The growth of virtualization is a hot topic these days, including at IT Business Edge. Arthur Cole presents his top 10 benefits of virtualization in the enterprise. Mike Vizard talks about hybrid client virtualization. These are just two examples of the obvious upside to virtualization.
However, there are security concerns. Larry Barrett, writing for ServerWatch.com, covered a CDW report that found that, although 90 percent of companies surveyed are using virtualized servers, not everyone trusts their security:
62 percent confessed that despite all the well-documented benefits of virtualization -- particularly the reduction in energy consumption, the ease of configuring and managing servers and the freeing of cash to pursue other IT projects -- they still have a ton of applications that they don't feel comfortable running on virtual servers because of the criticality of the data and applications' functions.
That 62 percent may be on to something. A recent Gartner report stated that, over the next couple of years, 60 percent of virtual servers will be less secure than their physical counterparts.
As more workloads are virtualized, as workloads of different trust levels are combined and as virtualized workloads become more mobile, the security issues associated with virtualization become more critical to address.
Gartner listed the top six security risks:
- Security isn't initially involved in the virtualization projects.
- A compromise of the virtualization layer could result in the compromise of all hosted workloads.
- Workloads of different trust levels are consolidated onto a single physical server without sufficient separation.
- Adequate controls on administrative access to the hypervisor/VMM layer and to administrative tools are lacking.
- The lack of visibility and controls on internal virtual networks created for VM-to-VM communications blinds existing security policy enforcement mechanisms.
- There is a potential loss of separation of duties for network and security controls.
Gartner also provided solutions for each risk, but I think this said it best:
Security professionals need to realize that risk that isn't acknowledged and communicated cannot be managed. They should start by looking at extending their security processes, rather than buying more security, to address security in virtualized data centers.