
Gartner: Virtualization security will take time

In five years, virtualized systems likely will be more secure than their physical counterparts, but until then, it will be rough sledding for organizations transitioning to the new technology, according to a new report from Gartner.

Through 2012, 60 percent of virtualized servers will be less secure than the physical servers they replace, according to the findings, released Monday. The analyst firm blamed the stumbling on organizations' failure to involve the IT security team in their deployment projects, in addition to immature tools to protect these new environments.

"I think the worst thing is that people pretend there aren't any differences [between virtual and physical] and they move right ahead and don't have any discussions at all," Neil MacDonald, a Gartner vice president and fellow, told SCMagazineUS.com on Tuesday. "That's the most common mindset I encounter. In some cases, they [operations] are worried because they think information security will come and say, 'No, we can't do this.'"

But that is a big mistake, especially considering virtualization projects come with their fair share of risks, he said. And, by 2012, more than 50 percent of enterprise data centers are expected to be virtualized.

For example, if attackers are able to compromise the virtualization layer, that could lead to a compromise of all hosted applications and data, MacDonald said. Problems additionally could arise if virtual desktop "workloads" are not properly isolated from one another or if access to the hypervisor, the software that coordinates a virtual machine's interaction with underlying hardware, is not properly controlled.

But these threats are expected to be mitigated as organizations become more skilled in handling this technology, as vendors deliver better security tools, as virtualized platforms go to market with more security features and as system integrators, consultants and auditors become better educated.

"That [60 percent number] would actually drop by 2015, as people become more aware of the difference in physical and virtual environments and the special considerations they need to look at as they virtualize," MacDonald said.

Kurt Roemer, chief security strategist at Citrix, maker of the popular XenServer virtualization platform, said he is not surprised that organizations may overlook security as they transition to virtualized infrastructure.

"This is unbelievably reminiscent of the transition of mainframe to personal computer," he told SCMagazineUS.com on Tuesday. "It seems identical to what happened years and years ago."

He said that because virtualization can free departments from various IT constraints, many are proceeding on their own with projects, without consulting the security team.

"If it's set up outside the IT and security organization, security is going to take a backseat to functionality," Roemer said.

To remedy this, businesses must ensure they stand up a strong security architecture and leverage security tools that work on both physical and virtual platforms, to avoid misconfiguration, he said. In addition, company newsletters and other educational materials should contain information on properly safeguarding virtual machines.

There is at least one ray of light: Many organizations have been reluctant to turn over their most sensitive, mission-critical applications to the virtualized layer, mostly due to concerns over performance and vendor support, MacDonald said. By the time they do, enterprises may be better prepared to protect them.
