Gartner warns on virtualisation security lapses

Companies that rush to deploy virtualisation software risk undermining their IT security, Gartner warned today.

The analyst firm noted that virtualisation software that can simultaneously run multiple operating systems on one physical server or desktop, regardless of the specific underlying architecture, has significant potential benefits.

However, Gartner went on to warn that a virtualised privileged layer of software that becomes compromised places all consolidated workloads at risk.

"Virtualisation, as with any emerging technology, will be the target of new security threats," said Neil MacDonald, vice president and Gartner fellow.

"Many organisations mistakenly assume that their approach for securing virtual machines will be the same as securing any operating system, and thus plan to apply their existing configuration guidelines, standards and tools.

"While this is a start, simply applying the technologies and best practices for securing physical servers will not provide sufficient protection for virtual machines."

MacDonald added that, because of the rush to adopt virtualisation for server consolidation, many security issues are overlooked and best practices are not applied.

As a result, 60 per cent of production virtual machines will be less secure than their physical counterparts through to 2009, Gartner predicts.

Gartner advised that the process of securing virtual machines must start before they are deployed, and ideally before vendors and products are selected so that security and "securability" can be factored into the evaluation and selection process.

During this process, organisations must consider these security issues in virtualised environments.

"Organisations need to pressure security and virtualisation vendors to plug the major security gaps," said MacDonald.

"Existing virtualisation solutions address some of the gaps, but not all. It will take several years for the tools and vendors to evolve, and for organisations to mature their processes and staff skills.

"Knowledge of the security risks, and the costs to address them, must be factored into the cost-benefit discussion of virtualisation.

"If these added costs are avoided, the risk of not making the necessary security investments must be accepted by the decision maker in the move to virtualisation."