Gabriel Consulting Group (GCG), an independent analyst firm, today released key findings of its 2011 Data Center Security Survey, a report focused on security issues and solutions among 147 enterprise data center managers responsible for data centers of all sizes. The results were startling, as is often the case with surveys, and so we thought it would be ideal to interview Dan Olds, Principal Analyst at GCG, to get further perspective.
Q. What were the most surprising or unexpected findings from this survey?
Dan Olds: There are a few things that jumped out at me. The first was that an astounding 60% said that management believes their data center is more secure than it really is – meaning that management is ripe to be blindsided by a security breach. I was also surprised to see that 40% of the data centers we surveyed said that their day-to-day operations don’t conform to the security standards required by their policies. That’s another troubling sign…
Q. Why do you think that customers with centralized security functions don’t necessarily report better security guidance?
Dan Olds: I expected to see the organizations with centralized security report that they had better overall security and more confidence in their security infrastructure – but that wasn’t the case. Judging from the qualitative remarks, I think that just centralizing security responsibilities and authority isn’t enough. There has to also be a real effort to implement strong ‘defense in depth’ security that defends against both inside and outside threats, but is also flexible enough so that it’s not an impediment to users performing their jobs.
Q. Are today’s customers a little blasé about security in their data center – or do you think that security is viewed only as a necessary evil that they treat in that manner?
Dan Olds: I didn’t get the sense that data center management is blasé about security – they see the threats every day and know the stakes. But several times, respondents said that their management saw security as an expense item that doesn’t provide a financial return. As one respondent put it, “Security is only an issue to management when there is a problem – otherwise, it’s still a ‘why are we spending all this money’ question in budget meetings.”
Q. I found it interesting that customers often use as many as 7 vendors for their security in the data center. As organizations look to consolidate data centers, could you discern any trends in customers also looking to consolidate security vendors?
Dan Olds: I expect to see customers reduce the number of security vendors they work with over time. Like everything else in IT, security is highly complex and only becoming more complex. At the same time, customers aren’t in a position to add more and more headcount to handle security needs. These two trends mean that customers will be looking for security solutions that solve multiple problems, are easily integrated, and reduce IT management and maintenance labor. To me, this argues against customers having a slate of different point products, all of which have to be configured to work together, all of which have different tools and consoles, all of which have varying levels of customer support. In this environment, customers will be more likely to look for multi-function solutions that provide great protection, but also reduce complexity and management.
Q. Did any of your respondents indicate who would take responsibility for gaps in security coverage or poor security posture in the event of a data breach?
Dan Olds: For the most part, it seems like IT is the one bearing the brunt of the blame for breaches, regardless of whether the breach was due to technical problems or bad actions on the part of users.
Q. Did the survey responses give an indication of what the cost of a data breach was to their organization or the cost of remediation for a data breach?
Dan Olds: We did get some data on the cost of security breaches. The biggest cost to the business side was additional money they had to spend for compliance and legal costs. On the IT side of the ledger, the biggest cost to the data center was lost productivity – with many breaches taking four weeks or more to remediate and almost half of the breaches using 50% or more of their IT resources (labor and time).
Q. A not so surprising result was that security is an inhibitor in moving to public cloud. As tools to manage security across an on-premise data center and a public cloud become more readily available, do you see that changing?
Dan Olds: There’s definitely a place for both public and private clouds – a hybrid cloud model is what will evolve over time for most, if not virtually all, organizations. So customers need the flexibility to move workloads from their own clouds to the public cloud and back again. But there are some workloads that should never go to the public cloud, primarily because of sensitivity or availability concerns. But how do you prevent users from putting these apps or data on public clouds? Customers need mechanisms in place to ensure that considerations like security are automatically factored into the public vs. private cloud location of an app or data. In other words, each application or data set needs to have a piece of metadata attached to it that says, ‘Sure, this can run in a public cloud’ or ‘No, this app or data can never get outside our firewall’. A reliable and highly secure tool that does this will go a long way toward giving customers the confidence they need to embrace public clouds to a greater extent.
Q. What advice would you offer security teams on how to get security better integrated into the design phase of a data center project?
Dan Olds: Having a clear concept of the security concerns surrounding the new application at inception is a great first step. This doesn’t mean just thinking about it, rather it means documenting the security needs to ensure that they actually make it into the plan. I think that IT rushes projects forward very fast in order to get a better time-to-benefit, but they give security short shrift in the rush to get new apps up and running.