Dark cloud: Study finds security risks in virtualization

Government IT upgrade projects may soon have a new wrench thrown into the works. According to recent research from Gartner, 60 percent of virtual servers are less secure than the ones they replace.

The situation is slated to continue through the end of 2015, when the number of insecure virtual servers is expected to drop to 30 percent.

"Virtualization is not inherently insecure," said Neil MacDonald, Gartner fellow and vice president. "However, most virtualized workloads are being deployed insecurely. The latter is a result of the immaturity of tools and processes and the limited training of staff, resellers and consultants."

Numerous state, local and federal agencies have moved or are moving to virtual servers, including the state of California and the Energy Department. While Gartner estimated that only 18 percent of enterprise data center workloads had been virtualized at the end of 2009, that number is expected to grow to more than 50 percent by the close of 2012.

One of the major causes of this issue is a lack of involvement of the IT security team in the architecture and planning stages of development, Gartner said. About 40 percent of the surveyed organizations had not brought security professionals into the projects.

Related coverage:

IBM launches public cloud service

Agencies help test cloud-based file storage system

Another risk is that the virtualization layer could compromise all hosted workloads, with hackers already targeting this layer, Gartner said. Gartner recommends keeping the layer as “thin as possible, while hardening the configuration to unauthorized changes."

Organizations should not rely on host-based security controls, the report states.

Other risks include a lack of visibility and controls on internal virtual networks, which are not visible to network-based security protection devices, such as network-based intrusion prevention systems, and consolidations of workloads of different trust levels on the same physical server without adequate separation. There is also the potential for inadequate administrative access controls and administrative tools for the hypervisor/virtual machine manager layer. Finally, a potential loss of separation duties for network and security controls could lead to inadvertently allowing users to gain access to data that exceeds their normal privilege levels.

To address these risks, Gartner recommended treating the virtual network as similar to a physical one, with the same kind of monitoring and separation of workloads and the same team handling both. Additionally, organizations should isolate virtual desktop workloads from the rest of the physical data center and restrict access to the virtualization layer.