Emerging Technologies Insights: Endpoint Virtualization Roundtable

Emerging Technologies Insights: Endpoint Virtualization Roundtable
Endpoint virtualization is one of the hottest emerging technologies for financial institutions, which are looking to maximize secure access to and management of key applications - while also controlling costs.

In this Emerging Technologies Insights panel, we hear from:

Matthew Speare of M&T Bank on how a banking institution leverages virtualization;
Tom Wills of Javelin Strategy & Research on current market trends;
Brian Duckering of Symantec on strategies and solutions being employed across industry.

In this 30-minute panel discussion, the panelists discuss successful virtualization strategies for banking institution, offering unique perspectives from the practitioner's vendor's and market researcher's points of view. They also tackle a series of questions on endpoint virtualization, including:

What is the economic imperative for financial institutions to explore virtualization?
What are the biggest security challenges and opportunities from virtualization technologies?
How do virtualization solutions address institutions' concerns about fraud and vendor management?
In what ways do virtualized solutions help institutions meet their objectives to contain costs and maximize security?

About the Participants:

Matt Speare is Senior Vice President of Information Technology, M & T Bank Corporation, the nation's 17th largest bank holding company, based in Buffalo, New York.
Tom Wills is Senior Analyst Risk, Security & Fraud, Javelin Strategy & Research, where he leads the firm's strategic risk management, security, fraud, and compliance advisory services.
Brian Duckering is Senior Product Marketing Manager, Endpoint Virtualization, at Symantec. He advocates use of the various virtualization technologies available today to promote higher productivity for end-users and better system manageability and cost reduction for IT.

TOM FIELD: Hi, this is Tom Field Editorial Director with Information Security Media Group. The topic today is emerging technologies. We are talking specifically about endpoint virtualization. Now, because we are talking about virtualization, we understand that it means many things to many people. That's why today I have gathered a diverse group of people to talk about virtualization. You are going to be hearing from Matt Speare of M&T Bank who is going to talk about virtualization from a financial institution perspective. You'll then be hearing from Tom Wills of Javelin Strategy and Research who will give us some market insights into virtualization. And finally we'll have Brian Duckering of Symantec who can really give us a view from the trenches as a service and solution provider.

Now the format of this podcast is all of these individuals are going to introduce themselves with some thoughts on their unique perspectives on virtualization, and then we're going to toss some questions around the group. So I would like to start out, Matt if you could introduce yourself and then talk about virtualization from your perspective.

MATT SPEARE: Thanks, Tom. Well, I'm Matt Speare from M&T Bank, and I'm in charge of technology infrastructure and our overall virtualization effort. And you know from a banking perspective, some of the greatest benefits for virtualization have been maximizing resources. When you look at your typical PP environment and endpoint, that it is greatly under-utilized for the resources that are available. Additionally, when you look at the issue of security around your endpoints, being able to virtualize that environment puts a greater level of control in your hands so that you have the ability to truly standardize on your endpoint, which is virtually impossible to do with different hardware combinations and then control where the date resides in your environment.

We found great benefit in the ability to provide virtual desktop infrastructures out to third parties that are doing work on our behalf, so that we can control their experience. They are working on our systems and our applications, and none of that data is leaving our environment, and we control it. So from that perspective, the virtualization of the endpoint has really shown to be very cost-effective for us.

I think that the next round of virtualization of the endpoint will really be around, how can you provide a consistent environment for standardization across user profile types? So at a typical retail bank, you'll have tele-work stations that are out there in your environment, and in Nirvana every one of those would be totally identical and you would be able to update in near real-time. The fact of the matter is by having PC's out at the tele-work stations today, the update process is very cumbersome as well as costly, and it is not timely. Usually their schedule of events that occur over a several-day period minimally, and so be able to provide that standard gold copy that you can then turn around and be able to update on the fly, and then it is a simple log-in, or log-out and log-in, and all of your tellers have the exact same replica of the gold copy.

FIELD: Very good, Matt, thank you. Tom, I would like to get some perspective from you from what you see at Javelin Strategy and Research.

