Security measures not keeping up with virtualization rush

Major virtualization security concerns of organizations include hypervisor privileges and data sprawl, according to a survey of 335 firms in the US and Europe conducted by KuppingerCole for CA Technologies.

According to the virtualization survey, 73% of organizations are concerned that the far-reaching privileges available to hypervisors could lead to information security mistakes or abuse. The hypervisor administration account in a virtualized system has extensive access privileges with few limitations or security controls, CA Technologies explained.

The hypervisor also introduces an extra layer into virtualized environments, creating new avenues of cyberattack. However, almost half of these organizations have not implemented sufficient hypervisor security measures, such as privileged user management or security log management.

Data sprawl, the risk of data moving around virtualized systems without adequate security controls, is also considered a grave threat. A full 81% of respondents considered the virtualization data sprawl risk “very important” or “important.” At the same time, only 38% of respondents had put in place measures, such as data loss prevention, to mitigate the risks of data sprawl in the virtualized environment, the survey found.

“This demonstrates that the automation technologies available to mitigate the risks from privileged access in virtualized environments are not yet widely deployed”, said Shirief Nosseir, EMEA product marketing director of security management at CA Technologies. “If they were, IT organizations could control the risks arising from virtualization security and ultimately better leverage the benefits of virtualization.”

Only 65% of respondents said they enforced a separation of duties for administrative tasks across virtual platforms, a prerequisite for compliance and security best practices, CA Technologies noted. The survey revealed that more than 40% of respondents did not use software tools to automate this enforcement: access certification, privileged user management, or log management. Only 42% of respondents performed regular access certifications for privileged users or were able to adequately monitor and log privileged access to virtualized systems, the survey found.

What’s hot on Infosecurity Magazine?