Many organizations are putting their virtual infrastructures at risk as a result of hypervisor privileges and ‘data sprawl’ in virtual environments not being adequately addressed by current adoption of security technologies and policies, according to a study released today by CA Technologies.
The study, “Security-An Essential Prerequisite for Success in Virtualization,” surveyed 335 decision makers in 15 countries across Europe and the US.
Data sprawl, defined as the risk of data moving around virtualized IT systems without control and ending up in less secure environments, is considered to be the greatest threat. The study reveals that 81 percent of respondents consider the risk of data sprawl as ‘very important’ or ‘important’. While Data loss prevention (DLP) help reduce the risks of data sprawl, only 38 percent of respondents say they have implemented DLP.
“There are two key aspects associated with complexity and virtualization security,” says Martin Kuppinger, Founder and Principal Analyst at KuppingerCole, the firm that conducted the survey for CA Technologies. “First, managing security in virtualized environments is more difficult because virtualization leads to an increased number of instances, like the location of applications and data moving between different host systems and other aspects of data sprawl. Second, different platforms and environments provided by different vendors need to be managed and secured.”
Related: Ten Criteria for Evaluating Virtualization Security Solutions
The study also revealed that 73 percent of organizations are concerned that the far-reaching privileges presented by hypervisors might lead to mistakes or abuse by privileged users. The hypervisor administration account has extensive access privileges with very few limitations or security controls. The hypervisor also introduces an extra layer into virtualized environments creating new attack surfaces, opening the door to abuse by privileged users. However, according to the study, 49 percent of these organizations have neither implemented a privileged user management (PUM) nor a security log management solution.
Other Key Findings:
· 39% of organizations believe that virtual environments are more difficult to secure than physical environments
· Most organizations use at least two different virtualization technology providers: VMware is deployed by 83 percent of respondents, Citrix by 52 percent, and Microsoft (mainly Hyper-V) by 41 percent, for example.
· 84 percent of respondents state they prefer integrated solutions to seamlessly secure both virtual and physical environments. However, only 56 percent of the organizations surveyed have implemented or are in the process of implementing the same security solutions for virtual and physical environments. – Most organizations are unaware of the importance of integrating security management with infrastructure management
· Too many security activities remain dependent upon manual processes, putting organizational security at risk
“These findings demonstrate that the automation technologies available to mitigate the risks from privileged access in virtualized environments are not yet widely deployed,” says Shirief Nosseir, EMEA Product Marketing Director, Security Management, CA Technologies. “If they were, IT organizations could control the risks arising from virtualization security and ultimately better leverage the benefits of virtualization.”
Concerns Slowing Adoption of Private Clouds
The study also surveyed about the plans organizations have for private cloud as an evolution of their virtual environment. When asked for the major inhibitors to quickly move towards a private cloud strategy, the strongest factors were ‘cloud privacy and compliance issues’ and ‘cloud security issues’, both cited by almost 85 percent of respondents. While 38 percent expect to eliminate the security issues by the end of 2011, only 30 percent believe this will become true for the privacy and compliance issues, meaning that users think privacy and regulatory compliance might delay the evolution of IT towards cloud principles. On a more positive note, the research demonstrates organizational awareness that security―in particular identity and access management (IAM) and governance, risk and compliance―are prerequisites for a successful cloud computing strategy.
“Despite the rapid growth in server virtualization, many organizations still have quite a way to go before they reach the level of maturity and automation required to reap the true benefits of virtualization,” Nosseir concludes. “This survey highlights the need for a unified approach to address the current IT and security management silos and to help simplify the complexity of virtual environments. Without this integration, organizations will struggle to automate their processes and reap the real rewards of virtualization. Moreover, this integration becomes essential when transitioning to cloud-enabled datacenters as the focus shifts more on delivering and consuming IT and security services.”
Related: Evaluating Cloud Solutions: Which Type of Cloud is Right for Your Organization?
Related: Ten Criteria for Evaluating Virtualization Security Solutions