2011: Year of growing threats to new technology, warns Symantec

Virtualization promises to reduce costs for the enterprise, but it comes with attendant security risks. IT administrators will have to grapple with these growing security risks in the near future.

“The rapid adoption, fragmented implementation and lack of standardization of virtual infrastructures will continue to expose gaps in the security, backup and high availability of virtual environments. Although virtualization decreases server costs, organizations are realizing that virtualization is simultaneously increasing management and storage costs, and without a plan to protect these environments, they may not realize the full return on investment”, warned Symantec in its Top Security and Storage Predictions for 2011.

Kevin Haley, director of Symantec Security Response, told Infosecurity that companies should take similar security precautions for virtualized systems as for physical systems. “A virtualized environment is not safer than an unvirtualized one. Unfortunately, it seems to be the attitude of some people that if it is virtualized, the system can be taken down or switched to another system, [and] there is no security issue. That is not the case….The threat is there and people need to take steps to secure those virtualized environments.”

Another technology that promises to reduce costs while increasing risks is the mobile phone. As more employees use their mobile phones at work, IT administrators will struggle to incorporate these devices into the network’s security architecture.

“The exponential consumer adoption of smart mobile devices will increasingly result in these devices making their way into enterprises through the back door, blurring the lines between business and personal use, and driving new IT security models to market in 2011”, according to Symantec.

“We talk about the consumerization of IT where mobile phones come into the organization through employees who want to use them for work. Organizations are finding that they have to find ways to support that. So you get a mix of personal and business information that ends up on that phone. If that phone is lost or if someone hacks into it, then corporate data is at risk”, Haley observed.

To cope with the growing security risks of personal mobile phone use, companies should put in place security measures, such as data leakage prevention technology to stop data from getting outside of the organization, remote wipe to remove company data from phones that are lost, and encryption to secure data on the mobile phone, he advised.

Social media, which can improve employee communication and productivity, will also pose increasing risks to the enterprise in the coming year. “Although social media will continue to change the way we collaborate in 2011, IT organizations will also need to understand how to protect and manage these non-standard applications for recovery and discovery of business information that is communicated in these channels”, the company said.

Haley said some companies have made the decision not to allow social media into their environment at all. At the same time, some companies are using social media to attract customers and interact with users. Unfortunately, social media is a “great breeding ground for propagating threats”.

There is also the risk of data leakage – that confidential information about an organization is inadvertently released onto a social network. “So it is really critical that you have security software to prevent threats from social networking, that you have software to stop critical information from leaking out, and it’s really important to educate users about the risk”, he said.

In a blog, Haley predicted that cyber-sabotage and cyber-espionage would become an increasing threat in 2011. He cited the success of Stuxnet in attacking industrial control systems as a “marker” of this new trend.

“Stuxnet has given a blueprint to a lot of people to go out there and assemble this type of attack….We are going to see other types of nation-state attacks that are cyber-based, certainly in the cyber-espionage area”, he told Infosecurity.

“One of the things we saw in Stuxnet and Hydraq, which was a threat we saw at the beginning of 2010, is the use of zero-day vulnerabilities. The bad guys behind those attacks actually discovered those zero-day vulnerabilities and then used them in their own attack. So we expect to see an increase in the number of zero-day attacks and zero-day vulnerabilities being discovered in 2011”, Haley predicted.
