Surveys Raise Doubts on Virtualization Security

Migration to virtualization won't be the quick transition that some technology evangelists have predicted, according to recent surveys by two IT security companies. Nor is virtualization as secure as many might want it to be.

Virtualization security appeared to be a doubtful matter for nearly half of respondents in a survey released on Monday by San Francisco-based network security firm nCircle Inc.

In that survey, 47 percent of the study's more than 200 respondents said they didn't think the security methodologies around current virtualization programs were sound at all. Another seven percent of respondents ranked virtualization security in the "maybe/ depends" category.

"Security professionals are generally and rightfully always somewhat skeptical about new technologies," said nCircle's Director of Security Operations Andrew Storms. "I think seasoned veterans understand that technology can be both an enabler and a hindrance to solving any problem, security not excluded. How, when, where and why technologies are introduced to solve a problem is what matters most."

The jury is still out on virtualization security, which accounts for the split results found in nCircle's poll, Storms said.

The need for virtualization is clear. It's easier to roll out a new virtual guest system than it is to go into a room and push out a physical server. Moreover, a second survey, published this week by St. Paul, Minn.-based Shavlik Technologies, found that virtual machines are quickly becoming a fixture in many organizations.

Shavlik's survey polled VMworld 2008 conference attendees in a sample of nearly 300 IT, virtualization and security specialists. The survey found that security lagged despite virtualization rollouts. More than 80 percent of IT managers rated securing these virtual machines as "very important to critical," but only 35 percent had actually secured them, Shavlik's study found.

"Companies recognize the benefits of virtualization but are slower at implementing the security measures needed to protect their available information assets," said Chris Schwartzbauer, Shavlik's vice president of worldwide field operations.

While that's a problem now, virtualization offers some benefits.

"Increased investment in automating and simplifying the elements of securing virtual machines represents a significant challenge, but also an opportunity for companies to increase operational efficiencies and reduce the total cost of managing the security of virtual systems," Schwartzbauer explained.

Virtualization marks a shift in thinking, as described in a landmark speech by VMware's President and CEO Paul Maritz. He said the IT infrastructure should be treated as "a single giant computer on which applications can be provisioned in a more manageable, scalable way."

Maritz and other virtualization proponents insist that the IT community's attention will shift from devices and applications themselves to the customized needs of users and enterprisers.

Security, when used with virtualization, needs to be platform agnostic, just like the information it protects, according to Storms and some of his peers. However, it's important to stay focused on the main goal in information security: preventing breaches.

"Still there's the realization that information is everywhere. And honestly, we need not be too concerned if it resides on physical or virtual servers," Storms said. "What matters is that we consider information protection mechanisms that follow the information."

To protect IT assets, it's important to follow best practices and work toward achieving compliance in approved system configurations, he added.

About the Author

Jabulani Leffall is a business consultant and an award-winning journalist whose work has appeared in the Financial Times of London, Investor's Business Daily, The Economist and CFO Magazine, among others. He consulted for Deloitte & Touche LLP and was a business and world affairs commentator on ABC and CNN.

Featured

  • student reading a book with a brain, a protective hand, a computer monitor showing education icons, gears, and leaves

    4 Steps to Responsible AI Implementation

    Researchers at the University of Kansas Center for Innovation, Design & Digital Learning (CIDDL) have published a new framework for the responsible implementation of artificial intelligence at all levels of education.

  • glowing digital brain interacts with an open book, with stacks of books beside it

    Federal Court Rules AI Training with Copyrighted Books Fair Use

    A federal judge ruled this week that artificial intelligence company Anthropic did not violate copyright law when it used copyrighted books to train its Claude chatbot without author consent, but ordered the company to face trial on allegations it used pirated versions of the books.

  • server racks, a human head with a microchip, data pipes, cloud storage, and analytical symbols

    OpenAI, Oracle Expand AI Infrastructure Partnership

    OpenAI and Oracle have announced they will develop an additional 4.5 gigawatts of data center capacity, expanding their artificial intelligence infrastructure partnership as part of the Stargate Project, a joint venture among OpenAI, Oracle, and Japan's SoftBank Group that aims to deploy 10 gigawatts of computing capacity over four years.

  • laptop displaying a phishing email icon inside a browser window on the screen

    Phishing Campaign Targets ED Grant Portal

    Threat researchers at cybersecurity company BforeAI have identified a phishing campaign spoofing the U.S. Department of Education's G5 grant management portal.