- David Gibson, Vice President of Marketing, Varonis, says:
In recent research conducted by Varonis, we found that data security in virtualized environments is often neglected by IT organizations, with 48% either reporting or suspecting unauthorized access to files on virtualized servers. The study suggests that there is a limited awareness of security matters when it comes to virtualized servers, with 70% of respondents having little or no auditing in place on virtual servers.
According to Gartner, there are more than 50 million installed virtual machines (VMs) on servers. In line with this, application servers were virtualized by almost all respondents (87%), mainly due to speedier deployment (76%) and disaster recovery (74%).
On the other hand, those who do not virtualize cite disk storage (37%), performance (30%) and a lack of advantages (20%) as the three main reasons for not doing so.
Across different company sizes, one area that appears to be neglected by organizations is file security. While almost 60% said they were very careful about setting permissions and controlling subsequent updates, a revealing 70%, regardless of company size, had implemented little or no auditing – even at the high end of the enterprise space. In fact, 20% of enterprises with more than 5,000 employees admitted to having no file logging capabilities in place.
The lack of sufficient security is further highlighted by 48% either reporting or suspecting unauthorized access to files on their virtualized servers – putting sensitive company information at risk of being misused, lost or stolen. Surprisingly, even for those who do audit all activity, a significant 68% believe there is still unauthorized access.
We suspect that for IT departments, virtualization may be something of a black box. We have found that, after a workload is virtualized, the actual details of managing file permissions and monitoring access are considered to be automatically ‘taken care of.’ It is also quite possible that the teams managing virtualization projects see file security and governance as outside their discipline. The security team may have no visibility of what is happening.
The results suggest that, while virtualization has been groundbreaking in allowing IT to isolate applications and services with a few clicks, it doesn’t solve permissions management and access auditing – in fact it might make it even more complex.
Data protection, obviously, requires the same level of vigilance in a virtual environment – and perhaps even more so given the complexities of managing multiple operating systems on a single computing box. For organizations to stay on top of their digital assets it is vital to further IT education in this area, both in terms of training staff in understanding virtual file systems, as well as in effectively using automation to uncover security holes, monitor activity, and control permissions.
To download the full virtualization research report, visit http://hub.varonis.com/virtualization-report