Monday, November 29, 2010

Accodring to eWeek: "Security Lacking in Most Virtualized IT Environments"

The following is from eWeek
(http://www.eweek.com/c/a/Virtualization/Security-Lacking-in-Most-Virtualized-IT-Environments-Survey-Says-408929/)
and I quote


".... Hypervisor privileges pose other concerns. The administrator
accounts on hypervisors generally have extensive access privileges
with very few limitations and security controls. The study found that
73 percent of surveyed organizations are concerned about the
privileges granted to hypervisors and the potential for abuse by users
with administrative control. However, 49 percent of those concerned
companies have not implemented any privileged user management or
security log management systems to mitigate the risk, the survey
found.

Even though the majority of the business and IT leaders said
virtualization would help improve IT operational efficiency, security
remains a concern, with 39 percent saying virtual environments are
more difficult to secure than physical environments.

Almost 85 percent of the organizations said "cloud privacy and
compliance issues" and "cloud security issues" inhibit plans to move
from virtual environments to a private cloud, the report said.

About a fifth of the companies in the survey said their IT staff does
not have the skills or funds to implement security in a virtual
environment, researchers found. About half, or 55 percent, of those
organizations cited budgetary restraints and the "upfront cost" of
implementation, and 53 percent named the "complexity of managing
security across virtual environments and platforms."

While over 84 percent of the surveyed managers prefer integrated
products that seamlessly secure physical and virtual environments,
just over half, or 56 percent, actually have implemented, or are in
the process of implementing, such systems, the researchers found.

While automation is considered important to secure virtual
environments, integrating security management with infrastructure
management or with incident and problem management do not appear
highly important for most respondents, according to the report.

Organizations will "struggle to automate their processes and reap the
real rewards of virtualization," said Nosseir.

Despite all the interest around virtualization, it is not yet the
standard for production environments. Only 34 percent of the
participating companies have deployed server virtualization for more
than 50 percent of their systems, the researchers found. The companies
have rolled out even less for other types of virtualization, such as
storage, application and desktop, the researchers said. For example,
only 8 percent of the organizations in the report has desktop
virtualization for more than 50 percent of the enterprise, according
to the report.

"Despite the rapid growth in server virtualization, many organizations
still have quite a way to go before they reach the level of maturity
and automation required to reap the true benefits of virtualization,"
said Nosseir.

Only 65 percent of the business managers enforced a separation of
duties for administrative tasks across virtual platforms, the report
said. More than 40 percent of the surveyed executives claimed to not
use automation tools for access certification, privileged user
management or log management, according to the study. In fact, only 42
percent perform

regular access certifications for privileged users or are able to
adequately monitor and log privileged access, researchers found.

Automation technologies that can mitigate risks from privileged access
in virtualized environments are "not yet widely deployed," said
Nosseir.

The virtualization security report, "Security—An Essential
Prerequisite for Success in Virtualization," surveyed 335 senior
business and IT executives in Europe and the United States, CA said.
The countries included Belgium, Denmark, Finland, France, Germany,
Italy, Luxemburg, Netherlands, Norway, Portugal, Spain, Sweden,
Switzerland, the United Kingdom and the United States.

Most organizations have at least two different virtualization
technologies in their environment. VMware remains the most prevalent,
deployed by 83 percent of the respondents, followed by Citrix at 52
percent. About 41 percent run Microsoft's hypervisors, namely Hyper-V,
according to the report."

I personally recommend NIST publication on <<Guide to Security for
Full Virtualization Technologies>> (Draft).

No comments:

Post a Comment