New research defines virtualization security and offers advice on how to simplify the process
BOULDER, Colo., Sept. 11, 2008 – Enterprise Management Associates (EMA), a leading IT management research and consulting firm, today released new research and recommended practices for secure virtualization in its report, “Virtualization Security: The Early Stages of a New Battleground.” EMA security and risk management analyst Mike Montecillo and research director Scott Crawford co-wrote the study to help provide a better understanding of the emerging virtualization security market while outlining best practices that IT security and operations teams can follow to successfully deploy practical and effective secure virtualization.
In this new report, EMA focuses primarily on how organizations can assure secure virtualization by identifying potential virtualization threats and vulnerabilities, and implementing techniques for securing the virtual environment.
“Virtualization is at the forefront of many security professionals’ minds. Unfortunately, it has become very difficult to create a strategy that addresses the real security issues without being drawn in by the hype,” said Montecillo. “This report is designed to help organizations understand the high-level issues and create a simplified approach to securing virtualization.”
EMA defines virtualization security in terms of the relationship between virtualization and security, including:
- Virtualized security – security solutions that are themselves virtualized, which can benefit virtualized as well as non-virtualized environments
- Secure virtualization – safeguarding primary virtualization functionality against security risks, which may leverage both virtualized and non-virtualized security techniques
- Security through virtualization – the security benefits of this emerging and disruptive technology
Given the relative youth of virtualized security, this report primarily targets the issues IT professionals face in securing virtualization and highlights its security benefits. Although the field of virtualization security is very young, there is already concern that organizations are at risk of overlooking the opportunity to create a safe environment in the early stages of deployment. EMA has identified a number of potential threats against virtualization security that include VM escapes, solution-specific threats and traditional attacks. These threats, combined with vulnerabilities in virtualization, are cause for alarm. In fact, Enterprise Management Associates’ 2008 survey on virtualization found that although many organizations extend existing security-enhancing measures to the virtualized environment, the numbers decreased when the techniques became more specific to virtualization. Nearly two-thirds of the respondents extend configuration and change controls to the virtualized environment. The lowest numbers in the survey, however, related to questions regarding specific controls to the hypervisor (an emerging virtualization platform that allows multiple operating systems to run on a host computer at the same time). Only 26 percent of respondents said they have security controls in place to prevent hypervisor threats. In addition, only 17 percent leverage measures to detect these types of threats.
“EMA research repeatedly demonstrates that a disciplined approach to IT management reduces risk while yielding business benefits across multiple interests – and nowhere is this more true than in virtualization. Security is no exception, and may in fact be one of the greatest beneficiaries of a disciplined approach to virtual systems management,” says Crawford.
Many of today’s gaps and potential security risks of virtualization are related directly to the maturity and effectiveness of management. In earlier EMA studies focused on the effectiveness of IT risk control, research indicates that the highest performers have four cardinal virtues in common: 1) They define IT risk management and compliance objectives; 2) They actually implement them; 3) They investigate the environment to monitor and assess their effectiveness; and 4) They enforce adherence to requirements – through education and positive incentives, as well as through negative consequences for deviations.
EMA believes the key to any security strategy is to simplify the approach. This is especially true in the world of virtualization security, where hype and publicity have created an awareness based on a warning, rather than an actual real-world threat. By becoming aware of the environments in which virtual technologies operate and understanding the technology itself, enterprises can develop and properly implement an effective virtualization security strategy and attain the full benefits of virtualization.
To purchase a copy of the report, “Virtualization Security: The Early Stages of a New Battleground,” contact sales@enterprisemanagement.com or +1.303.543.9500.
About Enterprise Management Associates
Founded in 1996, Enterprise Management Associates (EMA) is a leading industry analyst and consulting firm dedicated to the IT management market. The firm provides IT vendors and enterprise IT professionals with objective insight into the real-world business value of long-established and emerging technologies, ranging from security, storage and IT Service Management (ITSM) to the Configuration Management Database (CMDB), virtualization and service-oriented architecture (SOA). Even with its rapid growth, EMA has never lost sight of the client, and continues to offer personalized support and convenient access to its analysts. For more information on the firm’s extensive library of IT management research, free online IT Management Solutions Center and IT consulting offerings, visit www.enterprisemanagement.com.