If you attended VMworld in late August, you know that virtualization security was featured extensively. Ditto for VMworld Europe where VMware CEO Paul Maritz included a few security slides in his keynote presentation. Maritz and VMware get it–virtualization security has been somewhat neglected until recently. If server virtualization is truly to become next-generation cloud infrastructure, security must be integrated throughout the technology.

VMware vShield and partner products are a great start toward bridging this virtualization security gap. Unfortunately, security technology is only part of the problem. ESG recently surveyed 463 large mid-market (i.e., 500-1000 employees) and enterprise (i.e., more than 1000 employees) organizations in North America, to gauge how they were using server virtualization technology. The goal was to understand current use, future plans, successes, and challenges. It turns out that security problems are pretty persistent. For example:

1. Security is often an afterthought. You know the “throw it over the wall” IT story? It happens here with security. Server virtualization projects are often well along the way before the security team gets involved. In these cases, server virtualization infrastructure adds security risk from the get-go.
2. Security professionals lack server virtualization skills. When the security team gets called into the project, they aren’t really qualified to help. Since projects tend to continue, server virtualization security risks increase while the security team gets up to speed.
3. There are no best practices. This may be changing but security professionals complain that server virtualization security doesn’t fit neatly into existing security frameworks and operating models.

In aggregate, there is a people problem (i.e., security skills), an organizational problem (i.e., project management/cooperation), and a process problem (i.e., no best practices). Yes, these issues do ease over time but it is clear to me that they never go away. At some point, highly-regulated organizations are likely to slow down server virtualization projects to address these security gaps. When this happens, server virtualization/cloud vendors will see sales slow to a crawl.

VMware is a technology company so it is doing what comes naturally–addressing security holes with new products and industry relationships. Nevertheless, VMware needs additional help from standards bodies, IT and security professional organizations, and professional services firms. The ESG Research clearly illustrates that server virtualization is a paradigm-shifting technology that changes IT organizations and processes. The real revolutionary potential of server virtualization won’t occur until IT organization and process changes become as pervasive as hypervisors.

Related posts:

1. Heterogeneous Server Virtualization
2. Cloud Computing? We Still Haven’t Mastered Server Virtualization!
3. People May Be the Weakest Link in the Server Virtualization Chain
4. Get Ready for Multiple Virtualization Platforms
5. Networking and Virtualization Vendors Should Join the Open vSwitch Effort

Tags: Cisco, cyber security, EMC, ESG Research, IT security, Paul Maritz, RSA Security, Trend Micro, VMware, vShield