While most small to medium-sized businesses around the globe are at least considering server virtualization, most who’ve started the process aren’t securing those servers adequately, Symantec Corp. says.
The security vendor says that 70 per cent of businesses with five to 249 employees are considering virtualization, based on an Applied Research poll of 658 organizations worldwide. But only 10 per cent have completed a server virtualization implementation to date, and many small businesses are neglecting to use a firewall, endpoint protection, or antivirus software to secure their virtual servers.
Only 52 per cent are using a firewall, 26 per cent endpoint protection, and 22 per cent antivirus, and that’s not good enough according to Kevin Rowney, director of breach response for Symantec.
“There’s neglectful securing of this environment,” he says. “It feels like there is a different standard for protection of virtualized environments.”
That is surprising news to Ken Piper, the IT manager at Calgary-based Vision 200 Travel Group. The independent travel company has almost 300 employees in 25 offices across Canada, and implemented virtual servers in 2008. It uses a Fortinet FortiGate firewall and Symantec.cloud endpoint protection service to guard its servers.
“In my opinion, anything less than this, and your business is in jeopardy,” he says. “The risks are significant.”
Vision 200 Travel Group had CTech Consulting roll out its virtual server implementation. It took just three months to complete, Piper says, doing an in-place upgrade to systems. Now the travel management firm can deploy a new server instance in a matter of hours. It also made it easier for the company to have a solid disaster recovery plan.
But not all businesses with virtual servers are taking advantage of easy backups. According to Symantec’s survey, just 15 per cent of firms say they always backup virtual servers, 28 per cent usually do, and 23 per cent describe their backup as “spotty” or never.
That’s a sign the SMB virtualization market is still maturing, Rowney says, describing the technology as a “sledgehammer of transformation in IT.”
The biggest motivators given by firms to pursue server virtualization was to save money. Businesses hope to reduce capital expenditure over the long term (70 percent) and operating expenditure (68 per cent) more immediately, according to the survey. Yet some businesses are still holding off on the trend, citing staffing issues (23 per cent) and budget issues (53 per cent) as the main inhibitors.
Smaller firms lacking IT staff often don’t have time to consider server virtualization, says David Briand, a solutions architect at Toronto-based Scalar Decisions.
“As far as organizations that actually bite down on it and start consolidating workloads, that’s where it drops off,” he says. “Even though it’s seen as beneficial, it’s also seen as risky.”
Scalar Decisions is a value-added reseller that works with numerous vendors, and operating virtual servers for SMBs is probably about a third of its overall business, Briand estimates. It has been in the business since 2004, but noticed a rise in interest in the last two years. That’s because small firms are starting to realize IT can help set them apart from the competition.
“Maybe they have a hard time wrapping their heads around securing something that’s not physical,” he says. “We always make sure security is one of the top things we address.”
Scalar Decisions will install a virtual server without security safeguards if requested by a client, and that might make sense in certain environments with limited exposure – such as servers used for quality analysis or development, Briand says. A firm must also make different considerations for a virtual server compared to a traditional one.
“The way a virus scan affects a hypervisor is not the same way a virus scan affects a traditional server,” he says. “You could introduce other risks into the environment that would affect the performance and manageability of the infrastructure.”
Symantec recommends that smaller firms define a security strategy, and make sure virtual servers are secured to protect their data.
“Try to foresee these levels of complexity in each wave of the virtualization effort and make sure you map out the right path,” Rowney says.
If working with a third party to implement server virtualization, probe them on their abilities to support business critical applications, he adds.