Virtualization Technology News and Information
Security Takes a Backseat in the Rush to Adopt Virtualization

Prism Microsystems, developers of comprehensive SIEM solutions that provide complete security and compliance coverage across both physical and virtual environments, today announced the results of a survey on virtualization security conducted in April 2010. The survey of over 300 IT managers, security personnel, auditors and administrators reveals a significant gap between the speed at which companies are willing to deploy virtualization and their security readiness to address the added complexity that any new technology introduces.

The results of the survey indicate that companies are largely ignoring Hypervisor-level security despite acknowledging the importance of monitoring the virtualization layer for risk mitigation – at the Hypervisor layer, only 29% are collecting logs, 17% are reporting on activities and controls, 23% are monitoring user activity, and 18% are tracking access to critical data and assets. This goes against established best practices, such as those recommended by Gartner for the virtualization layer: “Activate full auditing and logging and link these into security information and event management systems.” (Gartner, ‘Addressing the Most Common Security Risks in Data Center Virtualization Projects,’ January 2010, Neil MacDonald)

Other best practices being ignored include separation of duty, with over 65% indicating that they have not implemented separation of duty between IT personnel responsible for the provisioning of virtual machines / virtual infrastructure and other administrator groups. This raises the risk of abuse by privileged insiders – a concern that is shared by over a third of respondents.

A majority of respondents to the survey agree that traditional security products and solutions are insufficient to provide visibility into the virtual environment, yet they continue to use these solutions, citing lack of budget as a primary inhibitor. This implies that in the rush to adopt virtualization, security investments are not being factored into project budgets. Hidden expenses are never welcome, and by ignoring what could later add up to be significant collateral costs, companies may not realize the ROI and cost-savings initially calculated for their virtualization projects.

When asked about the security of their virtual environments, only 28% expressed confidence that their virtual environment was as secure as the rest of their IT architecture, conveying a strong need for companies to find a more holistic and integrated way of monitoring, securing and managing an increasingly hybrid IT environment. “The reality is the money is just not there for specialty virtual security tools. And even if it was available, that approach is incorrect as it creates another silo of un-integrated security data. In this environment, IT teams have to get the most out of what they have – this means leveraging solutions that do more with less and provide a single point of control to seamlessly monitor the entire IT infrastructure, from the physical to the virtual,” said Steve Lafferty, VP of Marketing, Prism Microsystems.

A full copy of the survey results is available at:

Published Tuesday, May 04, 2010 6:41 PM by David Marshall