Virtualization in its many forms can provide incredible benefits to businesses. Virtualization allows for more data to be handled (great news in this era of Big Data), fewer physical machines and thus less upkeep, and faster and more efficient processing methods allowing businesses to increase their scope and power. These benefits can have a huge impact on a business’s success, but these benefits often come at the price of increased security threats. The simple truth is that while many virtualized platforms claim to be secure, either the level of security built-in isn’t robust enough or the businesses using these virtualized solutions aren’t taking the necessary measures to ensure their data is secure.
Kaspersky lab released a report in August 2015 highlighting how under-prepared many businesses are when it comes to securing their virtualized data platforms. The report highlights three main issues leading to security’s lag behind virtualization. At least 62 percent of businesses are using some sort of virtualization, yet only 56 percent of these companies are actually prepared to handle the security threats that come along with virtualization. Additionally, only a little over half of companies believe they fully understand the risks associated with virtualization. The widespread use of virtualized infrastructures for central business operations also heightens the risk-versus-reward for businesses. CEO of Voodoo Security laments Dave Shackleford stated, “You’ve got organizations out there that are 90 percent virtualized, which means your whole data center is running in a box out of your storage environment. Nobody is thinking about it this way.”
All of these discrepancies between a business’s perception of virtualization security and the reality of it lead to an enormous cost increase if there is a security breach in a virtualized environment. Kaspersky found that the average cost of a security breach in a virtualized environment was around $800,000, roughly twice of what was found in non-virtualized environments. The doubling in cost should throw up lots of red flags for companies hopping on the virtualization train.
There are, however, ways to securely implement virtualization. Kaspersky offers three general methods for virtualization security: agent-based security where an agent is installed on all virtual machines, agentless security where a separate virtual machine protects all of the connected machines, a combination of the previous two methods called “light-agent” security. Other “baby steps” to improved security include breaking down and understanding your virtual infrastructure, looking at the way you view storage and data differently, always encrypting data and coordinating between security and infrastructure teams so that security is a priority from the onset.
Having a defined flow and understanding of your company’s specific virtualization platform is foundational to success when securing the virtualized environment. The shift in perspective on traditional versus virtualized infrastructure is again highlighted by the 42 percent of companies that falsely believe security threats in virtualized environments are lower than those in traditional environments. Encryption is a basic security principle that should always be implemented but often is not because of the false sense of security virtualized platforms can give off, and of course, communication between security and infrastructure teams early on can only help improve the situation. In short, a company first needs to be educated about the necessity of virtualization-specific security and how those needs differ from traditional security.