Risk
3/11/2014
07:57 PM
Connect Directly
RSS
E-Mail
50%
50%

Security Services Cater To SMBs

Cloud and managed security services are headed down market with simpler interfaces masking their enterprise heritage

Small and midsized businesses will gain more choices in 2014 for securing their data and networks using cloud and managed services, rather than buying and installing products inside their perimeters.

A handful of security firms have announced simpler versions of their enterprise cloud security services, slimming down the signup process and removing complex configuration options to make the offerings more useful for smaller companies. In other cases, security vendors traditionally targeting larger firms have provided the infrastructure for managed security service providers to step in, set up and maintain digital defenses for smaller companies.

Cloud security firm Zscaler, for example, is beta-testing a slimmed-down version, dubbed SHIFT, of its enterprise security offering, limiting the dashboard to a single page and aiming to get companies "up and running in 5 minutes or less."

"If you are doing it right, security should be on or off," says Patrick Foxhoven, chief technology officer for emerging technologies at Zscaler. "They need the technology, but they don't need all the complexity."

SMBs are among the largest adopters of cloud services. In 2014, the average SMB will spend 14 percent of its information-technology budget on cloud, and another 11 percent on managed services, according to information-technology managers surveyed in the 2014 State of IT Budget Report (registration required) published by SMB information services firm Spiceworks. While many smaller businesses are hesitant to use cloud services, 94 percent of firms say that moving to the cloud had a positive impact on security, according to a June 2013 Microsoft survey.

Because many SMBs do not understand their security needs, they put themselves at risk, Stephen Cobb, a security evangelist for antivirus firm ESET told attendees at the RSA Conference in February. Cybercriminals are finding the combination of valuable assets and lack of security awareness in smaller businesses to be a sweet spot for attacks, he said.

[New study highlights uncertainty among small to midsize businesses on cyberattacks and threats. See SMBs Unsure And At Risk, Survey Finds.]

SMBs that want to harden their business against attacks should follow a process of ABCDEF, according to the company: Assess the business's assets, risks, and resources; build a policy; choose the security controls; deploy security measures; educate employees and vendors; and further assess the company's security.

Yet, many small and medium business want simple security measures that give them visibility into what risks may be affecting their networks, whether an attacker compromising computers or a rogue employee exfiltrating data. Getting rid of the complexity is important, says Wolfgang Kandek, chief technology officer at Qualys, a cloud security provider.

"From a philosophical point of view, I think the problem is that security is very complicated," he says. "So we have been trying to make it easier and make it very approachable."

When Qualys aimed for the small- and midsized business market, the company decided to strip out the more complex functionality from its service. Last year, the company announced its vulnerability management offering for smaller firms, QualysGuard Express Lite. At RSA in February, the company went even simpler, announcing--in conjunction with the SANS Institute and the Council on CyberSecurity--a service to scan for the Top-4 Critical Security Controls, which, historically, could have prevented 85 percent of breaches.

Many smaller companies do not have the expertise to assess whether their network is at risk or what policies might help them secure their data. For those companies, a managed security service provider can be the expert to offer advice and manage the security of the network, says Seth Geftic, associate director of RSA Security Analytics. A number of firms have targeted the SMB market, including Dell SecureWorks and Trustwave.

In February, security firm RSA announced it had partnered with Verizon Enterprise Solutions to make its enterprise-focused products available as a service to smaller companies as well. Those companies can benefit from an experienced security consultant, Geftic says.

"Partners can really help out by providing the skills," he says. "Not just be a service, but analyzing the data and telling the customer what they should be going after and what they should be doing."

Whether they choose a cloud service or a managed provider, SMBs looking to improve security will have a lot more options in 2014.

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message. Robert Lemos is a veteran technology journalist of more than 16 years and a former research engineer, writing articles that have appeared in Business Week, CIO Magazine, CNET News.com, Computing Japan, CSO Magazine, Dark Reading, eWEEK, InfoWorld, MIT's Technology Review, ... View Full Bio

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Flash Poll
Current Issue
Cartoon
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2013-6335
Published: 2014-08-26
The Backup-Archive client in IBM Tivoli Storage Manager (TSM) for Space Management 5.x and 6.x before 6.2.5.3, 6.3.x before 6.3.2, 6.4.x before 6.4.2, and 7.1.x before 7.1.0.3 on Linux and AIX, and 5.x and 6.x before 6.1.5.6 on Solaris and HP-UX, does not preserve file permissions across backup and ...

CVE-2014-0480
Published: 2014-08-26
The core.urlresolvers.reverse function in Django before 1.4.14, 1.5.x before 1.5.9, 1.6.x before 1.6.6, and 1.7 before release candidate 3 does not properly validate URLs, which allows remote attackers to conduct phishing attacks via a // (slash slash) in a URL, which triggers a scheme-relative URL ...

CVE-2014-0481
Published: 2014-08-26
The default configuration for the file upload handling system in Django before 1.4.14, 1.5.x before 1.5.9, 1.6.x before 1.6.6, and 1.7 before release candidate 3 uses a sequential file name generation process when a file with a conflicting name is uploaded, which allows remote attackers to cause a d...

CVE-2014-0482
Published: 2014-08-26
The contrib.auth.middleware.RemoteUserMiddleware middleware in Django before 1.4.14, 1.5.x before 1.5.9, 1.6.x before 1.6.6, and 1.7 before release candidate 3, when using the contrib.auth.backends.RemoteUserBackend backend, allows remote authenticated users to hijack web sessions via vectors relate...

CVE-2014-0483
Published: 2014-08-26
The administrative interface (contrib.admin) in Django before 1.4.14, 1.5.x before 1.5.9, 1.6.x before 1.6.6, and 1.7 before release candidate 3 does not check if a field represents a relationship between models, which allows remote authenticated users to obtain sensitive information via a to_field ...

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Three interviews on critical embedded systems and security, recorded at Black Hat 2014 in Las Vegas.