TOM WILLS: Absolutely, Tom. So, at Javelin I cover the fraud and security space. I look very closely at that. And thinking with my security hat on with the security benefits that Matt talked about with respect to virtualization, especially that control element. With that said, I don't believe the security itself is a key driver for an adoption of virtualization. I believe that is mainly a cost reduction plank, although there are those security elements to it. So with the extremely tough economic environment that the industry is struggling with today, you can expect that we will see an imperative for banks to reduce IT costs. Virtualization cuts floor space. It costs power costs. It cut maintenance cost and so on, and I see that as growth industry throughout 2009 and beyond, moving toward the situation where we have 100% virtual data center bit by bit. I don't think we're there yet or will get there this year, but you know with that said there are, because of security concerns, banks will likely dip their toes in the water a little bit before they swim. So they'll start with more non-core applications, things like marketing databases, databases of branch and ATM locations and so on, and probably hold off on virtualizing their core ERP applications until they are confident that it is secure in terms of confidentiality, availability and integrity of the sensitive data.

FIELD: That makes sense. Brian, last but certainly not least, why don't you give us some of your perspective. You've got the benefit of seeing multiple financial institutions and seeing what drives them. What is your perspective that you would like to share?

b>BRIAN DUCKERING: Well, certainly, we work across all industries, banking being a significant one. As Tom mentioned, although I'm speaking from the Symantec perspective and we certainly have many products that help with security, the endpoint virtualization group, we're focusing on the virtualization technology and the manageability across technologies to help better management, reduce costs and improve end user productivity. The other thing we say here at Symantec, you know you can only truly secure an endpoint if it is well-managed. So a lot of what we contribute is that manageability aspect. All right, so this manifests itself in a number of different ways:

Primarily, you recognize the different aspects within finance, whether it's call centers or floor traders, or there are a variety of computing needs, and we need to be able to address all of them, even if they are very different competing models. We even support partners. For example, a mortgage loan origination customer that you know has their own financial software that their tens of thousands of partners around the country need to use. They used to ship out CDs and eventually they were using Citrix, and ultimately it made a lot more sense to them and it was a lot more cost-effective to use streaming. That way when they have their almost weekly or twice weekly updates to the software, they could simply change that in one location ... So there are a lot of things that we can do to automate and reduce costs, while at the same time improving the end-user productivity through these methods.

FIELD: Good points. I've got a series of questions here and I would like to throw them out to you. I think what I'm going to do is, I'll target a question and let an individual respond, and then the other two can chime in with some perspectives as well. The first one I have here, Matt, I would like to toss it to you. In today's current economic climate, why would a banking executive care about virtualizing employee work spaces?

SPEARE: Well ,Tom if you go back to Tom's comment, obviously, we are all under pressure to reduce expenses, and virtualization is probably one of the best methods to take back on this distributing computing sprawl that has occurred over the years.

You look at your average server, and you know it's going to be running between 15 and 20 percent of its resources throughout the lifecycle of a day. And the rest of the time it is going to be pretty close to zero. So by being able to maximize those hardware resources, you can drive down the number of physical servers that you have in place. The heating, power and cooling that is required to keep those datacenters under control and maximize the lifetime of that hardware, as well of the things that people don't talk about -- virtualizing makes the hardware become agnostic because it puts that layer in between the servers of the applications and the underlying hardware. So it becomes hardware agnostic, and you can take and convert some of your legacy applications that may have been running on Windows NT and certain hardware configurations and be able to put those on to a new faster resource, and then maximize the use of those.

DUCKERING: You know I'll go ahead and max it out a little bit, you know you talk about the layering. There are really three things. There are reasons that people are looking at this. Stability of the systems, which reduces support; access to the right applications by the right people; and as you said, cost cutting. The stability is certainly enhanced by the virtualization aspect because you are separating the applications and layers from the underlining systems, so there is less dependency and there is less conflict.

