Virtualisation Security: The Need for a New Security Mindset · Virtualisation Security: The Need for a New Security Mindset ... Virtualisation has long been delivering benefits to

Virtualisation Security: The Need for a New Security Mindset

A survey report exploring the impact that virtualisation and cloud computing are having on IT security for UK businesses

>>

Page 2 of 12


Virtualisation has long been delivering benefits to organisations of all sizes; with on-demand capacity scaling and reduced

hardware costs just some of the key benefits. However, the shift to virtualisation has created a whole new paradigm for

IT security, with the movement of applications, processes and infrastructure creating added complexity.

Trend Micro has partnered with Vanson Bourne to undertake research to find out how UK enterprise organisations are

addressing their virtualisation security needs and whether they’re struggling to manage this added complexity.

The research has found that the majority of UK businesses are failing to upgrade their security tools to manage virtualised

environments and as such are struggling to keep their IT infrastructure secure. This is despite the fact that almost half

of organisations believe that virtualised environments need more security as they introduce new risks. As a result, nine

in 10 businesses are concerned that they will fall victim to security breaches.

This report explores these findings in more detail and asks whether a new security mindset is required to ensure that

businesses are addressing their virtualisation security in the best way.

Executive summary

Page 3 of 12


Security in the days of on-premises infrastructure was a

pretty straightforward model. You created a fortress to

secure the data within, using firewalls, antivirus, DMZs

(demilitarised zones) and group policy.

Security was about defending that fortress. To that end,

IT departments managed the hardware tightly, issuing

solutions that they had sourced and set up.

From a compliance point of view, things were

straightforward: all the data was on-premises and the

fortress model meant that the IT department knew

precisely how it was secured.

The shift to virtualisation, superseding physical

on-premises infrastructure, has created a new paradigm

for IT departments and requires a new way of thinking for

the C-suite.

The fortress approach to security was no longer applicable:

not only were people using their own devices, as software,

services and even infrastructure moved out of the office

and into the cloud, a whole new paradigm of security and

compliance applied.

Latterly, enterprises have gone a step further, with

individual business units making decisions about buying

and using cloud services. In some cases, this move –

dubbed technology autonomy, or shadow IT – is done in a

haphazard way, without the input of the IT department and

without strategic direction from the C-suite.

The move to virtualisation and the cloud is well under way,

and in many cases, enterprises are not only outsourcing

services and software, but also infrastructure.

Trend Micro, the global leader in cloud security, together

with Vanson Bourne, has created a snapshot of where British

companies are today on their journey to virtualisation and

the cloud, focusing on security for virtualised and cloud

environments. Quantitative research was conducted with

100 IT decision makers from UK enterprise organisations

with more than 1000 employees.

Introduction

Page 4 of 12


There’s no doubt that the move to virtualisation is proving a

challenge for IT managers. Although the survey found that

66% of organisations have updated their infrastructure

within the past year, nearly three-quarters of those

surveyed said that their infrastructures are more complex

than they were five years ago.

The move to the cloud has also taken off over the past

five or so years, and improvements in technology mean

it’s easier to create additional servers via virtualisation. A

small handful of businesses have moved everything into

the cloud, while others have gone for a hybrid approach,

taking some services into the cloud while retaining other

services, infrastructure or their data in-house.

The benefits are clear: virtualised machines and cloud

services mean that it’s easy to scale capacity quickly

according to demand, and handing over responsibility

for maintenance can create cost savings as in-house IT

departments can be streamlined.

However, moving some applications, processes and

infrastructure creates complexity. One issue is that

virtual machines (VMs) can be in any number of locations.

Additionally, businesses need assurance from their

providers that access to the company’s assets – including

data – is properly managed.

Turkish steel producer İÇDAŞ found all of these

challenges when it needed to update its main data

centre in Istanbul. IT manager Nilgün Aksoy says: “Our

IT department was having a hard time responding to new

server and resource requests from other departments.

New server procurements, upgrade requirements of our

former servers, infrastructure requirements, business

sustainability requirements, and the various needs of

management personnel were increasing with each day.

Most respondents (96%) to the survey agreed that

they were struggling to secure their more complex

infrastructures, with 93% saying that virtualisation has

contributed to that complexity.

The struggle to secure complex virtualised IT infrastructures

“It was necessary to establish access

control, virus prevention and cyber-attack

protection against internal attacks to our

virtual servers, but security solutions

were interfering with accessibility, server

performance, and manageability.”

