virtualisation security: the need for a new security mindset · virtualisation security: the need...
TRANSCRIPT
Virtualisation Security: The Need for a New Security Mindset
A survey report exploring the impact that virtualisation and cloud computing are having on IT security for UK businesses
>>
Page 2 of 12
Virtualisation Security: The Need for a New Security Mindset
Virtualisation has long been delivering benefits to organisations of all sizes; with on-demand capacity scaling and reduced
hardware costs just some of the key benefits. However, the shift to virtualisation has created a whole new paradigm for
IT security, with the movement of applications, processes and infrastructure creating added complexity.
Trend Micro has partnered with Vanson Bourne to undertake research to find out how UK enterprise organisations are
addressing their virtualisation security needs and whether they’re struggling to manage this added complexity.
The research has found that the majority of UK businesses are failing to upgrade their security tools to manage virtualised
environments and as such are struggling to keep their IT infrastructure secure. This is despite the fact that almost half
of organisations believe that virtualised environments need more security as they introduce new risks. As a result, nine
in 10 businesses are concerned that they will fall victim to security breaches.
This report explores these findings in more detail and asks whether a new security mindset is required to ensure that
businesses are addressing their virtualisation security in the best way.
Executive summary
Page 3 of 12
Virtualisation Security: The Need for a New Security Mindset
Security in the days of on-premises infrastructure was a
pretty straightforward model. You created a fortress to
secure the data within, using firewalls, antivirus, DMZs
(demilitarised zones) and group policy.
Security was about defending that fortress. To that end,
IT departments managed the hardware tightly, issuing
solutions that they had sourced and set up.
From a compliance point of view, things were
straightforward: all the data was on-premises and the
fortress model meant that the IT department knew
precisely how it was secured.
The shift to virtualisation, superseding physical
on-premises infrastructure, has created a new paradigm
for IT departments and requires a new way of thinking for
the C-suite.
The fortress approach to security was no longer applicable:
not only were people using their own devices, as software,
services and even infrastructure moved out of the office
and into the cloud, a whole new paradigm of security and
compliance applied.
Latterly, enterprises have gone a step further, with
individual business units making decisions about buying
and using cloud services. In some cases, this move –
dubbed technology autonomy, or shadow IT – is done in a
haphazard way, without the input of the IT department and
without strategic direction from the C-suite.
The move to virtualisation and the cloud is well under way,
and in many cases, enterprises are not only outsourcing
services and software, but also infrastructure.
Trend Micro, the global leader in cloud security, together
with Vanson Bourne, has created a snapshot of where British
companies are today on their journey to virtualisation and
the cloud, focusing on security for virtualised and cloud
environments. Quantitative research was conducted with
100 IT decision makers from UK enterprise organisations
with more than 1000 employees.
Introduction
Page 4 of 12
Virtualisation Security: The Need for a New Security Mindset
There’s no doubt that the move to virtualisation is proving a
challenge for IT managers. Although the survey found that
66% of organisations have updated their infrastructure
within the past year, nearly three-quarters of those
surveyed said that their infrastructures are more complex
than they were five years ago.
The move to the cloud has also taken off over the past
five or so years, and improvements in technology mean
it’s easier to create additional servers via virtualisation. A
small handful of businesses have moved everything into
the cloud, while others have gone for a hybrid approach,
taking some services into the cloud while retaining other
services, infrastructure or their data in-house.
The benefits are clear: virtualised machines and cloud
services mean that it’s easy to scale capacity quickly
according to demand, and handing over responsibility
for maintenance can create cost savings as in-house IT
departments can be streamlined.
However, moving some applications, processes and
infrastructure creates complexity. One issue is that
virtual machines (VMs) can be in any number of locations.
Additionally, businesses need assurance from their
providers that access to the company’s assets – including
data – is properly managed.
Turkish steel producer İÇDAŞ found all of these
challenges when it needed to update its main data
centre in Istanbul. IT manager Nilgün Aksoy says: “Our
IT department was having a hard time responding to new
server and resource requests from other departments.
New server procurements, upgrade requirements of our
former servers, infrastructure requirements, business
sustainability requirements, and the various needs of
management personnel were increasing with each day.
Most respondents (96%) to the survey agreed that
they were struggling to secure their more complex
infrastructures, with 93% saying that virtualisation has
contributed to that complexity.
The struggle to secure complex virtualised IT infrastructures
“It was necessary to establish access
control, virus prevention and cyber-attack
protection against internal attacks to our
virtual servers, but security solutions
were interfering with accessibility, server
performance, and manageability.”
