Expects 60% of virtualised servers to be less secure than physical servers
Through 2012, 60% of virtualised servers will be less secure than the physical servers they replace, according to a report released by Gartner.
Gartner analysts warn that many virtualisation deployment projects are being undertaken without involving the information security team in the initial architecture and planning stages.
The study found that at the end of 2009, only 18% of enterprise data centre workloads that could be virtualised had been virtualised, and is expected to grow to more than 50% by the close of 2012 and fall to 30% by the end of 2015.
Neil MacDonald, vice president of Gartner, said: “Virtualisation is not inherently insecure. However, most virtualised workloads are being deployed insecurely. The latter is a result of the immaturity of tools and processes and the limited training of staff, resellers and consultants.”
Gartner has found the six most common virtualisation security risks such as information security; a compromise of virtualisation layer that could result in the compromise of all hosted workloads; and the lack of visibility and controls on internal virtual networks created for VM-to-VM communications that could blind existing security policy enforcement mechanisms.
Other risks include, lack of adequate controls on administrative access to the Hypervisor/VMM layer and to administrative tools; and the potential loss of separation of duties for network and security controls.
Gartner said that security professionals instead of buying more security should start extending their security processes, to address security in virtualised data centres. The research firm also added that organisations should treat the virtualisation layer as the x86 platform in the enterprise data centre and keep it as thin as possible.
The firm said that same type of monitoring as the physical networks is required, so that organisations don’t lose visibility and control when workloads and networks are virtualised.
In addition, the Gartner also recommends restricting access to the virtualisation layer as with any sensitive OS and favouring virtualisation platforms. The same team responsible for the configuration of network topology in the physical environment should be responsible for this in virtual environments.