‘Virtualization increases risk of data loss?’ Let it be very clear that this is not my opinion but a quote from an article published today by the ‘Automatiserings Gids’ (NL), which quotes James Lyne, security specialist at Sophos. Lyne made his statements during this podcast.
Normally I don’t respond to articles like this but this one is too ridiculous not to.
First of all, James Lyne, who works for a security/antivirus manufacturer, is making these claims? Not very trustworthy. Do they have a new product to promote? The situation is identical to what Anne Jan wrote about on March 24th, ‘IT personnel lack communication skills’.
Second of all, the claims made in the article do not show a very good understanding of reality.
I will try to translate and quote as precisely and realistically as possible.
‘There is a bit of an unrecognized risk with the shift to virtualization that is compromising the security model that was traditionally in place. When you had a physical server, it was locked down in the data center and you controlled access to that resource using the operating system. You defined access control lists that said that HR had access to this resource here or sales had access to these portions of data. With that physical system those access controls were very much a gate to getting access to the data because the only way you could access it was over the network. With a virtual system we’re taking that physical hard drive and you’re putting it in a convenient file and that file, as it is the normal design of virtualization infrastructure, is placed on a SAN or some kind of shared storage, where people go to access data. And people are now not thinking about how they define controls over access to that file system. They’re not thinking about the fact that anyone who has access to the virtualization infrastructure now has raw access to the files that contain their most sensitive data.’