A clear sign that there is something different about securing systems, data and operations in a cloud-based environment has come from a recent survey undertaken by researchers Vanson Bourne and sponsored by security tools specialist Trend Micro.
The research shows that 25 percent of British organisations lack sufficient knowledge to manage virtual security deployments, with 52 percent pointing the finger directly at a lack of training or funds available to train.
The study found that 65 percent of IT decision makers want to see their organisations boost investment in training, while at the same time 64 percent of security professionals – who, after all, are the ones that really need to know about this as cloud services become more common – want to up-skill in virtual environment security in order to address this knowledge gap.
At an industry level, 57 percent of British businesses want to see virtual security guidelines put in place to help organisations understand best practice. Additionally, over half of UK businesses are seeking more guidance from vendors when it comes to securing virtual environments.
This does seem to represent a direct challenge to the Cloud Industry Forum, which has put in a good deal of work on best practice generally, cloud security issues and the production of guidelines. There would certainly seem to be a need for CIF to find ways of getting its message across to a wider audience, or indeed to start running specialist seminars that can kick-start the better learning process that is obviously needed.
“Trend research from earlier this year revealed an alarming number of British businesses are struggling to keep their virtual systems secure and our latest report finds that a lack of training and education is the main contributor to this issue,” said Michael Darlington, Technical Director at Trend Micro. “However, it is promising that security professionals recognise the problem and are demanding investment in up-skilling to better equip them to manage new, complex IT infrastructures.
“Ultimately the responsibility lies with organisations to provide their staff with the training and support necessary to ensure business data is safe. Without this investment, we will see businesses continue to struggle to secure their virtual networks, leaving themselves open to the risk of cyber attacks.”
This is true, up to a point. But if the situation is as bad as the survey seems to suggest, there is an argument that the security industry needs to pull together to develop comprehensive training services that can help resolve what seems to be a pretty poor state of affairs.
The survey also showed that the fundamental importance of security services, especially in the cloud, was being missed by many professional staff amongst the user community. For example, some 70 percent of them are prioritising product cost over the solution’s effectiveness at detecting and stopping threats. When it comes to working with any form of virtual environment this is certainly a fundamental flaw in the decision-making process – and one that can presumably be laid at the door of senior financial management.
The ease of deployment and management of the solutions is the next priority, at 62 percent, with effectiveness at keeping the infrastructure secure coming in third in the list of priorities. This would indicate a desperate need for education, as it is as inappropriate as buying a wheelbarrow to make a house move.
British businesses are demonstrating a lack of understanding over where responsibility for the security of their virtual machines actually lies. One in four organisations have their virtual infrastructure hosted in a third-party datacentre, while 33 percent have it hosted both on-premise and in a datacentre. This is leading to a lack of clarity over who is responsible for information security.
There are hopeful signs, however, as 41 percent understand that responsibility for securing these virtual machines lies with both the organisation and the datacentre provider. Even so, almost a third of respondents think that the responsibility lies solely with the datacentre provider, meaning they’re trying to wash their hands of the problem.
“Given that third party hosting of virtual machines isn’t exactly a new concept, it’s surprising that UK organisations are still unsure over where responsibility lies with managing the security of these devices,” said Darlington. “We need to look at introducing industry-wide guidelines to provide businesses with clarity here, ensuring that they are working with data centre managers to protect their virtual assets in the best possible way.”