Nilgün Aksoy,

IT Manager of Turkish steel producer İÇDAŞ

Page 5 of 12


Figure 1: Is your IT infrastructure more complex than it

was five years ago?

Updating becomes much more of a challenge in the

virtualised environment, too: not only do you have to

provide a seamless service to your users so that they

won’t notice any downtime as updates are applied, you

also have to manage a number of virtual machines in a

range of different states – on, off, dormant.

This issue is reflected in the survey responses: 72% said

they had issues with keeping applications patched in a

virtual environment, with 34% admitting that they often

can’t patch applications in a timely fashion.

Figure 2: Do you find it difficult to keep applications and

operating systems patched?

The role of security in virtual environments

The move to a virtualised environment means that

security has to become part of the strategy discussed

in the C-suite: it can no longer simply be an arcane

conversation between geeks in a back office.

It’s clear that British businesses recognise the importance

of factoring security into their virtualisation roadmap:

95 per cent said that security is an integral part of

moving to a virtualised environment. However, some

have made a rod for their own back, with the majority of

organisations not acting on this belief; 59 per cent admit

to not consulting security teams throughout virtualisation

deployments and 8% saying the security team wasn’t

consulted at all during the transition to the virtualised

environment.

72%

13%

15%

Yes

No

About the same

72%

13%

15%

Yes

No

About the same

34%

38%

28%

Yes, I frequently cannot patch systems on time

Sometimes, when there are significant numbers of patches released

No, my patching is always up to date

Page 6 of 12


Figure 3: Was the security team consulted during the

move to a virtualised environment?

One of the challenges of managing the move to a

virtualised environment is to engage everyone who

needs to be on board. The survey found that there is a

sharp difference in the approach to security between

the managers of data centres and information security

managers.

That’s because the two groups have different priorities:

the data centre manager is focused on getting services

up and keeping them up, and making sure that they are

accessible and useable as fast as possible. A primary

concern of the data centre manager is uptime, and for

that role, security can be a hindrance.

For the information security manager, the prime concern

is the safety of the data; uptime is less of a concern.

That split is clearly highlighted in the survey responses,

with 56% of security managers agreeing that security is

integral in the plan to move to a virtualised environment,

compared to just 40% of data centre managers who

agreed with that comment.

Figure 4: In your opinion, is security an integral part of

the plan in moving to a virtualised infrastructure by ITDM

type, yes answers.

The need to understand that different security models are

required in a virtualised environment is a concern. The

differences between the in-house “tin box” set-up, where

security is managed within a fortress, and the virtualised

environment mean that the challenges are different.

However, the survey reveals that many organisations

(34%) haven’t updated their security models.

41%

29%

18%

4%

8%

Yes – throughout the transition

Yes – at the consulting stage

Yes – but not frequently enough

No

I don’t know

0

10

20

30

40

50

60

Information securityresponsibility

Data centreresponsibility

56%

40%

The survey found that there is a sharp

difference in the approach to security

between the managers of data centres

and information security managers.

Page 7 of 12


Many organisations (85%) are still using the same tools

for their virtualised environments, such as antivirus

and firewalls, as they did for their in-house physical

machine set-ups. Only just over half (52%) of the survey

respondents that had experienced a data breach, said

they had discovered their breaches as a result of

security monitoring.

Figure 5: How was the breach discovered? Asked to

those that had experienced a breach.

Siemens Enterprise Communications, which offers

enterprise communication services and solutions, found

itself using old tools – virus and malware protection,

and often from different vendors – on UC application

servers that were personalised to each customer. The

disadvantages were clear, says Frank Semmler, head of

solution management security.

Virtualisation technology offers new ways to manage

security: rather than having to deploy software

applications across each VM, which in turn might not

be integrated into the overall infrastructure. With Trend

MicroTM Deep Security you can manage patching and

updates centrally, creating high levels of security with

very little impact on the individual VMs.

The threat of security breaches

The survey shows very clearly that there is a split

between the public sector and private-sector enterprises

in how they manage security threats in a virtualised

environment. Most private-sector businesses say they

review their security arrangements every three months,

but for those in the public sector, it’s every four months.

And despite the best intentions, security breaches do

happen: 24% of respondents said they had had at least

one breach in the past two years, with a further 26%

reporting a breach within the past five years.

In any business, whether it has moved into the cloud or

retains its IT on-premises, the infrastructure and the data

it holds is potentially always at risk. Users can abuse their

privileges and if the virtual infrastructure isn’t properly

secured, with users isolated and only able to get at what

they need, data can too easily be compromised.

