60 Percent of Virtual Servers Less Secure Than Replaced Machines

STAMFORD, Conn.—Market researcher Gartner has released a report that says 60 percent of virtualized servers are less secure than the machines they replaced, but that their insecurity will start to decrease by the end of 2012. The report also outlines the six most common security risks association with virtual servers.

“Through 2012, 60 percent of virtualized servers will be less secure than the physical servers they replace,” reads a company announcement issued March 15. “Although Gartner expects this figure to fall to 30 percent by the end of 2015, analysts warned that many virtualization deployment projects are being undertaken without involving the information security team in the initial architecture and planning stages.”

According to VMware, a market leader in virtualization, “Today’s powerful x86 computer hardware was designed to run a single operating system and a single application. This leaves most machines vastly underutilized. Virtualization lets you run multiple virtual machines on a single physical machine, sharing the resources of that single computer across multiple environments. Different virtual machines can run different operating systems and multiple applications on the same physical computer.”

While Gartner research shows that by the end of 2009, only 18 percent of enterprise data center workloads that could be virtualized had been virtualized, the firm expects the number to grow to more than 50 percent by the close of 2012.

“As more workloads are virtualized, as workloads of different trust levels are combined and as virtualized workloads become more mobile, the security issues associated with virtualization become more critical to address,” the announcement said.

While virtualization is not inherently insecure, Neil MacDonald, vice president and Gartner fellow says that most virtualized workloads are being deployed insecurely. “The latter is a result of the immaturity of tools and processes and the limited training of staff, resellers and consultants," he added.

The six most common security risks identified by Gartner are:

• Information Security Isn't Initially Involved in the Virtualization Projects

• A Compromise of the Virtualization Layer Could Result in the Compromise of All Hosted Workloads

• The Lack of Visibility and Controls on Internal Virtual Networks Created for VM-to-VM Communications Blinds Existing Security Policy Enforcement Mechanisms

• Workloads of Different Trust Levels Are Consolidated Onto a Single Physical Server Without Sufficient Separation

• Adequate Controls on Administrative Access to the Hypervisor/VMM Layer and to Administrative Tools Are Lacking

• There Is a Potential Loss of Separation of Duties for Network and Security Controls

Complete information about the above risks, and advice about how each can be addressed, is available here.