Tripwire recently surveyed enterprise IT professionals to assess how vigorously virtualization is expanding within production server environments and to measure how security, change controls and compliance requirements are keeping pace. According to the survey report, "Is Virtualization Under Control: Current Opinions on Security and Controls for Virtual Servers in Production Environments," virtualization has clearly gained a lasting foothold. However, who shoulders the responsibility for ensuring that security and controls are implemented across virtual infrastructure is open for debate, varying greatly between functional groups.

More than 90 percent of those interviewed said that virtualized servers are now deployed in their production environments. In fact, three of four respondents reported that up to half of all their production servers are now virtualized.

While more than 80 percent of respondents said their change management and compliance controls are no different between physical and virtual infrastructure, and 26 percent felt security controls for virtualized servers are actually more stringent, responses indicate that a "tug of war" may be underway over who is accountable for security and controls for virtual servers. Just half of those surveyed felt that ensuring security, change control, and compliance for virtual servers is the responsibility of system administrators and their management. On the other hand, 37 percent of those associated with the Security group claim responsibility for security controls.

Moreover, a serious issue waits for some organizations deploying virtual servers in production environments. The majority of respondents agree that security risks for virtual servers are the result of misconfiguration, not inherent weaknesses of virtualization technology.

"If an increasingly overworked IT staff is more likely to make mistakes, and configuration errors are the cause of security exposures in virtual servers, then IT management must consider how they can mitigate this risk," said Mark Gaydos, Tripwire VP of Marketing. "As more of the production workload becomes virtualized and those managing virtual servers continue to be overwhelmed, it is apparent that automated configuration control must play a larger role to ensure appropriate server configuration and adequate security." In fact, a majority (69 percent) of respondents agreed that a dedicated configuration tool is needed to ensure proper configuration of virtualized servers, with two-thirds of these respondents noting they are in the process of evaluating or planning to acquire such a tool over the next 12 months.

The Tripwire survey report, "Is Virtualization Under Control: Current Opinions on Security and Controls for Virtual Servers in Production Environments," can be downloaded for free at http://www.tripwire.com/solutions/virtualization.cfm.