
Gartner Says Organizations That Rush to Adopt Virtualization Can Weaken Security

Future of Virtualization Security to be Examined at Gartner Symposium/ITxpo 2007: Emerging Trends Taking Place April 22-26 in San Francisco

STAMFORD, Conn., April 3, 2007 — Virtualization offers organizations the opportunity to reduce costs and increase agility; however, if this is done without implementing best practices for security, virtualization may actually increase costs and reduce agility, according to Gartner, Inc.

Virtualization software allows users to simultaneously run multiple operating systems (OS), or multiple sessions of a single OS, on a single, physical machine — server or desktop. Regardless of the specific architecture, virtualization uses a privileged layer of software that, if compromised, places all consolidated workloads at risk.

“Virtualization, as with any emerging technology, will be the target of new security threats,” said Neil MacDonald, vice president and Gartner Fellow. “Many organizations mistakenly assume that their approach for securing virtual machines (VMs) will be the same as securing any OS and thus plan to apply their existing configuration guidelines, standards and tools. While this is a start, simply applying the technologies and best practices for securing physical servers won’t provide sufficient protections for VMs.”

Because of the rush to adopt virtualization for server consolidation efforts, many security issues are overlooked, best practices aren’t applied, or in some cases, the tools and technologies for addressing some of the security issues with virtualization are immature or nonexistent. As a result, through 2009, 60 percent of production VMs will be less secure than their physical counterparts.

Gartner analysts said the process of securing VMs must start before the VMs are deployed, and ideally, before vendors and products are selected, so that security and securability can be factored into the evaluation and selection process. During this process, organizations must consider these security issues in virtualized environments:

  • Virtualization software, such as hypervisors, represents a new layer of privileged software that will be attacked and must be protected.
  • The loss of separation of duties for administrative tasks, which can lead to a breakdown of defense in depth.
  • Patching, signature updates, and protection from tampering for offline VM and VM "appliance" images.
  • Patching and secure configuration management of VM appliances where the underlying OS and configuration are not accessible.
  • Limited visibility into the host OS and virtual network to find vulnerabilities and assess correct configuration.
  • Restricted view into inter-VM traffic for inspection by intrusion prevention systems (IPSs).
  • Mobile VMs will require security policy and settings to migrate with them.
  • Immature and incomplete security and management tools.

“Organizations need to pressure security and virtualization vendors to plug the major security gaps,” said Mr. MacDonald. “Existing virtualization solutions address some of the gaps, but not all. It will take several years for the tools and vendors to evolve, as well as organizations to mature their processes and staff skills. Knowledge of the security risks and the costs to address them must be factored into the cost-benefit discussion of virtualization. If these added costs are avoided, the risk of not making the necessary security investments must be accepted by the decision maker in the move to virtualization.”

Mr. MacDonald will provide more detailed analysis regarding the security of VMs and emerging virtualized security technologies in a presentation titled “Securing Virtualization, Virtualizing Security,” during Gartner Symposium/ITxpo 2007: Emerging Trends, which is being held April 22-26 in San Francisco. A total of 125 Gartner analysts, hundreds of solutions providers and thousands of attendees will meet in San Francisco to discuss and debate the impact of breakthrough technologies on all businesses. This year’s sessions will be based on eight "megatrends" that include: Commoditizing the Tech Sector, Globalizing of Supply and Demand, Virtualizing the Enterprise Platform, Freeing Communications, Socializing Technology, Revolutionizing Industries, Inspiring Innovation, and Transforming IS Management.

For more information, please visit www.gartner.com/us/symposiumwest.com. Members of the media can register by contacting GartnerEvents@text100.com.

 



Contact:


Christy Pettey
Gartner
+1 408 468 8312
christy.pettey@gartner.com


About Gartner:
Gartner, Inc. (NYSE: IT) is the world's leading information technology research and advisory company. Gartner delivers the technology-related insight necessary for its clients to make the right decisions, every day. From CIOs and senior IT leaders in corporations and government agencies, to business leaders in high-tech and telecom enterprises and professional services firms, to technology investors, Gartner is the indispensable partner to 60,000 clients in 10,000 distinct organizations. Through the resources of Gartner Research, Gartner Consulting and Gartner Events, Gartner works with every client to research, analyze and interpret the business of IT within the context of their individual role. Founded in 1979, Gartner is headquartered in Stamford, Connecticut, U.S.A., and has 4,000 associates, including 1,200 research analysts and consultants in 80 countries. For more information, visit www.gartner.com.