Gartner on cloud security: 'Our nightmare scenario is here now'

At the Gartner Symposium IT/Expo this week, thousands of IT managers packed into sessions on the topic of virtualization of enterprise computers, along with the prospect of adopting public cloud-based services or building private ones. Some say the revolution is underway, and security managers are caught in the middle, losing their earlier controls.

 

Gartner analysts, including David Cearley and Gene Phifer, trotted out user case studies involving FedEx, Presidio Health, Johnson Diversey and others extolling the public or private cloud, while in a separate session Michael Lock, head of enterprise sales at Google, found himself looking like a budding rock star in front of an huge audience of high-tech execs eager to hear about Google Apps. With new ways of conducting enterprise computing and application development shaking up established IT practices, the darker mood about it all was mainly heard from Gartner's security analysts, recognizing the revolution underway is ripping away the security controls of today.

 

"Our nightmare scenario is here now," said Gartner analyst John Pescatore. Botnet-driven cybercrime is clearly accelerating as online predators involved in "cybercrime as a service" plunder corporate and consumer data for financial gain. In addition, corporate employees are now using handheld smartphones the company didn’t even issue and spending substantial time on networks not owned by the enterprise.

 

Now comes cloud computing as service offerings and "obviously attacks will come after this," Pescatore said. In many instances, the fact is the "IT organization is being driven to have less control over software and hardware."

 

The implication of this, Pescatore said, is they can sit and dream of something pleasant, like the return of the mainframe, or they will have to make a shift to using or developing "security as a service" to adapt to new threat scenarios in both public cloud computing and virtualization of their IT infrastructure.

 

With the cloud taking shape nebulously as many types of public, private and hybrid services, an important technology to turn to will likely be encryption services. "In the next few years, you'll see encryption services out there," Pescatore said.

 

Gartner analyst Neil MacDonald also minced no words in describing the implications for security in the virtualization and cloud-computing revolution.

 

"We're at a critical point," MacDonald said. Adoption of consumer technologies and the transformation of the technical infrastructure in the enterprise means that there's "frustration of the business units with us," MacDonald said.

 

With virtualization, the key concept of "locking down a physical device" is disappearing in favor of virtual machine-oriented security, such as virtual security appliances as software instead of physical appliances, he said. In addition, the enabling of quick deployment of virtualized applications and databases to facilitate business partnerships will need to be done, though "security becomes very difficult in this environment."

 

Cloud computing and virtualization "break one of the foundational principles of security architecture: Us and them," MacDonald said.

 

Known technologies such as signature-based antivirus are now insufficient, increasingly useless and he added, way overpriced. Antivirus must be buttressed with whitelisting to control application use, and the newer software-based virtual appliances for security have to be examined for use in a virtual-machine environment.