Some 335 senior business and IT decision makers in 15 countries (the U.S., Germany, the U.K., France, Italy, Denmark, Finland, Norway, Sweden, Belgium, Netherlands, Luxembourg, Portugal, Spain, and Switzerland) responded to the CA Technologies-commissioned virtualisation security survey, "Security - An Essential Prerequisite for Success in Virtualisation", conducted by KuppingerCole, a leading European-based analyst company for identity-focused information security.
Major concerns, including hypervisor privileges and 'data sprawl' (1), are not being sufficiently addressed by current virtualisation security technologies and policies.
Data sprawl, defined as the risk of data moving around virtualised IT systems without control and ending up in less secure environments, is considered to be the greatest threat. The study reveals that 81 percent of respondents consider the risk of data sprawl as 'very important' or 'important'. Data loss prevention (DLP) effectively mitigates the risks of data sprawl; however, only 38 percent of organisations have implemented DLP.
Likewise, 73 percent of organisations are concerned that the far-reaching privileges presented by hypervisors might lead to mistakes or abuse by privileged users. The hypervisor administration account has extensive access privileges with very few limitations or security controls. The hypervisor also introduces an extra layer into virtualised environments, creating new attack surfaces and opening the door to abuse by privileged users. However, according to the study, 49 percent of these organisations have implemented neither a privileged user management (PUM) solution nor a security log management solution.
Too many security activities, the survey also finds, remain dependent upon manual processes, performed without supporting technology, putting organisational security at risk.
Only 65 percent of respondents claimed to enforce a separation of duties for administrative tasks across virtual platforms, an essential prerequisite for compliance and security best practices. Interestingly, the survey reveals, more than 40 percent of these respondents do not use the critical software tools necessary to automate this enforcement: access certification, privileged user management, or log management. Only 42 percent of the respondents perform regular access certifications for privileged users or are able to adequately monitor and log privileged access.
"This demonstrates that the automation technologies available to mitigate the risks from privileged access in virtualised environments are not yet widely deployed," says Shirief Nosseir, EMEA Product Marketing Director, Security Management, CA Technologies. "If they were, IT organisations could control the risks arising from virtualisation security and ultimately better leverage the benefits of virtualisation."
Virtualisation trends: security management remains a major inhibitor to adoption
Interestingly, virtualisation isn't the standard foundation for IT production environments in most organisations yet. Only 34 percent of the companies surveyed have deployed server virtualisation for more than 50 percent of their systems. Other types of virtualisation have even fewer deployments. Storage, application and desktop virtualisation are used for more than 50 percent of the systems only in 16 percent, 10 percent and 8 percent of the organisations respectively. These figures demonstrate the gap between the hype around virtualisation and its real, phased implementation.
While the major driver for virtualisation is the improvement of IT operational efficiency, cited by 91 percent of respondents, security is a significant concern when it comes to the adoption of virtualisation. 39 percent of organisations believe that virtual environments are more difficult to secure than physical environments.
What is holding virtualisation security implementation back?
So why aren't more organisations implementing virtualisation security? The major reason is the lack of skills to implement it: 19 percent of organisations named this as a 'major inhibitor'.
However, when looking at the sum total of responses for 'major inhibitor' and 'inhibitor' to virtualisation security, the most significant factors are 'budget and upfront cost of implementation', according to 55 percent of respondents, as well as 'the complexity of managing security across virtual environments and platforms', cited by 53 percent. It is no surprise that budgets and upfront costs are barriers: security comes at a price, and unfortunately this is widely ignored when embarking on projects.
"There are two key aspects associated with complexity and virtualisation security," says Martin Kuppinger, Founder and Principal Analyst, KuppingerCole. "First, managing security in virtualised environments is more difficult because virtualisation leads to an increased number of instances, like the location of applications and data moving between different host systems and other aspects of data sprawl. Second, different platforms and environments provided by different vendors need to be managed and secured."
