The Gartner report identified six major categories of risk:
- Information Security Isn't Initially Involved in the Virtualization Projects
- A Compromise of the Virtualization Layer Could Result in the Compromise of All Hosted Workloads
- The Lack of Visibility and Controls on Internal Virtual Networks Created for VM-to-VM Communications Blinds Existing Security Policy Enforcement Mechanisms
- Workloads of Different Trust Levels Are Consolidated Onto a Single Physical Server Without Sufficient Separation
- Adequate Controls on Administrative Access to the Hypervisor/VMM Layer and to Administrative Tools Are Lacking
- There Is a Potential Loss of Separation of Duties for Network and Security Controls
"Virtualization is not inherently insecure," said Neil MacDonald, vice president and Gartner fellow. "However, most virtualized workloads are being deployed insecurely. The latter is a result of the immaturity of tools and processes and the limited training of staff, resellers and consultants."
However, according to a BeyondTrust spokesman, "that hasn't stopped 90 percent of virtualized data centers from putting their most sensitive data on virtualized servers.
"Additionally, each virtual administrator has access to several-fold as much data as they would in a traditional environment.
"BeyondTrust is working with VMware and Oracle to get more of their customers to implement virtual-specific Privileged Identity Management (PIM) systems that monitor, report and control administrative actions in the hypervisor."
iTWire took the opportunity to discuss these issues with BeyondTrust, a new player in the market.