The cost cutting issue is interesting because we would talk to banks, you know, a couple years ago and they would not be -- they would be interested in a lot of things. One of the things that weren't very interested in was cutting costs for their application licenses, because they would just -- you know, there was apparently plenty of money for that part of the business, and they would just buy licenses as they need it. In today's economy, they seem to be coming back to us and willing to revisit that issue because if they can save a half of million dollars here or there on license costs simply by automating the compliance and pro-actively managing those licenses according to the agreements that they have ... there is an awful a lot of money that can be saved there.

FIELD: Tom, anything you want to add to that?

WILLS: Yes, simply because of the cost efficiencies that they realize, Tom, I think the pressure for the banks to increase their IT cuts in the current economic environment -- there is going to be a lot of pressure to look seriously at virtualization and begin to implement it. Again, I believe it is largely a cost-driven initiative.

FIELD: Tom, there is a question I would like to toss to you and then get Brian and Matt to weight in as well. From your perceptive, what are the biggest security challenges, and then on the flipside the opportunities when it comes to virtualization technologies?

WILLS: Well, Tom, I think I'll start with the opportunity side, because that part is relatively simple and Matt said it pretty well earlier. It is that level of centralized control that you get with respect to your user environment. What applications are running, making sure that access controls are consistent, making sure they will patch consistently against the latest [bug] and so on. So, that is certainly strength.

On the flip side, to be totally honest; the security threats associated with virtualization are not really understood well yet. They are largely theoretical and that is because it is such a new space. There hasn't been enough climate of virtualized systems, especially mission critical types of environments, for a long enough time to give the black-hats time to find all the vulnerabilities and exploit them. I think that is going to change, and in the meantime security practitioners have the problem of trying to anticipate what the threats will be. That in itself is a challenge because there are physical mentalities that "if it ain't broke, don't fix it."

As far as the biggest actual concern I've heard discussed, that is about leakage of confidential information across two or more virtual environments that might be running in one physical environment, and now we're jumping across it as well. So how do you keep that Chinese wall in place and, in addition, you are going to have the same threats that you do with several multiple servers and applications running separately. Except now that you put them together in one place, there is a single point of compromise, and you have to secure that really well.

And the other thing is that I think there is a large challenge organizationally. You've got collapsing work, networking, servers, administration functions, applications, operating systems and security all in one single instance. And there are a lot of questions about who owns that, who is responsible for that piece? What data center is it in ...? And these questions have really stirred up the pot with respect to security.

SPEARE: I think from my perspective what we see really changing in the security landscape is that there is so much more mobility and people going offline. There are all these statistics. I don't have any off the top of my head, but you know about people leaving laptops at airports and loosing USB keys and things like that. So you know virtualization, going back to what Tom was saying, really, really can help with the access and if you are going to virtualize the whole desk top, for example, so that everything is centralized. It certainly makes it easier to make sure that the right people and only the right people are accessing the applications and systems that you are trying to protect.

DUCKERING: Yes, Tom, and from my standpoint I think it comes down to there is a change in management mindset. We are so used to dealing with several operating systems, that security professionals haven't thought about, "What are going to be those vulnerabilities [at the] virtualization layer, and how am I going to have to change the way in which I can figure my traditional IDS, IPS's to be able to detect attacks that are trying to cross those virtualization environments?"

WILLS: Absolutely, so it is really just a force-through thinking of the organization and then to who owns what.

FIELD: Brian, I want to toss a question your way. The Heartland Payment Systems case has been in the news for most of the year, and underscores that fraud and vendor management are huge concerns for financial institutions. So given that as a backdrop, how do virtualization solutions address the security and compliance challenges that are inherent in these growing and increasing complex vendor ecosystems?

DUCKERING: Well, we'll go back to the access issues. So what we are talking about is really the extended enterprise. So when you are talking about the vendors and needing to be able to extend your enterprise and your data and applications in some cases, outside of what you normally manage ... it does become difficult. But to a certain extent, it's really from a virtualization standpoint and the approaches that we've taken for a number of years when we are talking about things like streaming, virtualization, virtualization desktops. We can really take a very similar approach to when we have someone that is normally part of our organization, but has to travel -- you know, your mobile and remote folks.

