The difficulty of integrating virtualised servers with the software necessary to secure them is creating unmanageable complexity that risks undermining the needs of both, a Trend Micro snapshot of European IT manager opinions has found.
The questioning of 100 IT decision makers in the UK, France and Benelux uncovered a range of problems that tend not to be mentioned by the fans of simple server provisioning, often cited as one big plus of virtualised environments.
Over half were deploying the same security tools in virtual environments they had used for physical servers, with 45 percent believing they were not well informed about the security products specific to virtualisation. Almost nine in ten across all countries considered that the security demands of virtualisation represented a “struggle”.
The explanation for this ranged from the usual moan about a lack of resources to ignorance of the specific security threats, but probably the biggest of all was simply a lack of familiarity and knowledge. A fifth of those asked believed that security professionals lacked the skills needed to secure virtualised architectures.
Eighty-five percent agreed that virtualisation had contributed to growing security complexity.
“When searching for a security solution for virtual environments, cost and ease of deployment regularly take precedence over effectiveness at detecting and stopping threats,” the researchers noted.
Who looks after virtual servers, and are these the same people who secure them? Given that a quarter hosted theirs in data centres while about a third located them both on-premises and offsite, it is not surprising that there was sometimes confusion about who was responsible for security.
“Given that third party hosting of virtual machines isn’t exactly a new concept, it’s surprising that organisations are still unsure over where responsibility lies for security management,” said Trend Micro’s technical director, Michael Darlington. “We need to look at introducing industry-wide guidelines to provide businesses with clarity here, ensuring that they are working with data centre managers to protect their virtual assets in the best possible way.”
Trend Micro’s advice is that organisations invest in dedicated security products built to secure virtualised environments, which of course dovetails neatly with its own interests in selling such systems.
“In a dynamic virtual network, security should be built in from the outset instead of being treated as a bolt-on. IT transformation is at its most impactful when security and virtualisation experts work together to create a solution that reduces cost and improves productivity whilst managing risk,” said Darlington.
Organisations should also invest in their staff and not simply assume the necessary skills will be picked up over the course of time. Having a single security model applied across all resources also helped with this.
Organisations have started waking up to the fact that virtualised environments come with their own set of vulnerabilities that need tending to. This includes mundane ones such as software flaws; to pick only one recent example, last week VMware warned of issues in its ESX and ESXi hypervisors and in vCenter Server Appliance and vSphere Update Manager.