The virtualization giant surveyed more than 1,700 members of its independent VMware User Group (VMUG) to learn more about its customers' security practices and requirements. According to a VMware blog post on the subject, some of the highlights from this survey include:
- Two-thirds of respondents have established maintenance policies and schedules, and they're generally up to date with security patches (no more than four patches behind)
- One-third follow a monthly maintenance schedule, and another third have a quarterly maintenance cycle
- Alarmingly, one-third of respondents said they are well behind on security updates (23 percent) or never apply them (10 percent)
- Two-thirds consider vendor-supplied workarounds to be either a temporary or a permanent alternative to patching
- Nearly half of those responding said they would prefer a scheduled set of patches, while the remainder said they would prefer patches to be released immediately as they become available
- Two-thirds claimed they protect their vSphere management networks primarily using VLANs, though many share this network with other infrastructure services
In response to the survey findings, VMware said it is considering initiatives to increase awareness of security updates, as well as potential product improvements to reduce the burden of keeping up to date on security. The company will also provide more details within the VMware Security Advisories (VMSAs).
But with users split 50/50 in favor of either scheduled patches or just-in-time patches, VMware said it would continue to gather data before making a change from its current process. Don't expect VMware to move to a regularly scheduled set of security patches just yet.
In the end, no matter what security update method VMware chooses to go with, one thing is clear: With VMware product threats potentially on the rise, if VMware releases a patch or update that is marked as "critical," don't blink. VMware customers shouldn't take any chances with their virtualized infrastructures. In a physical environment, hackers have to concentrate on hacking individual servers or individual applications. But when you use virtualization, a hacker can sometimes get away with entry through a single point and gain access to everything (the keys to the kingdom).
This article, "VMware pledges to improve security, considers scheduling patch updates," was originally published at InfoWorld.com.