Virtualisation security - Better late than never

I am excited to announce my latest research, The CISO's Guide To Virtualization Security. This is the first report in a new series focusing on securing virtual environments. The reduced costs and flexibility of virtualisation have led to...

Share

I am excited to announce my latest research, The CISO's Guide To Virtualization Security. This is the first report in a new series focusing on securing virtual environments. The reduced costs and flexibility of virtualisation have led to widespread adoption of the technology. Despite this adoption, security and risk professionals haven't given their virtual environments the attention that is required.  Our research interviews revealed several themes:

  • Business as usual is the status quo. IT departments rely upon traditional security solutions (end point and network security) to secure their virtual environments.  Depending on the network architecture, virtualisation can create blind spots in your network leaving you blind to intra-virtual-machine (VM) communication.
  • Many security pros aren't aware of the virtualisation aware solutions available on the market. One CISO we spoke with wasn't aware that his organisation's current antivirus vendor offered a virtualisation aware solution. This isn't necessarily surprising; many of the virtualisation aware security solutions are relatively new to the market.  Virtualisation aware solutions afford us the ability to have potentially greater visibility into workloads than we might have in our traditional physical environment.
  • Many security pros have a general discomfort with virtualisation. Security pros, especially CISOs and other security leaders who have risen up the technical ranks, aren't as confident in their virtualisation knowledge as they would like to be. This is particularly the case when we compare virtualisation with more mature security areas, such as network security.
  • As organisations virtualise more and more servers, the "low hanging fruit" servers have been virtualised and enterprises are now moving on to mission critical workloads. Virtualising these workloads brings up security and compliance concerns that can slow virtualisation adoption.

As organisations seek to increase virtual server utilisation and navigate a complex compliance landscape, it is critical that Security & Risk Professionals take a fresh look into the security of your virtual environments. If you haven't done this, now is the time. As Mark Twain said, "better late than never." You should strive for virtual security that is at least on par with your traditional security and look for opportunities to implement better security and visibility within your virtual environment.  In this report, we discuss the challenges and risks associated with virtual environments, and make recommendations on how to get into the virtualisation security game.

Please join me for a webcast discussing this report on Thursday, February 23 from 6.00pm - 7.00pm GMT.

In the future, we will be writing a detailed report on Zero Trust within virtual environments including guidance for virtual desktop deployments. If you have any questions or comments please let me know.

Posted by Rick Holland