Dark cloud: Study finds security risks in virtualization

Government IT upgrade projects may soon have a new wrench thrown into the works. According to recent research from Gartner, 60 percent of virtual servers are less secure than the ones they replace.

The situation is slated to continue through the end of 2015, when the number of insecure virtual servers is expected to drop to 30 percent.

"Virtualization is not inherently insecure," said Neil MacDonald, Gartner fellow and vice president. "However, most virtualized workloads are being deployed insecurely. The latter is a result of the immaturity of tools and processes and the limited training of staff, resellers and consultants."

Numerous state, local and federal agencies have moved or are moving to virtual servers, including the state of California and the Energy Department. While Gartner estimated that only 18 percent of enterprise data center workloads had been virtualized at the end of 2009, that number is expected to grow to more than 50 percent by the close of 2012.

One of the major causes of this issue is a lack of involvement of the IT security team in the architecture and planning stages of development, Gartner said. About 40 percent of the surveyed organizations had not brought security professionals into the projects.

Another risk is that the virtualization layer could compromise all hosted workloads, with hackers already targeting this layer, Gartner said. Gartner recommends keeping the layer "as thin as possible, while hardening the configuration to unauthorized changes."

Organizations should not rely on host-based security controls, the report states.

Other risks include a lack of visibility and controls on internal virtual networks, because traffic between virtual machines on the same host never passes through network-based security devices such as network-based intrusion prevention systems. A related risk is the consolidation of workloads of different trust levels on the same physical server without adequate separation. There is also the potential for inadequate administrative access controls and administrative tools for the hypervisor/virtual machine manager layer. Finally, a potential loss of separation of duties for network and security controls could inadvertently allow users to gain access to data that exceeds their normal privilege levels.

To address these risks, Gartner recommended treating the virtual network as similar to a physical one, with the same kind of monitoring and separation of workloads and the same team handling both. Additionally, organizations should isolate virtual desktop workloads from the rest of the physical data center and restrict access to the virtualization layer.

About the Author

Kathleen Hickey is a freelance writer for GCN.