80 per cent of data centres still using physical security to protect virtualised estate

And only a fifth of those are taking steps to phase it out

Eighty per cent of organisations still employ software and services designed to protect physical servers despite having moved to a virtual server estate, Computing research has revealed.

The research, revealed during Tuesday's "Protecting the Modern Data Centre" web seminar, also found that only a quarter of those respondents currently deploying physical security in this way are now taking steps to phase it out.

The practice of applying physical, legacy security measures to virtualised environments is particularly worrying, Mark Nunnikhoven, Trend Micro's VP of cloud and emerging technologies, said.

"The crux of the issue is, we have two very different environments in a modern data centre. In the traditional, physical environment where we know where everything is – rack 3, slot 4 etc – we can point things out and know where they are, but with virtualised you cannot be certain where anything is at a given time."

Nunnikhoven compared traditional physical security with a wall.

"Everything on the other side of that wall is what's being protected," he explained, while virtualised security is more like a football team.

"Where they are right now depends on what's happening in the field. If we're in the offensive half, in the box, we're all pushed forward, but as we go on the defensive, we all move back. It depends on field conditions. Having a big wall round it, you're going to constrain what the team can do."

Nunnikhoven explained how companies using physical security in a virtual estate are at risk of missing out on many of the advantages that virtualisation provides, by imposing security boundaries on specific physical servers. They may also be leaving gaps in their defences.

"They're missing the layer of abstraction. What they're ignoring is what we call a fabric," he said.

"[Virtualisation means] you're not worrying about one particular server at a time, you're talking about overall computing power."

Nunnikhoven said he is not accusing IT managers of ignoring the glaring issues in an attempt "to move forward", but instead sees a lack of awareness in what needs to be done.

"The natural tendency is to say ‘We've already got this base – let's extend it, even if it's a bit brittle'.

"But you can't go half way like that. You can't say, ‘Well I protected you nine out of 10 times that someone tried to mug you on the road' – that's not good enough. That's not reality. You can't go to your board and say I'm sorry we didn't bother to take the time and analyse this properly."