Symantec CIO wrestles with virtualization, device policy

Symantec CIO David Thompson says virtualization is a big part of the security giant's future and it has developed a policy to mitigate virtualization security risks.

As the CIO of a Fortune 1000 company, David Thompson has more resources than most technology managers. And given that the company Thompson works for is Symantec Corp., the security and data protection expertise at his fingertips is the envy of most of his peers.

But for all of his advantages, Thompson still faces many of the same everyday challenges and concerns that other CIOs and CSOs grapple with. In an interview over lunch recently, Thompson said that he has spent much of his time since joining the company in February on finishing the technology integration with the former Veritas Software Corp., which Symantec acquired in late 2004. But, with that project nearly complete, he has a number of large initiatives looming on the horizon.

"The back-office infrastructure has merged and right now I'm working on data center consolidation. That's typically the last thing you can get to," said Thompson. "We're shutting down some labs and consolidating data centers now through the end of the year."

Virtualization's unknowns

As part of that project, Thompson is beginning to invest in virtualization technology as a way to save money on servers and reduce energy consumption in the data centers, both of which are key concerns for Symantec CEO John Thompson. The rising cost of power in the last year or two has coincided with the wider deployment of dual-core servers, which draw more power and give off more heat than the single-core machines they replace.

This confluence of events has led to a dramatic increase in the amount of money required to run a typical data center. As a result, many enterprises have begun trimming costs by using virtual machines to reduce the number of physical servers needed in a data center.

Thompson sees virtualization as a key part of Symantec's infrastructure going forward.

"Virtualization hasn't been a part of it in the past, but we're doing that now," he said. "We're starting to invest now, preparing an architectural plan. It'll not only save us a ton of money, but also increase productivity and that's the kind of innovation we have to do in IT."

But along with the many advantages virtual machines can deliver, they also bring questions about their security. Some researchers have raised concerns about the safety of running multiple virtual machines on a given server, saying that it is difficult to monitor and understand the interactions among the virtual machines, largely because they are not tied directly to the hardware in the way that Windows or other operating systems normally are: traffic between two virtual machines on the same host crosses a virtual switch inside the hypervisor and never reaches the taps and sensors that watch the physical network. Developers or testers can also quickly bring up a virtual machine on a test box without notifying IT, and a machine IT does not know about is one it does not patch or monitor.

But Thompson said Symantec has developed a policy that requires every virtual machine to be built from a standard, hardened configuration and to be deployed by IT rather than by individual teams.

"In our training environment for customers, in the past we had servers all over the country. We brought that back into the central environment and we use a certified configuration," Thompson said. "The image has been pen-tested so the environment is secure out of the box.

"If you don't start with the right image that has all of the patches, et cetera, it's a problem," he added. "All the standard security practices around the infrastructure apply to the boxes that host virtual machines. The team is focused on that master image."
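The policy described above has three checkable parts: every virtual machine comes from the certified master image, it is deployed by IT, and it carries the patches the image was certified with. The following script is an added example, not Symantec's code, that turns those rules into an inventory audit. The golden-image manifest, the VM records and the field names (image_sha256, patch_level, deployed_by, listening_ports) are all constructed for illustration; a real deployment would populate them from the hypervisor's inventory API and a configuration-management agent.

```python
"""Audit a virtual-machine inventory against a certified master image.

Added example, not code from Symantec: the manifest, the inventory
records and the policy thresholds below are constructed sample data.
"""
import hashlib
import json
from dataclasses import dataclass
from typing import Dict, List, Set

# Constructed manifest describing what IT certified and pen-tested.
GOLDEN = {
    "image_id": "corp-std-2006q3",
    # Hash of the certified image; constructed from a placeholder payload here.
    "image_sha256": hashlib.sha256(b"certified-master-image-bytes").hexdigest(),
    "min_patch_level": 12,            # assumed monotonically increasing patch bundle
    "allowed_ports": {80, 443, 3389},  # services the certified image is expected to expose
    "deployer_group": "it-ops",        # only IT may deploy VMs under the policy
}


@dataclass
class VM:
    name: str
    image_id: str
    image_sha256: str
    patch_level: int
    listening_ports: Set[int]
    deployed_by: str


def load_inventory(jsonl: str) -> List[VM]:
    """Parse one VM record per line (constructed JSON-lines format)."""
    vms = []
    for line in jsonl.strip().splitlines():
        rec = json.loads(line)
        rec["listening_ports"] = set(rec["listening_ports"])
        vms.append(VM(**rec))
    return vms


def audit_vm(vm: VM, golden: dict = GOLDEN) -> List[str]:
    """Return the policy violations for one VM; an empty list means compliant."""
    findings = []
    if vm.deployed_by != golden["deployer_group"]:
        findings.append(f"deployed by {vm.deployed_by!r}, not {golden['deployer_group']!r}")
    if vm.image_id != golden["image_id"]:
        findings.append(f"built from uncertified image {vm.image_id!r}")
    elif vm.image_sha256 != golden["image_sha256"]:
        # Right image name but different bytes: the master copy was altered.
        findings.append("image hash does not match the certified master image")
    if vm.patch_level < golden["min_patch_level"]:
        findings.append(f"patch level {vm.patch_level} below required {golden['min_patch_level']}")
    extra = vm.listening_ports - golden["allowed_ports"]
    if extra:
        findings.append(f"unexpected listening ports: {sorted(extra)}")
    return findings


def audit_inventory(vms: List[VM], golden: dict = GOLDEN) -> Dict[str, List[str]]:
    """Map each non-compliant VM name to its findings."""
    report = {}
    for vm in vms:
        findings = audit_vm(vm, golden)
        if findings:
            report[vm.name] = findings
    return report


# Constructed inventory: one compliant training server, one developer's
# scratch VM that IT never saw, and one rebuilt from a modified master image.
SAMPLE_INVENTORY = f"""
{{"name": "train-01", "image_id": "corp-std-2006q3", "image_sha256": "{GOLDEN['image_sha256']}", "patch_level": 12, "listening_ports": [80, 443, 3389], "deployed_by": "it-ops"}}
{{"name": "dev-test-7", "image_id": "scratch-linux", "image_sha256": "0000", "patch_level": 3, "listening_ports": [22, 8080], "deployed_by": "dev-jsmith"}}
{{"name": "train-02", "image_id": "corp-std-2006q3", "image_sha256": "{hashlib.sha256(b'tampered').hexdigest()}", "patch_level": 12, "listening_ports": [80, 443, 3389, 445], "deployed_by": "it-ops"}}
"""

SAMPLE_VMS = load_inventory(SAMPLE_INVENTORY)

if __name__ == "__main__":
    for name, findings in audit_inventory(SAMPLE_VMS).items():
        print(name)
        for f in findings:
            print("  -", f)
```

The hash comparison is the check that matters most: a VM can report the certified image name while running a copy that someone has modified after the pen test, and only comparing the image bytes against the manifest catches that. The unexpected-port check is a cheap proxy for drift after deployment; it catches services added by hand that the certified configuration never exposed.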

No leeway, even for execs

Like many other IT pros, Thompson also is struggling with the evolving problem of endpoint control. Symantec, like most large organizations, has employees all over the world, and bringing all of the various infrastructures from its many acquisitions in line with Symantec's corporate standards is a constant challenge.

Thompson has been keeping an eye on the various network access control (NAC) architectures out there, but for the time being is relying on strict policies and enforcement to keep mobile devices secure.

Foremost among those policies, he said, is that all devices, including mobile devices, must belong to Symantec and must run its software in order to connect to the corporate network. It's a stringent policy to which even the company's higher-ups are still adapting.

"We had one executive call and complain and I had to say 'Sorry.' Mobile devices are an opportunity for encryption on the device and that's something we're looking at," Thompson said. "It is somewhat of a challenge, hard to administer. But we still have issues like any other large corporation."

Thompson, who joined Symantec after several years as CIO at Oracle Corp. and PeopleSoft Inc., has been through a number of mergers and acquisitions in his career, which is one of the reasons he's now at Symantec. The Cupertino, Calif., security giant has been perhaps the most active shopper in the infosec industry's most recent round of consolidation, and Thompson's experience stitching together the disparate infrastructures of a number of organizations is coming in handy.

One of the key lessons he's learned is to keep in mind that security should help people do their jobs, not prevent them from getting work done.

"Clients would rather not have to interact with the support person if they don't have to. We have a great deal of opportunity to have better online interaction with clients, with more self-help and self-healing," Thompson said. "My techies want to do things directly and that's where we continue to need to beef up our capabilities. [Instant messaging] is an opportunity for us to help, with IM Logic. If we can secure the [IM communications] channel, that's a great opportunity.

"A lot of my peers have opted not to allow IM at all," he added. "That's an opportunity for us to help, to help CIOs open that boundary because sales and support want to be able to communicate."
