Companies rushing to deploy virtualisation technologies for could wind up overlooking many security issues and exposing themselves to risk, Gartner has warned.
"Virtualisation, as with any emerging technology, will be the target of new security threats," said Neil MacDonald, a vice president at Gartner, in a published statement.
Virtualisation software offers the ability to run multiple operating systems, or multiple sessions of a single operating system, on a single physical machine, whether server or desktop. But virtualisation software, such as hypervisors, present a layer that will be attacked and security strategies need to be put in place in advance, Gartner warns.
"Many organisations mistakenly assume that their approach for securing virtual machines will be the same as securing any OS and thus plan to apply their existing configuration guidelines, standards and tools," MacDonald said. While this is a start, a closer look at securing virtual machines is required, especially since needed tools may be "immature or non-existent," according to Gartner.
MacDonald will be presenting a detailed analysis of the security ramifications of virtualisation at the upcoming Gartner Symposium/ITxpo in San Francisco later this month.
Among the specific points about virtualisation and security which Gartner will address at the conference are:
- Loss of separation of duties for administrative tasks.
- Patching and signature updates and protection from tampering.
- Limited visibility into the host OS and virtual network to find vulnerabilities and correct configuration.
- Restricted views into "inter-VM traffic" for inspection by intrusion prevention systems.
- Mobile VMs and security policy.
- Immature and incomplete security and management tools.
Gartner speculates that the "rush to adopt virtualisation for server consolidation efforts" will result in many security issues being overlooked. That, in combination with the lack of available security tools for virtualisation, will mean "as a result, through 2009, 60 percent of production [virtual machines] will be less secure than their physical counterparts."