The technology industry is about to come together next week for VMworld in San Francisco. In the span of a few short years, this show has become a real showcase of the latest and greatest IT technology and industry vision. At VMware, every company wants its IT department to look like Amazon, Google, or Zynga, running applications on fully-automated and orchestrated cloud computing platforms, and easily managing thousands of servers and petabytes of data across multiple data centers.
Maybe we’ll get there someday – maybe. For now however, many companies can’t get beyond basic use of these technologies. Why? There are lots of reasons but information security issues remain at the top of the list.
In a recent survey of 315 security professionals working at enterprise (i.e., more than 1,000 employees) organizations, 69% of the enterprises said that cloud computing made security management and operations “much more difficult” or “somewhat more difficult” at their organization. Just over half (51%) of respondents said that server virtualization made security management and operations “much more difficult” or “somewhat more difficult” at their organization.
So the good news is that server virtualization doesn’t present as many security challenges as cloud computing. The bad news is that server virtualization continues to make security management and operations more difficult even though the technology has been around for several years.
There are lots of reasons why cloud computing and server virtualization stress out CISOs but ESG Research reveals one primary issue – there just aren’t enough IT professionals out there who are proficient with information security AND cloud computing/server virtualization technology. When ESG asked security professionals to identify areas where their organizations had a “problematic shortage” of skills, 43% pointed to cloud computing and server virtualization security. This was the #1 security skills deficit identified by a wide margin (the next most popular response was selected by 31% of the survey population).
I hate to be a party pooper but if the industry doesn’t address the growing information security gap in server virtualization and cloud computing, its blue-sky vision will never come to fruition. To its credit, VMware recognizes this problem so it will be making some significant announcements at VMworld aimed at bridging the cloud computing/server virtualization security gap. Other vendors should follow this lead as soon as possible.
The whole vision of dynamic IT and ubiquitous connectivity is awesome but security needs to be baked in at every layer of the technology stack. And given the general IT and profound information security skills shortage, new security technologies must be extremely intelligent and automated. Finally, new technologies are worthless if no one knows how to use them.
These lessons should be obvious but in its race to the new new thing, the technology industry downplayed them in the past. Now the security chickens are coming home to roost.