Surveys Raise Doubts on Virtualization Security

• By Jabulani Leffall
• 10/13/08

Migration to virtualization won't be the quick transition that some technology evangelists have predicted, according to recent surveys by two IT security companies. Nor is virtualization as secure as many might want it to be.

Virtualization security appeared to be a doubtful matter for nearly half of respondents in a survey released on Monday by San Francisco-based network security firm nCircle Inc.

In that survey, 47 percent of the study's more than 200 respondents said they didn't think the security methodologies around current virtualization programs were sound at all. Another seven percent of respondents ranked virtualization security in the "maybe/ depends" category.

"Security professionals are generally and rightfully always somewhat skeptical about new technologies," said nCircle's Director of Security Operations Andrew Storms. "I think seasoned veterans understand that technology can be both an enabler and a hindrance to solving any problem, security not excluded. How, when, where and why technologies are introduced to solve a problem is what matters most."

The jury is still out on virtualization security, which accounts for the split results found in nCircle's poll, Storms said.

The need for virtualization is clear. It's easier to roll out a new virtual guest system than it is to go into a room and push out a physical server. Moreover, a second survey, published this week by St. Paul, Minn.-based Shavlik Technologies, found that virtual machines are quickly becoming a fixture in many organizations.

Shavlik's survey polled VMworld 2008 conference attendees in a sample of nearly 300 IT, virtualization and security specialists. The survey found that security lagged despite virtualization rollouts. More than 80 percent of IT managers rated securing these virtual machines as "very important to critical," but only 35 percent had actually secured them, Shavlik's study found.

"Companies recognize the benefits of virtualization but are slower at implementing the security measures needed to protect their available information assets," said Chris Schwartzbauer, Shavlik's vice president of worldwide field operations.

While that's a problem now, virtualization offers some benefits.

"Increased investment in automating and simplifying the elements of securing virtual machines represents a significant challenge, but also an opportunity for companies to increase operational efficiencies and reduce the total cost of managing the security of virtual systems," Schwartzbauer explained.

Virtualization marks a shift in thinking, as described in a landmark speech by VMware's President and CEO Paul Maritz. He said the IT infrastructure should be treated as "a single giant computer on which applications can be provisioned in a more manageable, scalable way."

Maritz and other virtualization proponents insist that the IT community's attention will shift from devices and applications themselves to the customized needs of users and enterprisers.

Security, when used with virtualization, needs to be platform agnostic, just like the information it protects, according to Storms and some of his peers. However, it's important to stay focused on the main goal in information security: preventing breaches.

"Still there's the realization that information is everywhere. And honestly, we need not be too concerned if it resides on physical or virtual servers," Storms said. "What matters is that we consider information protection mechanisms that follow the information."

To protect IT assets, it's important to follow best practices and work toward achieving compliance in approved system configurations, he added.