Virtualisation Security: The Need for a New Security Mindset

Virtualisation Security: The Need

for a New Security Mindset

A survey report exploring the impact that virtualisation and cloud computing are having

on IT security for UK businesses

Virtualisation has long been delivering benefits to organisations of all sizes; with on-demand capacity scaling and reduced hardware costs just some of the key benefits. However, the shift to virtualisation has created a whole new paradigm for IT security, with the movement of applications, processes and infrastructure creating added complexity.

Trend Micro has partnered with Vanson Bourne to undertake research to find out how UK enterprise organisations are addressing their virtualisation security needs and whether they’re struggling to manage this added complexity.

The research has found that the majority of UK businesses are failing to upgrade their security tools to manage virtualised environments and as such are struggling to keep their IT infrastructure secure. This is despite the fact that almost half of organisations believe that virtualised environments need more security as they introduce new risks. As a result, nine in 10 businesses are concerned that they will fall victim to security breaches.

This report explores these findings in more detail and asks whether a new security mindset is required to ensure that businesses are addressing their virtualisation security in the best way.

Security in the days of on-premises infrastructure was a pretty straightforward model. You created a fortress to secure the data within, using firewalls, antivirus, DMZs (demilitarised zones) and group policy.

Security was about defending that fortress. To that end, IT departments managed the hardware tightly, issuing solutions that they had sourced and set up.

From a compliance point of view, things were straightforward: all the data was on-premises and the fortress model meant that the IT department knew precisely how it was secured.

The shift to virtualisation, superseding physical on-premises infrastructure, has created a new paradigm for IT departments and requires a new way of thinking for the C-suite.

The fortress approach to security was no longer applicable: not only were people using their own devices, as software, services and even infrastructure moved out of the office and into the cloud, a whole new paradigm of security and compliance applied.

Latterly, enterprises have gone a step further, with individual business units making decisions about buying and using cloud services. In some cases, this move – dubbed technology autonomy, or shadow IT – is done in a haphazard way, without the input of the IT department and without strategic direction from the C-suite.

The move to virtualisation and the cloud is well under way, and in many cases, enterprises are not only outsourcing services and software, but also infrastructure.

Trend Micro, the global leader in cloud security, together with Vanson Bourne, has created a snapshot of where British companies are today on their journey to virtualisation and the cloud, focusing on security for virtualised and cloud environments. Quantitative research was conducted with 100 IT decision makers from UK enterprise organisations with more than 1000 employees.

There’s no doubt that the move to virtualisation is proving a challenge for IT managers. Although the survey found that 66% of organisations have updated their infrastructure within the past year, nearly three-quarters of those surveyed said that their infrastructures are more complex than they were five years ago.

The move to the cloud has also taken off over the past five or so years, and improvements in technology mean it’s easier to create additional servers via virtualisation. A small handful of businesses have moved everything into the cloud, while others have gone for a hybrid approach, taking some services into the cloud while retaining other services, infrastructure or their data in-house.

The benefits are clear: virtualised machines and cloud services mean that it’s easy to scale capacity quickly according to demand, and handing over responsibility for maintenance can create cost savings as in-house IT departments can be streamlined.

However, moving some applications, processes and infrastructure creates complexity. One issue is that virtual machines (VMs) can be in any number of locations. Additionally, businesses need assurance from their providers that access to the company’s assets – including data – is properly managed.

Turkish steel producer _{İÇDAŞ found all of these} challenges when it needed to update its main data centre in Istanbul. IT manager Nilgün Aksoy says: “Our IT department was having a hard time responding to new server and resource requests from other departments. New server procurements, upgrade requirements of our former servers, infrastructure requirements, business sustainability requirements, and the various needs of management personnel were increasing with each day.

Most respondents (96%) to the survey agreed that they were struggling to secure their more complex infrastructures, with 93% saying that virtualisation has contributed to that complexity.

The struggle to secure complex virtualised

IT infrastructures

“It was necessary to establish access

control, virus prevention and cyber-attack

protection against internal attacks to our

virtual servers, but security solutions

were interfering with accessibility, server

performance, and manageability.”

