Gartner Blog Network

Virtualization Security Assessments

by Neil MacDonald  |  December 21, 2009  |  4 Comments

One of my frequent blogging topics is virtualization security. I’ve researched the issue for years and have watched the industry and enterprises deploying virtualization mature in their processes and tools.

One area of interest from clients is for external third parties to come into an organization and assess the security of the enterprise’s virtualization deployment. The good news is that multiple vendors and service providers are stepping up to fill this specific need.

Here are some examples:

If anyone knows of others, please add them to the comments section to build the list.

Ideally, whatever vendor you are using for overall IT security assessments should be able to include virtualized infrastructure and not require a separate practice. Most organizations will require a mix of physical and virtualized computing capabilities for years to come and it doesn’t make sense to have separate vendors and assessments for our physical infrastructure versus our virtualized infrastructure. If your existing assessment vendor can’t correct assess a virtualized environment, consider using one of these point solution providers to fill the gap – or switching providers.

Additional Resources

View Free, Relevant Gartner Research

Gartner's research helps you cut through the complexity and deliver the knowledge you need to make the right decisions quickly, and with confidence.

Read Free Gartner Research

Category: virtualization-security  

Tags: information-security  virtualization-security  

Neil MacDonald
VP & Gartner Fellow
15 years at Gartner
25 years IT industry

Neil MacDonald is a vice president, distinguished analyst and Gartner Fellow in Gartner Research. Mr. MacDonald is a member of Gartner's information security and privacy research team, focusing on operating system and application-level security strategies. Specific research areas include Windows security…Read Full Bio

Thoughts on Virtualization Security Assessments

  1. Doug Barbin says:

    Hi Neil,

    I am with SAS 70 Solutions ( We provide SAS 70 Type I and II audits as well as PCI (QSA) and ISO 27001/27002 assessments and advisory services with a focus on service provider organizations.

    We concur with your statement that any assessment firm needs to be able to handle virtualized and physical computing environments (and controls). We would add that consideration should also be given to the independence and neutrality of the assessor. In other words, should assessors be engaged to assess their own implementations or products? Should assessors be engaged to assess competitors’ implementations or products?

    There is certainly value in either approach, but organizations must understand the ramifications when selecting a vendor.

    Happy Holidays!

    Douglas W. Barbin
    Director, Security and Compliance Services
    SAS 70 Solutions

  2. […] Virtualization Security Assessments – One of my frequent blogging topics is virtualization security. I’ve researched the issue for years and have watched the industry and enterprises deploying virtualization mature in their processes and tools. … […]

  3. Neil MacDonald says:

    Doug – I checked before the holidays and after as well – there is no match for “virtualization” or “vmware” on your site. So if indeed you all include this as a part of your services, why wouldn’t you call this out?

    Agree that a single audit / assessment should cover both physical and virtual environments, but potential clients can’t assume this.

  4. Doug Barbin says:


    Good feedback, thank you. From an auditors perspective, virtualization lies within the details of the assessment scope, specifically the targets and substantive testing that is performed. As such, I’m not sure I would specifically call out a virtualization or vmware audit as its own service offering per se.

    That said, it is fair to point out the domains and types of technologies we regularly assess. We are actually in the process of updating the site to include the broader set of security assessments so we will include this as well. Thanks again.

    Best Regards,

Comments are closed

Comments or opinions expressed on this blog are those of the individual contributors only, and do not necessarily represent the views of Gartner, Inc. or its management. Readers may copy and redistribute blog postings on other blogs, or otherwise for private, non-commercial or journalistic purposes, with attribution to Gartner. This content may not be used for any other purposes in any other formats or media. The content on this blog is provided on an "as-is" basis. Gartner shall not be liable for any damages whatsoever arising out of the content or use of this blog.