Server virtualisation will increase businesses' exposure to hacking attacks, according to analyst Gartner.
Gartner has estimated that almost two-thirds of virtual servers will be less secure than the physical servers they replace between now and 2012. Security will improve by 2015, when Gartner predicts 30% of virtual servers will be insecure.
"Virtualisation is not inherently insecure, but most virtualised workloads are being deployed insecurely as a result of the immaturity of tools and processes and the limited training of staff, resellers and consultants," said Neil MacDonald, vice-president and Gartner fellow.
Gartner has produced a report on server virtualisation risks.
Server virtualisation security issues
1. Information security is not initially involved in the virtualisation projects
Survey data from Gartner conferences in late 2009 indicates that about 40% of virtualisation deployment projects were undertaken without involving the information security team in the initial architecture and planning stages.
2. A compromise of the virtualisation layer could result in the compromise of all hosted workloads
The virtualisation layer represents another important IT platform in the infrastructure, and like any software written by human beings, this layer will inevitably contain embedded and yet-to-be-discovered vulnerabilities that may be exploited.
3. The lack of visibility and controls on internal virtual networks created for VM-to-VM communications blinds existing security policy enforcement mechanisms
For efficiency in communications between virtual machines (VMs), most virtualisation platforms include the ability to create software-based virtual networks and switches inside the physical host to enable VMs to communicate directly. This traffic will not be visible to network-based security protection devices, such as network-based intrusion prevention systems.
4. Workloads of different trust levels are consolidated onto a single physical server without sufficient separation
As organisations move beyond the "low-hanging fruit" of workloads to be virtualised, more critical systems and sensitive workloads are being targeted for virtualisation. This is not necessarily an issue, but it can become an issue when these workloads are combined with other workloads from different trust zones on the same physical server without adequate separation.
5. Adequate controls on administrative access to the hypervisor/VM management layer and to administrative tools are lacking
Because of the critical support the hypervisor/VM management layer provides, administrative access to this layer must be tightly controlled, but this is complicated by the fact that most virtualisation platforms provide multiple paths of administration for this layer.
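An added example for issues 3 and 4 above, not taken from the Gartner report: a placement audit that flags physical hosts mixing trust zones and virtual switches that join VMs from different zones. The inventory, its field names and the zone labels are constructed, and it assumes traffic between VMs on the same virtual switch stays inside the host.

```python
from collections import defaultdict

# Constructed sample inventory; field names are assumptions. Map them from
# whatever export your virtualisation management tooling provides.
INVENTORY = [
    {"vm": "web-01",   "host": "host-a", "zone": "dmz",      "vswitch": "vs0"},
    {"vm": "db-01",    "host": "host-a", "zone": "pci",      "vswitch": "vs0"},
    {"vm": "app-01",   "host": "host-b", "zone": "internal", "vswitch": "vs0"},
    {"vm": "app-02",   "host": "host-b", "zone": "internal", "vswitch": "vs0"},
    {"vm": "hr-01",    "host": "host-c", "zone": "internal", "vswitch": "vs0"},
    {"vm": "kiosk-01", "host": "host-c", "zone": "dmz",      "vswitch": "vs1"},
]

def audit(inventory):
    """Return sorted findings as (kind, location, zones, vms) tuples."""
    by_host = defaultdict(list)
    by_switch = defaultdict(list)
    for vm in inventory:
        by_host[vm["host"]].append(vm)
        by_switch[(vm["host"], vm["vswitch"])].append(vm)

    findings = []
    # Issue 4: workloads from different trust zones share one physical server.
    for host, vms in by_host.items():
        zones = sorted({v["zone"] for v in vms})
        if len(zones) > 1:
            findings.append(("mixed-trust-host", host, zones,
                             sorted(v["vm"] for v in vms)))
    # Issue 3: a virtual switch joins VMs from different zones, so traffic
    # between them never reaches a network-based IPS on the physical network.
    for (host, switch), vms in by_switch.items():
        zones = sorted({v["zone"] for v in vms})
        if len(zones) > 1:
            findings.append(("cross-zone-vswitch", f"{host}/{switch}", zones,
                             sorted(v["vm"] for v in vms)))
    return sorted(findings)

if __name__ == "__main__":
    for kind, where, zones, vms in audit(INVENTORY):
        print(f"{kind:20} {where:12} zones={zones} vms={vms}")
```

On the sample data, host-c is reported only as a mixed-trust host because its two zones sit on separate virtual switches, while host-a is reported under both checks.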