So when we are working with vendors, as I mentioned in the question or in the comment earlier, we have specific customer examples of where we needed to make data and applications available, and we can -- there are a couple of aspects. One, we need to make sure that the right versions of those applications are available. And if we have to rely on shipping out the new versions of the CDs, then it's just not going to work because you've got the delay. You've got the extra expense, and you really have no control over that vendor updating or using the right system. So we want to try and combine essentially the best of both worlds. We want to maintain centralized control even though these people are completely outside of our control, all right? So this falls in the same category as we deal with a lot in other industries called consumerization, where people are bringing their own laptops, their own systems in, and virtualization allows us to extend the access, but in a very controlled manner. So we can actually again, with the virtualization layer, separate their experience in the environment that we need to give them access to. We can open up a little hole and say 'Here's your compartmentalized area where you can operate, and you can get the information you need,' and we can still draw the line between that and the system that may be within that partner organization.

So again, I think it has a lot to do with maintaining versions and access.

FIELD: Good Brian. Tom and Matt, I want to give you a chance to jump in on this as well. You've got experience from different sides of this. How does virtualization address the fraud and vendor management concerns that institutions have?

SPEARE: Well, to build on what Brian said, because he's absolutely correct ...whenever you need to provide access to an external party, you run risks of one taking data or having residuals of data in their environment that you don't want them to have. So being able to control that experience, be able to provide them with the application version that you need them to work with are just absolutely critical to driving down the potential for fraud or just plain misuse of your customers' personal information. And so that ability to present them a standardized environment that is entirely underneath your control so you can monitor what they are doing, and being able to control what they have the ability to do and see, really provides a level of securitization around your information and applications that you would not be able to do without virtualization.

WILLS: I have to agree, and also I think that one of the biggest problems banks have in the customer facing environment with web banking and mobile banking is keeping control, or trying to get control, of user computers and mobile devices and the software that is running on them. So I believe that virtualization has a lot of potential in that space to reduce online fraud and hacking attacks that take place in the customer facing area.

FIELD: One more question. I want to go back to something Brian started talking about earlier when he was introducing himself, which is about containing costs and being able to maximize security. Matt, I want to throw this to your first, and Tom and Brian please jump in. How can financial institutions contain cost and still maximize security in scale through virtualization technologies?

SPEARE: Well, Tom, my perspective on this is that virtualization is the true green initiative. By being able to maximize the resources that you have in place and be able to combine applications and the resourcing power that needs to require, you can drive down a lot of the costs that you typically don't see as an executive. Because if you are working in technology and have an understanding of what it costs to run a server, as an example, on an annual basis what that total cost of ownership is for you ... if you can limit your footprint overall, then you have the ability to drive down your overall [costs] for running those data centers. And additionally, from a security standpoint and being able to maximize that capacity, having that centralized control and being able to control who has access to what and in what context does more to be able to drive down your potential losses then almost anything else that you can do.

WILLS: I would say as long as banks and vendors can stay on top of the current security crest because again the very early days for virtualization. Not all of them have anticipated yet, but if the banks and vendors can stay on top of those and keep tracking them and put fixes in the product that they go along so that unanticipated attacks don't derail the whole thing ... there is very, very compelling cost reduction business case for virtualization.

DUCKERING: I would say there is cost to be cut really in every corner. If I focus on just a couple, obviously, server and client side. I can expand a little bit on the green initiative that Matt was talking about. I think there is a fallacy out there that for IT everything is simpler and less expensive if we just centralize everything. And basically what you are doing in many cases, you are taking a system that generates heat and uses power from an area where it isn't a problem back into the data center, where it is a problem. I think we need to be smart about which systems and users are being supported out of the data center, not try to do all of them, but only the ones that really make sense. Call center employees -- certainly that makes sense. But if you switch over and you look at someone - let's just take the other end of the spectrum, people on the trader floor. I've heard numbers like one IT support person for every two traders because the money involved in keeping those guys up and running is just huge, and they just can't afford to be down, right? So if there is that much money being spent on them, there is certainly that much money can be lost or saved.

