
Are Virtual Servers Less Secure Than Physical Servers?


Mar 19, 2010

The rush to virtualization has yielded a major vulnerability. According to a study just released by Gartner, the majority of servers being virtualized are less secure than they were when they were separate, physical servers.

Virtualization has been used as part of a consolidation strategy to put a multitude of underutilized servers on one physical hardware unit. One modern server with lots of memory can house dozens or hundreds of virtual servers, thus saving floor space and electricity for power and cooling.

But as companies make the move, issues often crop up that weren’t anticipated. In its new report, Gartner found 60 percent of virtualized servers deployed between now and 2012 will be less secure than the physical ones they’ve replaced, thanks to bad practices by IT departments or a lack of proper tools to do the job.

“Most virtualized workloads are being deployed insecurely. The latter is a result of the immaturity of tools and processes and the limited training of staff, resellers and consultants,” said Neil MacDonald, vice president and Gartner fellow, in a statement.

Gartner based its findings on surveys taken at Gartner conferences in late 2009, some of which include shocking admissions by IT professionals. For example, about 40 percent of virtualization deployment projects did not involve the information security team in the initial architecture and planning stages.

Survey respondents said their operations teams argued that nothing really changed because it’s all the same hardware, workloads, and software. But Gartner noted that virtualizing workloads introduces a hypervisor and virtual machine monitor (VMM), which changes the basic operation of the server.

Gartner said the hypervisor is rather vulnerable to attack, and seems to hint that cybercriminals are already targeting the hypervisor, since it enjoys a privileged level of access to the system. The research firm advised IT that the hypervisor layer should be treated as the most critical part of the server platform even though many today pay it no mind at all.

It’s still early in the game as far as broad virtualization goes. Gartner estimates that at the end of 2009, only 18 percent of enterprise datacenter workloads that could be virtualized had been virtualized. That will grow to 50 percent by 2012, and by 2015, Gartner thinks the percentage of unsecured servers will fall to 30 percent, which is still a large figure.

The company said that security needs to be brought into the discussion of virtualization of workloads from the beginning. Gartner also recommends that at a minimum, organizations require the same type of monitoring for virtualized systems as physical systems. Administrative access to the hypervisor layer must be tightly controlled, given how important the hypervisor is.

The report, “Addressing the Most Common Security Risks in Data Center Virtualization Projects,” is available on the Gartner Web site for $95.

Andy Patrizio is a senior editor at InternetNews.com, the news service of Internet.com, the network for technology professionals.


Andy Patrizio has nearly two decades of experience as a technology journalist, covering everything from semiconductors to the business side of the industry, specializing in systems and datacenters, cloud computing and virtualization, HPC, and software development.
