Information Age: News, analysis & insight for IT & business leaders

Delegates at Information Age’s most recent roundtable debate saw security as a key barrier to supporting business-critical applications on virtualised platforms

Virtualisation, done right, is one of the most reliable ways for businesses to increase the efficiency of their IT resources. Indeed, the recent wave of server virtualisation could not have come along at a better time – on the cusp of the deepest recession in living memory.

Now that most sizeable organisations have made at least some use of virtualisation, many are wondering how to take the technology further by virtualising the systems that support business-critical applications.  
 
In May 2011 in Manchester, Information Age held its second roundtable discussing the challenges to achieving this. This time, the topic of security in virtualised environments dominated the discussion.

One delegate, the project director of an IT forensics company, summed up the mood. “We have grabbed a tiger by the tail with this technology,” he remarked. “It is outpacing our ability to deal with the security issues.”

A business continuity director at a large telecoms company complained that, despite the fact that high-profile data breaches occur on a near-daily basis, information security considerations are often pushed aside by the need to innovate. “Security is an afterthought of the drive to get a product to market,” he remarked.

That situation is only exacerbated by virtualisation, they added, which can accelerate IT project delivery times and therefore heighten the expectations of the business.

The general feeling was not that virtual systems are necessarily unsafe, but rather that they are an unknown quantity. Many nodded in agreement as one delegate commented that the younger generation of IT engineers placed “too much trust” in new technology.

This optimism can even infect the risk assessments that IT departments undertake when evaluating new systems, some believed. “Risk assessments tend to be pseudo-mathematical exercises that don’t live in the real world,” chided the director of an IT security consultancy.

An IT strategist who had worked for one of Britain’s largest banks remembered its approach to security. “They didn’t make their systems safe, they just put aside enough cash so that when the regulator hit them it didn’t hurt their balance sheet,” he said. “It was cheaper that way.”

It was generally agreed that virtualisation, and its more revolutionary cousin cloud computing, increase the demand for security precautions that focus on data and information, rather than systems or devices. However, there was little agreement as to how such systems might work.

One delegate reminded the group that, while virtualisation may be introducing new security issues, the perception that the information systems of the past were watertight is a misguided belief.

“There is an illusion that the world used to be secure and is now insecure,” said one IT director. “Sensitive data used to be kept in unlocked filing cabinets.”