure environments, is the biggest threat, according to the report. While data loss prevention programs can effectively address data sprawl, the survey found that only 38 percent of surveyed organizations have actually implemented the strategy.

Hypervisor privileges pose other concerns. The administrator accounts on hypervisors generally have extensive access privileges with very few limitations and security controls. The study found that 73 percent of surveyed organizations are concerned about the privileges granted to hypervisors and the potential for abuse by users with administrative control. However, 49 percent of those concerned companies have not implemented any privileged user management or security log management systems to mitigate the risk, the survey found.

Even though the majority of the business and IT leaders said virtualization would help improve IT operational efficiency, security remains a concern, with 39 percent saying virtual environments are more difficult to secure than physical environments.

Almost 85 percent of the organizations said "cloud privacy and compliance issues" and "cloud security issues" inhibit plans to move from virtual environments to a private cloud, the report said.

About a fifth of the companies in the survey said their IT staff does not have the skills or funds to implement security in a virtual environment, researchers found. About half, or 55 percent, of those organizations cited budgetary restraints and the "upfront cost" of implementation, and 53 percent named the "complexity of managing security across virtual environments and platforms."

While over 84 percent of the surveyed managers prefer integrated products that seamlessly secure physical and virtual environments, just over half, or 56 percent, actually have implemented, or are in the process of implementing, such systems, the researchers found.

While automation is considered important to secure virtual environments, integrating security management with infrastructure management or with incident and problem management do not appear highly important for most respondents, according to the report.

Organizations will "struggle to automate their processes and reap the real rewards of virtualization," said Nosseir.

Despite all the interest around virtualization, it is not yet the standard for production environments. Only 34 percent of the participating companies have deployed server virtualization for more than 50 percent of their systems, the researchers found. The companies have rolled out even less for other types of virtualization, such as storage, application and desktop, the researchers said. For example, only 8 percent of the organizations in the report has desktop virtualization for more than 50 percent of the enterprise, according to the report.

"Despite the rapid growth in server virtualization, many organizations still have quite a way to go before they reach the level of maturity and automation required to reap the true benefits of virtualization," said Nosseir.

Only 65 percent of the business managers enforced a separation of duties for administrative tasks across virtual platforms, the report said. More than 40 percent of the surveyed executives claimed to not use automation tools for access certification, privileged user management or log management, according to the study. In fact, only 42 percent perform regular access certifications for privileged users or are able to adequately monitor and log privileged access, researchers found.

Automation technologies that can mitigate risks from privileged access in virtualized environments are "not yet widely deployed," said Nosseir.

The virtualization security report, "Security-An Essential Prerequisite for Success in Virtualization," surveyed 335 senior business and IT executives in Europe and the United States, CA said. The countries included Belgium, Denmark, Finland, France, Germany, Italy, Luxemburg, Netherlands, Norway, Portugal, Spain, Sweden, Switzerland, the United Kingdom and the United States.

Most organizations have at least two different virtualization technologies in their environment. VMware remains the most prevalent, deployed by 83 percent of the respondents, followed by Citrix at 52 percent. About 41 percent run Microsoft's hypervisors, namely Hyper-V, according to the report.