Risk
3/11/2014
07:57 PM
50%
50%

Security Services Cater To SMBs

Cloud and managed security services are headed down market with simpler interfaces masking their enterprise heritage

Small and midsized businesses will gain more choices in 2014 for securing their data and networks using cloud and managed services, rather than buying and installing products inside their perimeters.

A handful of security firms have announced simpler versions of their enterprise cloud security services, slimming down the signup process and removing complex configuration options to make the offerings more useful for smaller companies. In other cases, security vendors traditionally targeting larger firms have provided the infrastructure for managed security service providers to step in, set up and maintain digital defenses for smaller companies.

Cloud security firm Zscaler, for example, is beta-testing a slimmed-down version, dubbed SHIFT, of its enterprise security offering, limiting the dashboard to a single page and aiming to get companies "up and running in 5 minutes or less."

"If you are doing it right, security should be on or off," says Patrick Foxhoven, chief technology officer for emerging technologies at Zscaler. "They need the technology, but they don't need all the complexity."

SMBs are among the largest adopters of cloud services. In 2014, the average SMB will spend 14 percent of its information-technology budget on cloud, and another 11 percent on managed services, according to information-technology managers surveyed in the 2014 State of IT Budget Report (registration required) published by SMB information services firm Spiceworks. While many smaller businesses are hesitant to use cloud services, 94 percent of firms say that moving to the cloud had a positive impact on security, according to a June 2013 Microsoft survey.

Because many SMBs do not understand their security needs, they put themselves at risk, Stephen Cobb, a security evangelist for antivirus firm ESET told attendees at the RSA Conference in February. Cybercriminals are finding the combination of valuable assets and lack of security awareness in smaller businesses to be a sweet spot for attacks, he said.

[New study highlights uncertainty among small to midsize businesses on cyberattacks and threats. See SMBs Unsure And At Risk, Survey Finds.]

SMBs that want to harden their business against attacks should follow a process of ABCDEF, according to the company: Assess the business's assets, risks, and resources; build a policy; choose the security controls; deploy security measures; educate employees and vendors; and further assess the company's security.

Yet, many small and medium business want simple security measures that give them visibility into what risks may be affecting their networks, whether an attacker compromising computers or a rogue employee exfiltrating data. Getting rid of the complexity is important, says Wolfgang Kandek, chief technology officer at Qualys, a cloud security provider.

"From a philosophical point of view, I think the problem is that security is very complicated," he says. "So we have been trying to make it easier and make it very approachable."

When Qualys aimed for the small- and midsized business market, the company decided to strip out the more complex functionality from its service. Last year, the company announced its vulnerability management offering for smaller firms, QualysGuard Express Lite. At RSA in February, the company went even simpler, announcing--in conjunction with the SANS Institute and the Council on CyberSecurity--a service to scan for the Top-4 Critical Security Controls, which, historically, could have prevented 85 percent of breaches.

Many smaller companies do not have the expertise to assess whether their network is at risk or what policies might help them secure their data. For those companies, a managed security service provider can be the expert to offer advice and manage the security of the network, says Seth Geftic, associate director of RSA Security Analytics. A number of firms have targeted the SMB market, including Dell SecureWorks and Trustwave.

In February, security firm RSA announced it had partnered with Verizon Enterprise Solutions to make its enterprise-focused products available as a service to smaller companies as well. Those companies can benefit from an experienced security consultant, Geftic says.

"Partners can really help out by providing the skills," he says. "Not just be a service, but analyzing the data and telling the customer what they should be going after and what they should be doing."

Whether they choose a cloud service or a managed provider, SMBs looking to improve security will have a lot more options in 2014.

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message. Robert Lemos is a veteran technology journalist of more than 16 years and a former research engineer, writing articles that have appeared in Business Week, CIO Magazine, CNET News.com, Computing Japan, CSO Magazine, Dark Reading, eWEEK, InfoWorld, MIT's Technology Review, ... View Full Bio

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading Tech Digest, Dec. 19, 2014
Software-defined networking can be a net plus for security. The key: Work with the network team to implement gradually, test as you go, and take the opportunity to overhaul your security strategy.
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-7241
Published: 2014-12-19
The TSUTAYA application 5.3 and earlier for Android allows remote attackers to execute arbitrary Java methods via a crafted HTML document.

CVE-2014-7249
Published: 2014-12-19
Buffer overflow on the Allied Telesis AR440S, AR441S, AR442S, AR745, AR750S, AR750S-DP, AT-8624POE, AT-8624T/2M, AT-8648T/2SP, AT-8748XL, AT-8848, AT-9816GB, AT-9924T, AT-9924Ts, CentreCOM AR415S, CentreCOM AR450S, CentreCOM AR550S, CentreCOM AR570S, CentreCOM 8700SL, CentreCOM 8948XL, CentreCOM 992...

CVE-2014-7267
Published: 2014-12-19
Cross-site scripting (XSS) vulnerability in the output-page generator in the Ricksoft WBS Gantt-Chart add-on 7.8.1 and earlier for JIRA allows remote authenticated users to inject arbitrary web script or HTML via unspecified vectors, a different vulnerability than CVE-2014-7268.

CVE-2014-7268
Published: 2014-12-19
Cross-site scripting (XSS) vulnerability in the data-export feature in the Ricksoft WBS Gantt-Chart add-on 7.8.1 and earlier for JIRA allows remote attackers to inject arbitrary web script or HTML via unspecified vectors, a different vulnerability than CVE-2014-7267.

CVE-2014-8272
Published: 2014-12-19
The IPMI 1.5 functionality in Dell iDRAC6 modular before 3.65, iDRAC6 monolithic before 1.98, and iDRAC7 before 1.57.57 does not properly select session ID values, which makes it easier for remote attackers to execute arbitrary commands via a brute-force attack.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Join us Wednesday, Dec. 17 at 1 p.m. Eastern Time to hear what employers are really looking for in a chief information security officer -- it may not be what you think.