Gartner Blog Network

Addressing the Most Common Security Risks in Data Center Virtualization Projects

by Neil MacDonald  |  January 27, 2010  |  5 Comments

One of my frequent blog posting topics is virtualization security. Virtualization isn’t inherently insecure, but in many cases, it is being deployed insecurely. The latter is a result of the relative immaturity of our tools, processes, staff and service providers. Also, in many cases, information security isn’t proactively involved in the virtualization planning. Survey data from Gartner conferences in late 2009 indicated that about 40% of virtualization deployment projects were undertaken without involving the information security team in the initial architecture and planning stages — an improvement from the same survey a year earlier where 50% indicated that they didn’t proactively involve information security.

Based on responses from the same survey, I’ve just published this research note for clients: Addressing the Most Common Security Risks in Data Center Virtualization Projects, which specifically addresses the risks that respondents rated the highest. The survey data is being turned into two research notes. Here’s a list of the most highly rated risks that I addressed in the first research note:

  • Information Security Isn’t Initially Involved in the Virtualization Projects
  • A Compromise of the Virtualization Layer Could Result in the Compromise of All Hosted Workloads
  • The Lack of Visibility and Controls on Internal Virtual Networks Created for VM-to-VM Communications Blinds Existing Security Policy Enforcement Mechanisms
  • Adequate Controls on Administrative Access to the Hypervisor/VMM Layer and to Administrative Tools Are Lacking
  • There Is a Potential Loss of Separation of Duties (SOD) for Network and Security Controls When These Are Virtualized

I’m not a doom-and-gloom type of security analyst, so the bulk of the 10 pages in the research note discusses specific actions you can take to address each risk in detail. For each risk I provide multiple options to either reduce or eliminate it, based on established best practices drawn from discussions with thousands of clients on these issues over the past three years.


Category: next-generation-data-center  virtualization-security  

Tags: best-practices  next-generation-data-center  next-generation-security-infrastructure  virtualization-security  

Neil MacDonald
VP & Gartner Fellow
15 years at Gartner
25 years IT industry

Neil MacDonald is a vice president, distinguished analyst and Gartner Fellow in Gartner Research. Mr. MacDonald is a member of Gartner's information security and privacy research team, focusing on operating system and application-level security strategies. Specific research areas include Windows security…

Thoughts on Addressing the Most Common Security Risks in Data Center Virtualization Projects

  1. Mike Wronski says:

    I couldn’t agree with you more, Neil. The gaps, along with the general new challenges of managing virtualization, are what drove Reflex to broaden our focus from pure network security to a more comprehensive view.

    It’s not just network segmentation leaving people at risk; it’s the change controls, access controls, and difficulty auditing them. The Reflex VMC product provides visibility and control points across the entire virtualization infrastructure, which allows both the InfoSec team and operators of virtualized environments access to the data and controls they need to mitigate these risks.

  2. […] argue that the x86 virtualization platforms that we are installing (ESX, Xen, Hyper-V and so on) are the most important x86 platforms in our data centers. That means patching this layer is paramount. With Hyper-V’s parent partition that means closely […]

  3. […] should be protected accordingly. I provide pages of specific recommendations on how to do this in this research note for […]

  4. It’s about time to see that the importance of controlling and monitoring administrators, and ‘privileged users’ in general, is set to increasingly grow and get the attention it deserves. With virtualization becoming the de facto platform and cloud computing gaining more traction, the threat posed by privileged users will become more critical and challenging to manage over the next few years.

    To find out more about the importance of managing privileged users in virtual and cloud environments, please read my recent blog at

  5. […] Symantec is finally starting to talk about virtualization and security, it hasn’t made much meaningful progress. For example, even the basic ability to randomize and […]
