Security Pros Mistakenly Believe Virtual Servers Are More Secure
In addition to an increase in the use of Linux as the primary server platform, companies are increasingly going virtual. One-third of survey respondents say that more than 50 percent of their servers are virtual. Also, half of the respondents said they had deployed virtual desktops, are in the process of rolling them out or have plans to do so.
Goddess says many IT and security professionals believe that their virtual servers are more secure than their physical servers, despite a 2012 Gartner study that found 60 percent of virtualized servers were less secure than the physical servers they replaced.
"People think their virtual servers are more secure than their physical servers, but that's just not the case," Goddess says. "They're really the same vulnerabilities that you find elsewhere in physical servers, but somehow they think of virtual servers as not being as much on the frontline."
For instance, she says, many professionals think the frequent re-imaging of virtual servers protects them from advanced threats. However, she notes, these threats frequently get in and do their damage within 15 minutes, moving on to other areas quickly.
In fact, when asked to rank types of servers according to the risk they represent, only 6 percent of respondents considered virtual servers to be high risk. Most respondents (66 percent) felt Web servers were the most high risk; 38 percent felt file servers were high risk; 34 percent pointed to email servers; 26 percent cited domain controllers; 14 percent labeled application servers high risk; and 11 percent ranked databases as high risk.
Goddess says that may indicate that IT and security professionals are looking in the wrong direction. After all, the most valuable enterprise information is found on file servers (e.g., intellectual property), databases (e.g., customer information) and especially domain controllers (e.g., passwords, administrative rights).
IT and security professionals are also concerned about the administrative effort required by security solutions. When asked to rank their top concerns about server security, nearly 12 percent cited "too much administrative effort on security solution" as a top concern, ranking it even higher than an actual attack.
"These results highlight the need for greater control in identifying and stopping advanced attacks on valuable server resources-before they execute-while decreasing the security-related administrative workloads of IT and security professionals," said Brian Hazzard, vice president of product management for Bit9. "The key to securing enterprise servers-both physical and virtual-is to allow only trusted software to execute and prevent all other files from running."
Sign up for Computerworld eNewsletters.