Nilgün Aksoy,
IT Manager of Turkish steel producer İÇDAŞ
Page 5 of 12
Virtualisation Security: The Need for a New Security Mindset
Figure 1: Is your IT infrastructure more complex than it
was five years ago?
Updating becomes much more of a challenge in the
virtualised environment, too: not only do you have to
provide a seamless service to your users so that they
won’t notice any downtime as updates are applied, you
also have to manage a number of virtual machines in a
range of different states – on, off, dormant.
This issue is reflected in the survey responses: 72% said
they had issues with keeping applications patched in a
virtual environment, with 34% admitting that they often
can’t patch applications in a timely fashion.
Figure 2: Do you find it difficult to keep applications and
operating systems patched?
The role of security in virtual environments
The move to a virtualised environment means that
security has to become part of the strategy discussed
in the C-suite: it can no longer simply be an arcane
conversation between geeks in a back office.
It’s clear that British businesses recognise the importance
of factoring security into their virtualisation roadmap:
95 per cent said that security is an integral part of
moving to a virtualised environment. However, some
have made a rod for their own back, with the majority of
organisations not acting on this belief; 59 per cent admit
to not consulting security teams throughout virtualisation
deployments and 8% saying the security team wasn’t
consulted at all during the transition to the virtualised
environment.
72%
13%
15%
Yes
No
About the same
72%
13%
15%
Yes
No
About the same
34%
38%
28%
Yes, I frequently cannot patch systems on time
Sometimes, when there are significant numbers of patches released
No, my patching is always up to date
Page 6 of 12
Virtualisation Security: The Need for a New Security Mindset
Figure 3: Was the security team consulted during the
move to a virtualised environment?
One of the challenges of managing the move to a
virtualised environment is to engage everyone who
needs to be on board. The survey found that there is a
sharp difference in the approach to security between
the managers of data centres and information security
managers.
That’s because the two groups have different priorities:
the data centre manager is focused on getting services
up and keeping them up, and making sure that they are
accessible and useable as fast as possible. A primary
concern of the data centre manager is uptime, and for
that role, security can be a hindrance.
For the information security manager, the prime concern
is the safety of the data; uptime is less of a concern.
That split is clearly highlighted in the survey responses,
with 56% of security managers agreeing that security is
integral in the plan to move to a virtualised environment,
compared to just 40% of data centre managers who
agreed with that comment.
Figure 4: In your opinion, is security an integral part of
the plan in moving to a virtualised infrastructure by ITDM
type, yes answers.
The need to understand that different security models are
required in a virtualised environment is a concern. The
differences between the in-house “tin box” set-up, where
security is managed within a fortress, and the virtualised
environment mean that the challenges are different.
However, the survey reveals that many organisations
(34%) haven’t updated their security models.
41%
29%
18%
4%
8%
Yes – throughout the transition
Yes – at the consulting stage
Yes – but not frequently enough
No
I don’t know
0
10
20
30
40
50
60
Information securityresponsibility
Data centreresponsibility
56%
40%
The survey found that there is a sharp
difference in the approach to security
between the managers of data centres
and information security managers.
Page 7 of 12
Virtualisation Security: The Need for a New Security Mindset
Many organisations (85%) are still using the same tools
for their virtualised environments, such as antivirus
and firewalls, as they did for their in-house physical
machine set-ups. Only just over half (52%) of the survey
respondents that had experienced a data breach, said
they had discovered their breaches as a result of
security monitoring.
Figure 5: How was the breach discovered? Asked to
those that had experienced a breach.
Siemens Enterprise Communications, which offers
enterprise communication services and solutions, found
itself using old tools – virus and malware protection,
and often from different vendors – on UC application
servers that were personalised to each customer. The
disadvantages were clear, says Frank Semmler, head of
solution management security.
Virtualisation technology offers new ways to manage
security: rather than having to deploy software
applications across each VM, which in turn might not
be integrated into the overall infrastructure. With Trend
MicroTM Deep Security you can manage patching and
updates centrally, creating high levels of security with
very little impact on the individual VMs.
The threat of security breaches
The survey shows very clearly that there is a split
between the public sector and private-sector enterprises
in how they manage security threats in a virtualised
environment. Most private-sector businesses say they
review their security arrangements every three months,
but for those in the public sector, it’s every four months.
And despite the best intentions, security breaches do
happen: 24% of respondents said they had had at least
one breach in the past two years, with a further 26%
reporting a breach within the past five years.
