Data security in virtualised environments is often neglected, with 48% of IT organisations reporting or suspecting unauthorised access to files on virtual servers, a survey has revealed.
The poll of more than 100 IT professionals by data governance firm Varonis also revealed that 70% of respondents had little or no auditing in place on virtual servers.
The results indicate that there is a limited awareness of security matters when it comes to virtualised servers, but at the same time 87% of respondents said their application servers were virtualised.
The main reasons for virtualisation were speedier deployment (76%) and disaster recovery (74%).
The survey revealed that one of the biggest areas of neglect across all companies is file security.
While almost 60% said they were very careful about setting permissions and controlling subsequent updates, 70% had implemented little or no auditing, including 20% of large enterprises.
“We suspect that for IT departments, virtualisation may be something of a black box,” said David Gibson, vice-president of strategy at Varonis.
More on security and virtualisation
- Seeking nirvana: virtualisation without security risk
- Virtualisation is often a missed security opportunity
- Post-implementation virtualisation security issues
- Virtualisation vulnerabilities and security threats
- Security Think Tank: Configuration is key to virtual security
- Security Think Tank: Virtual security more than just technology
- Security Think Tank: Security in virtual world requires special considerations
- Security Think Tank: Hypervisor is key to securing virtual servers
- Security Think Tank: Security in the virtual world still not 100%
“We have found that, after a workload is virtualised, the actual details of managing file permissions and monitoring access is considered to be automatically ‘taken care of’,” he said.
Gibson believes it is also possible that the teams managing virtualisation projects see file security and governance as outside their discipline.
“The security team may have no visibility of what is happening,” he said.
The survey results suggest that while virtualisation has been groundbreaking in allowing IT to isolate applications and services with a few clicks, it does not solve permissions management and access auditing, which might even make it even more complex, said Gibson.
Data protection, he said, requires the same, if not a greater level of vigilance in a virtual environment, given the complexities of managing multiple operating systems on a single computing box.
“For organisations to stay on top of their digital assets it is vital to further IT education in this area, both in terms of training staff in understanding virtual file systems, as well as in effectively using automation to uncover security holes, monitor activity and control permissions,” said Gibson.