Firms are failing to match their enthusiastic adoption of virtualisation with a change of approach to security. By applying physical measures to the technology, they're leaving gaps.
According to a new study, some 85 percent of UK organisations haven't updated security tools to deal with virtualisation, which has grown strongly since 2009 when virtual servers overtook physical machines for the first time.
But not all organisations seem aware of the dangers, with just under half acknowledging that virtualisation introduces new risks and needs specific security measures, the study by research firm Vanson Bourne for security specialist Trend Micro found.
"Often they will take their traditional security that they have for their physical environment and try and deploy that in their virtual one. As a result there's an impact on performance, because the traditional security is not designed for their virtual environment. It doesn't take into account how the virtual environment behaves and will leave security holes," Trend product manager James Walker said.
Walker said conventional security tools struggle when applied to virtual machines and also create management problems.
"[With the traditional approach] a piece of software was deployed on a physical machine. You knew where that machine was, you knew the applications running on it. It had its own processor and memory to cope with its scheduled scan, for example," he said.
"Now when you translate that into a virtual environment, where you would have multiple instances of virtual machines on the same physical server sharing memory and processor, when a scheduled scan comes on it can completely knock over the server and the applications running on it are no longer usable or accessible."
The study found that nine out of 10 organisations say they are struggling to maintain security and point to virtualisation as a contributor to the increased complexity of their IT infrastructure. Only 11 percent think their security is completely up to date.
Walker said the security-management issues relating to virtualisation centre on patching, policies and signatures.
"There are issues with what we call instant-on gaps where a new virtual machine is provisioned, or a machine has hibernated and hasn't got updated. When they are brought to life, they haven't got their most up-to-date signatures or policies and those are big potential issues," Walker said.
"The other problem is when you move virtual machines from one hypervisor to another, the security in the traditional sense can't follow. The management complexity once that starts to happen is very difficult."
Principal security risks
Trend technical director Michael Darlington agrees about where the principal security risks with virtualisation lie.
"The biggest gap is the instant-on. So suddenly I've got an end-of-quarter or end-of-year report that runs that spins up a server. That server hasn't been on for a while. Suddenly in a traditional environment you'd send all those Microsoft patches that have been released, all those Java updates, whatever those updates were, to that machine so that it sits there for a day, an hour, 10 minutes — who knows? — while it is trying to do all its updates," Darlington said.
He said that the answer is to position the security technology at the hypervisor level so when the machine comes on there is no gap because the hypervisor has ensured anything that a virtual machine spins up on is patched to the right security levels.
The research among 100 organisations with more than 1,000 staff also found that 44 percent with a virtualised environment are already using infrastructure as a service or plan to do so.
Most — 61 percent — are paying for security as part of the service but half are also addressing security for these services with the same measures they use in the datacentre. About four out of 10 think infrastructure services have made managing IT security more complex.