Dormant Virtual Machines (VMs) Represent Significant Business Risk

Virtualization is a highly effective method for increasing the efficiency and availability of physical IT infrastructures, and reducing traditionally high fixed infrastructure costs. According to leading research firms, as many as 95% of enterprises are using some form of virtualization. Today, organizations of all sizes are leveraging virtualization throughout a wide array of applications – including both test and production environments.

However, according to a recent ComputerWeekly.com article, “despite the benefits companies can reap from virtualizing their data centers, virtualization can do more harm than good if you fail to consider the potential risks.”

The ease of provisioning is creating a rapid proliferation of virtual machines, many of which ultimately become dormant. However, just because these VMs are dormant, doesn’t necessarily mean they can be deleted. Often, the VM images must be retained for years for archival and compliance reasons – and ultimately must be secured regardless of whether they reside within the company’s physical infrastructure, or are sent to the cloud or other hosted storage environments. Dormant VMs pose an even greater security risk because VMs that are offline do not receive security upgrades/patches – leaving them vulnerable when they are brought back online.

“With more than half of all data center workloads now virtualized, enterprises need defined virtualization security processes,” according to Neil MacDonald, Vice President, VP and Gartner Fellow Emeritus. “Dormant virtual machines pose a more significant security risk than their physical counterparts. Stealing a VM becomes as simple as stealing a file. VMs, like files, should be encrypted to protect their contents and be protected from tampering.”

And dormant VMs, which may contain personally identifiable information (PII) or other sensitive data, are not immune to compliance requirements. For example, Section 3.7 of PCI DSS Virtualization Guidelines states that “data in a VM’s memory, which may include unencrypted primary account numbers (PANs), is often captured in its dormant state, resulting in unintentional storage of the data. Though dormant, inactive VMs represent a viable security threat and therefore must be identified and tracked so appropriate security controls can be applied.”

Earlier today, PKWARE introduced vZip™, a software application that addresses the security vulnerabilities of dormant VMs. PKWARE vZip, allows organizations utilizing virtual infrastructures to secure and reduce dormant VMs – eliminating the risk of non-compliance, enhancing security, and decreasing storage costs and transfer times when moving VMs to the cloud.