Security in the days of on-premise infrastructure was a pretty straightforward model. You created a fortress to secure the data within, using firewalls, antivirus, DMZs (demilitarized zones) and group policy. Security was about defending that fortress. To that end, IT departments managed the hardware tightly, issuing solutions that they had sourced and set up.
From a compliance point of view, things were straightforward - all the data was on-premise and the fortress model meant that the IT department knew precisely how it was secured.
The shift to virtualization, superseding physical on-premise infrastructure, has created a new paradigm for IT departments and requires a new way of thinking for the C-suite.
The fortress approach to security is no longer applicable: not only are people using their own devices, as software, services and even infrastructure moved out of the office and into the Cloud, a whole new paradigm of security and compliance applies.
Latterly, enterprises have gone a step further, with individual business units making decisions about buying and using cloud services. In some cases, this move – dubbed technology autonomy, or shadow IT – is done in a haphazard way, without the input of the IT department and without strategic direction from the C-suite.
The move to virtualization and the Cloud is well under way, and in many cases, enterprises are not only outsourcing services and software, but also infrastructure.
In order to look at this further, we partnered with Vanson Bourne to create a snapshot of where British companies are today on their journey to virtualization and the Cloud, focusing on security for virtualized and cloud environments. Quantitative research was conducted with 100 IT decision makers from UK enterprise organizations with more than 1000 employees.
The struggle to secure complex virtualized IT infrastructures
There’s no doubt that the move to virtualization is proving a challenge for IT managers. Although the survey found that 66% of organizations have updated their infrastructure within the past year, nearly three-quarters of those surveyed said that their infrastructures are more complex than they were five years ago.
The move to the Cloud has also taken off over the past five or so years, and improvements in technology mean it’s easier to create additional servers via virtualization. A small handful of businesses have moved everything into the Cloud, while others have gone for a hybrid approach, taking some services into the cloud while retaining other services, infrastructure or their data in-house.
The benefits are clear: virtualized machines and cloud services mean that it’s easy to scale capacity quickly according to demand, and handing over responsibility for maintenance can create cost savings as in-house IT departments can be streamlined.
However, moving some applications, processes and infrastructure creates complexity. One issue is that virtual machines (VMs) can be in any number of locations. Additionally, businesses need assurance from their providers that access to the company’s assets – including data – is properly managed.
Most respondents (96%) to the survey agreed that they were struggling to secure their more complex infrastructures, with 93% saying that virtualization has contributed to that complexity.
The role of security in virtual environments
The move to a virtualized environment means that security has to become part of the strategy discussed in the C-suite: it can no longer simply be an arcane conversation between geeks in a back office.
It’s clear that British businesses recognize the importance of factoring security into their virtualization roadmap: 95% said that security is an integral part of moving to a virtualized environment. However, some have made a rod for their own back, with the majority of organizations not acting on this belief; 59% admit to not consulting security teams throughout virtualization deployments and 8% saying the security team wasn’t consulted at all during the transition to the virtualized environment.
What came as a big surprise is that the majority of organizations (85%) are still using the same tools for their virtualized environments, such as antivirus and firewalls, as they did for their in-house physical machine set-ups. This shows that virtualization security is still being viewed as an afterthought as businesses ‘make do’ with the same security policies, process and tools they would use in a physical environment. This approach is leaving organizations open to the risk of cyber-attack as they fail to realize that a new security mind-set is required.
Virtualized environments present organizations with new security risks and demand a new approach to security to tackle these accordingly. However, it is important to note that virtualized environments can be as secure if not more secure than physical environments.
In a dynamic virtual network, security should be built in from the outset instead of being treated as a bolt-on. IT transformation is at its most impactful when security and virtualization experts work together to create a solution that reduces cost and improves productivity whilst managing risk.
Here are a few steps that businesses can take to ensure they’re realizing the benefits of virtualization without compromising on security:
1. Both the information security and data-center management teams must be involved in any virtualization project, with the aim of making sure that both teams are working towards the common goal of a high-performing and secure virtual environment.
2. Use the right security tools from the start: don’t be tempted to rely on your existing security technology, which was not designed for the virtual environment. Relying on the old tools will leave your business vulnerable to breaches.
3. Don’t rely on luck to detect a security breach: just under half of the respondents in the survey said they had discovered their breaches accidentally rather than as a result of monitoring. Deploying intrusion protection and prevention and integrity monitoring will help secure your data.
4. Have one security model and deploy it across the whole of your infrastructure: physical, virtual and cloud. One security model can be managed from one console, making the task easier and the security tighter.
5. Make sure security follows the workload. In a physical infrastructure, machines don’t move, but in a virtual one, they do. When machines move around the virtual environment or cross the border from on-premises into the Cloud, security controls must move with those machines.