One of my frequent blog posting topics is virtualization security. Virtualization isn’t inherently insecure, but in many cases, it is being deployed insecurely. The latter is a result of the relative immaturity of our tools, processes, staff and service providers. Also, in many cases, information security isn’t proactively involved in the virtualization planning. Survey data from Gartner conferences in late 2009 indicated that about 40% of virtualization deployment projects were undertaken without involving the information security team in the initial architecture and planning stages — an improvement from the same survey a year earlier where 50% indicated that they didn’t proactively involve information security.
Based on responses from the same survey, I’ve just published this research note for clients: "Addressing the Most Common Security Risks in Data Center Virtualization Projects," which specifically addresses the risks that were rated the highest. The survey data is being turned into two research notes. Here’s a list of the most highly rated risks that I addressed in the first research note:
- Information Security Isn’t Initially Involved in the Virtualization Projects
- A Compromise of the Virtualization Layer Could Result in the Compromise of All Hosted Workloads
- The Lack of Visibility and Controls on Internal Virtual Networks Created for VM-to-VM Communications Blinds Existing Security Policy Enforcement Mechanisms
- Adequate Controls on Administrative Access to the Hypervisor/VMM Layer and to Administrative Tools Are Lacking
- There Is a Potential Loss of SOD for Network and Security Controls When These Are Virtualized
I’m not a doom-and-gloom type of security analyst, so the bulk of the 10 pages in the research discusses specific actions you can take to address each risk in detail. I provide multiple options to either reduce or eliminate each risk, based on established best practices from discussions with thousands of clients over the past three years on these issues.