A leading IT security expert has spoken out to dispel the idea that virtualised environments are inherently more secure than conventional IT systems. In fact, says Kris Lamb, director of the IBM Internet Security Systems X-Force research group, virtualised environments pose unique threats to corporate IT security, and the risk of such threats being exploited is growing as an increasing number of flaws surface in products from market-leading vendors such as VMware.
In a blog posted on Friday, Lamb notes that, due to the growing popularity of virtualisation, “vulnerability discovery energies have increasingly focussed on finding ways to exploit virtualisation technologies.” This increased effort is being rewarded by the discovery of a growing number of vulnerabilities in virtualisation products, including those of the market leader, VMware.
According to Lamb, of the 100 vulnerabilities discovered since 1999 in VMware products and associated third-party products and components, the majority – 62% – have been found in third-party code. However, 72% of these vulnerabilities (of which 46% are regarded as high-risk) have been discovered in the last two years, and this year, for the first time, the majority have been found in VMware’s first-party code.
Lamb’s X-Force team has not attempted to collect similar data on virtualisation products from other vendors, and it is not suggested that VMware’s products are any less secure than those of its competitors. However, Lamb argues that the growing incidence of vulnerabilities associated with virtualisation technology adds a worrying extra dimension to the IT security challenge.
In particular, he says, the potential risk posed by new threats such as virtual rootkits is magnified by the fact that “all your exploitation risks are now consolidated into one physical target where exploiting one system could potentially allow access [to] and control of multiple systems.”
“Virtualisation does not equal security,” said Lamb, who also called on virtualisation software vendors to work more closely with security technology vendors to build safeguards into their virtualised environments.