ESG Survey of IT Security Professionals Provides Insight to Data Center Security Issues

Yesterday, I reported on Cisco’s new ACI security announcements and an overview of our secure data center strategy. Today, I wanted to share some interesting market insights that we pulled from a survey conducted by Enterprise Strategy Group (ESG) that Cisco commissioned, and that validates some key data center security trends and requirements that support our product strategy. Some of the key conclusions and data collected were shared in press coverage of the product announcement. The full survey results are here, and below are some summary graphics we prepared for our launch event.

Project Overview

Cisco commissioned the survey (conducted by ESG) to learn more about the challenges and issues IT professionals face when planning and implementing data center security.

Demographics

• The survey sampled 154 IT security professionals in North America responsible for network security requirements and operations. All respondent organizations had to be using physical firewalls (or virtual firewalls) and access control lists (ACLs).
• Most respondents represented large midmarket organizations (defined as organizations with 500 to 999 employees) and enterprise organizations (organizations with 1,000 up to 10,000 employees). 71 percent operated from three up to 20 data centers worldwide.
• The study included broad representation from industry verticals: financial, manufacturing, health care, government, retail and business services.
• The survey was conducted in April 2015.

Top Survey Findings

The people problem:  Implementing network security controls is tedious and time-consuming.

• 69 percent of organizations reported it takes from one man-hour up to four man-hours on average to convert a single new application network requirement into a network device or firewall configuration (before they even implement the new configuration, test it, etc.)
• 74 percent say that it takes days or weeks to implement security device updates from request all the way through to production implementation. (See InstaGraphic below)

Solution: Just like SDN revolutionized the data center by automating network configuration changes, ACI is accelerating security changes by automating device updates and configuring how security services are inserted into application networks, helping to ensure greater accuracy and allowing IT to keep up with business requirements.

 Network security operational issues leads to human error and configuration problems.

• 57 percent of organizations experienced a security incident that resulted in the compromise of one or more data center services in the past 2 years
• 43 percent of respondents reported a configuration error over the last 12 months that led to a security vulnerability, performance problem, or service interruption
  • Of those, 87 percent reported multiple service outages over the last 12 months due to technical error with changing or configuring networks. (See InstaGraphic below)

Solution: Manual tasks eventually lead to human errors which result in security breaches and service outages. Automating many of these tasks can ensure accuracy and reduce risk.

It’s difficult to make changes to security controls once they are implemented.

• 75 percent of respondents report they have a method for removing expired and/or out-of-date ACLs or firewall rules.
• 68 percent report that it is somewhat or extremely difficult to remove expired and/or out-of-date ACLs or firewall rules because it is so time-consuming and entails many manual processes. (See InstaGraphic below)
• Over a third (35%) of security teams can only “somewhat” look at data center ACLs and understand the applications and services to which it refers.

Solution: A prime example of what ACI can automate and accelerate from a security perspective is the removal of outdated ACL or firewall rules. Most organizations report this is a really tedious and time consuming task, and at least 20% of organizations reported that’s it not even worth the effort. But this can lead to vulnerabilities, inconsistency and compliance challenges.

IT security pros say that more granular network segmentation could help, but few are implementing this yet.

• 47 percent (almost half) responded that an attack was able to move laterally within the data center from one server to another.
• 77 percent of organizations report that further network segmentation would definitely or probably have helped in their situation.
• Only 38 percent are extensively using security zones or segments today in that regard.

Solution: Cisco ACI’s implementation of more granular security policies between individual tenants, applications and workloads can definitely help confine attacks that otherwise could spread laterally between hosts. Too few organizations implement this today, and most agree that such segmentation would have helped against earlier attacks.

IT security professionals would like to move toward more automation and orchestration.

• 59 percent only have partial visibility into network configurations and security controls in the flow of network traffic from one application to another in the data center.
• While 99 percent of respondents want to use automation and orchestration to accelerate application deployment, 70 percent have little to no ability to do so today.
• 61 percent have little to no ability to provision security and network services based on policy.

Solution: More security is great, but automating security operations and accelerating network security changes with greater accuracy is also key to halting attacks. ACI can greatly help with the automation that organizations need. We didn’t create a snappy Instagraphic that summarizes this market data, but I’ll pull the following quote from Forrester that I used yesterday on automation of security tasks being a key initiative for most organizations to improve their threat response.

Over the previous 10 years, “attackers are getting better/faster at what they do at a higher rate than defenders are improving their trade.” If CISOs want to ever improve their abilities to detect and respond to adversaries, they must move from reactive to proactive operations through automation. Every bit of operational friction that S&R pros can reduce using automation will result in a more-agile security posture that makes detecting and responding to adversaries more productive. CISOs can expect automation to become one of the next great security buzzwords. – Forrester Research, “12 Recommendations for your Security Program in 2015”

Drop us a note in the comments section of your opinion of these ESG findings and market data. Is this what you are seeing in your experience? If you didn’t get a chance to see us this week at Interop, including our new security demos with Cisco FirePOWER, I hope you are coming to Cisco Live San Diego in June and can hopefully check us out there.