Nilgün Aksoy,

Figure 1: Is your IT infrastructure more complex than it was five years ago?

Updating becomes much more of a challenge in the virtualised environment, too: not only do you have to provide a seamless service to your users so that they won’t notice any downtime as updates are applied, you also have to manage a number of virtual machines in a range of different states – on, off, dormant.

This issue is reflected in the survey responses: 72% said they had issues with keeping applications patched in a virtual environment, with 34% admitting that they often can’t patch applications in a timely fashion.

Figure 2: Do you find it difficult to keep applications and operating systems patched?

The role of security in virtual environments

The move to a virtualised environment means that security has to become part of the strategy discussed in the C-suite: it can no longer simply be an arcane conversation between geeks in a back office.

It’s clear that British businesses recognise the importance of factoring security into their virtualisation roadmap: 95 per cent said that security is an integral part of moving to a virtualised environment. However, some have made a rod for their own back, with the majority of organisations not acting on this belief; 59 per cent admit to not consulting security teams throughout virtualisation deployments and 8% saying the security team wasn’t consulted at all during the transition to the virtualised environment.

72%

13%

15%

Yes No

About the same

72%

13%

15%

Yes No

About the same

34%

38%

28%

Yes, I frequently cannot patch systems on time Sometimes, when there are significant numbers of patches released

Figure 3: Was the security team consulted during the move to a virtualised environment?

One of the challenges of managing the move to a virtualised environment is to engage everyone who needs to be on board. The survey found that there is a sharp difference in the approach to security between the managers of data centres and information security managers.

That’s because the two groups have different priorities: the data centre manager is focused on getting services up and keeping them up, and making sure that they are accessible and useable as fast as possible. A primary concern of the data centre manager is uptime, and for that role, security can be a hindrance.

For the information security manager, the prime concern is the safety of the data; uptime is less of a concern. That split is clearly highlighted in the survey responses, with 56% of security managers agreeing that security is integral in the plan to move to a virtualised environment, compared to just 40% of data centre managers who agreed with that comment.

Figure 4: In your opinion, is security an integral part of the plan in moving to a virtualised infrastructure by ITDM type, yes answers.

The need to understand that different security models are required in a virtualised environment is a concern. The differences between the in-house “tin box” set-up, where security is managed within a fortress, and the virtualised environment mean that the challenges are different. However, the survey reveals that many organisations (34%) haven’t updated their security models.

41%

29%

18%

4%

8%

Yes – throughout the transition Yes – at the consulting stage Yes – but not frequently enough No I don’t know 0 10 20 30 40 50 60 Information security responsibility Data centre responsibility

56%

40%

The survey found that there is a sharp

difference in the approach to security

between the managers of data centres

and information security managers.

Many organisations (85%) are still using the same tools for their virtualised environments, such as antivirus and firewalls, as they did for their in-house physical machine set-ups. Only just over half (52%) of the survey respondents that had experienced a data breach, said they had discovered their breaches as a result of security monitoring.

Figure 5: How was the breach discovered? Asked to those that had experienced a breach.

Siemens Enterprise Communications, which offers enterprise communication services and solutions, found itself using old tools – virus and malware protection, and often from different vendors – on UC application servers that were personalised to each customer. The disadvantages were clear, says Frank Semmler, head of solution management security.

Virtualisation technology offers new ways to manage security: rather than having to deploy software applications across each VM, which in turn might not be integrated into the overall infrastructure. With Trend MicroTM _{Deep Security you can manage patching and} updates centrally, creating high levels of security with very little impact on the individual VMs.

The threat of security breaches

The survey shows very clearly that there is a split between the public sector and private-sector enterprises in how they manage security threats in a virtualised environment. Most private-sector businesses say they review their security arrangements every three months, but for those in the public sector, it’s every four months. And despite the best intentions, security breaches do happen: 24% of respondents said they had had at least one breach in the past two years, with a further 26% reporting a breach within the past five years.

