Security of Virtualization, Cloud Computing Divides IT and Security

Is moving to virtualization and cloud computing making network security easier or harder? When some 2,100 top IT and security managers in 27 countries were asked, the response revealed a profound lack of consensus, showing how divided attitudes are within the enterprise.

The "2010 State of Enterprise Security Survey - Global Data" report shows that about one-third believe virtualization and cloud computing make security "harder," while one-third said it was "more or less the same," and the remainder said it was "easier." The telephone survey was done by Applied Research last month on behalf of Symantec, and it covered 120 questions about technology use -- organizations remain overwhelmingly Microsoft Windows-based -- and cyberattacks on organizations.

To explain such different perceptions about the security impact of virtualization and cloud computing, Matthew Steele, Symantec director of strategic technology, said the best way to understand these answers is to know that "if they had a real security background, they immediately got concerned. But if they care for IT operations, they were thinking about it from an IT optimization standpoint." And the middle-of-the-road responses -- it's all "more or less the same" -- tended to originate from those with budget responsibilities. "If the business is still moving, things are OK," Steele remarked.

Although endpoint virtualization is widely believed to trail server-based virtualization, 8% of the survey's respondents said they had implemented the former, 16% were in the course of implementing it, 9% were in a "trial stage," 26% had plans for it and 25% were in "early discussion," whereas 16% weren't considering it.

And on the question of whether endpoint virtualization makes it "easier or harder to do your job with regards to network security," the opinion was divided, with about a third each way thinking it's "easier," "harder" or about the same.

The survey showed that the median annual budget for enterprise security in 2010 is $600,000, an 11% increase over 2009, with yet another 11% increase anticipated in 2011. But despite incremental budget growth, the survey's respondents -- who hail from banking, healthcare, telecommunications and other sectors as well as local and federal government agencies -- often indicated they had a hard time finding and retaining security personnel.

Organizations on average assigned 120 staffers to IT and compliance matters, with larger enterprises of 5,000 or more assigning 232. But much of the time this was seen as insufficient, with 51% of respondents saying finding qualified applicants was a "huge" or "big" problem.

Difficulty in finding the right expertise was a driver in all manner of outsourcing, including use of managed security services, which about half the organizations used. But only about half were truly "satisfied" with outsourcing arrangements, even as they contemplated expansion into software-as-a-service, platform-as-a-service, and infrastructure-as-a-service, which Symantec defined as everything from use of Google Apps to full-blown hardware and operating system rental on demand, making up today's evolving concept of "cloud computing."

In fact, 40% of the respondents indicated their organizations were currently using applications in the cloud in some way -- yet 40% said it would be more difficult to prevent or react to data loss under their firm's cloud-computing strategy.

And when asked "Does your cloud-computing strategy make the risk of losing data bigger or smaller?" 38% said it would be higher, with the remainder pretty much split saying it would be the same or lower. The answers broke the same way on the question of virtualization strategy.

When it comes to cyberattacks and data loss, the situation looks bleak based on the responses in the report.

Three quarters of respondents said their organization had experienced cyberattacks in the past 12 months, with 36% calling them "somewhat/highly effective." The annual cost of a cyberattack was pegged at more than $2 million for large enterprises when tallying up lost productivity, theft of intellectual property, loss of customers, legal fees and more.

"Every day we see new viruses, new spyware, new backdoors. It is beyond crazy," one IT director is quoted as saying. The survey showed the most frequent types of attacks were malware implantation, social-engineering ploys and denial-of-service (DoS) attacks.

On average, Web properties were targeted twice last year with the implanting of malware, and also suffered one significant DoS attack and one theft of information.

Data losses were attributed to numerous sources, including outsiders (20%) and accidental insider actions (15%).

Healthcare providers specifically reported 58% of data loss was accidental exposure of patient information, 22% was theft, with identity theft and even malware attacks on medical equipment a problem as well.

Patching is regarded by 87% of the respondents as one of the most effective measures to ward off cyberattacks, with about three quarters also putting trust in perimeter security and authentication processes, along with antimalware controls.

According to the survey, a surprising 20% of Windows-based PCs in use by employees were selected, purchased and owned by the employee, along with 12% of their laptops and 6% of smartphones. But 52% of the survey's IT and security pros viewed that as something that could compromise security.

With Windows 7 just released, one survey question on that topic indicated that 19% had "no plans" to use Windows 7, but 9% already had, and the rest were discussing or had plans for it. In all, 72% of the survey's respondents think Windows 7 offers improved security over previous Windows versions.

Finally, in something of a blow to Symantec and other security vendors, the survey asked telecom companies who they considered their main security vendor and found about two-thirds said "network equipment providers" and only a third said "security companies."

Read more about wide area network in Network World's Wide Area Network section.

Copyright © 2010 IDG Communications, Inc.