Enthusiasm for virtualisation creates security problems
"Organisations that rush into server virtualisation are storing up trouble for themselves, security experts have warned. They say that many implementations have been done with little or no consideration for the added virtualisation security risks.
"Most people don't realise the security issues, and those that do understand are quite happy to accept the platitudes from the suppliers that virtualisation is secure," said Ian Kilpatrick, chairman of Wick Hill Group Ltd., a distributor focusing on the security market.
Kilpatrick said that running multiple virtual machines (VMs) within a single server is inherently harder to control and requires higher levels of security. But in his experience, companies are relying on the same weak controls they used before the introduction of virtualisation.
"Communicating from one physical server to another can be easily controlled, but in a virtual environment, it is more complex. If I get in as a guest on a virtual machine, then it is much easier to get to others. If I can breach one VM, then I can breach many," he said.
Stronger authentication of users will limit that risk, but as Kilpatrick said, "90% of the world is not using any form of two-factor authentication. Anyone working in a virtual environment without two-factor authentication is a lunatic. If I can get on to the hypervisor and get administrator rights to the whole thing, I have the keys to the farm."
He added that security fears have been ignored because virtualisation is so attractive in most other respects. In a time of economic belt-tightening, the technology allows companies to make better use of resources, reduce the number of actual servers they run, cut infrastructure costs and also reduce their energy bills."