What VMware Learned from the VMUG Member Security Survey

    By: Addie Drillock on Feb 14, 2013

    Voice

    What VMware Learned from the VMUG Member Security Survey

    In January 2013, VMware conducted a survey of VMUG members to gather input and learn more about customers’ security policies and requirements as it considers changes to its security patch release process. VMware received a fantastic response, with more than 1,700 VMUG members providing insightful information that is being carefully analyzed and used to help shape security processes.

    VMware thanks everyone who provided feedback. Three names were randomly selected from the responses – Rodney Hoy, Scott Kuntzelman and Robert Moore – and each received an Apple iPad Mini! Congratulations!

    Read on to learn more about the feedback received and some actions VMware is considering as a result.

    Of the surveys submitted, we received almost an even 50-50 split between small companies and mid- to large-size organizations responding, and we received input from a broad distribution of geographies worldwide. Nearly 100% of the respondents are using our VMware vSphere product, more than 20% are using our vCenter Operations product and another 10+% are using vCloud Director.

    Here’s what we learned from the responses:

    Maintenance Policies, Schedules and Currency on Patches

    Two thirds of respondents:
    •    Have established maintenance policies, schedules and are generally up to date with security patches (no more than 4 patches behind)
    •    One third follow a monthly maintenance schedule
    •    One third mostly have a quarterly maintenance cycle

    One third of respondents:
    •    Have no formal maintenance schedule
    •    Are well behind on security updates (23%) or never apply them (10%)

    Our Response:
    While we are encouraged that two thirds of respondents are keeping up with security updates, we would like to increase that amount. We are considering some initiatives to increase awareness of security updates, as well as the potential for product improvements to reduce the burden of keeping up to date on security.

    Workarounds, Mitigations and Risk Assessments

    •    Two thirds of respondents actively consider any workarounds supplied by vendors as a temporary or permanent alternative to patching.
    •    A large number of commenters requested more detailed information in Security Advisories to help with risk assessments.

    Our Response:
    We agree that we need to provide more detail in our VMware Security Advisories (VMSAs). Your insightful feedback will help the VMware Security Response Center (VSRC) focus on the most important areas in which to improve our VMSAs in 2013.

    Scheduled Patch Releases Versus Releasing When Patches Are Ready

    •    There was an almost even split between those in favor of a schedule vs. those wanting patches released immediately as they are available.

    Our Response:
    We are planning to conduct some follow-up calls to gather more data to see whether it makes sense for us to stay with our current process or whether we should further evaluate moving to a regular schedule. Thanks in advance to those of you who offered to participate in a follow-up discussion -- we will be reaching out to you soon.

    Protection of the vSphere Management Network

    •    Two thirds of respondents protect their vSphere management networks, primarily using VLANs, though many share this network with other infrastructure services.

    Our Response:
    While two thirds is good, we’d like this protection to be higher; therefore, we will investigate ways to make this best practice guidance more visible in product documentation.

    Additional Comments

    We received some informative comments (about 10% of respondents provided additional comments) that broadly fall into three primary areas:

    •    Feedback on update schedules
    •    Experiences of deploying updates
    •    Quality of updates

    We are sharing this feedback with teams across the VMware organization as input into their planning processes.

    Once again, a sincere thank you goes to those who responded to the survey. We value your input, and you will start to see the actions taken to improve our security patch release process.

    Released: February 14, 2013, 10:29 am | Updated: February 15, 2013, 2:48 pm


     

     

     

    About this Blog

    VMUG Voice

    VMUG Voice is the monthly electronic newsletter distributed exclusively to VMUG members. The newsletter is a premier educational resource for VMware users worldwide.
    Contact Us

    VMUG Headquarters
    330 N. Wabash Ave.
    Chicago, IL 60611

    Phone: 312.321.6886
    Email: info@vmug.com

    Connect With VMUG

    Copyright © 2014 
    VMware User Group. 
    All Rights Reserved

    > Terms of Service
    > Privacy Policy
    > Bylaws