While more than 80 percent of respondents said their change management and compliance controls are no different between physical and virtual infrastructure, and 26 percent felt security controls for virtualised servers are actually more stringent, responses indicate that a "tug of war" may be underway over who is accountable for security and controls for virtual servers. Just half of those surveyed felt that ensuring security, change control, and compliance for virtual servers is the responsibility of system administrators and their management. On the other hand, 37 percent of those associated with the Security group claim responsibility for security controls.
Moreover, a serious issue awaits some organisations deploying virtual servers in production environments. The majority of respondents agree that security risks for virtual servers are the result of misconfiguration, not inherent weaknesses of virtualisation technology.
"If an increasingly overworked IT staff is more likely to make mistakes, and configuration errors are the cause of security exposures in virtual servers, then IT management must consider how they can mitigate this risk," said Mark Gaydos, Tripwire VP of Marketing. "As more of the production workload becomes virtualised and those managing virtual servers continue to be overwhelmed, it is apparent that automated configuration control must play a larger role to ensure appropriate server configuration and adequate security."
A majority (69 percent) of respondents agreed that dedicated configuration tools are needed to ensure proper configuration of virtualised servers, with two-thirds of these respondents noting they are in the process of evaluating or planning to acquire such tools over the next 12 months.
The Tripwire survey report, "Is Virtualisation Under Control: Current Opinions on Security and Controls for Virtual Servers in Production Environments", can be downloaded for free at www.tripwire.com/solutions/virtuali.... [August 22, 2008]