Rush to virtualise prompts security fears

6 Apr 2007

Without implementing best practices for security, firms who rush to implement virtualisation strategies to reduce costs may actually end up increasing costs and reducing the agility of their business, according to Gartner.

Virtualisation software allows users to simultaneously run multiple operating systems (OS), or multiple sessions of a single OS, on a single, physical machine — server or desktop.

However, analyst firm Gartner warned that regardless of the specific architecture, virtualisation uses a privileged layer of software that, if compromised, places all consolidated workloads at risk.

“Virtualisation, as with any emerging technology, will be the target of new security threats,” said Neil MacDonald, vice-president and Gartner Fellow.

“Many organisations mistakenly assume that their approach for securing virtual machines (VMs) will be the same as securing any OS and thus plan to apply their existing configuration guidelines, standards and tools. While this is a start, simply applying the technologies and best practices for securing physical servers won’t provide sufficient protections for VMs.”

Because of the rush to adopt virtualisation for server consolidation efforts, many security issues are overlooked, best practices aren’t applied or in some cases the tools and technologies for addressing some of the security issues with virtualisation are immature or non-existent.

As a result, until 2009 60pc of production VMs will be less secure than their physical counterparts.

Gartner analysts said the process of securing VMs must start before the VMs are deployed and ideally before vendors and products are selected so that security and securability can be factored into the evaluation and selection process.

During this process, organisations must consider these security issues in virtualised environments.

“Organisations need to pressure security and virtualisation vendors to plug the major security gaps,” said MacDonald. “Existing virtualisation solutions address some of the gaps, but not all.

“It will take several years for the tools and vendors to evolve as well as organisations to mature their processes and staff skills. Knowledge of the security risks and the costs to address them must be factored into the cost-benefit discussion of virtualisation,” McDonald added.

By John Kennedy