More than 140 data center-savvy personnel in organizations ranging from small and midsize businesses (SMBs) to very large multinational firms were queried during the third quarter of 2010 on everything from their current security effectiveness (i.e., is their data center security keeping pace with the ever-increasing volume and sophistication of attacks) to their views on whether security concerns are slowing the adoption of private or public clouds. The “2011 Data Center Security Survey” is available for download here.
So, back to the finding about the types of tools securing physical and virtual worlds. When asked, about 70 percent said they use the same security mechanisms for physical and virtual systems. Only a little more than 20 percent disagreed with that sentiment (and the remaining few didn’t know one way or the other – yikes).
More than a year ago, Gartner Group issued research findings that estimated 60 percent of virtual servers – at that time – were less secure than the physical servers they were replacing (you can see an article on that here, in Network World). Gartner also predicted, at that time, that such insecurities would remain in place until 2012.
The reason is clear: security issues associated with virtualization, and virtualized workloads, are different.
As Gartner put it back then, although IT operations may think they already have the skills to secure the workloads, operating systems and hardware underneath (because you know, nothing really has changed there), the fact is that there is a new layer of software – the hypervisor and virtual machine monitor – that has to be taken into account. This new layer contains new vulnerabilities, Gartner explained. And if there’s a threat to the virtualization layer, it could harm all hosted workloads.
The research firm goes on to say that organizations should not rely on host-based security controls to detect a compromise or protect anything running below it. Gartner also pointed to additional risks in virtualized environments: Network-based security devices are blind to communications between virtual machines within a single host; workloads of different trust levels are consolidated onto single hosts without sufficient separation; virtualization technologies do not provide adequate control of administrative access to the hypervisor and virtual machine layer; and when physical servers are combined into a single machine, there is risk that system administrators and users could gain access to data they’re not allowed to see.
McAfee and GCG argue that few security suites are optimized for virtualized systems, and that much of the security software in the data center “has been modified to work on virtualized systems rather than designed (or re-designed) from the ground up with virtualization in mind.”
The survey authors say virtualization features such as partition mobility need special treatment. While our respondents didn’t cite this as a problem, we’d think that there must be some virtualization features (like partition mobility) that need special treatment from a security perspective.
In a release announcing the survey findings, McAfee VP of network security Greg Brown said, "The move to virtualized data center requires organizations to consider their approach to security early in the design cycle. Using network and system security solutions that are optimized for virtualized environments ensures continuity of data center operations, without interfering with performance. McAfee's solutions provide seamless security management across conventional and virtualized data center resources."
There have been quite a few reports and articles on the study’s findings that there’s a discrepancy between what management thinks about their data center security and what the data center pros know about their data center security. That’s interesting too, for sure, but (I hate to say it) not surprising. Security pros are well-versed in the challenges of upselling security to their bosses.
There are other interesting tidbits in the GCG and McAfee survey. To wit: Nearly half of the respondents reported that they are constantly finding new security holes; more than 40 percent of respondents feel that their organization's security pace isn't keeping up with threats; about 70 percent of respondents are skeptical of public cloud security; and 40 percent report that day-to-day security does not conform to the standards required by their official policies.