Enterprise IT Virtualization Makes Security a Harsh Reality

Posted on May 15, 2014 by David Wallace

Enterprise IT virtualization is a multi-syllable way of saying "software in the cloud," and companies are finding that its benefits are real—but so are its challenges. The same selling points that attract users—budget savings, the convenience of working from anywhere, and the elimination of software service updates and incompatibilities—also create headaches for IT help desks and CIOs. The difficulties often get less attention than the convenience of working remotely, which makes it harder to manage and secure the roaming workforce.

The result is a kind of chicken-and-egg conundrum: Do you run a massive security cleanup BEFORE shifting to enterprise-wide IT? Or wait until the rollout to look for leaks and vulnerabilities? The answer is a bit of both: You need to see where current enterprise IT functions are working virtually and include them in a plan. Then, as new needs mature, you can match the concerns with the right enforcement policies, security measures, and tactics.

Plenty of do-it-yourselfers have taken their own virtualization into the cloud with Box, Dropbox, Zoho, Office365, Google Apps, Salesforce, or countless other apps that host both software and data. Collaboration, real-time analytics, and other tools are dictating enterprise IT, rather than the other way around.

One estimate says the average ownership cost of a small business computer is more than $3,000 per year, including hardware and software purchase, support, and power consumption.

But how do you catch up with the dizzying number of applications and authorized users while still protecting the "crown jewels" of your organization's data and giving people the flexibility to work from anywhere, at any time, on any device? Instead of traditional place-based network security, the model has to be access control, authentication of users, and a dose of vigilance. Network security used to mean "set it and forget it" until alarms went off. Not anymore.

Security, especially for apps and cloud data, needs to be a first priority—not an afterthought. That's doubly important for finance and regulated industries like insurance and health care, where every interaction has to pass compliance requirements or state and federal privacy rules.

A lot also depends on whether the company is a start-from-scratch venture with the newest technology and systems or if it's been assembled over time from parts. Acquisitions, mergers, and buyouts lead to a headache of integrating software and habits for the company's current and future needs. The same is true for security: What protected you last week may not stop next week's threats.

Employees may be able to work from anywhere, but laws on data retention or security standards are often place-based and specific to your country, state, or county, which adds to the complexity of the security issue. Especially in finance, medical record keeping, law, or accounting, compliance audits alone can require major time commitment and expense for enterprise IT managers. Those issues and remote-work encryption were on the agenda at the 2014 RSA Conference in San Francisco.

Instead of looking at security as a cost, think of it as a feature that should appeal to savvy customers and as an investment in your own future. Server capacity and networking configuration doesn't limit growth the way that infrastructure used to determine a company's functionality may do so. Cloud-based IT virtualization lets a service provider balance high-demand functions like desktop publishing or computer-assisted design with more basic applications.

That kind of quick on/off functionality helps you sleep at night: If an employee leaves the company, an IT manager just removes the person's login to end access to any company information or software. Password protection, identity management (network-wide security that requires individual user permission to access information), and more difficulty for outsiders attempting a malicious attack are a few ways that virtualization makes your systems safer.

One estimate from IT analyst Gartner, Inc. predicted 25 percent of businesses would go virtual by 2015. And although virtualization is getting easier and cheaper, it comes with a different set of concerns. The days of plug-and-play are nearly done, though, so now it's all about cordless connections.

Contributors

David Wallace

, RSA

cloud security mobile security virtualization, containerization & segmentation

View More Blogs

Blogs posted to the RSAConference.com website are intended for educational purposes only and do not replace independent professional judgment. Statements of fact and opinions expressed are those of the blog author individually and, unless expressly stated to the contrary, are not the opinion or position of RSA Conference™, or any other co-sponsors. RSA Conference does not endorse or approve, and assumes no responsibility for, the content, accuracy or completeness of the information presented in this blog.