Virtualization and cloud computing pretty much dominate the IT world, but security and compliance with IT standards are neither trivial concerns nor going away any time soon. But in some ways, security is easier to accomplish in virtual systems than in physical ones.
Take the task of tracking an inventory of IT assets in a data center, for instance. Catbird, a security and compliance technology vendor, has just introduced Version 5.0 of its vSecurity suite of tools for securing virtual, cloud and physical networks. One feature of the product is Automated Asset Inventory: Every time a new device is attached to the network--a server, a router or a printer, for example--the inventory feature sees it and applies the appropriate security rules to it.
This is an example of something you can't do in the physical world, says the company. You can never have a perfect inventory. Invariably, someone plugs in a printer without telling anyone or buys his or her own Wi-Fi router at BestBuy.
"These are the kinds of things that drive IT people crazy but are a huge security problem," says Catbird's Tamar Newberger. "If you can't monitor something, you can't detect if there is a problem with it."
According to new data from InformationWeek Research, cloud progress is slowing down. At the start of 2011, the cloud survey found 60% more IT organizations reporting using cloud services: 31% vs. 18% the previous year. This year, there was a measly two-point gain, with 33% of respondents saying that they're using cloud services. The easy stuff has been done. Integration challenges and security concerns are as real as they ever were.
Catbird's vSecurity suite also delivers intrusion detection and prevention, network access control, vulnerability monitoring, compliance enforcement, policy management and configuration management. While that array of functions is comprehensive, the company says customers can use similar tools from other vendors and vSecurity 5.0 will integrate with them.
Security and compliance in virtual environments is a mixed bag, Newberger adds, because auditors don't all agree on how or whether to certify those systems. Some auditors will certify a virtual environment but others won't. Only last year did the PCI Security Standards Council issue a set of new guidelines for passing PCI audits for virtualized environments. PCI is the Payment Card Industry standard for the security of networks that process debit or credit card payments.