It seems that those IT managers who said that virtualised servers were more insecure than physical ones may have had a point after all.
According to a new report from Gartner, 60 percent of virtualised servers will be less secure than the physical ones they've replaced, thanks to bad practices by IT departments. The report, Addressing the Most Common Security Risks in Data Center Virtualization Projects, points out some of the pitfalls involved in moving to a virtualised environment.
It's not that virtualised servers are inherently less secure, said Neil MacDonald, vice president and Gartner fellow, but "most virtualised workloads are being deployed insecurely. The latter is a result of the immaturity of tools and processes and the limited training of staff, resellers and consultants."
In 40 percent of the cases, virtualisation projects were rolled out without any reference to an organisation's security team, said Gartner. The company said that while the underlying physical structure hadn't changed, there was an additional risk through the use of hypervisor software . According to Gartner, enterprises are failing to acknowledge that additional risk and should look to extend their security processes.
Gartner has identified other areas where a virtualisation project could pose a security risk for an organisation, including lack of control over administrative privileges when moving to a virtual machine and the separation of workloads with different trust levels.
One of the biggest dangers is to the hypervisor layer itself, which Gartner describes as particularly vulnerable to attack, suggesting that cyber-criminals are already targeting this, on account of the privileged level that the hypervisor holds in the stack. According to Gartner, this layer should be treated as the most critical part of the server platform, keeping it as thin as possible and preventing all unauthorised changes to the hypervisor.