Virtualisation and third-party hosting pose security risks: Kaspersky

By Digital News Asia October 20, 2014

Most businesses use 3rd-party hosting and maintenance to manage virtualisation
Are they paying close enough attention to what their providers are doing?

Virtualisation and third-party hosting pose security risks: Kaspersky

LESS than one-third of businesses keep their virtualisation servers on-premise and managed entirely by their own internal IT staff, according to a Kaspersky Lab survey of 3,900 IT professionals worldwide.

As virtual infrastructure increasingly handles more business-critical services, the reliance on external hosting and management services raises potential security concerns, particularly for smaller businesses, the company said in a statement.

Off-site vs. on-premise

According to the more than 2,000 survey respondents who use virtual servers, only 29% report that their physical machines were located within the walls of their business and maintained by only internal staff.

On the opposite end of the spectrum, 17% of business rely completely on third-party contractors to house and maintain their virtual servers and services.

By far, the largest proportion of businesses, approximately 50%, relies on a mixture of third-party hosting and maintenance.

It should come as no surprise that the vast majority of businesses are using hosting services in some capacity for their virtual infrastructure, Kaspersky Lab said.

The benefits of reduced cost and complexity for most IT departments are clear, and these service providers can more easily add capacity to support growing businesses.

When examining the responses based on the business size, the data supports the conventional wisdom that smaller companies, which have fewer IT staffers and a smaller IT budget, are more likely to use a third-party provider, whereas larger companies are most likely to manage their virtualisation servers and services in-house.

It’s clear that small businesses are most likely to rely solely on third-party providers to provide and manage all of their virtual computing needs, Kaspersky Lab said.

To give a few examples, 41% of small businesses report using a third-party service to store all of their virtual servers at an off-site location, compared with just 26% of enterprises.

For maintaining these virtual servers and the services they provide, 33% of small businesses rely completely on their third-party hosting provider, compared with just 18% of enterprises.

Very similar rates of both small businesses and enterprises use a mixture of in-house and external resources for storing virtual servers (23% for small business, 29% for enterprise) and maintaining the servers (31% for both small businesses and enterprises), Kaspersky Lab said.

Critical business data in the cloud

As most businesses are content to store data beyond their own walls, it’s important to understand exactly what types of data are being entrusted to third-party providers, Kaspersky Lab said.

The company has previously reported that virtualisation is rapidly becoming used for more than just IT department tasks, as 52% of survey respondents agreed that virtual environments are now housing core elements of business IT infrastructure.

Kaspersky Lab’s survey investigated what business functions are being implemented on virtual infrastructure, and found this perception was indeed correct.

According to the responses of businesses using some form of virtualisation, these are the rates that services/applications are being implemented on virtual infrastructure compared to physical infrastructure:

Email and communications applications (e.g., Microsoft Exchange) – 68% using virtual infrastructure;

Database applications (e.g., Microsoft SQL Server and Oracle) – 65% using virtual infrastructure;

Customer relationship management (CRM) platforms – 65% using virtual infrastructure; and

Financial management/accounting applications – 56% using virtual infrastructure.

It’s clear that businesses are very willing to put their most precious business data in virtual environments, and in turn, trust the management of these virtual environments to third-party providers, the company said.

The question of whether these businesses are paying close enough attention to what their providers are doing is particularly worrisome for SMBs (small and medium businesses), which likely lack the resources and sophistication to implement their own internal security measures and effectively evaluate the measures of their virtualisation providers, Kaspersky argued.

Here are some basic steps that SMBs can take to ensure the security of virtual networks on their own end, and to put appropriate scrutiny on the security measures of their third-party providers:

Become familiar with expert resources on cloud security management. This paper from the Cloud Security Alliance, The Notorious Nine: Cloud Computing Top Threats in 2013, is a good place to start gathering information about threats to cloud-based data.

Perform a thorough assessment of the security measures of any prospective virtualisation services provider, and ensure they conform to industry standards like ISO 27001 and CSA STAR.

Install a multi-layered security suite featuring heuristic and behavioural antivirus protection, host intrusion prevention system (HIPS), and protection against vulnerability exploitation on each workstation on the network.