Virtualization Is Hot, but Is It Secure?

Sue Marquette Poremba

The growth of virtualization is a hot topic these days, including at IT Business Edge. Arthur Cole presents his top 10 benefits for virtualization in enterprise. Mike Vizard talks about hybrid client virtualization. These are just two examples of the obvious upside to virtualization.


However, there are security concerns. Larry Barrett, writing for, reported on a CDW report that found that though 90 percent of companies surveyed are using virtualized servers, not everyone trusts their security:


62 percent confessed that despite all the well-documented benefits of virtualization -- particularly the reduction in energy consumption, the ease of configuring and managing servers and the freeing of cash to pursue other IT projects -- they still have a ton of applications that they don't feel comfortable running on virtual servers because of the criticality of the data and applications' functions.


That 62 percent may be on to something. A recent Gartner report stated that, over the next couple of years, 60 percent of virtual servers will be less secure than their physical counterparts.


As more workloads are virtualized, as workloads of different trust levels are combined and as virtualized workloads become more mobile, the security issues associated with virtualization become more critical to address.


Gartner listed the top six security risks:


  • Security isn't initially involved in the virtualization projects.
  • A compromise of the virtualization layer could result in the compromise of all hosted workloads.
  • Workloads of different trust levels are consolidated onto a single physical server without sufficient separation.
  • Adequate controls on administrative access to the hypervisor/VMM layer and to administrative tools are lacking.
  • The lack of visibility and controls on internal virtual networks created for VM-to-VM communications blinds existing security policy enforcement mechanisms.
  • There is a potential loss of separation of duties for network and security controls.


Gartner also provided solutions for each risk, but I think this said it best:


Security professionals need to realize that risk that isn't acknowledged and communicated cannot be managed. They should start by looking at extending their security processes, rather than buying more security, to address security in virtualized data centers.

Add Comment      Leave a comment on this blog post
Mar 26, 2010 11:37 AM abcdefg abcdefg abcdefg abcdefg  says:

It's about time to see that the importance of controlling and monitoring administrators, and privileged users' in general, is set to increasingly grow and get the attention it deserves.  With virtualization becoming the de facto platform and cloud computing gaining more traction, the threat posed by privileged users will become more critical and challenging to manage over the next few years. 

To find out more about the importance of managing privileged users in virtual and cloud environments, please read my recent blog at

Shirief Nosseir



Post a comment





(Maximum characters: 1200). You have 1200 characters left.



Subscribe to our Newsletters

Sign up now and get the best business technology insights direct to your inbox.