Most UK businesses are failing to secure data in virtual environments, a Vanson Bourne survey of IT decision makers has revealed.
Around 85% of enterprises polled are leaving their IT infrastructure open to threats by using the same security technology for their physical and virtual environments.
This failure to adopt a new security mind-set for virtualised environments is leaving businesses open to risk, according to the research.
“The shift to virtualisation, superseding physical on-premises infrastructure, has created a new paradigm for IT departments and requires a new way of thinking,” Vanson Bourne stated in the report.
Some 93% of organisations said virtualisation had contributed to the complexity of IT infrastructure, while 92% said they are struggling to keep their systems secure.
With only 11% of organisations suggesting their security systems are completely up-to-date, the research report said it is not surprising that two thirds have experienced a security breach in the past five years.
Only 52% of these breaches were discovered by internal security monitoring tools, with just under half of the affected organisations being alerted by a systems outage, a third party or by accident.
“Virtualisation security is still being viewed as an afterthought as businesses ‘make do’ with the same security policies, process and tools they would use in a physical environment,” said Michael Darlington, Technical Director at security firm Trend Micro, which commissioned the survey.
“This approach is leaving organisations open to the risk of cyber-attack as they fail to realise that a new security mind-set is required,” he said.
A common security risk found only in virtual environments is the vulnerability of virtual machines (VMs) in the time between being activated and receiving the latest security signatures and policies.
“During the so-called ‘instant-on gap’ virtual machines are vulnerable to the latest attack methods until they are updated,” said James Walker, product manager at Trend Micro.
“Applying traditional defences will not deal with the instant-on gap, while at the same time they are likely to have a performance impact on VMs, preventing businesses achieving the improvements they expect through virtualisation,” he said.
Trend Micro has found that moving the security protections to the VM management or hypervisor level means that the performance of VMs is not impacted by security, and that security processes can be managed centrally, said Walker.
Through its six-year partnership with VMware, Trend Micro has also developed the capability to ensure VMs are fully updated each time they are reactivated.
The study found that while UK businesses recognise the importance of factoring security into their virtualisation roadmap, most are not acting on this belief.
Some 95% of organisations said that security is an integral part of moving to a virtualised environment, yet 59% admitted failing to consult security teams throughout virtualisation deployments.
“Security is often an afterthought because businesses allocate budget to infrastructure as a whole, not security, so that typically becomes a follow up project,” said James Edwards, European product manager at VMware.
“As much of the capabilities of virtual environments are new to the market, so are the ways of making these environments as secure as they can be,” he said.
The survey found that 44% of organisations with a virtualised environment either use or plan to use an Infrastructure-as-a-Service (IaaS) provider.
However, half address the security of these services by deploying the same controls as used in their data centre, and 39% of those using IaaS believe that its use has made managing IT security more complex.
“Virtualisation continues to be adopted at a rapid pace driven by the business desire for greater flexibility and lower cost, but IT teams are struggling to keep up as IT infrastructure becomes more complex,” said Darlington.
“However, it is important to note that virtualised environments can be as secure if not more secure than physical environments,” he said.
According to Darlington, by adopting a new mind-set and recognising the security posture needs to change in line with IT environments, UK businesses will be able to realise the benefits of virtualisation without compromising on security.
Best practices for securing virtual environments:
- Information security and datacentre teams must be involved in any virtualisation project to ensure both teams are working towards the common goal of a high-performing and secure virtual environment.
- Use security tools that are designed for virtual environments right from the start and do not rely on tools used to secure physical IT environments.
- Deploy specialised intrusion protection and prevention tools to help secure data in virtual environments.
- Have one security model across physical, virtual and cloud environments that can be managed from a single console.
- Make sure security follows the workload. When virtual machines move around the virtual environment, security controls must move with them.