The odds of a virtual environment being inadequately protected are roughly fifty-fifty, as many organizations only partly implement a security solution.
By Jack Rosenberger
More than half of businesses using virtualized infrastructure have only "partially" implemented a security solution to protect their virtual servers, according to a new survey by Kaspersky Lab. This statistic—essentially, one in two virtual servers is vulnerable to cybercriminals, spies and assorted malcontents—is especially troubling given that businesses are increasingly storing valuable business information in their virtual environments.
The Kaspersky report, "Global IT Security Risks Survey 2014—Virtualization," is based on interviews with 3,900 respondents in 27 countries, with nearly 55 percent of the participants belonging to a mid-size, large or very large company. Virtualized environments comprise a core part of the mission-critical IT infrastructure for 52 percent of the respondents, with the virtual networks being used to store customer and financial data, intellectual property, and other critical business information.
While these businesses are increasingly housing important business applications and data in their virtual environments, they are also failing to adequately protect these assets, according to the report. In addition, most of the survey respondents who consider themselves to be IT security experts lack a clear understanding of the different security solutions for virtual environments.
The Kaspersky survey's worrisome findings include:
Unprotected Virtual Infrastructure
Of the businesses using virtualized infrastructure, 53 percent report only "partially implementing" a security solution to protect their virtual hardware, and just 32 percent report "fully implementing" a security solution.
Inadequate Security Knowledge
Only one-third of the survey respondents who consider themselves to be IT security experts said they have a "clear understanding" of agent-based AMS, agent-less AMS and light agent AMS virtual security solutions.
Network Performance Issues
Forty-six percent of the respondents believe that conventional physical security solutions offer adequate protection for virtual networks, but, as Kaspersky notes, this usage inflicts "a high cost in system performance, server consolidation and overall ROI."
The survey report's good news is that organizations are becoming more security conscious about virtualized environments, but, according to Kaspersky, "there is still work to be done around educating businesses, and even self-proclaimed IT security experts, about the differences in virtualization security solutions that exist today." However, as virtual environments continue to gain in popularity, their growing digital footprint will attract the unwelcome attention of cybercriminals.
For CIOs and IT managers, Kaspersky Lab offers three recommendations:
Measure Your Security Solution's Performance Cost
If you are using a physical security solution to protect your virtual environment, it could hamper your network's performance, especially if your deployment includes 50 or more virtual machines. Measure your network traffic and its performance.
Use the Appropriate Security Solution
To adequately protect your virtual environment, you will probably need a combination of virtual security products, and this will involve understanding the strengths and weaknesses of agent-based and agent-less virtual configurations.
Maintain a Small Target
Your virtual network is a target for cybercriminals, so keep it as small and controlled as possible. IT should monitor the network's virtual machines just like it does the physical ones, and shut down any virtual machines when they’re not in use. For instance, a "one-off" test virtual server that is unused but connected to the network is still a serious security risk.
Done right, virtualization offers many competitive advantages, such as lower IT equipment costs and increased business agility, but it also comes with new and difficult security issues. And, as the Kaspersky report reveals, there are important security concerns that CIOs need to address, starting with a lack of adequate knowledge about virtual security.
About the Author
Jack Rosenberger is the managing editor of CIO Insight. You can follow him on Twitter via @CIOInsight. His previous CIO Insight article is "Germany's Secret World Cup Weapon: Big Data."