In any business, whether it has moved into the cloud or retains its IT on-premises, the infrastructure and the data it holds is potentially always at risk. Users can abuse their privileges and if the virtual infrastructure isn’t properly secured, with users isolated and only able to get at what they need, data can too easily be compromised.

Indeed, nearly a third of respondents (27%) who had suffered a breach said that was due to deliberate misuse of the system by an employee, while configuration errors by an admin accounted for 23% of breaches.

52%

20%

18%

9%

2%

Routine internal security monitoring Alerted by systems outage

Reported by a third party Discovered by accident Other (please specify)

“Our goal … was to provide a high standard of security at a reasonable cost, but we clearly

weren’t going to achieve that with the approach we had. Moving to a standardised solution

by deploying Trend Micro Deep Security solved the problem, allowing Siemens to offer a

high level of protection to customers with a reduced impact.”

Frank Semmler, Head of Solution Management Security, Siemens

More than nine in 10 businesses remain concerned that they will fall victim to future security breaches.

Figure 6: How concerned are you that your organisation will be the victim of a breach in the future?

Virtualisation in the cloud

Since the move to the cloud began some six or seven years ago, businesses have embraced the opportunities, with over two in five (44%) of organisations with a virtualised environment either using or planning to use an Infrastructure-as-a-Service provider, with the majority (61 per cent) of organisations purchasing security as part of the service.

Though half address the security of these services by deploying the same controls as used in their data centre. Almost four in ten (39%) of those using IaaS believe that its use has made managing IT security more complex. Organisations in the private sector are far more likely to have used a solution such as Amazon Web Services than the public sector: 40% of private-sector respondents had chosen such a service, compared to just 24% in the public sector.

41%

26%

17%

4%

12%

1 - Not at all concerned

2 3 4

5 - Very concerned

0 10 20 30 40 50 60 70 80

Purchased security as part of the service from the provider Deployed the same security controls as used in our data centre Other (please specify) We did not address security specifically

61%

50%

6%

0%

Compliance is a high priority for organisations dealing with sensitive data, such as healthcare providers. In some cases, a private cloud is the best choice, as was the case for Globality Health when it moved to a virtualised environment.

“We installed our own company cloud in Luxembourg, where the strictest data protection laws are in place. This is an essential element when dealing with information as personal and highly sensitive as medical records,” explains CIO Patrick Klass.

For those preferring a third-party cloud provider, most respondents (61%) also purchased security as part of their package, although the awareness of the need for security and the understanding that old models are not appropriate was much higher among those with responsibility for data security.

Data-centre managers, by contrast, were less alert: just 56% said they bought security as a service from their cloud provider, and 61% said they used the same security controls as they had in their on-premises set-up.

“Moving to a virtualised environment

is a paradigm shift. Issues relating to

data security and data privacy continue

to dominate the mindset of corporate

Britain as it transitions to the cloud. Cloud

providers need to be clearer upfront with

their customers at communicating the

approach to security they provide and what

options are available without compromising

security in the process.”

According to Michael Darlington, technical director at Trend Micro: “Virtualisation security is still being viewed as an afterthought as businesses ‘make do’ with the same security policies, process and tools they would use in a physical environment. This approach is leaving organisations open to the risk of cyber-attack as they fail to realise that a new security mindset is required.

“In a dynamic virtual network, security should be built in from the outset instead of being treated as a bolt-on. IT transformation is at its most impactful when security and virtualisation experts work together to create a solution that reduces cost and improves productivity whilst managing risk.”

Although take-up of virtualisation and cloud services is high, there are concerns about how security is implemented. Data-centre managers need to become more aware of both the need for different security models and what those new models are.

FiVe proVen besT pracTices To ensure your VirTualisaTion enVironmenT is secure:

1

Both the information security and data-centre management teams must be involved in any virtualisation project, with the aim of making sure that both teams are working towards the common goal of a high-performing and secure virtual environment.

2

Use the right security tools from the start: don’t be tempted to rely on your existing security technology, which was _{not designed for the virtual environment. Relying on the old tools will leave your business vulnerable to breaches.}

3

Don’t rely on luck to detect a security breach: just under half of the respondents in the survey said they had discovered their breaches accidentally rather than as a result of monitoring. Deploying intrusion protection and prevention and integrity monitoring will help secure your data.

