Could Virtualized Servers Present Security Holes?

In spite of the growing popularity of server virtualization, the majority of IT professionals don't consider their virtual environments as secure as the rest of their network operations. That's the conclusion of a recent vendor-sponsored survey of 300 IT managers, security personnel, auditors and administrators. Prism Microsystems sells products for monitoring the security of the IT infrastructure, including hypervisors, the programs that allow multiple operating systems to run on the same piece of hardware.

"2010 State of Virtualization Security Survey," a 14-page report published by the company, cited several vulnerabilities that could exist in an unprotected virtualization layer. This layer encompasses the hypervisor and virtual management applications and can, potentially, "provide unfettered access to all hosted machines on a physical server." Added to that, the authors wrote, "Traffic between virtual machines on the same box never hits the physical network where network monitoring tools such as intrusion prevent/detection systems reside, rendering them ineffective." Also, the report said, log monitoring systems aren't necessarily capturing data at the virtualization layer.

Currently, according to the report's authors, industry experts believe a failure associated with a hypervisor-based attack "is somewhat theoretical." But 58 percent of respondents expressed concern about the potential for a hypervisor to create a single point of entry into multiple machines; 57 percent said they were concerned about the introduction of a new layer that could be attacked; and 54 percent cited "VM sprawl and flexible deployment capabilities" as a potential problem because it could lead to unmonitored or invisible machines.

A comparable number of people--nearly six in 10--reported that they use existing traditional security tools and strategies to secure their virtual environment. Yet slightly more than half of all respondents also said they don't agree that these are sufficient to provide "security insight into all layers of the virtual environment."

Only a fifth of enterprises are using virtual environment-specific security approaches. What's holding the others back is a combination of factors, primarily a lack of budget, a lack of staff expertise, and a lack of support from their security vendors.

"The reality is the money is just not there for specialty virtual security tools. And even if it was available, that approach is incorrect as it creates another silo of un-integrated security data," said Steve Lafferty, Prism's vice president of marketing. "In this environment, IT teams have to get the most out of what they have. This means leveraging solutions that do more with less and provide a single point of control to seamlessly monitor the entire IT infrastructure, from the physical to the virtual."

About the Author

Dian Schaffhauser is a former senior contributing editor for 1105 Media's education publications THE Journal, Campus Technology and Spaces4Learning.
