Nearly half (48%) of IT staff either report or suspect unauthorised access to files on virtualised servers, according to a study by Varonis.
The data governance software firm's research finds that data security in virtualised environments is often neglected by IT organisations, with many treating it as a black box.
The study, conducted at VMworld conferences, suggests that there is limited awareness of security matters when it comes to virtualised servers, with 70% of respondents having little or no auditing in place on virtual servers.
This could be a big problem. According to analyst Gartner, there are more than 50 million installed virtual machines (VMs) on servers.
Indeed, application servers have been virtualised by almost all respondents (87%), mainly due to speedier deployment (76%) and disaster recovery (74%).
On the other hand, those who do not virtualise cite disk storage (37%), performance (30%) and a lack of advantages (20%) as the three main reasons for not doing so.
But while almost 60% of respondents said they were very careful about setting permissions and controlling updates, almost three quarters (70%) had implemented little or no auditing – even in high-end organisations.
In fact, 20% of enterprises with more than 5,000 employees admitted to having no file logging capabilities in place.
"We suspect that for IT departments, virtualisation may be something of a black box," suggests David Gibson, vice president of strategy at Varonis.
"We have found that, after a workload is virtualised, the details of managing file permissions and monitoring access are considered to be automatically taken care of," he continues.
"It is also quite possible that the teams managing virtualisation projects see file security and governance as outside their discipline. The security team may have no visibility of what is happening," he adds.
The bottom line: while virtualisation has been groundbreaking in allowing IT to isolate applications and services with a few clicks, it doesn't solve permissions management and access auditing – in fact it might make it even more complex.