Analysis: Businesses are not securing virtual environments. Why?

Virtualisation is the norm, yet a third of companies admit they have not invested in security for their virtual computing environments. Why not?

  1. Security trails drive to virtualisation
  2. Underestimating risks to business-critical environments
  3. The security risks of virtualisation
  4. How to implement virtual security measures
  5. Virtual security training


IT often virtualises new applications and workloads by default. Virtualisation is now the norm, deploying a physical server the exception. Yet, a third of companies admit they have not invested in security for their virtual computing environments. Why not?

Research has shown that 85% of organisations have adopted or are planning to adopt x86 server virtualisation, 79% of firms have or are planning a "virtualisation first" policy and, on average, 52% of the x86 servers in enterprises are virtual, a figure expected to be close to 75% in two years.

The fact that server virtualisation is nearly ubiquitous proves that virtualisation has been uppermost in the minds of enterprise architects and IT and operations professionals for years, according to Forrester Research.

But, a Forrester guide on virtualisation security notes that, at the same time, many chief information security officers (CISOs) are not aware of the virtualisation security risks, while other CISOs are very concerned about their virtual environments, but do not always have the authority to enforce policy or implement new security controls.

Security trails drive to virtualisation

Economic realities have driven many organisations to ramp up their use of virtualisation in the past 18 months, according to Andrew Lintell, director for corporate sales at security firm Kaspersky Lab.

"The security industry is playing catch-up with virtualisation. Organisations seem to be more aware of what they need to virtualise their environments than of the associated risks," he said.

Historically, businesses have adopted new and emerging technologies, such as the internet, because of the obvious benefits, without thinking about the security implications, said David Emm, senior security researcher at Kaspersky Lab.

Virtualisation is a good example of where a little knowledge is dangerous. A global Kaspersky Lab study of businesses with 100 or more IT workstations found that 42% of companies believe their virtual servers are more secure than physical ones, despite the fact that one in three of those surveyed admitted their knowledge of virtualisation was 'basic'.

Underestimating risks to business-critical environments

"There is a common perception that virtual machines (VMs) are more secure than physical ones, but this is little more than a myth. In fact, virtual systems are just as vulnerable to malware in the form of malicious e-mail attachments, drive-by-downloads, botnet Trojans and even targeted spear-phishing attacks," said Peter Beardmore, senior director of products and services at Kaspersky Lab.

"There is no doubt the business benefits of virtualisation are huge, both in cost and accessibility. But underestimating the security risks puts businesses of all sizes in a perilous position," he said.

Despite limited knowledge of virtualisation, the Kaspersky study found 81% of services launched in virtual environments are business-critical. Around half of those running applications on virtual services admitted they did not have a full understanding of virtualisation and securing that environment.

While IT and operations professionals have rapidly virtualised the environment to reduce costs and improve flexibility, Forrester Research has found that security professionals have remained on the sidelines, either by choice or because other IT professionals have marginalised them.

"Business is so focused on performance and cost, security is often overlooked or tagged on only at the end," said Kaspersky's Andrew Lintell.

As a result, IT departments tend to rely on traditional security systems designed for physical environments to secure their virtual environments. Typically, organisations rely on existing security systems because they have not yet developed a plan for the virtual environment, Forrester found.

The security risks of virtualisation

Also, many security professionals are not aware of what tools are available for securing virtual environments and are not comfortable with virtualisation, Forrester researchers found.

Typically, CISOs and other IT security professionals have risen up the ranks from technical positions before virtualisation was introduced and consequently have no working knowledge or experience of it, according to Forrester security and risk analyst Andrew Rose.

"Many IT professionals think a virtual server is just the same as a physical one, but they are not. The risks are different," he said.

According to Forrester, these risks include:

  • Limited visibility into intra-virtual-machine traffic.
    Many security professionals do not have the tools to inspect traffic between two VMs on the same virtual server.
  • Increased vulnerability to insider threats.
    The collapsed nature of virtual environments exacerbates the impact of insider threats.
  • The inability to maintain security controls in a dynamic environment.
    Change and configuration management can be challenging in a virtual environment because it is so easy to provision and delete a VM, and VM sprawl is a reality for many organisations.
  • An increased compliance footprint.
    Virtualisation increases compliance requirements, with the PCI Security Standards Council having issued its first guidance on virtualisation security in June 2011 and others expected to follow.
  • The requirement to secure more layers.
    With virtualisation, there are additional infrastructure and management layers to protect, which are most important, as well as the hypervisor itself, which introduces some marginal risk, according to Forrester.

While Kaspersky's David Emm confirmed that the threat to the hypervisor remains theoretical, he said businesses cannot afford to overlook security of the VM, which is easy to do because it is not something physical. 

Allied to this, VMs are easily dragged and dropped into new environments, which may be less secure, said Forrester's Andrew Rose. 

"The security status of a VM that is off or dormant is also easy to overlook; the challenge is keeping track," he said.

Another common reason for failing to secure virtual environments, said Emm, is that information security professionals simply fail to see the risk emerging. Virtualisation, he said, creeps up on them gradually, and it may be a while before they wake up and realise something needs to be done.

How to implement virtual security measures

Forrester recommends that businesses should aim for virtual security that is at least on the same level as their security approach and look for opportunities to implement better security in the virtual environment.

To do this, Forrester recommends:

  • Applying a "zero trust" model of information security in which all network traffic is untrusted;
  • Implementing virtualisation-aware security systems instead of relying on traditional systems;
  • Implementing privileged identity management systems;
  • Incorporating vulnerability management into the virtual server environment.

Beardmore said organisations need to get up to speed on what types of security controls are available and what would be best for their particular situation.

But, because the main reasons for failing to secure virtual environments all relate back to a lack of knowledge, education around virtualisation should be a priority.

Kaspersky's Peter Beardmore said basic knowledge is simply not sufficient when the security of a business is at stake. 

Virtual security training

"The industry needs to wake up to this situation and invest in adequate security solutions alongside a comprehensive education programme," he said.

A number of training organisations offer virtualisation security courses, including The SANS Institute. VMware also offers courses on securing VMware technologies.

In addition to training, Forrester also recommends hiring information security professionals with strong virtualisation skills or experience working at managed service or cloud service providers with large virtualised datacentres. 

These practitioners will typically be familiar with multi-tenant environments and often have deep knowledge of securing multi-tenant workloads.

According to Steven Furnell, head of the Centre for Security, Communications & Network Research at Plymouth University, organisations cannot afford to ignore security in virtual environments any longer.

"The window of opportunity to be more proactive is now," he said.
