latest updates from easySERVICE™
Better hardware utilization and performance are driving the growth of virtualization. The trouble is security practices are failing to keep up.
Firms are failing to match their enthusiastic adoption of virtualization with a change of approach to security. By applying physical measures to the technology, they’re leaving gaps.
According a new study, some 85 percent of UK organizations haven’t updated security tools to deal with virtualization, which has grown strongly since 2009 when virtual servers overtook physical machines for the first time.
But not all organizations seem aware of the dangers, with just under half acknowledging that virtualization introduces new risks and needs specific security measures, the study by research firm Vanson Bourne for security specialist Trend Micro found.
“Often they will take their traditional security that they have for their physical environment and try and deploy that in their virtual one. As a result there’s an impact on performance, because the traditional security is not designed for their virtual environment. It doesn’t take into account how the virtual environment behaves and will leave security holes,” Trend product manager James Walker said.
Walker said conventional security tools struggle when applied to virtual machines and also create management problems.
“[With the traditional approach] a piece of software was deployed on a physical machine. You knew where that machine was, you knew the applications running on it. It had its own processor and memory to cope with its scheduled scan, for example,” he said.
“Now when you translate that into a virtual environment, where you would have multiple instances of virtual machines on the same physical server sharing memory and processor, when a scheduled scan comes on it can completely knock over the server and the applications running on it are no longer usable or accessible.”
The study found that nine out of 10 organizations say they are struggling to maintain security and point to virtualization as a contributor to the increased complexity of their IT infrastructure. Only 11 percent think their security is completely up to date.
Walker said the security-management issues relating to virtualization center on patching, policies and signatures.
“There are issues with what we call instant-on gaps where a new virtual machine is provisioned, or a machine has hibernated and hasn’t got updated. When they are brought to life, they haven’t got their most up-to-date signatures or policies and those are big potential issues,” Walker said.
“The other problem is when you move virtual machines from one hypervisor to another, the security in the traditional sense can’t follow. The management complexity once that starts to happen is very difficult.”
Trend technical director Michael Darlington agrees about where the principal security risks with virtualization lie.
“The biggest gap is the instant-on. So suddenly I’ve got an end-of-quarter or end-of-year report that runs that spins up a server. That server hasn’t been on for a while. Suddenly in a traditional environment you’d send all those Microsoft patches that have been released, all those Java updates, whatever those updates were, to that machine so that it sits there for a day, an hour, 10 minutes — who knows? — while it is trying to do all its updates,” Darlington said.
He said that the answer is to position the security technology at the hypervisor level so when the machine comes on there is no gap because the hypervisor has ensured anything that a virtual machine spins up on is patched to the right security levels.
The research among 100 organizations with more than 1,000 staff also found that 44 percent with a virtualized environment are already using infrastructure as a service or plan to do so.
Most — 61 percent — are paying for security as part of the service but half are also addressing security for these services with the same measures they use in the data center. About four out of 10 think infrastructure services have made managing IT security more complex.
Share your thoughts in the comments below and don’t forget to like this post.
Source: Associated Press
Error: Twitter did not respond. Please wait a few minutes and refresh this page.