Virtualized environments painfully insecure?
John Burke of Nemertes Research says while organizations are hot for virtualization technology, they are ignoring security in the rush to adopt
By Joan Goodchild , Senior Editor
June 07, 2011 — CSO —
Boston -- Less than 20 percent of organizations using virtualization technology are adopting security tools to work in tandem with the software in order to decrease the risks that are inherent in a virtualized environment. This according to John Burke, Principal Research Analyst with Nemertes Research, who spoke Tuesday at the IT Roadmap Conference and Expo in Boston about the emerging threats posed to mobile and virtual environments.
Burke pointed to a woefully unprepared landscape of IT managers who have not yet confronted the serious risks that exist today. While 68 percent of workloads are virtualized, according to Burke's presentation, only a fraction of those using virtualization are adopting those environments in a secure way.
Why? The common answer, according to Burke, is "We haven't seen any compromise yet."
"That isn't a statement any audit team is going to take too seriously," he cautioned.
Burke said IT departments are increasingly sacrificing the kind of security once seen in physical data centers in order to reap the benefits of virtualization.
"They are doing it tactically and hoping no one notices," he said. "But they feel the trade-off is worth it."
The problems surrounding security in virtualized environments, according to Burke, is that today's traditional network security team still doesn't 'get' virtualization security. And specialized security teams are often brought in late, or not at all, when virtualization projects are underway.
Yet, entire virtualized data centers in the cloud are coming, said Burke. And it's time for the security team to start getting involved.
"You need to stop seeing security as a lot of point solutions, you have to think about it now in a comprehensive way," he explained. "Think one or two panes of glass for the security folks to look at, not 16 panes for 16 tools. You need one or two for however many tools you may have. And everything needs to be virtualization-aware."
Burke suggested the immediate steps for organizations which may have virtualized without considering security would be to restore some of the defense-in-depth lost in the virtualization process.
"Have at least some visibility into the virtual environment for auditing purposes," he said. "You don't necessarily have to recreate the firewall between point a and point b, but you should at least be able to ensure point a isn't talking to point b. The important thing is to do something."
Read more about data protection in CSOonline's Data Protection section.
Other stories by Joan Goodchild