Network World reporting on news from Gartner:
Sixty percent of virtual servers are less secure than the physical servers they replace, the analyst firm Gartner said in new research Monday.
This state of affairs will remain true until 2012, but security should improve substantially after that point, Gartner said.
Gartner predicted that by 2015, only 30% of virtualized servers will be less secure than the physical machines they replaced.
The basis of the issue is the new layer of virtualizing middleware that is emerging to help such virtual systems operate easily. These are new pieces of software, largely untested, and 40% are developed by people who know little about high-end system security.
There are 5 other main risks identified (see the press release here):
- A Compromise of the Virtualization Layer Could Result in the Compromise of All Hosted Workloads
- The Lack of Visibility and Controls on Internal Virtual Networks Created for VM-to-VM
- Workloads of Different Trust Levels Are Consolidated Onto a Single Physical Server Without Sufficient Separation
- Adequate Controls on Administrative Access to the Hypervisor/VMM Layer and to Administrative Tools Are Lacking
- There Is a Potential Loss of Separation of Duties for Network and Security Controls
Quite why it's going to get amazingly better in 5 years is not made clear in the press release; I would have thought there is at least 5 years of FUD and Greed in there. The report is sitting behind a $95 paywall - so here's a free opinion:
There will be a load of cowboys entering the game in the next 3 years, by 2015 there will have been some major security f*ckups, and by 2015 many customers will have been spooked - and the big players who do this stuff in their sleep (they are called Telcos and Web 1.0 Hosters) will enter the game and just integrate it all as part of their infrastructure.