According to the survey, most organisations use at least two different virtualisation technology providers: VMware is deployed by 83 percent of respondents, Citrix by 52 percent, and Microsoft (mainly Hyper-V) by 41 percent, for example. In addition, 84 percent of respondents state they prefer integrated solutions to seamlessly secure both virtual and physical environments. However, only 56 percent of the organisations surveyed have implemented or are in the process of implementing the same security solutions for virtual and physical environments.
"This underscores the importance of using strategies and tools that flexibly support heterogeneous platforms and allow the unified management of virtual and physical systems," adds Nosseir. "The alternative is a fragmented, siloed infrastructure which is more expensive to manage (owing to the lack of centralised management), is inefficient (due to the lack of automation), and has an inadequate security posture (because of a lack of consistent policies between platforms)."
The survey also reveals that most organisations are unaware of the importance of integrating security management with infrastructure and service management to reach the automation levels needed in virtual environments. Although 39 percent of respondents believe that more automation is required to secure virtual environments compared to physical environments, integration between security management and infrastructure and service management is viewed as the least important challenge related to virtualisation security (only 66 percent of respondents believe it is 'very important' or 'important').
Even worse is the reported state of integration between virtualisation, security, and service management. Half of the organisations in the survey have implemented or are implementing integration between change and configuration management and IT security management. However, the implementation rate of the other main elements in the three key areas (i.e. 'integration of virtualisation security with incident and problem management', 'applying service levels to virtualisation security management', and 'managing performance of security services') is consistently below 50 percent. "Such integration is a major challenge for agile IT infrastructures and should be one of the key decision criteria when choosing vendors in both IT management and security management market segments," Kuppinger comments.
Security concerns put brake on move to private cloud
The study also asked about the plans organisations have for private cloud as an evolution of their virtual environment. When asked for the major inhibitors to quickly move towards a private cloud strategy, the strongest factors were 'cloud privacy and compliance issues' and 'cloud security issues', both cited by almost 85 percent of respondents.
While 38 percent expect to eliminate the security issues by the end of 2011, only 30 percent believe this will become true for the privacy and compliance issues, meaning that users think privacy and regulatory compliance might delay the evolution of IT towards cloud principles. On a more positive note, the research demonstrates organisational awareness that security - in particular identity and access management (IAM) and governance, risk and compliance - is a prerequisite for a successful cloud computing strategy.
"Despite the rapid growth in server virtualisation, many organisations still have quite a way to go before they reach the level of maturity and automation required to reap the true benefits of virtualisation," Nosseir concludes. "This survey highlights the need for a unified approach to address the current IT and security management silos and to help simplify the complexity of virtual environments. Without this integration, organisations will struggle to automate their processes and reap the real rewards of virtualisation. Moreover, this integration becomes essential when transitioning to cloud-enabled data centres as the focus shifts more on delivering and consuming IT and security services."
"This survey provides demonstrable proof that security is a key success factor to virtualisation," Kuppinger concludes. "Organisations transitioning to a virtualised or cloud IT model need to invest in a security strategy, in organisation and skills, and in technology. They need to turn to vendors which offer seamless integration between security and service management plus tools which better support both heterogeneous virtualised and physical environments."
About the Study
The research for "Security - An Essential Prerequisite for Success in Virtualisation" was conducted during September/October 2010 with IT Directors, Senior IT Security Managers, and other IT Managers in 15 countries. Respondents were represented from the following vertical markets: Financial Services and Insurance, Telecoms and Media, Public Sector, Manufacturing, Pharmaceuticals, Utilities, and others.
(1) The risk of data moving around without control and ending up in less secure environments.
About CA Technologies
CA Technologies (NASDAQ: CA) is an IT management software and solutions company with expertise across all IT environments - from mainframe and distributed, to virtual and cloud. CA Technologies manages and secures IT environments and enables customers to deliver more flexible IT services. CA Technologies' innovative products and services provide the insight and control essential for IT organisations to power business agility. The majority of the Global Fortune 500 relies on CA Technologies to manage evolving IT ecosystems. For additional information, visit CA Technologies at www.ca.com.