Securing mixed environments - not everybody will be virtualized

There will be a lot of attention paid to virtual desktops and virtual workspaces throughout 2010 and beyond. From a security standpoint, the attraction of IT managing endpoint configurations and keeping regulated data in the data center is compelling. However not all applications, users, or geographies work best in a VDI environment. There will be users and applications that require local processing on the endpoint, while others will be quite satisfied with desktop applications transparently executing in the data center.  Security teams need to be evaluating security vendors that allow them to effectively bridge multiple application architectures - especially those featuring virtualization.

• Team with IT to assess user workspace requirements. Most organizations boil down endpoint configurations to 3 or 4 basic application architecture profiles. For instance, road warriors may need locally installed security software but task workers in the office may need virtual desktops secured. Similarly, organizations planning Windows 7 upgrades may find that personalization settings, printer behavior, sensitive folder locations, and privilege management have evolved which could leave security holes in mixed environments. Work with IT as a strategic advisor on security as the infrastructure adopts elements of virtualization and cloud computing.
• Give priority to security vendors that are designed for virtual environments, not just deployed the same old technology as a VM. Virtualization fundamentally tilts infrastructure economics towards application and desktop density per server, reduced power consumption, and centralized IT operations (The cloud even further shifts focus from capital expenses to operating expenses). Prioritize security vendors on capitalizing on the performance and operating benefits of virtualization - not just those that have ported physical products into virtual appliances. For example, in a VDI environment it does not necessarily make sense to bundle a copy of AV into every single VM when a single AV program attached to the hypervisor can deliver anti-malware services to the entire server without consuming extra resources. Same idea with firewalls - the relationships between virtual infrastructures and physical infrastructures are better secured with technology that is designed specifically for virtualized data centers.
• Recognize security vendors that can bridge physical, virtual, and cloud worlds. Security teams will have to manage traditional configurations (old business), infrastructure upgrades (especially Windows 7), new application environments (new business), and social requirements from users (social networks, smart devices, green IT) all while controlling operating costs. Vendor support of the different application environments may vary greatly. Since very few organizations are going to be 100% virtual, 100% physical, or 100% cloud, look for security vendors that can bridge the worlds, or have compelling technology that the organization can evolve to.

Security is on the verge of a special evolution into a new way of delivering and securing IT services to users. It will not happen all at once. Plan for mixed environments, but give an edge to new technologies that can efficiently secure virtualized and cloud approaches while re-aligning security and IT teams. These thoughts were put together from recent briefings by Altor Networks, Citrix, GlassHouse, IBM security, Microsoft, RES Software, Trend Micro, and others.