In-Depth
Security Blindsided by Virtualization
When it comes to securing the increasingly virtualized systems of the 21st century, IT seems to be stuck in 20th-century mode.
When it comes to securing the increasingly virtualized systems of 21st century IT, most shops seem to be stuck in 20th century.
Almost 60 percent of IT shops, according to one recent survey, are taking an old-school approach to securing their virtual infrastructures. Virtual environments pose an altogether different set of challenges on the security front, however. What's needed, experts say, is a 21st-century rethinking of the status quo.
That's one conclusion of a new survey from auditing and logging specialist Prism Microsystems Inc., which found that just one-fifth of shops have developed virtualization-aware security strategies or are using virtualization-ready security tools. Most (58 percent) haven't revised their security strategies or invested in virtualization-aware security technologies.
Prism's survey is based on a sample of more than 300 IT pros across a broad range of vertical markets. It paints a picture of an IT establishment that wants to have things both ways: i.e., adopters want to reap the benefits of pervasive virtualization without also updating their security strategies (and investing in new -- and potentially costly -- security technologies) to address the very different lay of the (pervasively virtualized) land.
"Server virtualization is essentially a new distributed operating system that has its own challenges," argues Renata Budko, co-founder and vice president of marketing with virtualization security specialist HyTrust, in a statement.
In a conventional distributed environment, Budko maintains, administrative responsibilities tend to be strictly segmented: sys admins manage compute assets; network administrators handle networking assets; storage administrators are responsible for storage assets. Virtualization, on the other hand, has a melting pot-like effect: duties tend to bleed together; separation or segmentation melts away.
"Virtualization administrators now have full access to server, storage, and networking infrastructure, whereas before server administrators may have been prevented from interfering with network operations by simply preventing their access to network infrastructure, or vice versa."
The rub, according to the Prism survey, is that far too few companies seem to be aware of (or concerned about) this effect. For example, less than one-third of adopters say they've implemented a separation-of-duty scheme.
"This raises the risk for abuse by privileged insiders -- a concern that is shared by 34.9 percent of respondents, who acknowledged the greater potential for abuse resulting from an extended span of control available to administrators," the report explains. "Beyond the insider issue, compromise of the credentials of the virtual administrator can also provide an outside hacker with the keys to the castle."
Respondents aren't totally in the dark when it comes to virtual security. More than half (56.6 percent) admitted to being concerned about "the introduction of a new [virtual] layer that can be attacked," while almost three-fifths (58.1 percent) specifically cited "the potential for the hypervisor to create a single point of entry into multiple machine instances." The rub, of course, is that most shops still haven't invested in technologies to protect these or other virtual assets.
More to the point, Prism researchers conclude, most adopters seem to know that they can't take a same-old-same-old approach to securing their virtual infrastructures. Less than one-quarter (24.2 percent) "agree" or "strongly agree" that existing security solutions "are sufficient to provide security insight into all layers of the virtual environment." More than half (51.3 percent) either "disagree" or "strongly disagree" with this sentiment.
On the other hand, nearly half (46.1 percent) of respondents say they "agree" or "strongly agree" that the use of existing processes or technologies can "mitigate" most of the threats exposed by virtualization; less than a quarter (24.3 percent) endorse the need for new processes and technologies to address virtualization-related security issues.
Why haven't more shops moved to address their virtualization-related security shortcomings? The most commonly cited gripes shouldn't surprise anyone. More than half (51 percent) of respondents say they simply don't have the budget to spend on virtualization-ready (or "virtual environment-specific") security solutions.
Prism permitted respondents to select multiple choices; concerns about a "lack of staff expertise" was the second most commonly cited impediment (mentioned by 48 percent of respondents); dissatisfaction with ISV/service provider licensing terms, support models, or deployment schemes was cited by 40.2 percent of respondents.