Virtualized Environments Lack Data Security: Varonis

The lack of sufficient security could be putting sensitive company information at risk of being misused, lost or stolen. 

Data security in virtualized environments is often neglected by IT organizations, with nearly half (48 percent) of organizations either reporting or suspecting unauthorized access to files on virtualized servers, according to a survey conducted by Varonis, a provider of comprehensive data governance software.

The lack of sufficient security could be putting sensitive company information at risk of being misused, lost or stolen, although the report noted that even for those who do audit all activity, a significant 68 percent believe there is still unauthorized access.

“We suspect that for IT departments, virtualization may be something of a black box,” Varonis vice president of strategy David Gibson said in a statement. “We have found that, after a workload is virtualized, the actual details of managing file permissions and monitoring access is considered to be automatically ‘taken care of.’ It is also quite possible that the teams managing virtualization projects see file security and governance as outside their discipline. The security team may have no visibility of what is happening.”

While almost 60 percent said they were very careful about setting permissions and controlling subsequent updates, 70 percent of respondents, regardless of company size, had implemented little or no auditing even at the high end of the enterprise space. A fifth (20 percent) of enterprises with more than 5,000 employees admitted to having no file-logging capabilities in place.

With more than 50 million installed virtual machines (VMs) on servers, the survey found application servers were virtualized by almost all respondents (87 percent) to speed deployment (76 percent) and enhance disaster recovery (74 percent). On the other hand, those who do not virtualize cited disk storage (37 percent), performance (30 percent) and a lack of advantages (20 percent) as the three main reasons for not doing so.

“Data protection, obviously, requires the same level of vigilance in a virtual environment – and perhaps even more so given the complexities of managing multiple operating systems on a single computing box,” Gibson said. “For organizations to stay on top of their digital assets it is vital to further IT education in this area, both in terms of training staff in understanding virtual file systems, as well as in effectively using automation to uncover security holes, monitor activity and control permissions.”

The report concluded by suggesting that the results indicate while virtualization has been groundbreaking in allowing IT to isolate applications and services with a few clicks, it doesn’t solve permissions management and access auditing and in fact it might make it even more complex.