Next week, the IT industry will gather in San Francisco to discuss all things cloud and virtualization at VMworld. The discussion will center on “software-defined data centers” which will quickly morph to “software-defined security” in my world (Writer’s note: In my humble opinion, this is a meaningless marketing term and I don’t understand why an industry that should be focused on digital safety acts like its selling snake oil). So we are likely to hear about the latest virtual security widgets, VMware NSX, and OpenStack integration, virtual security orchestration, etc.
This will make for fun and visionary discussions, but there’s one critical problem: while almost every enterprise has embraced server virtualization and many are playing with cloud platforms, lots of organizations continue to eschew or minimize the use of virtual security technologies – even though they’ve had years of experience with VMware, Hyper-V, KVM, Xen, etc. According to ESG research, 25% of enterprises use virtual security technologies “extensively,” while 49% use virtual security technologies “somewhat,” and the remaining 25% endure on the sidelines (note: I am an ESG employee).
This is not a new situation – ESG cloud/virtualization guru Mark Bowker and I uncovered this very behavior with some research we did back in 2010. That data indicated that everyone loved server virtualization for its ability to consolidate workloads, but as soon as the virtual server infrastructure grew more complex and needed advanced security, network, or storage support, many organizations hit the brakes. Things have advanced somewhat, but a large part of the market remains reluctant to move from tried-and-true physical security controls to the virtual unknown.
Recently, ESG research dug into this issue further, asking security professionals why their organizations aren’t using virtual security appliances/technologies more extensively. Here are the top 5 responses:
- 37% of security professionals said that IT/compliance auditors are uncomfortable with virtual security appliances/technologies.
- 34% of security professionals said that they prefer to use existing security controls/technologies, even if this is not the most efficient method for virtual security
- 32% of security professionals said that they have a lack of trust with virtual security appliances/technologies
- 32% of security professionals said that virtual security appliances/technologies require additional management which is too much of a burden for the IT operations staff
- 28% of security professionals said that they had a lack of knowledge/understanding about virtual security appliances/technologies
To be clear, I don’t think this situation is sustainable. At some point, the security requirements for server virtualization/cloud computing simply can’t be addressed by status quo physical security technologies and best practices. This may be true, but it seems like many security professionals are ignoring this inevitable transition.
Rather than focus on whiz-bang functionality and banal “software-defined security” labels, the server virtualization, cloud computing, and security industry faces a much more fundamental task – educating security professionals on virtual technologies, convincing them that virtual controls work, and providing them with a clear and concise migration/integration plan. I doubt whether this will happen at VMworld but it really needs to happen soon.