Report says SMB IT still doesn't get virtualization security

A new report makes controversial claims about the costs of breaches in virtualized environments, strongly suggesting IT pros may not understand the challenges of virtualization security.

The 2015 Security of Virtual Infrastructure report, issued by Moscow-based Kaspersky Lab on Monday, offers surprising findings about virtualization security. However, not all experts believe the data related to the cost of a breach is presented fairly.

Kaspersky surveyed 5,500 companies around the globe for the report, which found that small and medium-sized businesses (SMBs) reported average damages from a breach to physical infrastructure of $26,000, but damages jumped to nearly $60,000 when virtualized systems were involved. Kaspersky used the term "expected" damages in the report, which some experts assumed meant the figures were estimates. But Andrey Pozhogin, senior product marketing manager at Kaspersky Lab, clarified that the numbers "were calculated based on actual costs reported by businesses surveyed."

Kaspersky goes on to note in the report that a major reason for the higher costs associated with a breach of virtual systems is that companies tend to use these environments to protect their most important operations.

Jon Oltsik, senior principal analyst at Enterprise Strategy Group Inc., a consultancy firm in Milford, Mass., said the way this data is presented is somewhat misleading.

"[The report] states that the costs associated with a data breach of virtual infrastructure would be higher because virtual infrastructure is often used with mission-critical applications," Oltsik said. "This is an apples-to-oranges comparison. To assess whether costs of a data breach are higher with virtual infrastructure -- as opposed to physical infrastructure -- wouldn't you have to measure those costs on identical workloads?"

Pozhogin said the comparison made in the report was valid partially because Kaspersky believes "all parts of corporate infrastructure deserve equal attention in terms of security," but also because the value of the data being protected was only one reason the costs were higher.

"We observed that 56% of businesses are not fully prepared to deal with security risks in a virtual environment, and just 52% report that they fully understand risks associated with virtual environments," Pozhogin said. "So, virtual infrastructure frequently hosts mission-critical operations and, at the same time, its security agenda is harder for companies to understand. A combination of these two findings is what we feel businesses should pay close attention to."

Pozhogin said it was not the aim to imply that virtualized environments are less secure, but that the "safety of any type of infrastructure depends on the quality of protection."

Kaspersky found in the survey that 34% of respondents were not using security services specially designed for virtualized environments, and were also not aware of the difference between these specialized services and traditional services. Additionally, the survey found that another 39% were aware of the difference, but still didn't use such services. Pozhogin said specialized services could reduce both the total cost of ownership and the risk of a security breach.

Oltsik said that the research and conclusions of Kaspersky's report were likely "flawed," but that it was true that securing virtual infrastructures requires specialized tools and skills.

"If you know how to configure things properly and use virtual/cloud-aware tools, you can actually improve security defenses," Oltsik said. "Unfortunately, these skills are fairly esoteric, so many organizations default to what they know and try to use their existing tools in ways they weren't designed for. This creates a problem, which is the main point of the goofy Kaspersky research report."

Oltsik said the key to virtualization security is using tools with "virtual awareness," and monitoring tools that plug into hypervisor APIs in order to maintain visibility. 

Larry Ponemon, chairman and founder of Ponemon Institute LLC in Traverse City, Mich., said that in his research, he has often found that cybersecurity comes down to issues of complexity and resources, and the same should be true for virtualization security.

"The IT environment is very complex in terms of minimizing risk, so you would expect that the more complex the environment, the harder it is to secure," Ponemon said. "We've found that in some ways, virtualization reduces complexity. So if that is true, you would find virtualization to be less costly if all other factors are equal."

Oltsik expanded on this, explaining that virtualized environments are "more complex, as you are sharing a physical box through a hypervisor, virtual switches, virtual NIC cards, virtual storage, etc. 

"You can pretend these things don't exist and set up VM security like you would a physical box. This is the point Kaspersky makes that many organizations do this," Oltsik said. "The general problems here are that you can lose visibility into network traffic and system behavior, and some security tools can be resource hogs."

Ponemon was intrigued by the survey, but said that more research is needed to confirm the results because these results may be influenced by "confounding effects," or other variables that weren't measured or applied.

"It's possible that findings are skewed to small companies," Ponemon said. "SMBs may not have the resources to secure virtual environments properly. If you don't have the resources to apply it to everything, you'll apply it to your crown jewels."