Indeed, nearly a third of respondents (27%) who had

suffered a breach said that was due to deliberate misuse

of the system by an employee, while configuration errors

by an admin accounted for 23% of breaches.

52%

20%

18%

9%

2%

Routine internal security monitoring

Alerted by systems outage

Reported by a third party

Discovered by accident

Other (please specify)

“Our goal … was to provide a high standard of security at a reasonable cost, but we clearly

weren’t going to achieve that with the approach we had. Moving to a standardised solution

by deploying Trend Micro Deep Security solved the problem, allowing Siemens to offer a

high level of protection to customers with a reduced impact.”

Frank Semmler, Head of Solution Management Security, Siemens

More than nine in 10 businesses remain concerned that they will fall victim to future security breaches.

Page 8 of 12


Figure 6: How concerned are you that your organisation

will be the victim of a breach in the future?

Virtualisation in the cloud

Since the move to the cloud began some six or seven

years ago, businesses have embraced the opportunities,

with over two in five (44%) of organisations with a

virtualised environment either using or planning to use an

Infrastructure-as-a-Service provider, with the majority

(61 per cent) of organisations purchasing security as part

of the service.

Though half address the security of these services by

deploying the same controls as used in their data centre.

Almost four in ten (39%) of those using IaaS believe that

its use has made managing IT security more complex.

Organisations in the private sector are far more likely

to have used a solution such as Amazon Web Services

than the public sector: 40% of private-sector respondents

had chosen such a service, compared to just 24% in the

public sector.

41%

26%

17%

4%

12%

1 - Not at all concerned

2 3 4

5 - Very concerned

0 10 20 30 40 50 60 70 80

Purchased security as part of the service from the provider

Deployed the same security controls as used in our data centre

Other (please specify)

We did not address security specifically

61%

50%

6%

0%

Figure 7: How did you address security of the workloads running in the service provider cloud?

Page 9 of 12


Compliance is a high priority for organisations dealing

with sensitive data, such as healthcare providers. In

some cases, a private cloud is the best choice, as was the

case for Globality Health when it moved to a virtualised

environment.

“We installed our own company cloud in Luxembourg,

where the strictest data protection laws are in place. This

is an essential element when dealing with information

as personal and highly sensitive as medical records,”

explains CIO Patrick Klass.

For those preferring a third-party cloud provider, most

respondents (61%) also purchased security as part of

their package, although the awareness of the need for

security and the understanding that old models are

not appropriate was much higher among those with

responsibility for data security.

Data-centre managers, by contrast, were less alert: just

56% said they bought security as a service from their

cloud provider, and 61% said they used the same security

controls as they had in their on-premises set-up.

“Moving to a virtualised environment

is a paradigm shift. Issues relating to

data security and data privacy continue

to dominate the mindset of corporate

Britain as it transitions to the cloud. Cloud

providers need to be clearer upfront with

their customers at communicating the

approach to security they provide and what

options are available without compromising

security in the process.”

Alex Hilton, CEO of the Cloud Industry Forum

Page 10 of 12


According to Michael Darlington, technical director at Trend Micro: “Virtualisation security is still being viewed as an

afterthought as businesses ‘make do’ with the same security policies, process and tools they would use in a physical

environment. This approach is leaving organisations open to the risk of cyber-attack as they fail to realise that a new

security mindset is required.

“In a dynamic virtual network, security should be built in from the outset instead of being treated as a bolt-on. IT

transformation is at its most impactful when security and virtualisation experts work together to create a solution that

reduces cost and improves productivity whilst managing risk.”

Although take-up of virtualisation and cloud services is high, there are concerns about how security is implemented.

Data-centre managers need to become more aware of both the need for different security models and what those new

models are.

FiVe proVen besT pracTices To ensure your VirTualisaTion enVironmenT is secure:

1Both the information security and data-centre management teams must be involved in any virtualisation project, with the aim of making sure that both teams are working towards the common goal of a high-performing and secure virtual environment.

2Use the right security tools from the start: don’t be tempted to rely on your existing security technology, which was not designed for the virtual environment. Relying on the old tools will leave your business vulnerable to breaches.

3Don’t rely on luck to detect a security breach: just under half of the respondents in the survey said they had discovered their breaches accidentally rather than as a result of monitoring. Deploying intrusion protection and prevention and integrity monitoring will help secure your data.

