Virtualisation, mobility and social networking were flagged as posing most security risk to businesses, partly because there is no accepted set of best practices yet to protect them, IT Roadmap attendees were told.
These three technologies have left traditional corporate security models in tatters, often lacking flexibility to keep up with threats designed to exploit weaknesses in each, John Burke, an analyst with Nemertes Research, told attendees at Network World's IT Roadmap event.
The issues are worth paying attention to, he says, because the technology behind virtualisation, mobility and social networks is making significant inroads. A Nemertes Research survey finds 67% of businesses have policies that call for teleworkers to use inherently dangerous public Wi-Fi networks using mobile devices. And 46% say use of personal mobile technology in corporate networks influences IT decisions.
In the largest corporations, 68% of the corporate workload gets done on virtual machines.
Social computing and mobile devices combine to create a primary avenue for data loss, because enterprises are blind to mobile use of social computing. There are no tools for separating who can access what social networks on their mobile devices, Burke says.
Virtualisation blurs the duties of security, server, networking, storage and systems workers, and in that blurring, important tasks can be lost, he says. "Keeping the virtual environment performing well may lead to security policies not being enforced," he says.
Less than 20% of organisations surveyed specify virtual security that peers into the host server. There seems to be a disconnect, though, because 51.9% rank their virtual security as excellent, perhaps because they haven't seen it compromised yet.
So far businesses have been slow to expand data centers to the cloud, with less than 10% having done so, according to a survey last spring. But preliminary results of a survey this year have that jumping to 18% or 19%, and that doubling is expected to continue for the next year or two.
"You're making it part of what you need to worry about for security," Burke says. "Security for virtual environments seems to be ill defined."
To effectively battle new threats, businesses need to set up comprehensive, overarching security plans that incorporate tools that integrate policy to as many devices as possible. This is important both to consistency of policies and to making the task manageable for IT staff.
Businesses need to build visibility into traffic into virtual environments and among virtual machines, and Burke suggests virtual firewalls and IDS/IPS products to accomplish this.
Social computing controls require identity management so privileges can be meted out to those who need them. Who gets what privileges requires input from business unit leaders who best know the needs of their workers, Burke says.
A network proxy outside the data centre is needed, he says, to create an audit trail of what mobile devices are up to. This may be necessary for regulators, but is also important if businesses hope to secure data centre resources.
Conventional threats include phishing attacks bent on ID theft and compromise of corporate intellectual property, cross-site scripting and SQL injection attacks, polymorphic malware and botnets, Burke says.
"They target your network for attack, then they fire the shotgun and try everything," he says. That includes tricks like dropping thumb drives with malware onboard at coffee shops frequented by corporate employees in hopes they'll plug them in to their mobile devices. It also includes monitoring employees' activities on Facebook and other social networks in hopes of gleaning valuable corporate data or a means for accessing it.
Adversaries are also becoming more sophisticated, dividing the chores involved in exploits into specialised fields such as finding vulnerabilities, creating exploit tools to take advantage of them, creating attack vehicles such as botnets, carrying out the exploit and stealing data and finally cashing in on the stolen data.
Compliance itself can be viewed as a threat, Burke says, because businesses not only face penalties for failure to meet standards, they also face damage to their public reputations if regulations force them to reveal when their networks have been breached.