Data centre managers are often unaware of security measures in place at their own facilities, says McAfee
Senior corporate executives are largely unaware of how secure their data centres are, according to a recent McAfee report.
Only 22 percent of data centre managers surveyed in a report felt senior management is aware of the company’s security preparedness, according to a data centre study from McAfee released on 3 October. There is a “serious disconnect” between what managers think about the security measures in place and what is actually implemented, the survey found.
Management in the dark
“It is astounding that almost two-thirds of our respondents say that their management is in the dark about their true security status,” said Dan Olds, principal analyst at Gabriel Consulting Group, who conducted the study on behalf of McAfee.
Management “needs to seek out the truth”, and data centre managers need to be “frank and honest” when discussing strengths and weaknesses of their security mechanisms, Olds said, noting that it is better to discuss potential issues before a security breach. The survey shows that management is “ripe to be blindsided” in the event of a security breach, according to Olds.
The results of the study are strikingly similar to the conclusions reached by PwC in its annual Global Information Security Survey, released mid-September. In the PwC report, 43 percent of those surveyed believe their organisations qualify as “leaders” in how they’d implemented security. In actuality, less than 5 percent of the organisations actually qualify as “leaders”.
Most of the executives in the study have a “false sense of security”, said Mark Lobel, a principal in the advisory services division of PwC.
Management often views data centre security as an expense item that doesn’t provide a financial return, said Gabriel Consulting’s Olds. “Security is only an issue to management where there is a problem – otherwise, it’s still a ‘why are we spending all this money’ question in budget meetings,” a respondent told Olds.
In the McAfee study, more than 40 percent of survey participants feel their organisation is not keeping up with the latest threats. Even more disconcerting, 40 percent said that their organisation’s day-to-day security does not meet the standards set by official policies that are in place. Nearly half of the information managers said they are “constantly” finding security holes within the data centre.
Organisations with centralised security did not fare better than others, the study found. Just centralising security responsibilities and authority isn’t enough, according to Olds. A “real effort” to implement strong “defense in depth” security to defend against inside and outside threats, but flexible enough to allow users to do their jobs is required, Olds said.
The report also found that organisations used as many as seven security vendors to secure the data centre. More vendors introduce complexity as the products all have different tools and consoles, but still need to be configured to work together. Olds said he expects enterprises to reduce the number of vendors they work with over time, as they invest in more integrated products that solve multiple problems.
There were other red flags in the report. Despite the fact that half of the respondents in the study believe that virtualisation and private cloud require unique security measures, most respondents reported using the same tools to secure both physical and virtual infrastructure. Approximately 70 percent of respondents were sceptical of public cloud security, the survey found.
The 2011 Data Centre Security Survey focused on security issues faced by 147 enterprise data managers.