4Have one security model and deploy it across the whole of your infrastructure: physical, virtual and cloud. One security model can be managed from one console, making the task easier and the security tighter.

5Make sure security follows the workload. In a physical infrastructure, machines don’t move, but in a virtual one, they do. When machines move around the virtual environment or cross the border from on-premises into the cloud, security controls must move with those machines.

Conclusions and recommendations

Page 11 of 12


“Virtualisation continues to be adopted at

a rapid pace and it seems that IT teams are

struggling to keep up with the demands of

the business, as IT infrastructure becomes

more complex. However, it is important to

note that virtualised environments can be

as secure if not more secure than physical

environments. By adopting a new mind-set

and recognising the security posture needs

to change in line with IT environments,

businesses will be well placed to realise

the benefits of virtualisation without

compromising on security.”

James Edwards, Product Manager, VMware

In a sense, virtualisation has become its own worst enemy

because of the inherent security risks associated with

easily creating new virtualised servers. What’s clear is

that virtualised environments present organisations with

new security risks and demand a new security mindset

to tackle these accordingly. Only by taking this approach

will organisations ensure that their move to virtualisation

is fully secure and not compromising their entire IT

environment.

Page 12 of 12


research meThodology

Trend Micro commissioned Vanson Bourne to survey

100 UK enterprise organisations with an excess of 1,000

employees. Participating companies were spread across

sectors and size bands, with 75 private and 25 public

sector organisations included. Half of the IT decision

makers included are responsible for security, while the

other half is responsible for the data centre. The survey

was conducted in May 2013.

abouT Trend micro

Trend Micro Incorporated, a global leader in security

software, strives to make the world safe for exchanging

digital information. Our solutions for consumers,

businesses and governments provide layered content

security to protect information on mobile devices,

endpoints, gateways, servers and the cloud. Trend

Micro enables the smart protection of information, with

innovative security technology that is simple to deploy

and manage, and fits an evolving ecosystem. Leveraging

these solutions, organizations can protect their end users,

their evolving data center and cloud resources, and their

information threatened by sophisticated targeted attacks.

All of our solutions are powered by cloud-based global

threat intelligence, the Trend Micro™ Smart Protection

Network™, and are supported by over 1,200 threat

experts around the globe. For more information,

visit www.trendmicro.com.

abouT The cusTomers included

siemens enTerprise communicaTions

Siemens Enterprise Communications, is a global

integrated communications provider that synchronizes,

deploys, and manages technologies such as voice,

video, collaboration, mobility, contact centre, and

network infrastructure. We weave these communication

technologies directly into the way businesses operate.

The result is a transformation of how the enterprise

communicates and collaborates – that amplifies collective

effort, energizes the business, and dramatically improves

business performance.

Born out of the engineering DNA of Siemens, we have

built on this heritage of product reliability, innovation,

open standards, and security to provide integrated

communications solutions for over 75% of the Global

500. Siemens Enterprise Communications is a joint

venture of the Gores Group and Siemens AG.

globaliTy healTh

Globality Health is the international health insurer with

a special focus on expatriates. People who study, live or

work abroad are assured that their health is always in

good hands, no matter where they are. With more than 80

years of experience in health insurance, Globality Health

provides their customers the convincing competence

of an international network of assistance and service

partners. As an integral part of Munich Health, with more

than 5,000 experts at 26 locations, Globality Health offers

innovative healthcare solutions for clients and partners all

over the world. As a member of the Munich Re, Globality

Health gives customers the strength and security of one

of the world’s leading insurers and reinsurers.

İÇDAŞSince 1970, İÇDAŞ has been producing steel bars

and high-alloy steels and has grown to be the biggest

private sector steel producer in Turkey based on

production capacity. Besides the iron and steel

production, İÇDAŞ also operates in the fields of ship

building, port operations, piloting and towing, land and

marine transportation, shipping, brokerage, insurance,

international trade, tourism, construction and power

generation. Exporting most of its production to foreign

countries, İÇDAŞ has assumed an important role in

Turkey’s integration with the modern world, with its

advanced technology and reputation for superior quality.

©2013 by Trend Micro, Incorporated. All rights reserved. Trend Micro and the Trend Micro t-ball logo are trademarks or registered trademarks of Trend Micro, Incorporated. All other

product or company and/or product names may be trademarks or registered trademarks of their owners.

Documents

Virtualisation Security: The Need for a New Security Mindset · Virtualisation Security: The Need for a New Security Mindset ... Virtualisation has long been delivering benefits to