According to a recent survey conducted by Varonis, a data governance solutions provider, data security in virtualized environments is often neglected by IT organizations.
The small survey, conducted at VM World conferences in Barcelona and San Francisco, suggests that when it comes to virtualized servers, security is often an afterthought, as 70% of respondents had little or no auditing in place on virtual servers.
The lack of sufficient security is highlighted by the fact that 48% of respondents either reportedor suspected unauthorized access to files on their virtualized servers . Additionally, even for those who do audit all activity, 68% believe there is still unauthorized access.
According to a 2012 report from Gartner, there are more than 50 million installed virtual machines (VMs) on servers. According to Varonis’s survey, application servers were virtualized by almost all survey respondents (87%), primarily due to speedier deployment (76%) and disaster recovery (74%). Those who do not virtualize cite disk storage (37%), performance (30%) and a lack of advantages (20%) as the three main reasons for not doing so.
File security was often neglected by organizations of all sizes, Varonis said. According to the survey, almost 60% said they were very careful about setting permissions and controlling subsequent updates, and 70% had implemented little or no auditing. In fact, 20% of enterprises with more than 5,000 employees admitted to having no file logging capabilities in place.
"We suspect that for IT departments, virtualization may be something of a black box. We have found that, after a workload is virtualized, the actual details of managing file permissions and monitoring access is considered to be automatically 'taken care of.' It is also quite possible that the teams managing virtualization projects see file security and governance as outside their discipline. The security team may have no visibility of what is happening," David Gibson, VP of Strategy at Varonis, said in a statement.
The results suggest that, while virtualization has been groundbreaking in allowing IT to isolate applications and services with a few clicks, it doesn't solve permissions management and access auditing -- in fact it might make it even more complex.
"Data protection, obviously, requires the same level of vigilance in a virtual environment -- and perhaps even more so given the complexities of managing multiple operating systems on a single computing box," Gibson added. "For organizations to stay on top of their digital assets it is vital to further IT education in this area, both in terms of training staff in understanding virtual file systems, as well as in effectively using automation to uncover security holes, monitor activity, and control permissions."