Virtualization Security Falls Short Among Enterprises, Survey Says

Enterprise adoption of virtualization is still going strong, but security for those environments is not. A survey by Prism Microsystems shows many organizations are failing to enforce a separation of duties and deploy technologies to protect the hypervisor.

Enterprise adoption of virtualization is continuing its upward trend. But what about security?

According to Prism Microsystems, organizations are slacking when it comes to protecting virtualized environments. A survey of 302 IT managers, security pros, auditors and administrators about their virtual deployments paints a picture of a landscape where the hypervisor is unprotected and separation of duties is lacking.

According to the study, (PDF) 65 percent of respondents indicated they have not implemented separation of duties between the staffers responsible for provisioning virtual machines and other administrator groups. Not coincidentally, 34.9 percent said they are worried about the potential for insider abuse due to the expanded control available to administrators. In addition, compromising the credentials of a virtual administrator could provide an outside hacker with "the keys to the castle," Prism's report said.

"Virtualization administrators now have full access to server, storage and networking infrastructure, whereas before server administrators may have been prevented from interfering with network operations by simply preventing their access to network infrastructure, or vice versa," noted Renata Budko, co-founder of virtual security vendor HyTrust.

While it would seem the hypervisor would be a natural focal point for security, many respondents said they are not doing much for it in the way of logging and reporting. Even though 79.5 percent agreed monitoring the virtualization layer is important, just 29 percent said they are directly collecting logs from the hypervisor. Twenty-one percent said they are collecting logs from the virtual management application. Only 16.9 percent are reporting on activities and controls, and only 15.7 percent at the virtual management application level.

In addition, 58 percent reported that their organizations were using traditional tools for virtual security as opposed to solutions aimed specifically at virtual environments (20 percent). The lack of virtualization-specific tools being deployed has not slowed uptake of the technology, however, with 85 percent stating they had adopted virtualization to some degree. The majority expect to have virtualized more than 30 percent of their production servers by the end of 2011.

"There are actually fairly effective security technologies that can be implemented today, but the vast majority of the market is simply not at that level of maturity yet," said Steve Lafferty, vice president of marketing at Prism. "Technology is only an enabler and without policy it is really not all that useful. The customers we have seen [be] successful with virtualization are the ones that adopted virtualization like any other typical IT initiative where policy was defined and the tools to implement the policy followed."