Quick, what’s the hardest part of being a security pariah? None of the other pariahs want to be seen with you. Though a joke, it sums up how security, within IT, has operated and continues to operate. From the beginning of IT, security has consistently been a bolt-on afterthought, and we have only ourselves and everyone else to blame. Surely, given the pace of virtualization, cloud, and all of the other profound paradigm shifts that are providing rich opportunities, security and IT can reunite (for the first time), a ‘rebirth’, if you will. Then again, maybe we are letting history repeat itself.
With technology, we struggle again and again to support the old while bringing in the new. Backwards compatibility is never infinite, and so we end up with islands of technology (I have a fine collection of VHS tapes somewhere to prove it). It is no different with datacenter computing. We’ve created islands of supporting technology, and people are assembled around the technology. Unlike storage, computing hardware, or network hardware, security isn’t viewed as a building block. It’s an add-on that slows down projects, and should be addressed long after a project is in motion, and with as little intrusion as possible.
What are the biggest new silos?
VMware and Citrix have led an extremely successful charge on changing how datacenters are designed and operated. If there’s a phrase I’ve heard more than enough recently, it’s “software-defined”. From storage to network, everything has changed. Just about every organization is somewhere on the virtualization spectrum. Most have virtualized some servers, while others are moving along with virtualizing end-user systems.
While security has been affected by virtualization, it has been slow to adapt to it. Well along the way into the journey, VMware created vShield to give security companies technologies to help remove security roadblocks. The reaction of vendors has been less than impressive. For reasons that are likely particular to each, only a few vendors have bolted vShield Endpoint integrations onto their endpoint products. This has created a short list of products that are capable of enforcing endpoint security. However, being built on old management console architectures, they tend to create as many problems as they solve.
Although endpoints have been virtualized, management consoles have not. There is a difference between something that can run in a virtualized environment and something that is built to. Preparing a Windows server environment, SQL database, and web servers for a management console is just odd nowadays. Yet endpoint security products still operate this way. Nobody wants to perform installations of n-tier applications; they want to import them. Really, it should take longer to download a management console than to get it up and running.
Because securing virtualized endpoints has become decidedly an island of its own, we also have the dreaded point solutions. These are new consoles (though often built on old architectures) that add to console fatigue. If the security team is lucky, they might report up into a common console, but management of virtualized endpoints alongside traditional ones is a rarity.
Virtualizing end-user systems makes this silo especially extraordinary. In the past, server and end-user system security were treated differently. They had different requirements, different policies, etc., and of course, while the end-user systems lived at a desk, airport, or wherever the end-user was, servers lived in the datacenter. Now the two can run on the same blades in datacenters, yet the security is likely managed from different consoles (different for servers, traditional endpoints, and VDI instances… console sprawl really starts to add up quickly – and we can throw mobile devices into the mix too). Bottom line, legacy security management consoles are holding back the vision of centralized computing a la private cloud.
If virtualization has renovated datacenters, public cloud computing is demolishing them. Anti-malware for public cloud endpoints is all but non-existent. As with virtualization, admins have had no choice but to cobble tired old products onto shiny new endpoints.
While one of the major pushes at VMworld 2013 was Hybrid (mixing public cloud and private datacenter computing), endpoint security vendors haven’t even been able to get around to fixing how to license for it. Using a traditional full anti-malware client on cloud instances is one thing, licensing them with yearly endpoint-counts is another. As organizations get a better handle on automating public and private cloud, the concept of per-endpoint licensing of ‘anything’ will fade away. But if the past is a reliable predictor, endpoint security licensing will be the last to change.
Higher adoption of public cloud is also going to create endpoint security management problems beyond figuring out how many licenses to buy. Creating, applying, and monitoring common security policies across private datacenters and public clouds (yes – multiple public clouds) is simply impossible with the vast majority of consoles today.
Mobile devices are yet another new breed of endpoints that enterprise security folks need to worry about. There are a variety of products out there, from full-blown mobile device management, to security-focused products. As with public cloud and virtualization, they have been created as either stand-alone solutions or as bolted-on features in old consoles.
Unified solutions need to be the future
Across these three silos of endpoints, applying security policy and monitoring is difficult. Multiple point solutions create islands of information and uneven security. Bolted-on features in old consoles provide simple checkboxes, but also bring all of the baggage of management consoles that were designed while the dot-com bubble was still growing. Part of the problem is that these solutions form a “good enough” grid of security that organizations have held together with great effort and willpower.
As these areas come to completely dominate, we as security experts, vendors, and consumers have a great opportunity to trade in “good enough” and replace it with truly great security. It will take anticipation and planning ahead, rather than bolting on after the fact. It may also take some gentle prodding by forward thinkers. After all, there are many who get very comfortable in their silos. But like any birth (*ahem*…rebirth), the results will be worth it.