In any business, whether it has moved into the cloud or
retains its IT on-premises, the infrastructure and the data
it holds is potentially always at risk. Users can abuse their
privileges and if the virtual infrastructure isn’t properly
secured, with users isolated and only able to get at what
they need, data can too easily be compromised.
Indeed, nearly a third of respondents (27%) who had
suffered a breach said that was due to deliberate misuse
of the system by an employee, while configuration errors
by an admin accounted for 23% of breaches.
52%
20%
18%
9%
2%
Routine internal security monitoring
Alerted by systems outage
Reported by a third party
Discovered by accident
Other (please specify)
“Our goal … was to provide a high standard of security at a reasonable cost, but we clearly
weren’t going to achieve that with the approach we had. Moving to a standardised solution
by deploying Trend Micro Deep Security solved the problem, allowing Siemens to offer a
high level of protection to customers with a reduced impact.”
Frank Semmler, Head of Solution Management Security, Siemens
More than nine in 10 businesses remain concerned that they will fall victim to future security breaches.
Page 8 of 12
Virtualisation Security: The Need for a New Security Mindset
Figure 6: How concerned are you that your organisation
will be the victim of a breach in the future?
Virtualisation in the cloud
Since the move to the cloud began some six or seven
years ago, businesses have embraced the opportunities,
with over two in five (44%) of organisations with a
virtualised environment either using or planning to use an
Infrastructure-as-a-Service provider, with the majority
(61 per cent) of organisations purchasing security as part
of the service.
Though half address the security of these services by
deploying the same controls as used in their data centre.
Almost four in ten (39%) of those using IaaS believe that
its use has made managing IT security more complex.
Organisations in the private sector are far more likely
to have used a solution such as Amazon Web Services
than the public sector: 40% of private-sector respondents
had chosen such a service, compared to just 24% in the
public sector.
41%
26%
17%
4%
12%
1 - Not at all concerned
2 3 4
5 - Very concerned
0 10 20 30 40 50 60 70 80
Purchased security as part of the service from the provider
Deployed the same security controls as used in our data centre
Other (please specify)
We did not address security specifically
61%
50%
6%
0%
Figure 7: How did you address security of the workloads running in the service provider cloud?
Page 9 of 12
Virtualisation Security: The Need for a New Security Mindset
Compliance is a high priority for organisations dealing
with sensitive data, such as healthcare providers. In
some cases, a private cloud is the best choice, as was the
case for Globality Health when it moved to a virtualised
environment.
“We installed our own company cloud in Luxembourg,
where the strictest data protection laws are in place. This
is an essential element when dealing with information
as personal and highly sensitive as medical records,”
explains CIO Patrick Klass.
For those preferring a third-party cloud provider, most
respondents (61%) also purchased security as part of
their package, although the awareness of the need for
security and the understanding that old models are
not appropriate was much higher among those with
responsibility for data security.
Data-centre managers, by contrast, were less alert: just
56% said they bought security as a service from their
cloud provider, and 61% said they used the same security
controls as they had in their on-premises set-up.
“Moving to a virtualised environment
is a paradigm shift. Issues relating to
data security and data privacy continue
to dominate the mindset of corporate
Britain as it transitions to the cloud. Cloud
providers need to be clearer upfront with
their customers at communicating the
approach to security they provide and what
options are available without compromising
security in the process.”
Alex Hilton, CEO of the Cloud Industry Forum
Page 10 of 12
Virtualisation Security: The Need for a New Security Mindset
According to Michael Darlington, technical director at Trend Micro: “Virtualisation security is still being viewed as an
afterthought as businesses ‘make do’ with the same security policies, process and tools they would use in a physical
environment. This approach is leaving organisations open to the risk of cyber-attack as they fail to realise that a new
security mindset is required.
“In a dynamic virtual network, security should be built in from the outset instead of being treated as a bolt-on. IT
transformation is at its most impactful when security and virtualisation experts work together to create a solution that
reduces cost and improves productivity whilst managing risk.”
Although take-up of virtualisation and cloud services is high, there are concerns about how security is implemented.
Data-centre managers need to become more aware of both the need for different security models and what those new
models are.
FiVe proVen besT pracTices To ensure your VirTualisaTion enVironmenT is secure:
1Both the information security and data-centre management teams must be involved in any virtualisation project, with the aim of making sure that both teams are working towards the common goal of a high-performing and secure virtual environment.
2Use the right security tools from the start: don’t be tempted to rely on your existing security technology, which was not designed for the virtual environment. Relying on the old tools will leave your business vulnerable to breaches.
