Cloud and Virtualization Security: An Afterthought

The October conference schedule is now complete. It was a tough one, but very rewarding. The events in October were numerous and in some cases overlapping, and travel was one week here and the next week there, yet we managed to get through it. Of the mass of conferences, I attended IPexpo as a guest and The ExecEvent and Hacker Halted as a speaker. I discovered something very strange: virtualization and cloud security are merely afterthoughts. I felt this should have changed by now, but alas, this is not the case. Is it that our scope is incorrect, or is it that there is no return on investment for security tools, procedures, and so on?
The security vendors have an uphill battle to gain any traction, and that could be the issue. At The ExecEvent we had a wonderful presentation about selling to CIOs, and while the model was interesting, security services did not fall comfortably into any of its categories. In essence, the CIO will spend money on two basic categories of systems:

  • Those that are hot-buttons for the CIO
  • Those that reduce the cost of ongoing maintenance of an existing environment

Spending on the first category exceeds spending on the second many times over. However, security is neither a hot-button nor really ongoing maintenance, and it may not actually reduce cost. So CIOs spend more on the bare necessities of security, such as maintaining regulatory compliance, than on new security endeavors, which makes this an uphill battle for security vendors. The only time security becomes a hot-button for a CIO is after a security breach, and then spending goes through the roof; but even then I am not sure the spending lands in the correct areas or on the correct time frame. In general, it is a knee-jerk reaction to the threat, not a comprehensive review of the entire environment with persistent threats, advanced or not, in mind.
Given that no one tool will provide 100% security, purchasing a single tool will not solve your security problems; it will close one gap while perhaps ignoring others. For a review of virtualization and hybrid cloud environments, see The Virtualization Practice's End-to-End Virtualization Security whitepaper, which outlines where many of the virtualization and security vendors fit into the overall hybrid cloud environment. But it is about more than that; it is also about education.
At The ExecEvent I spoke at a high level on virtualization and hybrid cloud security, mostly to storage vendors, about the need to extend product security focus from the product itself to how the product will be used. CIOs and security administrators are struggling with how to secure environments made up of a myriad of subsystems, each of which can have its own weaknesses; when you combine them, even more weaknesses appear. One example is data-at-rest encryption. This is a VERY useful tool for reducing the risk if hardware is stolen, but in a virtual and cloud environment data is never at rest: it is always visible on the wire, within the hypervisor, within the management environments, and within the virtual machines. So while data-at-rest encryption solves one problem, it does not necessarily solve them all.
What was eye-opening for me is that the attendees (CxOs, VPs, etc.) from major and up-and-coming storage companies did not seem to know about the risks to their own products when used in the environments they are targeted at. This lack of understanding affects the vendor's risk, but it also affects the purchaser's risk.
The other conferences I attended, IPExpo and Hacker Halted, also showed me that product security, and where each product falls within the security of a virtual or hybrid cloud environment, is unknown to the vendors (granted, Hacker Halted had some sharp vendors there, yet they are still trying to get their tools into the physical environment, so many are ignoring the virtual environment). Some vendors need to pull in more technical folks to talk about the security of their own products, or even about how they would help to secure the virtual and hybrid cloud environment.
Virtualization and hybrid cloud security companies are way ahead of their customers when it comes to security products, and they are thinking about problems that customers have yet to realize they face. There is still a lot of ‘it cannot happen to us’ going on when a breach is announced. Is this because of a lack of knowledge? Education? Or are people putting their heads in the sand?
It could be a combination of all three, or perhaps the right people are not involved in the conversation from the beginning and as such cannot help to educate anyone about the risks to an environment. For example, do most people even realize that there is an attack suite that targets all virtual environments with a list of 30+ well-known attacks? Do we still use bastions and assume they could never be broken? Do people really understand how social engineering works?
If more CxOs attended the events that I attend regularly (TakeDownCon, HackerHalted, InfoSec, etc.), they would see that no environment is 100% secure; the most we can do is minimize our short- and long-term risks by continually educating, monitoring, auditing, and testing our virtual and hybrid cloud environments. We should also not limit our scope to just the virtual but include the physical interconnects of our environments. Changing our scope will change our risk assessments to include all systems.
Virtualization and hybrid cloud security should be a hot-button for any CIO. The return on investment for virtual and hybrid cloud security is the protection of the data. Have you put a price on your data yet?

Low Hanging Fruit of Virtual and Cloud Security
The simplest security measure is also the easiest and cheapest to implement: form a cross-functional team to review your security, drawn from the following groups: Network, Storage, Virtualization, Security, Compliance, Application, Legal, and Business Owners. This team should review all procedures, policies, documentation, and so on, to assess current and future risk.