Jury is out on virtualization security
Connecting state and local government leaders
Migration to virtualization won't be the quick transition that some technology evangelists have predicted, according to the results of two recent surveys.
Migration to virtualization won't be the quick transition that
some technology evangelists have predicted, according to recent
surveys by two IT security companies. Nor is virtualization as
secure as many might want it to be.
Virtualization security appeared to be a doubtful matter for
nearly half of respondents in a survey released on Monday by San
Francisco-based network security firm nCircle Inc.
In that survey, 47 percent of the study's more than 200
respondents said they didn't think the security methodologies
around current virtualization programs were sound at all. Another
seven percent of respondents ranked virtualization security in the
"maybe/ depends" category.
"Security professionals are generally and rightfully always
somewhat skeptical about new technologies," said nCircle's Director
of Security Operations Andrew Storms. "I think seasoned veterans
understand that technology can be both an enabler and a hindrance
to solving any problem, security not excluded. How, when, where and
why technologies are introduced to solve a problem is what matters
most."
The jury is still out on virtualization security, which accounts
for the split results found in nCircle's poll, Storms said.
The need for virtualization is clear. It's easier to roll out a
new virtual guest system than it is to go into a room and push out
a physical server. Moreover, a second survey, published this week
by St. Paul, Minn.-based Shavlik Technologies, found that virtual
machines are quickly becoming a fixture in many organizations.
Shavlik's survey polled VMworld 2008 conference attendees in a sample of
nearly 300 IT, virtualization and security specialists. The survey
found that security lagged despite virtualization rollouts. More
than 80 percent of IT managers rated securing these virtual
machines as "very important to critical," but only 35 percent had
actually secured them, Shavlik's study found.
"Companies recognize the benefits of virtualization but are
slower at implementing the security measures needed to protect
their available information assets," said Chris Schwartzbauer,
Shavlik's vice president of worldwide field operations.
While that's a problem now, virtualization offers some
benefits.
"Increased investment in automating and simplifying the elements
of securing virtual machines represents a significant challenge,
but also an opportunity for companies to increase operational
efficiencies and reduce the total cost of managing the security of
virtual systems," Schwartzbauer explained.
Virtualization marks a shift in thinking, as described in a
landmark speech by VMware's President and CEO Paul
Maritz. He said the IT infrastructure should be treated as "a
single giant computer on which applications can be provisioned in a
more manageable, scalable way."
Maritz and other virtualization proponents insist that the IT
community's attention will shift from devices and applications
themselves to the customized needs of users and enterprisers.
Security, when used with virtualization, needs to be platform
agnostic, just like the information it protects, according to
Storms and some of his peers. However, it's important to stay
focused on the main goal in information security: preventing
breaches.
"Still there's the realization that information is everywhere.
And honestly, we need not be too concerned if it resides on
physical or virtual servers," Storms said. "What matters is that we
consider information protection mechanisms that follow the
information."
To protect IT assets, it's important to follow best practices
and work toward achieving compliance in approved system
configurations, he added.