Why Early Engagement with Security in Cloud and Virtualization Projects Matters

Traditionally, security teams have an on-again, off-again relationship with infrastructure and operations teams. I think most folks who have worked with, or within, IT groups agree that the relationship can sometimes be strained. However, projects around the virtualization of infrastructure, especially virtualized desktops (VDI), and infrastructure-as-a-service (public cloud) present special challenges for IT.

The dysfunction of IT teams stems from a chain of ‘necessary evil’ viewpoints. Quite often, the business part of an organization (sales, marketing, finance, manufacturing… the stuff that isn’t IT) consider IT as a pure cost; it’s a money-pit that needs to be contained in the smallest box possible. Reactively, IT teams become isolated and defensive. Within IT, operations teams view security teams as anti-business. In both relationships, isolation creates companies within companies, and ones who don’t remember what IT is actually for, or are working in circumstances that are not conducive to success.

In a perfect world, IT is a cohesive unit that drives business efficiency. “Efficiency” is a wonderful utility word that often means nothing in marketing, but in this sense it means clearly making life easier for the folks who are the business. To do that, understanding the tasks, requirements, and challenges of groups and individuals within the business is key. Gaining that understanding cannot be done by an IT team that is isolated from the business. For example, if filling-out and processing expense reports manually is extremely time-consuming, IT can help create a system that works best for frequent users (sales, for example) and finance teams that process. Security must also play a role, given that something like an expenses system touches financial systems, and potentially sensitive employee information, etc. Designing a system without security involved and then having a security team approve after-the-fact is a mistake.

As VDI and public cloud use become more common, these fault lines in organizations will be exacerbated. The seemingly simple task of deciding which end-users can best benefit from VDI and which workloads are most appropriate for public cloud will be daunting without strong integration between business, operations, and security teams. Also, in times of tight budgets, providing a clear net benefit is crucial, especially since VDI and public cloud projects create many upfront costs.

The challenge of both VDI and public cloud is that they are disruptive. To the end-users and management, that disruption must be justified. To IT groups, managing and securing these new environments is unlike established, traditional environments. With both, attempting to apply traditional endpoint security can effectively halt a project. In the case of VDI due to performance impact, or on a public cloud project by engaging the security team too late to overcome challenges imposed by existing tool sets in a timely manner. Even considering VDI against virtualizing servers shows how disruptive it can be. If IT provides a service that is measured by user experience, virtualizing an email server is transparent to the end-user; there is no disruption. The cost savings of consolidation are clear, so server virtualization has become ubiquitous and well understood. Contrast that with the impact on user experience of virtualizing desktops. Even within IT, virtualizing Exchange poses little change to the Exchange management and security teams, whereas VDI delivers tremendous disruption in both areas.

I have interacted with quite a few organizations that have experienced these challenges. Roughly speaking, the operations team tests and selects the VDI platform and management software. They may perform testing or use an ROI calculator to figure-out how many VDI instances, running the typical suite of applications, can be run on a host as part of building a business case. Once moving into pilot, or worse yet, into deployment mode, a desktop admin builds the first image templates, including the corporate standard anti-malware. When the first anti-malware scan or update hits and the VDI environment falls over, the security team is called to task. That puts everyone in a tough spot. Had a unified IT and security effort been in place from the start, it could be avoided.

With public cloud, security teams do tend to be engaged early in the project because the perceived risk is higher. However, if security doesn’t understand the full operational picture and business objectives, things can still go wrong. For instance, picture a security team that is asked if they can run their traditional antimalware on a Windows instance hosted on Amazon. The straight security answer is, “Yes”. However, if operations intends to power instances on and off at a high rate to take advantage of usage-based billing, or extend the reach of the business by creating new ‘datacenters’ in different zones, the problem changes. Once again, the risk is that security is put into the position of being a drag on IT and the wider business.

To avoid these pitfalls, operations and security, and IT and the wider business, need to mend fences and learn, in a hurry, to work together. It is easy to say, and hard to do. There has to be a lot of trust. If the business asks, “Can we go with public cloud for this?” the impression from IT may be similar to that of asking about outsourcing. Business needs to work with IT, and IT needs to be proactive on engaging business units. The same trust and working relationships between security and operations within IT, and from security to the business must be fostered. Such large-scale cultural changes are amongst the greatest challenges within organizations. To prepare for VDI and public cloud, the leaders and staff within organizations must embrace this challenge, or risk having VDI and public cloud projects lead to a change of leaders and staff.