Gartner's statement about 60% of virtualized servers being less secure than physical servers
HyTrust, located in Mountain View, California, is a rapidly growing early-stage company that is focused on virtualization platform security and compliance.
I had the pleasure of interviewing Eric Chiu, president and founder of HyTrust (http://www.HyTrust.com), on this issue. I want to thank him for the time and effort he put into this. Eric has over 13 years of experience in high tech management and finance. Most recently, Eric was VP of Sales and Business Development for Cemaphore Systems, a leader in disaster recovery.
According to Gartner, through 2012, 60 percent of virtualized servers will be less secure than physical servers. Although Gartner expects this figure to fall to 30 percent by the end of 2015, analysts warned that many virtualization deployment projects are being undertaken without involving the information security team in the initial architecture and planning stages.
Response from Eric Chiu:
1. In relation to Gartner's statement about 60% of virtualized servers being less secure than the physical ones they replace through the end of this year (Gartner's statement), how secure do you think the latest hypervisor layer (VMware ESXi) is? According to VMware, this appears to be the most secure hypervisor they have built.
The statement from Gartner was focused more on the fact that 60% of virtualization deployments are architected without the security team involved. As it relates to ESXi, the threat surface area is smaller given that the service console has been eliminated -- this helps address hypervisor-level attacks which tend to be more theoretical in nature. However, the biggest real issues around security for virtual environments tend to center around access control, auditing and configuration management, which are not improved by ESXi.
2. According to Gartner, hackers have already begun targeting the virtualization layer. How real is this threat?
I believe this is a real threat. Breaches are becoming more common (87% of companies have been breached) and most of the serious breaches (56%) involve an insider threat. Combine this with datacenters becoming virtual and APTs getting more sophisticated, and you will see more major exploits specifically attacking the virtual infrastructure going forward.
3. In my opinion, an infrastructure is only as strong as its weakest employee. What's your perspective?
I agree, and this is highlighted in a recent article from the Wall Street Journal on the "enemy within". Given that the most serious breaches tend to involve insider threats, this is a major issue -- especially in virtualization since the admin has access to all virtualized resources.
4. Will moving to the cloud solve all your problems?
With the cloud, you are merely shifting the responsibility but not solving the problem. To solve the problem, companies need to make sure that they have the appropriate security and compliance controls to address their regulatory compliance requirements as well as corporate governance requirements. Companies that are looking to move to the cloud have to make sure that the service provider can meet these needs as well.
Virtualization is currently the number 1 priority among CIOs, and the biggest challenge area for enterprise today is to virtualize mission-critical and compliance applications. These mission-critical applications require additional security controls and visibility which aren't addressed by the virtualization platform; therefore, purpose-built solutions are needed. The payoff is big -- by addressing these issues, companies can virtualize the next 50% of their datacenters, realizing the great ROI that virtualization offers.