Enterprises are embracing virtualization, but security is still lagging behind as managers don't implement security strategies to protect the hypervisor, according to a survey by CA Technologies.
A report on virtual security management underscores the wide gap between
what needs to be done to secure virtualized environments and what IT managers
are actually doing, said CA Technologies on Nov. 29.
Business and IT executives across 15 countries reported serious security
concerns about data sprawl, hypervisor privilege, and other privacy and
compliance issues in their virtual environment.
Organizations need to "address the current IT and security management
silos and to help simplify the complexity of virtual environments," said
Shirief Nosseir, a product marketing director for the EMEA region in the
Security Management group at CA.
A significant majority, or 81 percent, of the executives felt that data
sprawl, or the risk of data moving around virtual systems without control and
ending up in less secure environments, is the biggest threat, according to the
report. While data loss prevention programs can effectively address data
sprawl, the survey found that only 38 percent of surveyed organizations have
actually implemented the strategy.
Hypervisor privileges pose other concerns. The administrator accounts on
hypervisors generally have extensive access privileges with very few
limitations and security controls. The study found that 73 percent of surveyed
organizations are concerned about the privileges granted to hypervisors and the
potential for abuse by users with administrative control. However, 49 percent
of those concerned companies have not implemented any privileged user
management or security log management systems to mitigate the risk, the survey
Even though the majority of the business and IT leaders said virtualization
would help improve IT operational efficiency, security remains a concern, with
39 percent saying virtual environments are more difficult to secure than
Almost 85 percent of the organizations said "cloud privacy and
compliance issues" and "cloud security issues" inhibit plans to
move from virtual environments to a private cloud, the report said.
About a fifth of the companies in the survey said their IT staff does not
have the skills or funds to implement security
in a virtual environment, researchers found. About half, or 55 percent, of
those organizations cited budgetary restraints and the "upfront cost"
of implementation, and 53 percent named the "complexity of managing
security across virtual environments and platforms."
While over 84 percent of the surveyed managers prefer integrated products
that seamlessly secure physical and virtual environments, just over half, or 56
percent, actually have implemented, or are in the process of implementing, such
systems, the researchers found.
While automation is considered important to secure virtual environments,
integrating security management with infrastructure management or with incident
and problem management do not appear highly important for most respondents,
according to the report.
Organizations will "struggle to automate their processes and reap the
real rewards of virtualization," said Nosseir.
Despite all the interest around virtualization, it is not yet the standard
for production environments. Only 34 percent of the participating companies
have deployed server virtualization for more than 50 percent of their systems,
the researchers found. The companies have rolled out even less for other types
of virtualization, such as storage, application and desktop, the researchers
said. For example, only 8 percent of the organizations in the report has
desktop virtualization for more than 50 percent of the enterprise, according to
"Despite the rapid growth in server virtualization, many organizations
still have quite a way to go before they reach the level of maturity and
automation required to reap the true benefits of virtualization," said
Only 65 percent of the business managers enforced a separation of duties for
administrative tasks across virtual platforms, the report said. More than 40
percent of the surveyed executives claimed to not use automation tools for
access certification, privileged user management or log management, according
to the study. In fact, only 42 percent perform regular access certifications
for privileged users or are able to adequately monitor and log privileged
access, researchers found.
Automation technologies that can mitigate risks from privileged access in
virtualized environments are "not yet widely deployed," said Nosseir.
The virtualization security report, "Security-An
Essential Prerequisite for Success in Virtualization," surveyed 335
senior business and IT executives in Europe and the United
States, CA said. The countries included Belgium,
the United Kingdom
and the United States.
Most organizations have at least two different virtualization technologies
in their environment. VMware
remains the most prevalent, deployed by 83 percent of the respondents, followed
by Citrix at 52 percent. About 41 percent run Microsoft's hypervisors, namely
Hyper-V, according to the report.