How secure is virtualisation? We meet the experts

Every business, from small local companies to global corporations, wants high performance and low cost when it comes to its IT operations. So when the use of virtualised environments became substantially cheaper around the mid-point of the last decade, organisations of every type and size jumped at the chance to unburden their physical servers and build virtualised networks to support the running of their business. When Forrester Research recently surveyed a range of companies on the matter, 85 per cent had adopted, or were planning to adopt, virtual systems.

Affordable rolling-contract virtualisation suites assume the roles of expensive hardware devices in the workplace, saving space, maintenance and money, while making operating systems and storage networks simpler and more accessible. With its overall efficiency in both cost and performance so evident, security issues are readily overlooked - shunted to the backburner as businesses are seduced by the financial gain.

This was the primary concern among the band of security experts who spoke at an exclusive round-table event hosted by Kaspersky Lab last week, which ITProPortal was invited to attend.

The event came after a Kaspersky Lab study found that one third of companies around the world, with 100 or more IT workstations, admitted they only invested in security for physical environments, leaving their virtual systems unprotected and vulnerable to attack. 42 per cent of companies believed their virtual servers were more secure than physical ones, despite one-in-three admitting their knowledge of virtualisation was only 'basic'.

Leading the debate was Andrew Lintell, director for corporate sales at Kaspersky, who admitted that, “The security industry is playing catch up with virtualisation as a whole.”

“Customers tend to have a good grip of what they need, but not necessarily the risks associated with it,” Lintell argued. “Businesses are under a lot of pressure to find different ways of utilising different platforms to increase efficiency and reduce cost”, and thus the relevant security issues with virtualisation are merely “tagged on at the end” of the adoption process, he said.

Colleague David Emm, a senior researcher at the firm, concurred. “It’s that creeping nature of the security issues. It's like the tide when you don’t see it coming and suddenly it’s there.” Because businesses rarely adopt virtualisation wholesale, and only certain areas of IT are run on virtualised servers, Emm said “it doesn’t have the burning concern as an IT manager or at board level as it would if it was the entire enterprise, and before you know it, the tide comes in.”

He continued, “That’s a general trend; historically it’s not the first thing that’s in people’s minds. It's the same as when businesses first started using the Internet; they saw the convenience and the benefits of a new system, they didn’t necessarily realise the security dimension - which doesn’t become apparent until actual incidents happen.”

By which time, it is often too late. Just ask RBS. Senior analyst at Forrester, Andrew Rose, highlighted a similar case in point from February 2011, when pharmaceutical firm Shionogi had its virtualised system hacked by an ex-employee with disastrous consequences. The offender gained access to 15 ‘virtual hosts’, the equivalent of 88 computer servers, and deleted all the data he encountered, including the company finance records, email server and order tracking system. The hack froze business operations for a number of days and cost Shionogi $800,000 (£510,000). “It shows administration is another major thing to think of in virtualisation solutions”, said Rose.

But it’s not just large international firms like Shionogi whose virtualised systems are under threat. Risks abound regardless of a company’s size, and those further down the ladder are often in greater danger as they frequently don’t have the resources and manpower to maintain a safe virtualised environment effectively.

As Peter Beardmore, director of products and services at Kaspersky Lab, explained, “Big companies can have the virtualisation specialists, but mid and small businesses obviously can’t afford that and the knowledge with dealing with the security issues gets less and less as you go down the business scale.

“We did some research recently with businesses of all sizes based on their overall confidence with their virtual environment, and over 75 per cent of them were running ‘mission critical’ business applications on those virtual servers, yet nearly 50 per cent admitted they didn’t really have a handle on the whole [virtual] situation. That’s just from the virtualisation standpoint before you get to the security issues within that, so it’s going to become a bigger and bigger issue as the technology moves down the market.”

Mastery of one’s virtual system and its security implications is crucial, as Beardmore tellingly stated, “Virtual machines are just as susceptible to malware intended for physical machines.”

Yet from an implementation perspective, the nature of virtualisation means security needs to be looked at differently, compared with physical environments. “What’s inherent in virtualisation, unlike those other technologies,” Beardmore said, “is the convenience factor which makes it easy to forget to secure all those machines. It’s particularly dangerous with testing applications and that kind of thing, as those machines have a tendency to stay dormant for a very long period of time. Meanwhile, new vulnerabilities have been discovered - and this can prove a big problem in virtual environments.”

As Kaspersky Lab seeks to make its new ‘Kaspersky Security for Virtualisation’ the market leader in its arena, Beardmore explained the necessity to incorporate physical and virtual solutions into one, so users can mitigate the “whole separate workflow” brought by virtualisation and keep tabs on all threats across an IT network. “What we advocate at Kaspersky is getting it all on the same screen. Still discerning between what is virtual and what is not, but putting it on the same screen so you can apply policies to all of your devices and report it all together. Because ultimately it’s all your network, and the stuff should be working together.”

A discussion about security within a particular area of computing is always likely to be shaped by ominous forecasts and an emphasis on the dangers involved in said arena - not least when the panel comprises three members of a firm selling security software - but there was also a nod to the potential security benefits brought by virtualisation.

One example cited by Beardmore was the case of BYOD (Bring Your Own Device), a policy that is becoming increasingly popular in the office environment as companies make the most of the numerous employees who own a tablet and/or laptop. Beardmore said, “With BYOD, when you’ve got different devices coming in and out of the business and you want to implement some sort of control mechanism, virtual desktop for example is potentially a great way of doing that.”

So, we can say that if virtualised platforms are handled the right way, those cost and efficiency benefits that attracted so many in the first place can certainly be enjoyed.

But coming away from the discussion, the abiding feeling was that there needs to be much greater focus on the education and understanding of virtualisation than on the solutions you can buy. Time and again the experts’ arguments simply boiled down to the user’s grasp of virtual systems and the potential threats involved. The very appreciation that beneath all the business benefits lie important security issues is pivotal. These issues need to be taken into account just as when other IT systems were adopted for the first time, and if vendors and companies fail to get over the education barrier, then the same problems will persist.

Indeed, Beardmore says that “businesses really need to invest in understanding the concept of virtualisation. Basic knowledge is simply not sufficient when the security of your business is at stake. The industry needs to wake up to this situation and invest in adequate security solutions alongside a comprehensive education programme.”

In light of all the evidence presented at the round-table in London, and what is needed for both vendors and users to improve security in virtualisation, it is Beardmore’s last five words that resonate the strongest.