Next week, the IT industry will gather in San Francisco to discuss all things cloud and virtualization at VMworld. The discussion will center on “software-defined data centers,” which will quickly morph to “software-defined security” in my world (Writer’s note: In my humble opinion, this is a meaningless marketing term and I don’t understand why an industry that should be focused on digital safety acts like it’s selling snake oil). So we are likely to hear about the latest virtual security widgets, VMware NSX and OpenStack integration, virtual security orchestration, etc.
This will make for fun and visionary discussions but there’s one critical problem: While almost every enterprise has embraced server virtualization and many are playing with cloud platforms, lots of organizations continue to eschew or minimize the use of virtual security technologies – even though they’ve had years of experience with VMware, Hyper-V, KVM, Xen, etc. According to ESG research, 25% of enterprises use virtual security technologies extensively, while 49% use virtual security technologies somewhat, and the remaining 25% endure on the sidelines (Source: ESG Research Report, Network Security Trends in the Era of Cloud and Mobile Computing, August 2014).
This is not a new situation – ESG cloud/virtualization guru Mark Bowker and I uncovered this very behavior with some research we did back in 2010. That data indicated that everyone loved server virtualization for its ability to consolidate workloads, but as soon as the virtual server infrastructure grew more complex and needed advanced security, network, or storage support, many organizations hit the brakes (Source: ESG Research Report, The Evolution of Server Virtualization, November 2010). Things have advanced somewhat, but a large part of the market remains reluctant to move from tried-and-true physical security controls to the virtual unknown.
Recently, ESG research dug into this issue further, asking security professionals why their organizations aren’t using virtual security appliances/technologies more extensively (Source: ESG Research Report, Network Security Trends in the Era of Cloud and Mobile Computing, August 2014). Here are the top 5 responses:
- 37% of security professionals said that IT/compliance auditors are uncomfortable with virtual security appliances/technologies.
- 34% of security professionals said that they prefer to use existing security controls/technologies, even if this is not the most efficient method for virtual security.
- 32% of security professionals said that they lack trust in virtual security appliances/technologies.
- 32% of security professionals said that virtual security appliances/technologies require additional management which is too much of a burden for the IT operations staff.
- 28% of security professionals said that they had a lack of knowledge/understanding about virtual security appliances/technologies.
To be clear, I don’t think this situation is sustainable. At some point, the security requirements for server virtualization/cloud computing simply can’t be addressed by status quo physical security technologies and best practices. This may be true, but it seems like many security professionals are ignoring this inevitable transition.
Rather than focus on whiz-bang functionality and banal “software-defined security” labels, the server virtualization, cloud computing, and security industries face a much more fundamental task – educating security professionals on virtual technologies, convincing them that virtual controls work, and providing them with a clear and concise migration/integration plan. I doubt this will happen at VMworld, but it really needs to happen soon.