Editor’s Note: This news story is part of SearchSecurity.com's "Eye On" series that brings together various perspectives on security topics throughout the year from SearchSecurity and its sister sites. In the month of May the series examines virtualization security.
When customers began virtualizing their servers in record numbers, some solution providers expected sales of virtualization security products and services would grow apace. But industry observers say that hasn’t happened just yet.
Virtualization is widely implemented
Over the past couple of years, most end-user organizations have virtualized many of their servers and desktops. In its Global IT Budget, Priorities, and Emerging Technology Tracking Survey, published in June 2010, Forrester Research Inc. found 68% of organizations had already virtualized at least some of their servers, while 24% planned to implement virtualization on their servers by the end of 2011.
That, in turn, would seem to create a need for virtualization security. In a recent Gartner Inc. press release entitled Gartner Says 60 Percent of Virtualized Servers Will Be Less Secure Than the Physical Servers They Replace Through 2012, Gartner Vice President Neil MacDonald, stated: “Virtualization is not inherently insecure. However, most virtualized workloads are being deployed insecurely."
Virtual security projects are slow to materialize
To help customers plug the security gaps in virtualized environments, some security solution providers began forging relationships with vendors of security add-on products for virtualized servers and desktops. But the expected security projects for the virtualized systems have not materialized.
“It hasn’t really panned out because customers are still investing so much in the VM infrastructure,” said Josh Huston, founder and security advisor of Amesbury Mass.-based security solution provider Exultium Inc. “The first order of business [for enterprises] was getting the VM infrastructure operational, and worrying about security later.”
What we’re seeing now is phase one of virtualization security sales. Customers are assessing the virtual environment they’ve created and wondering what controls they can put in place for it.
Many customers who deployed virtualization are just now beginning to turn their sights to security concerns. They recognize that even the hypervisor itself can be attacked, which would cause chaos for all the virtual machines in one layer. To guard against this, customers need security tools specifically designed for virtual environments.
Huston, whose company primarily works with enterprise customers, cited firewall products, capable of inspecting traffic that travels between guest operating systems, as one area that customers are beginning to look at.
Even so, he doesn’t expect to see significant sales of these products until 2012 or 2013. “What we’re seeing now is phase one of virtualization security sales,” Huston said. “Customers are assessing the virtual environment they’ve created and wondering what controls they can put in place for it.”
Some security solution providers are waiting to acquire tools for performing security audits or assessments of virtual environments. “Right now customers are at the early stages of just being sensitive to the quality of the security in their virtualized environment,” said Harry Segal, president of Hudson Mass.-based Networks Unlimited Inc., a security consulting and integration firm that focuses on small and midsized business customers. “We haven’t seen high enough demand yet for virtual security products and services to put this on our priority list.”
Infrastructure providers likely to get initial security revenues
When more customers start hiring solution providers to ensure their virtual systems are secure, the question will be: Will that revenue go to the solution provider who installed the virtual infrastructure, or to a security-focused solution provider?
Jim Kelton, managing principal of Costa Mesa, Calif.-based security consulting firm Altius Information Technologies Inc., is betting the revenue will go to the infrastructure partner.
“Most customers like to work with one or very few providers, so whoever does the install gets the follow-up work,” Kelton said. Some of his company’s customers have reduced the number of vendors they engage , thus reducing the administrative and management overhead involved in having a larger number of contractual relationships.
Segal agreed, but added that he expects this to change in the next 2-3 years, as customers realize solid security requires the skills of solution providers who focus on security full-time.
Recommendation to security solution providers
Although customers are not yet calling on security solution providers to lock down their virtualized environments, there are steps solution providers can take now to lay the groundwork for projects in the future.
“Stay involved as a consultant with your customer’s infrastructure project, so you are top of mind when they turn to security,” advised Huston. “Or better yet, try to get the infrastructure project scoped out to include security services down the road.”
Even if the virtualization infrastructure is already well under way, there should still be plenty of opportunities for security solution providers. Kelton notes that customers are going to need to have their virtual systems audited by an independent consultant. “The infrastructure provider may have implemented the security policies and tools in the virtual environment,” he said, “but it will probably be the security solution provider who is called in to audit the whole thing.”