Virtualization Security Survey: Security – an essential prerequisite for successful virtualization

During September and October 2010 KuppingerCole conducted an independent survey of the status and plans for Virtualization Security amongst organizations. This survey shows that security is a key success factor to virtualization. Organizations transitioning to a virtualized or cloud IT model need to invest in a security strategy, in organization and skills, and in technology. Vendors need to provide better integration between security and service management plus security tools to better support heterogeneous virtualized and physical environment.

 

Highlights of the results are:

• The major driver of virtualization is the improvement of IT operational efficiency. The least important drivers are preparation for Cloud IT closely followed by meeting Green IT targets.
• The major inhibitor for implementing virtualization security is the lack of expertise and skills to plan and implement it. Around a quarter of organizations believe that virtual environments in general are less secure than physical environments.
• The most important security challenge and concern is around “data sprawl”. This issue is closely followed by concerns relating to the fulfilment of both regulatory compliance and internal audit requirements in a virtualized or cloud environment.
• One key issue highlighted by the survey is that nearly three quarters of respondents are concerned about the far-reaching privileges introduced by hypervisors which might lead to abuse. Technologies available today to mitigate the risks posed by privileged access in virtualized environments yet these are not widely deployed.
• There is a lack of integration between virtualization, security, and service management less than half organizations report integration in this area.
• Too many security activities are still dependent upon manual processes, performed without supporting technology and the scale of virtualization makes this approach untenable.
• By not investing in virtualization security when there are well identified security threats organizations are taking unnecessary risks which could easily be mitigated.

The survey allowed participants to add comments and free text. Some of these comments have been added as quotes to the report.