Security practices wanting in virtual machine world, survey finds

While organizations have been hot to virtualize their machine operations, that zeal hasn't been transferred to their adoption of good security practices, according to a survey released on Wednesday.

Nearly half (42 percent) of the 346 administrators participating in the security vendor BeyondTrust's survey said they don't use any security tools regularly as part of operating their virtual systems, and more than half (57 percent) acknowledged that they used existing image templates for producing new virtual images.

In addition, nearly two-thirds of the respondents (64 percent) revealed that their organizations do not have any controls in place that require a security sign-off before a new image or template is released.

Insecure practices when creating new virtual images are a systemic problem among administrators, said Michael Yaffe, BeyondTrust's senior director for product marketing. "As these guys are cloning images, we saw they could actually be perpetuating templates with vulnerabilities across the organization," he told CSO.

Unless security due diligence is done on those templates before they're duplicated, severe, critical flaws can be spread throughout an organization, he continued. "While VMware is a fantastic tool to help productivity, it can -- because of its scale and scope and people's ability to use it -- introduce significant security risks if you don't do your due diligence ahead of time."

Vulnerabilities spread by dirty templates can be in the guest operating systems on the virtual machine or in the virtual software itself, explained BeyondTrust's senior director for program management, Morey Haber.

In conjunction with its survey, BeyondTrust released a new plug-in for VMware vCenter that provides vulnerability information to virtual machine administrators in the existing VMware console. The tool adds a tab to the console that shows all the vulnerabilities and security risks of all running virtual machines.

[Also see: Crisis malware infects VMware virtual machines, researchers say]

"If an administrator clones a machine or rolls back a snapshot," Haber said, "the security risks that those machines represent are bubbled up to the administrator, and they can make decisions as to whether they should be powered on, off or left in state."

That's especially important if an organization must meet compliance rules like PCI and HIPAA. "When you deal with any of those regulatory initiatives, you shouldn't be bringing machines online that have vulnerabilities older than 30 days," Haber said.

"Our technology allows you to view that data in near-real time on those dashboards so you can make the proper assessments," he added.

While the findings in the survey are interesting, they're far from shocking, observed Simon Crosby, CTO and co-founder of Bromium, a maker of security software for virtual environments. "It's pretty clear that virtualization has ripped up operational practices and that security lags woefully behind the operational practice of managing the virtual infrastructure," he said in an interview.

Making matters worse is that traditional security tools don't work very well in virtual environments, he added.

In addition, he continued, system operators believe that somehow virtualization provides their environments with security not found in the world of physical machines. "Because their virtual machines are hidden in the data center, they believe that they're more secure," he said. "They certainly are not."

Those sentiments are fed by security vendors, he added. "What worries me a lot is that the language used by the security industry is absolutely bankrupt," he said. "Every single security vendor promises security, and they all lie."

"Every product sounds the same," he continued. "They all make you secure. And none of them deliver."
