Symantec CIO vies with virtualization, device policy
Symantec CIO David Thompson says virtualization is a big part of the security giant's future and it has developed a policy to mitigate virtualization security risks.
"The back-office infrastructure has merged and right now I'm working on data center consolidation. That's typically the last thing you can get to," said Thompson. "We're shutting down some labs and consolidating data centers now through the end of the year."
Virtualization's unknowns
As part of that project, Thompson is beginning to invest in virtualization technology as a way to save money on servers and reduce energy consumption in the data centers, both of which are key concerns for Symantec CEO John Thompson. The rising cost of power in the last year or two has coincided with wider deployment of dual-core servers, which require more power and throw out more heat than traditional single-core machines.
This confluence of events has led to a dramatic increase in the amount of money required to run a typical data center. As a result, many enterprises have begun trimming costs by using virtual machines to reduce the number of physical servers needed in a data center.
Thompson sees virtualization as a key part of Symantec's infrastructure going forward.
"Virtualization hasn't been a part of it in the past, but we're doing that now," he said. "We're starting to invest now, preparing an architectural plan. It'll not only save us a ton of money, but also increase productivity and that's the kind of innovation we have to do in IT."
But along with the many advantages virtual machines can deliver, they also bring questions about their security. Some researchers have raised concerns about the safety of running multiple virtual machines on a given server, saying that it's difficult to monitor and understand the interactions among the virtual machines, largely because they are not tied directly to the hardware in the way that Windows or other operating systems are. Developers or testers can quickly bring up a virtual machine on a test box without notifying IT, leading to other potential security issues.
But Thompson said Symantec has developed a policy that requires all virtual machines to be of a standard configuration and to be deployed by IT.
"In our training environment for customers, in the past we had servers all over the country. We brought that back into the central environment and we use a certified configuration," Thompson said. "The image has been pen-tested so the environment is secure out of the box."
No leeway, even for execs
Like many other IT pros, Thompson also is struggling with the evolving problem of endpoint control. Symantec, like most large organizations, has employees all over the world, and bringing all of the various infrastructures from its many acquisitions in line with Symantec's corporate standards is a constant challenge.
Thompson has been keeping an eye on the various network access control (NAC) architectures out there, but for the time being is relying on strict policies and enforcement to keep mobile devices secure.
Foremost among those policies, he said, is that all devices – including mobile devices – must belong to Symantec and must have its software in order to access the corporate network. It's a stringent policy to which even the company's higher-ups are still adapting.
"We had one executive call and complain and I had to say 'Sorry.' Mobile devices are an opportunity for encryption on the device and that's something we're looking at," Thompson said. "It is somewhat of a challenge, hard to administer. But we still have issues like any other large corporation."
Thompson, who joined Symantec after several years as CIO at Oracle Corp. and PeopleSoft Inc., has been through a number of mergers and acquisitions in his career, which is one of the reasons he's now at Symantec. The Cupertino, Calif., security giant has been perhaps the most active shopper in the infosec industry's most recent round of consolidation, and Thompson's experience stitching together the disparate infrastructures of a number of organizations is coming in handy.
One of the key lessons he's learned is to keep in mind that security should help people do their jobs, not prevent them from getting work done.
"Clients would rather not have to interact with the support person if they don't have to. We have a great deal of opportunity to have better online interaction with clients, with more self-help and self-healing," Thompson said. "My techies want to do things directly and that's where we continue to need to beef up our capabilities. [Instant messaging] is an opportunity for us to help, with IM Logic. If we can secure the [IM communications] channel, that's a great opportunity.
"A lot of my peers have opted not to allow IM at all," he added. "That's an opportunity for us to help, to help CIOs open that boundary because sales and support want to be able to communicate."