So, if you can virtualize the application, stream and make them instantly accessible and at the same time make sure the addition and the movement of those applications and the access doesn't destabilize the system and bring that system down, you can maybe change those ratios a little bit. So maybe one IT person is supporting five or 10 or 20, because we have systems in place where if an application breaks you don't have to troubleshoot or remediate; you just hit reset and it's fixed without even having to reset it. One of the beauties of virtualization. So again, there is cost to be saved in really every corner.

FIELD: Well said. Gentlemen, let me ask you each for a final statement, and then we'll wrap up our conversation. Let's start with you, Matt. Where are you going to explore virtualization going forward in your own institution?

SPEARE: I think one of the intriguing propositions of virtualization is the ability to extend out to the retail customer an experience for them that is more based upon an operating system than a web browser. So you think about retail web banking and the ability to provide them with a virtualized environment. One, I think the higher level of confidence in the security aspect of that so then you control the experience and our able to provide them a more robust environment in which to interact with your organization. So I think it is both from a customer and user experience, as well as having control of that environment. I think it is pretty intriguing and we're interested in taking a look at that.

FIELD: Very good. Tom, to put out the crystal ball here and give us a sense, what trends do you foresee throughout the rest of this year and going into next?

WILLS: Well, Tom, definitely a steady adoption of virtualization in the banking industry driven by the imperatives to reduce costs, and as I alluded to before first with non-critical application and then demonstrated to work well with the more mission critical apps. And then moving bit by bit towards a fully virtual data center environment. We won't see it this year, but we will see in subsequent years. And as the market gains more critical mass, expect to see more effort in the black-hat world to break it open, but banks and vendors do need to pay close attention to the security aspects on a day by day basis and anticipate as many of the obvious threats as possible and then be ready to fix them as the major ones start to emerge. But I expect to see a reactive approach to security from inside the financial institutions, along with steady adoption of the technology.

FIELD: Very good. Brian, final words from you. You've heard from both Matt and from Tom; how do these statements jibe with what you see and what you hear from your own customers?

DUCKERING: I totally concur. I think one of the big opportunities for virtualization -- and we're seeing this already -- is the ability to adopt it incrementally. Many technologies over the last 15 years or so have been kind of rip and replace solutions, and with virtualization, endpoint virtualizations, there are a number of technologies that solve specific problems from virtualizing the applications to streaming the applications to virtualizing the desktop that they can really be added on top of the systems that are already in place, so the cost of adoption [is low], and the ability to target specific problems that are really the high return situations where we can really save a lot of money. We can get a high return on our investment ... Again, we are seeing a little bit of this ... but the opportunity really is in recognizing that we have a difference between infrastructure components and the end user work space, and virtualization allows us to separate those so that they can be managed better. Because within the organization, you are going to have terminal server environments, you are going to belayed environments and then you are always going to have your right client environments that are either local, remote or mobile and the common element of those is the workspace. And if we can be responsive to the users and take the user or role based approach then it really won't matter what device they're on. You know ultimately, they could be on their phone for all that matters. Today it's, any location, any PC -- they can get the right environment and they can be productive, and at the same time secure access, controlled access etc. ... all the stuff we've been talking about.

FIELD: Very good. Brian, Tom, Matt, I want to thank all three of you for taking time to share your insights and your experiences.

DUCKERING: Thank you, Tom.

WILLS: You are very welcome.

FIELD: The topic has been endpoint virtualization. This has been an emerging technology's insights podcast. For Information Security Media Group, I'm Tom Field. Thank you very much.


About the Author

Tom Field

Tom Field

Senior Vice President, Editorial, ISMG

Field is responsible for all of ISMG's 28 global media properties and its team of journalists. He also helped to develop and lead ISMG's award-winning summit series that has brought together security practitioners and industry influencers from around the world, as well as ISMG's series of exclusive executive roundtables.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing bankinfosecurity.com, you agree to our use of cookies.