The vast majority of companies have little or no security in place for their virtual systems. That is a scary statistic revealed in a survey of attendees at the recent VMWorld 2008 conference in Las Vegas.
In general we are finding in talks with customers that at least 99 percent of them plan to add VMs now or in the near future," said Neil Butchart, MD at Shavlik EMEA. "It makes so much sense to deploy them, and now we see data centres full of VMs."
Despite this, Shavlik is concerned that for the majority of companies, security for VM is falling by the wayside.
The survey found that more than 80 percent of IT managers rated securing their virtual machines as "very important to critical", yet only 35 percent of those surveyed actually have security in place for virtual systems.
The survey also asked conference delegates if their IT infrastructure was subject to industry or government audits (PCI, BASEL II, SOX) and if the audits included their virtual machines. About 61 percent responded that they were. Respondents were asked to rate the importance of centralising patch management for virtual and physical systems, and 99.2 percent rated this as "important to critical."
When asked how they were responding to the requirement to secure virtual environments, 32.4 percent said that they had no security scheme in place while 37.8 percent were currently evaluating solutions for virtual security.
Only 34.9 percent were using an existing security/compliance package.
"We deal with a lot of companies every day in EMEA, that seem to have forgot that the same security risks apply for virtual hosting as with physical machines," said Butchart told Techworld. "Virtual machines are still connected physically to the network, and so long as you have any connection, then you have a possible compromise or risk."
Respondents were also asked to rate the importance of centralising configuration management for virtual and physical systems, and 98.9 percent rated this category as "important to critical."
"There is no different between physical and virtual machines, it is the same risk and the same problem," Butchart insisted. He feels a lack of education among professionals is mostly to blame for overlooking virtual security, especially considering the skill shortage for virtual environments at the moment.
It will perhaps come as no surprise then that Shavlik sells its own security offering for virtual machines. Indeed, a version of Shavlik's NetChk Protect product is used by VMware itself.
"They are using our own technology for their ESX Server Update Manager," said Butchart. He pointed out that NetChk Protect 6.5 now includes the ability to scan and patch offline VMs as well. By the end of the year, it will include anti virus scanning.
According to Butchart, an end user price for NetChk Protect is typically £70 ($125), between one and 100 servers, after which "pricing breaks" apply.