Adding to the confusion, virtualization has caused a shift in IT responsibilities in many organizations, says Greg Young, research vice president at Gartner.
The data center usually includes teams trained in network and server ops, but virtualization projects are typically being led by the server team. "The network security issues are things they haven't had to deal with before," Young says.
The average cost to remediate a data breach in a virtualized environment tops $800,000, according to Kapersky Labs, and remediation costs bring the average closer to $1 million - nearly double the cost of a physical infrastructure attack.
Companies don't see technology as the sole answer to these security problems just yet, according to the HyTrust survey. About 44 percent of survey-takers criticize the lack of solutions from current vendors, the immaturity of vendors or new vendor offerings, or issues with cross-platform interoperability.
Even as vendors like Illumio, Catbird, CloudPassage and Bracket Computing emerge with fixes to some virtualization security problems, companies can't afford to wait for the next security solution.
"If you're 50 percent virtualized today, in two years you're going to be 70 percent to 90 percent virtualized, and it's not going to get any easier to add security," Shackleford says.
"If you start moving things out to Amazon or Azure or any big cloud provider, you want to have your security at least thought through or ideally in place before you get there, where you're going to have even less control than you may have had to date."
Four steps toward a more secure environment
These security pros agree that companies can indeed have a secure virtual environment today if they can gain a clear picture of their virtual infrastructure, use some of the technology and security tools they already have, and better align technology and security in the organization.
1. Get a grip on your virtual infrastructure
"You can have very good security just through planning - taking the steps and making sure the safeguards are there," Young says. This starts with inventory management. "The security team needs to get the lay of the land with regards to virtualization," Shackleford says. "
You need to try to get a handle on where hypervisors are, where management consoles are, what's in-house, where it lives, and what the operational processes are around maintaining those. Next, define standards for locking them down. If nothing else, at least lock down the hypervisors," Shackleford adds. Major vendors like VMware and Microsoft have guides to help you, as well as the Center for Internet Security.
2. Rethink the way you look at data and storage.
People seriously need to think about their environment as a set of files, Shackleford says. "It's a very big shift for security professionals to realize that your whole data center runs from your SAN - your storage network. So they need to at least get familiar with the types of controls that they've put in place."
Sign up for CIO Asia eNewsletters.