3Don’t rely on luck to detect a security breach: just under half of the respondents in the survey said they had discovered their breaches accidentally rather than as a result of monitoring. Deploying intrusion protection and prevention and integrity monitoring will help secure your data.
4Have one security model and deploy it across the whole of your infrastructure: physical, virtual and cloud. One security model can be managed from one console, making the task easier and the security tighter.
5Make sure security follows the workload. In a physical infrastructure, machines don’t move, but in a virtual one, they do. When machines move around the virtual environment or cross the border from on-premises into the cloud, security controls must move with those machines.
Conclusions and recommendations
Page 11 of 12
Virtualisation Security: The Need for a New Security Mindset
“Virtualisation continues to be adopted at
a rapid pace and it seems that IT teams are
struggling to keep up with the demands of
the business, as IT infrastructure becomes
more complex. However, it is important to
note that virtualised environments can be
as secure if not more secure than physical
environments. By adopting a new mind-set
and recognising the security posture needs
to change in line with IT environments,
businesses will be well placed to realise
the benefits of virtualisation without
compromising on security.”
James Edwards, Product Manager, VMware
In a sense, virtualisation has become its own worst enemy
because of the inherent security risks associated with
easily creating new virtualised servers. What’s clear is
that virtualised environments present organisations with
new security risks and demand a new security mindset
to tackle these accordingly. Only by taking this approach
will organisations ensure that their move to virtualisation
is fully secure and not compromising their entire IT
environment.
Page 12 of 12
Virtualisation Security: The Need for a New Security Mindset
research meThodology
Trend Micro commissioned Vanson Bourne to survey
100 UK enterprise organisations with an excess of 1,000
employees. Participating companies were spread across
sectors and size bands, with 75 private and 25 public
sector organisations included. Half of the IT decision
makers included are responsible for security, while the
other half is responsible for the data centre. The survey
was conducted in May 2013.
abouT Trend micro
Trend Micro Incorporated, a global leader in security
software, strives to make the world safe for exchanging
digital information. Our solutions for consumers,
businesses and governments provide layered content
security to protect information on mobile devices,
endpoints, gateways, servers and the cloud. Trend
Micro enables the smart protection of information, with
innovative security technology that is simple to deploy
and manage, and fits an evolving ecosystem. Leveraging
these solutions, organizations can protect their end users,
their evolving data center and cloud resources, and their
information threatened by sophisticated targeted attacks.
All of our solutions are powered by cloud-based global
threat intelligence, the Trend Micro™ Smart Protection
Network™, and are supported by over 1,200 threat
experts around the globe. For more information,
visit www.trendmicro.com.
abouT The cusTomers included
siemens enTerprise communicaTions
Siemens Enterprise Communications, is a global
integrated communications provider that synchronizes,
deploys, and manages technologies such as voice,
video, collaboration, mobility, contact centre, and
network infrastructure. We weave these communication
technologies directly into the way businesses operate.
The result is a transformation of how the enterprise
communicates and collaborates – that amplifies collective
effort, energizes the business, and dramatically improves
business performance.
Born out of the engineering DNA of Siemens, we have
built on this heritage of product reliability, innovation,
open standards, and security to provide integrated
communications solutions for over 75% of the Global
500. Siemens Enterprise Communications is a joint
venture of the Gores Group and Siemens AG.
globaliTy healTh
Globality Health is the international health insurer with
a special focus on expatriates. People who study, live or
work abroad are assured that their health is always in
good hands, no matter where they are. With more than 80
years of experience in health insurance, Globality Health
provides their customers the convincing competence
of an international network of assistance and service
partners. As an integral part of Munich Health, with more
than 5,000 experts at 26 locations, Globality Health offers
innovative healthcare solutions for clients and partners all
over the world. As a member of the Munich Re, Globality
Health gives customers the strength and security of one
of the world’s leading insurers and reinsurers.
İÇDAŞSince 1970, İÇDAŞ has been producing steel bars
and high-alloy steels and has grown to be the biggest
private sector steel producer in Turkey based on
production capacity. Besides the iron and steel
production, İÇDAŞ also operates in the fields of ship
building, port operations, piloting and towing, land and
marine transportation, shipping, brokerage, insurance,
international trade, tourism, construction and power
generation. Exporting most of its production to foreign
countries, İÇDAŞ has assumed an important role in
Turkey’s integration with the modern world, with its
advanced technology and reputation for superior quality.
©2013 by Trend Micro, Incorporated. All rights reserved. Trend Micro and the Trend Micro t-ball logo are trademarks or registered trademarks of Trend Micro, Incorporated. All other
product or company and/or product names may be trademarks or registered trademarks of their owners.