Easing Some Of Virtual Security's Complexities
February 6, 2012
Virtualization and cloud computing pretty much dominate the IT world, but security and compliance with IT standards are neither trivial concerns nor going away any time soon. But in some ways, security is easier to accomplish in virtual systems than in physical ones.
Take the task of tracking an inventory of IT assets in a data center, for instance. Catbird, a security and compliance technology vendor, has just introduced Version 5.0 of its vSecurity suite of tools for securing virtual, cloud and physical networks. One feature of the product is Automated Asset Inventory: Every time a new device is attached to the network--a server, a router or a printer, for example--the inventory feature sees it and applies the appropriate security rules to it.
This is an example of something you can't do in the physical world, says the company. You can never have a perfect inventory. Invariably, someone plugs in a printer without telling anyone or buys his or her own Wi-Fi router at BestBuy.
"These are the kinds of things that drive IT people crazy but are a huge security problem," says Catbird's Tamar Newberger. "If you can't monitor something, you can't detect if there is a problem with it."
According to new data from InformationWeek Research, cloud progress is slowing down. At the start of 2011, the cloud survey found 60% more IT organizations reporting using cloud services: 31% vs. 18% the previous year. This year, there was a measly two-point gain, with 33% of respondents saying that they're using cloud services. The easy stuff has been done. Integration challenges and security concerns are as real as they ever were.
Catbird's vSecurity suite also delivers intrusion detection and prevention, network access control, vulnerability monitoring, compliance enforcement, policy management and configuration management. While that array of functions is comprehensive, the company says customers can use similar tools from other vendors and vSecurity 5.0 will integrate with them.
Security and compliance in virtual environments is a mixed bag, Newberger adds, because auditors don't all agree on how or whether to certify those systems. Some auditors will certify a virtual environment but others won't. Only last year did the PCI Security Standards Council issue a set of new guidelines for passing PCI audits for virtualized environments. PCI is the Payment Card Industry standard for the security of networks that process debit or credit card payments.
The Security Standards Council issued a report Jan. 20 advising companies that want to move PCI systems to the cloud that, even if they outsource those functions, they're still ultimately responsible for compliance and for safeguarding their data. The council has certified widely used cloud computing platforms such as Amazon Web Services and Verizon's Computing as a Service as PCI-compliant.
But not all network standards-setting bodies have virtualization-specific rules. The National Institute of Standards & Technology, like PCI, has virtualization rules, but the Health Insurance Portability and Accountability Act (HIPAA) in health care does not, she says.
"So there's a little bit of chaos going on," Newberger adds.
But while compliance is important, compliance doesn't guarantee security, she says. Newberger recently was given new Visa and MasterCard credit cards to replace ones she had, with new account numbers. She believes it was a result of a breach at Zappos.com, a shoe and apparel shopping website that disclosed that personal data of 24 million customers was compromised in mid-January.
"I'm sure they were PCI-compliant at Zappos. I'm sure they are all sorts of compliant," Newberger says. "What's driving a lot of virtualization security thinking is actually compliance. Part of that is because there's really not an empirical measure of security that we know of except compliance standards. And they are imperfect for sure."