Part of the problem with IT security has been human nature, VMware networking and security business unit senior vice-president and general manager Jeff Jennings suggested. People working in IT have a lot to do, and solving other problems tends to be easier and more fun than taking care of security issues. Vendors such as VMware can provide the tools, but the culture within an organisation has to change for them to be used to their fullest extent.
"WannaCry raised the level of awareness," VMware ANZ networking and security director Raymond Maisano told iTWire, noting the way one local health organisation's board made sure the IT department was on top of the issue.
On the other hand, Centre for Internet Safety managing director Nigel Phair (who, with Jennings, spoke at VMware's Evolve 2017 event in Melbourne yesterday) believes WannaCry only had a short-term impact on thinking, which returned to normal after a week. That said, such events probably have cumulative effects, he suggested.
Jennings, who lives in California where breach reporting is already mandatory, told iTWire the number of notifications he receives has fallen since it was first introduced, and is now just a trickle. That suggests mandatory reporting does lead to a greater emphasis on security.
So what needs to be done in practical terms?
A still common mistake is to assume that perimeter protection is enough, said Maisano. Factors such as device proliferation, the disaggregation of services, and worker mobility mean that is no longer true (inasmuch as it ever was). It is still necessary, but not sufficient.
Microsegmentation is an important part of the security picture because it provides a way to control which other systems a particular virtual machine can communicate with, Jennings told iTWire. This is rarely possible when relying on physical firewalls, he said.
VMware's NSX puts this capability into the hypervisor, and assigned security policies are automatically applied wherever the workload is running.
Another issue is that around 60% of organisations don't have dedicated security teams. The relatively small size of the average Australian company has some effect on that, with many smaller organisations turning to managed security service providers to look after things. But Maisano said he is aware of a substantial and well-known local brand that is only now setting up a security team.
And some aren't on top of basic security hygiene factors such as encrypting data at rest and enforcing the use of complex passwords, warned Jennings, noting that layered defences help provide good security.
Jennings also pointed out that much of the initial use of public cloud happened in an informal way, for example when developers felt constrained by IT operations' lack of responsiveness. It was unrealistic to expect everything to be done securely in such a situation.
As the use of cloud became more widespread, organisations started to develop architectures with security in mind, in some cases going to the extent of building custom management planes.
"It's not impossible to secure things, (but) it's difficult to do it in a way that's consistent and comfortable for the enterprise," said Jennings.
So VMware is working to better support customers running hybrid infrastructure. Many organisations need a cross-cloud architecture, so the VMware stack is already available on a variety of public clouds, including AWS, SoftLayer, and those operated by the company's vCloud Air partners.
This allows organisations to operate using the same controls in the cloud as they apply to their own infrastructure, and takes advantage of existing skills.
But some also want to use native public cloud capabilities, for example to deploy microservices on AWS, so VMware is developing such capabilities.
Great security requires consistency, and automation can help provide consistency, he said. "When people rush, they make mistakes," but automation means tasks are performed correctly and quickly.
VMware's presumption is that such consistency is going to be more cost-effective, even if it means that some systems are overprotected. There's always a trade-off between security and cost, but organisations don't want to have to figure out everything separately on each platform.
Whether or not that presumption is correct will be revealed as VMware releases successive products in this area and customers put them to work, said Jennings.