4

Have one security model and deploy it across the whole of your infrastructure: physical, virtual and cloud. One security _{model can be managed from one console, making the task easier and the security tighter.}

5

Make sure security follows the workload. In a physical infrastructure, machines don’t move, but in a virtual one, they do. When machines move around the virtual environment or cross the border from on-premises into the cloud,

security controls must move with those machines.

“Virtualisation continues to be adopted at

a rapid pace and it seems that IT teams are

struggling to keep up with the demands of

the business, as IT infrastructure becomes

more complex. However, it is important to

note that virtualised environments can be

as secure if not more secure than physical

environments. By adopting a new mind-set

and recognising the security posture needs

to change in line with IT environments,

businesses will be well placed to realise

the benefits of virtualisation without

compromising on security.”

James Edwards, Product Manager, VMware

In a sense, virtualisation has become its own worst enemy because of the inherent security risks associated with easily creating new virtualised servers. What’s clear is that virtualised environments present organisations with new security risks and demand a new security mindset to tackle these accordingly. Only by taking this approach will organisations ensure that their move to virtualisation is fully secure and not compromising their entire IT environment.

research meThodology

Trend Micro commissioned Vanson Bourne to survey 100 UK enterprise organisations with an excess of 1,000 employees. Participating companies were spread across sectors and size bands, with 75 private and 25 public sector organisations included. Half of the IT decision makers included are responsible for security, while the other half is responsible for the data centre. The survey was conducted in May 2013.

abouT Trend micro

Trend Micro Incorporated, a global leader in security software, strives to make the world safe for exchanging digital information. Our solutions for consumers, businesses and governments provide layered content security to protect information on mobile devices, endpoints, gateways, servers and the cloud. Trend Micro enables the smart protection of information, with innovative security technology that is simple to deploy and manage, and fits an evolving ecosystem. Leveraging these solutions, organizations can protect their end users, their evolving data center and cloud resources, and their information threatened by sophisticated targeted attacks. All of our solutions are powered by cloud-based global threat intelligence, the Trend Micro™ Smart Protection Network™, and are supported by over 1,200 threat experts around the globe. For more information, visit www.trendmicro.com.

abouT The cusTomers included siemens enTerprise communicaTions

Siemens Enterprise Communications, is a global integrated communications provider that synchronizes, deploys, and manages technologies such as voice, video, collaboration, mobility, contact centre, and network infrastructure. We weave these communication technologies directly into the way businesses operate. The result is a transformation of how the enterprise communicates and collaborates – that amplifies collective effort, energizes the business, and dramatically improves business performance.

Born out of the engineering DNA of Siemens, we have built on this heritage of product reliability, innovation, open standards, and security to provide integrated communications solutions for over 75% of the Global 500. Siemens Enterprise Communications is a joint venture of the Gores Group and Siemens AG.

globaliTy healTh

Globality Health is the international health insurer with a special focus on expatriates. People who study, live or work abroad are assured that their health is always in good hands, no matter where they are. With more than 80 years of experience in health insurance, Globality Health provides their customers the convincing competence of an international network of assistance and service partners. As an integral part of Munich Health, with more than 5,000 experts at 26 locations, Globality Health offers innovative healthcare solutions for clients and partners all over the world. As a member of the Munich Re, Globality Health gives customers the strength and security of one of the world’s leading insurers and reinsurers.

İÇDAŞ

Since 1970, İÇDAŞ has been producing steel bars and high-alloy steels and has grown to be the biggest private sector steel producer in Turkey based on production capacity. Besides the iron and steel production, İÇDAŞ also operates in the fields of ship building, port operations, piloting and towing, land and marine transportation, shipping, brokerage, insurance, international trade, tourism, construction and power generation. Exporting most of its production to foreign countries, İÇDAŞ has assumed an important role in Turkey’s integration with the modern world, with its advanced technology and reputation for superior quality.