At the Gartner Symposium/ITxpo this week, thousands of IT managers packed into sessions on virtualizing enterprise computers and on adopting public cloud-based services or building private ones. Some say the revolution is underway, and security managers are caught in the middle, losing controls they once had.
Gartner analysts, including David Cearley and Gene Phifer, trotted out user case studies involving FedEx, Presidio Health, Johnson Diversey and others extolling the public or private cloud, while in a separate session Michael Lock, head of enterprise sales at Google, looked like a budding rock star in front of a huge audience of high-tech executives eager to hear about Google Apps. With new ways of conducting enterprise computing and application development shaking up established IT practices, the darker mood came mainly from Gartner's security analysts, who see the revolution ripping away the security controls enterprises rely on today.
“Our nightmare scenario is here now,” said Gartner analyst John Pescatore. Botnet-driven cybercrime is clearly accelerating as online predators engaged in “cybercrime as a service” plunder corporate and consumer data for financial gain. In addition, corporate employees now use handheld smartphones the company never issued and spend substantial time on networks the enterprise does not own.
Now cloud computing arrives as a set of service offerings, and “obviously attacks will come after this,” Pescatore said. In many instances, he said, the “IT organization is being driven to have less control over software and hardware.”
The implication, Pescatore said, is that IT organizations can sit and dream of something pleasant, like the return of the mainframe, or they can shift to using or developing “security as a service” to adapt to new threat scenarios in both public cloud computing and the virtualization of their own IT infrastructure.
With the cloud taking shape nebulously as many types of public, private and hybrid services, an important technology to turn to will likely be encryption services. “In the next few years, you'll see encryption services out there,” Pescatore said.
Gartner analyst Neil MacDonald also minced no words in describing the implications for security in the virtualization and cloud-computing revolution.
“We're at a critical point,” MacDonald said. Adoption of consumer technologies and the transformation of the technical infrastructure in the enterprise means that there's “frustration of the business units with us,” MacDonald said.
With virtualization, the key concept of “locking down a physical device” is giving way to security oriented around the virtual machine, such as virtual security appliances delivered as software instead of as physical boxes, he said. Quick deployment of virtualized applications and databases to support business partnerships will also have to be enabled, though “security becomes very difficult in this environment.”
Cloud computing and virtualization “break one of the foundational principles of security architecture: Us and them,” MacDonald said.
Known technologies such as signature-based antivirus are now insufficient and increasingly useless, and, he added, way overpriced. Antivirus must be buttressed with whitelisting to control which applications can run, and the newer software-based virtual security appliances have to be evaluated for use in a virtual-machine environment.
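To make the whitelisting point concrete, here is an added example (not code from the article, from Gartner or from any vendor named on the page) that runs the same set of constructed sample binaries through both models: a signature blocklist, which is default-allow, and a hash allowlist, which is default-deny. The "executables", the signature and the allowlist entries are all constructed byte strings and hashes, not real files or real malware.

```python
"""Signature blocklist versus hash allowlist for executable control.

Added example, not code from the article or from Gartner. It shows why a
signature-based blocklist decides "allow" for any binary it has no signature
for, whereas an allowlist of approved executable hashes denies everything it
has not explicitly seen. All binaries and signatures below are constructed
byte strings, not real files or real malware.
"""
import hashlib

# Constructed stand-ins for executables found on an endpoint.
APPROVED_EDITOR = b"MZ\x90\x00editor 1.2\x00" + b"\x00" * 32
APPROVED_BROWSER = b"MZ\x90\x00browser 9.0\x00" + b"\x00" * 32
KNOWN_MALWARE = b"MZ\x90\x00EVIL_DOWNLOADER\x00" + b"\x00" * 32
NOVEL_MALWARE = b"MZ\x90\x00" + b"\x55\xaa" * 24     # no signature exists for it yet
TAMPERED_EDITOR = APPROVED_EDITOR[:-1] + b"\x01"     # approved binary with one byte patched

# Blocklist: one byte pattern per known threat, the classic AV-signature model.
SIGNATURES = {"Downloader.Gen": b"EVIL_DOWNLOADER"}


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Allowlist: hashes of the exact binaries change control has approved.
ALLOWLIST = {sha256(APPROVED_EDITOR), sha256(APPROVED_BROWSER)}


def blocklist_decision(data: bytes) -> str:
    """Default-allow: execution proceeds unless a known signature matches."""
    for name, pattern in SIGNATURES.items():
        if pattern in data:
            return "block:" + name
    return "allow"


def allowlist_decision(data: bytes) -> str:
    """Default-deny: execution proceeds only if the file hash is approved."""
    return "allow" if sha256(data) in ALLOWLIST else "block:unapproved"


def evaluate(samples: dict) -> dict:
    """Run both controls over each sample; returns {name: (blocklist, allowlist)}."""
    return {n: (blocklist_decision(d), allowlist_decision(d)) for n, d in samples.items()}


SAMPLES = {
    "approved_editor": APPROVED_EDITOR,
    "approved_browser": APPROVED_BROWSER,
    "known_malware": KNOWN_MALWARE,
    "novel_malware": NOVEL_MALWARE,
    "tampered_editor": TAMPERED_EDITOR,
}

if __name__ == "__main__":
    for name, (bl, al) in evaluate(SAMPLES).items():
        print(f"{name:17} blocklist={bl:21} allowlist={al}")
```

Two rows carry the lesson. The novel sample passes the blocklist and is stopped only by the allowlist; the tampered editor shows the cost of the allowlist, since every legitimate patch changes the hash and must be re-approved before it will run, which is the operational work a whitelisting rollout has to budget for.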
As for the physical security appliances on the market today, MacDonald said “these boxes are expensive,” and he disparaged Cisco, Juniper and TippingPoint as “not having much going on now because they like to sell boxes.”
When it comes to cloud computing services, the security professional is being pressured to “get out of the way” and figure out something that's “secure enough,” said MacDonald, though the impulse will be to say no to the cloud.
Though the public cloud “makes sense for less-sensitive data,” there are limits, such as “PCI stuff, no way,” MacDonald said, referring to the data falling under the Payment Card Industry security requirements.
But there are going to be “trade-offs” as new cloud service offerings emerge, and the stance the security professional should take is to explain the risks clearly to the business owners of the data and make sure they accept those risks rather than pushing them back onto the security and IT department.
“They get all the accolades and you take all the risk, who wants that job?” he pointed out.
Speaking on a panel at the Gartner conference, a number of CIOs acknowledged their prime concerns are about security in cloud computing.
June Hartley, CIO at the National Business Center of the U.S. Department of the Interior, said the security requirements of FISMA, the Federal Information Security Management Act that the U.S. government uses for security compliance, will likely be changed to fit the new world of private and public cloud computing.
Casey Coleman, CIO at the General Services Administration and co-chair of what's known as the Federal Cloud Council, agreed, and both indicated there was no apparent barrier to that.
Sometimes there are some unexpected risks.
Sal Allavarpu, senior director of product marketing at Citrix Systems, a virtualization vendor that has released virtual-appliance versions of its Access Gateway, Branch Repeater and NetScaler products for security, networking and application control, says there are new security issues that arise in virtualization and cloud computing.
For one thing, it is not advisable to run applications with different levels of trust controls on virtual machines located on the same physical server, he says. “It's best to keep them separate, virtual machines with the same trust controls on the same physical server,” he said, noting that auditors prefer this.
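The separation Allavarpu describes is a placement constraint, and it is worth seeing how it interacts with capacity. The following is an added example, not Citrix code and not from the article: it places VMs onto physical hosts so that no host ever carries two trust levels, and audits an existing layout for violations. Host names, capacities, VM names and the trust labels (“pci”, “dmz”, “internal”) are constructed sample data.

```python
"""Trust-level placement for VMs sharing physical hosts.

Added example, not Citrix code or anything from the article: it implements
the separation Allavarpu describes, i.e. no physical server hosts VMs of
differing trust levels, as a placement routine plus an audit of an existing
layout. Hosts, VMs, capacities and trust labels below are constructed data.
"""
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass
class VM:
    name: str
    trust: str      # trust zone label, e.g. "pci", "dmz", "internal"
    vcpus: int


@dataclass
class Host:
    name: str
    capacity: int                       # vCPUs the host can carry
    vms: list[VM] = field(default_factory=list)

    def trust(self) -> str | None:
        """Trust level the host is committed to; None while it is empty."""
        return self.vms[0].trust if self.vms else None

    def used(self) -> int:
        return sum(v.vcpus for v in self.vms)


def audit(hosts: list[Host]) -> list[str]:
    """Report every host that mixes trust levels; an empty list means compliant."""
    findings = []
    for h in hosts:
        levels = sorted({v.trust for v in h.vms})
        if len(levels) > 1:
            findings.append(f"{h.name}: mixes {levels}")
    return findings


def place(vms: list[VM], hosts: list[Host]) -> dict[str, list[str]]:
    """First-fit placement, largest VM first, that only co-locates equal trust.

    A host is eligible for a VM if it is still empty or already carries the
    VM's trust level, and has spare capacity. Raising when nothing qualifies
    is deliberate: silently packing across trust levels is exactly what the
    control exists to prevent.
    """
    for vm in sorted(vms, key=lambda v: v.vcpus, reverse=True):
        for h in hosts:
            if h.trust() in (None, vm.trust) and h.used() + vm.vcpus <= h.capacity:
                h.vms.append(vm)
                break
        else:
            raise RuntimeError(f"no trust-compatible host with room for {vm.name}")
    return {h.name: [v.name for v in h.vms] for h in hosts}


# Constructed sample estate: three identical hosts, five VMs in three zones.
def example_hosts() -> list[Host]:
    return [Host("esx-1", 8), Host("esx-2", 8), Host("esx-3", 8)]


def example_vms() -> list[VM]:
    return [VM("pci-db", "pci", 4), VM("pci-app", "pci", 2),
            VM("web-1", "dmz", 4), VM("web-2", "dmz", 4),
            VM("intranet", "internal", 2)]


def example_bad_placement() -> list[Host]:
    """A layout packed purely for density: pci and internal share esx-9."""
    return [Host("esx-9", 8, [VM("pci-db", "pci", 4), VM("intranet", "internal", 2)]),
            Host("esx-10", 8, [VM("web-1", "dmz", 4), VM("web-2", "dmz", 4)])]


if __name__ == "__main__":
    hosts = example_hosts()
    print("placement:", place(example_vms(), hosts))
    print("audit of placement:", audit(hosts))
    print("audit of dense layout:", audit(example_bad_placement()))
```

Run it and the cost of the control is visible: `intranet` lands alone on `esx-3` with six vCPUs stranded, because neither of the other hosts may take it. That stranded capacity is what an auditor-friendly layout buys, and it is the number to put in front of the business owner when the density argument comes up. In production the same rule is usually enforced with the hypervisor's own placement or affinity rules rather than a script; the logic is the same.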
Without sharing detail, he said he knows of a recent occurrence in a cloud-computing arrangement where law enforcement, going after someone, seized the data for the entire physical server even though the suspect had data on just one virtual machine on that server. This caused a lot of consternation among other companies whose data happened to be on that same physical server in separate virtual machines. He noted that virtualization and cloud computing are new to law enforcement in some instances and this kind of issue is still being hammered out.