The use of virtual environments has become an established practice over the past few years. A 2016 survey by Spiceworks reports that 76% of respondents have adopted server virtualization, and Gartner estimates that server virtualization rates in many organizations already exceed 75%. This strong adoption of virtualization is easy to understand: virtual environments are easy to deploy, improve IT efficiency, provide better business continuity, and - most importantly - reduce costs. 

Unfortunately, these benefits can be negated if proper security measures are not taken. A 2015 global survey by Kaspersky Lab reveals that businesses pay twice as much to recover from a security breach if virtualized infrastructures are involved. The figures are quite worrying: $60,000 per incident for SMBs and $800,000 for enterprises. The report attributes these high costs to the complexity of securing virtualized environments, a failure to properly understand the risks, and the increasing reliance on virtualization for mission-critical operations.

Clearly, even a single security breach can be devastating. Here are three recommendations for ensuring your virtual environment is secure:

Recommendation #1: Protect your virtual environments just as carefully as your physical environments. According to the Kaspersky Lab survey, 42% of respondents still think that virtual environments are safer than physical ones. But it would be a great mistake to rely on that belief while storing sensitive data on virtual machines. Attackers will always find a way in. Don't wait for a breach; make the security of your virtual machines a priority.

Recommendation #2: Learn about the risks specific to virtual environments. Virtual environments have different vulnerabilities than physical infrastructures. For example, they have a larger attack surface: Because the components of a virtual infrastructure are often connected and can be accessed through each other, any unauthorized or malicious action can affect all virtual machines connected to one host, magnifying its impact. In addition, virtual machines can be easily misconfigured or copied and misused, either of which can impair critical business activity.

Recommendation #3: Don't leave your virtual environment a blind zone. System administrators need complete visibility into the entire IT infrastructure, including the virtualized parts of it. They should conduct regular IT audits and proactively look for any suspicious activities. They need to be able to quickly answer questions such as:

• Who created each virtual machine?
• Who reconfigured or disabled a particular virtual machine?
• Who changed resource pool parameters?

Every suspicious change needs to be investigated immediately, since even innocent human errors can lead to a security incident.

Organizations that follow these recommendations have more secure virtual environments. Enrique Martinez, Information Security Coordinator of Banco Bandes Uruguay, explains how complete visibility into user activity across VMware helped the bank establish proper security controls in its virtual environment. "With the virtual environment, manual auditing is completely impossible. When a virtual server can be created in 15 seconds, there is a strong possibility of not knowing how many servers there are and what happens to them," he said.

Virtualization technology continues to mature in both performance and reliability. But it's critical not to rush to move your critical data to a virtual environment before you establish effective security practices and gain complete visibility into user activity across the entire IT infrastructure. The inability to detect errant or malicious changes can lead to system downtime and security incidents - even a data breach that could entail significant financial consequences and damage to your organization's reputation.  Awareness of virtualization-related risks is increasing, but so is the number of attacks on virtual infrastructures. Smart organizations will make it a priority to invest in an advanced security solution. 

##

About the Author

Alex Vovk, an accomplished expert in information security, is CEO and co-founder of Netwrix, the first company to introduce a visibility and governance platform that supports both on-premises and hybrid cloud IT environments.