IT pros divided about security of virtualization, cloud computing

Survey reveals one-third of enterprise security managers believe the technologies make security 'harder,' while one-third say it was 'easier'

Is moving to virtualization and cloud computing making network security easier or harder? When some 2,100 top IT and security managers in 27 countries were asked, the response revealed a profound lack of consensus, showing how divided attitudes are within the enterprise.

The "2010 State of Enterprise Security Survey -- Global Data" report shows that about one-third believe virtualization and cloud computing make security "harder," while one-third said it was "more or less the same," and the remainder said it was "easier." The telephone survey was done by Applied Research last month on behalf of Symantec, and it covered 120 questions about technology use -- organizations remain overwhelmingly Microsoft Windows-based -- and cyber attacks on organizations.



To explain such different perceptions about the security impact of virtualization and cloud computing, Matthew Steele, Symantec director of strategic technology, said the best way to understand these answers is to know that "if they had a real security background, they immediately got concerned. But if they care for IT operations, they were thinking about it from an IT optimization standpoint." And the middle-of-the-road responses -- it's all "more or less the same" -- tended to originate from those with budget responsibilities. "If the business is still moving, things are OK," Steele remarked.

Although endpoint virtualization is widely believed to trail server-based virtualization, 8 percent of the survey's respondents said they had implemented the former, 16 percent were in the course of implementing it, 9 percent were in a "trial stage," 26 percent had plans for it and 25 percent were in "early discussion," whereas 16 percent weren't considering it.

And on the question of whether endpoint virtualization makes it "easier or harder to do your job with regards to network security," the opinion was divided, with about a third each way thinking it's "easier," "harder" or about the same.

The survey showed that the median annual budget for enterprise security in 2010 is $600,000, an 11 percent increase over 2009, with yet another 11 percent increase anticipated in 2011. But despite incremental budget growth, the survey's respondents -- who hail from banking, healthcare, telecommunications and other sectors as well as local and federal government agencies -- often indicated they had a hard time finding and retaining security personnel.

Organizations on average assigned 120 staffers to IT and compliance matters, with larger enterprises of 5,000 or more assigning 232. But much of the time this was seen as insufficient, with 51 percent of respondents saying finding qualified applicants was a "huge" or "big" problem.

Difficulty in finding the right expertise was a driver in all manner of outsourcing, including use of managed security services, which about half the organizations used. But only about half were truly "satisfied" with outsourcing arrangements, even as they contemplated expansion into software-as-a-service, platform-as-a-service, and infrastructure-as-a-service, which Symantec defined as everything from use of Google Apps to full-blown hardware and operating system rental on demand, making up today's evolving concept of "cloud computing."

In fact, 40 percent of the respondents indicated their organizations were currently using applications in the cloud in some way -- yet 40 percent said it would be more difficult to prevent or react to data loss under their firm's cloud-computing strategy.

And when asked "Does your cloud-computing strategy make the risk of losing data bigger or smaller?" 38 percent said it would be higher, with the remainder pretty much split saying it would be the same or lower. The answers broke the same way on the question of virtualization strategy.

When it comes to cyber attacks and data loss, the situation looks bleak based on the responses in the report.

Three quarters of respondents said their organization had experienced cyber attacks in the past 12 months, with 36 percent calling them "somewhat/highly effective." The annual cost of a cyber attack was pegged at more than $2 million for large enterprises when tallying up lost productivity, theft of intellectual property, loss of customers, legal fees and more.

"Every day we see new viruses, new spyware, new backdoors. It is beyond crazy," one IT director is quoted as saying. The survey showed the most frequent types of attacks were malware implantation, social-engineering ploys and denial-of-service (DoS) attacks.

On average, Web properties were targeted twice last year with the implanting of malware, and also suffered one significant DoS attack and one theft of information.

Data losses were attributed to numerous sources, including outsiders (20 percent) and accidental insider actions (15 percent).

Healthcare providers specifically reported 58 percent of data loss was accidental exposure of patient information, 22 percent was theft, with identity theft and even malware attacks on medical equipment a problem as well.

Patching is regarded by 87 percent of the respondents as one of the most effective measures to ward off cyber attacks, with about three quarters also putting trust in perimeter security and authentication processes, along with antimalware controls.

According to the survey, a surprising 20 percent of Windows-based PCs in use by employees were selected, purchased and owned by the employee, along with 12 percent of their laptops and 6 percent of smartphones. But 52 percent of the survey's IT and security pros viewed that as something that could compromise security.

With Windows 7 just released, one survey question on that topic indicated that 19 percent had "no plans" to use Windows 7, but 9 percent already had, and the rest were discussing or had plans for it. In all, 72 percent of the survey's respondents think Windows 7 offers improved security over previous Windows versions.

Finally, in something of a blow to Symantec and other security vendors, the survey asked telecom companies who they considered their main security vendor and found about two-thirds said "network equipment providers" and only a third said "security companies."


This story, "IT pros divided about security of virtualization, cloud computing" was originally published by Network World.