SC Think Tank: Security in a virtual world
Our Think Tank experts tackle the challenge of implementing virtualisation in a rapidly changing world.
Cloud services and virtualisation are here to stay as businesses seek efficiencies in IT architectures. But what are the security implications? Paul Fisher and five experts gathered around the SC table.
Spencer Mott, CISO, Electronic Arts
In two or three years, today's corporate IT department will not exist. Security and risk management departments will become very relevant, particularly from a service management perspective, and the remaining IT functions will be very business-like, with technical-type skills.
Do we spend a lot of time stressing about cloud and SaaS and virtualisation or do we really focus now on putting resources into good architecture?
Mark Corrigan, business manager for the security division, Arrow ECS
I think the interesting thing is the endpoint, the physical device that people will use – because that will influence what you can and cannot deploy. There are all sorts of different technologies and approaches from the virtualisation vendors and security vendors who are trying to overlay that.
Russell Poole, sales director, 2E2
When we look at cloud services and virtualisation, we see a different way of protecting our information rather than looking at points. We are looking to understanding what data we have, our data assets; ensuring the controls protect those data assets, rather than the flow of travel.
Caroline Ikomi, technical director, Check Point
You must tie the security policy to the specific applications, because as soon as you start virtualising you copy and replicate. 'How many licences do I have for this product?' becomes a very difficult question. Plus, how do you delete something if you do not know where it is stored? This is moving from a 5mph to a 100mph culture.
Paul Fisher, editor, SC Magazine
Do you mean the speed of adoption or the speed of virtualisation itself? Who is driving this?
Caroline Ikomi
No. All the processes and procedures you have in place in your physical world work at a certain pace. I can see somebody physically walking out with a server; I cannot necessarily see them copying a virtual server, so visibility is a really big issue.
We are not taking the lead as security professionals. It is about going back into our organisations and driving them. Security is a good thing. The reason you have it is to mitigate risk.
James Gay, CISO, Travelex
I would challenge that business is driving this. This business is changing so quickly, as is the security business, because we are not actually doing security anymore. We are part of a risk management environment which is at least reporting into, if not at, board level. We are part of the solution. It really is a change in the environment.
Spencer Mott
I completely agree, but I do think there are two camps. There are people who have realised that this is a discussion that must be on the table with a business – and you must invite yourself to that table, otherwise they will have the discussion without you.
The business is driving this, but not only from a cost perspective. IT departments have to get their head around the idea of being more of a business-type organisation instead of a utility service. If they do not get into that space, they will struggle to survive, because it is now so easy to engage with cloud services – you do not need to be technical to do it, because there are technical people in the cloud to help you.
Paul Fisher
To the point, then: can you trust your cloud provider to be secure?
Caroline Ikomi
If you start looking at the companies doing cloud, at the very high end, some of them have very good security architectures in place. It is not about adding it afterwards, but about building the architecture to include security from the beginning.
Russell Poole
You are now able to secure data centrally rather than having core pockets wherever your end-users are on their laptops, so you are taking better security and control. It is always a challenge when you have distributed users who implement the security policy.
Spencer Mott
The main concern is that the size of the breach will be greater now. That is the sort of risk management you must get your head around.
Mark Corrigan
That is where it comes back to. How many providers will say they will deliver that and protect, in terms of the cost and insuring against those breaches? That will be quite significant.
Russell Poole
We are also seeing that securities are differentiated with cloud. Therefore if you can get the security right, you can prove it is embedded into your solution and you will have more opportunity because you are answering concerns that people have. Even the virtual environment offerings, such as VMware and Microsoft, are realising they need to provide securities embedded, otherwise they cannot play.
Paul Fisher
Is a data breach more of a fear than, say, malware?
Caroline Ikomi
Malware will be more of a reality but a data breach, if it does happen, will have a far more apparent effect in ruining your reputation.
Paul Fisher
Which is more likely or more of a threat when you virtualise? Or does it make no difference?
James Gay
It depends on your industry. If I was running the accelerator in the server, I would be really worried about malware and not so about a data breach. HMRC? I would worry more about a data breach. It depends on your circumstances and industry and where you are in the virtualisation journey.
Mark Corrigan
Data breaching tends to be at the endpoint, as opposed to malware, which can spread from anywhere in an organisation. Therefore, in terms of the threat, I am not sure virtualisation makes it any worse. There are technologies that are coming on that will make it more manageable and maybe more visible. These should reduce the cost of implementing that. Does it make it more secure? It depends on how clever the hackers can get. Ultimately there will always be a threat from criminal activity.
Paul Fisher
Indeed. Can we separate cloud from virtualisation in all this?
Mark Corrigan
I am not sure I am convinced about cloud. I am convinced about virtualisation and security and the importance of it within that because cloud is not much more than SaaS. While they have been reasonably popular in the US, they are really not at the same level of spend in other markets.
Caroline Ikomi
As a company, we use Salesforce, but we ensure that the data is not stored externally to this. We store our data within our business. We are not prepared to let our own data outside our organisation, because this is crucial to our business opportunities. You can use a cloud-based service in a non-proprietary cloud way, and that is probably the way we will see more organisations move.
Spencer Mott
I am curious that you did not trust cloud, that you trusted your own environment. Was it because you wanted to keep responsibility for data if you had a breach, as opposed to having a responsibility, but not having the control?
Caroline Ikomi
No, we own our data. Security is what we do. For us, a data or security breach would be dreadful for our reputation. It would destroy us.
Paul Fisher
What about training and roles? Does virtualisation make any difference to how you train people in what they do and in terms of responsibility? Because we all are being virtualised in a sense – traditional workforces are disappearing.
Spencer Mott
Virtualisation is a reflection of the way the workforce has changed to sit at the endpoint. It is the natural evolution of how environments are working, faster, more short term; there's no job for life anymore.
For video footage of this SC Think Tank, please visit: www.scstudio.tv