Vulnerabilities / Threats
5/14/2012
05:40 PM
Connect Directly
Google+
Twitter
RSS
E-Mail
50%
50%

Why Some SMBs Still Fear The Cloud

Blind study commissioned by Microsoft shows disparity between those small to midsize businesses that have adopted cloud computing and security-as-a-service and those that have not

Around one-third of small to midsize businesses (SMBs) around the world that have moved their computing and security operations to the cloud worry less about attack threats and compliance, and say their businesses are more secure now than when they handled security in-house, according to new data gathered by Microsoft.

But that doesn't mean SMBs are widely embracing the cloud. Around 40 percent of SMBs that have held back from outsourcing their IT and security operations to cloud service providers have done so due to worries about security and lack of transparency by cloud providers on how they implement security, according to new data released today from a blind survey of U.S. SMBs conducted by comScore and commissioned by Microsoft. ComScore surveyed companies in the U.S., Singapore, Malaysia, India and Hong Kong, with 100 to 250 PCs.

Nearly 70 percent of SMBs that haven't gone to the cloud say cloud security standards would help allay their concerns about security in the cloud, and 38 percent want more transparency from cloud providers. Nearly 35 percent aren't going to the cloud because they're concerned it will be costly to make the move from in-house to the cloud.

Tim Rains, director of Microsoft's Trustworthy Computing program, says the shocker to him was how much SMBs who employ the cloud say they saved on security spending. "The thing that surprised me most was the money savings of SMBs who use the cloud. They are six times more likely to have decreased the total amount they spent on security: That's a large number," Rains says.

SMBs that have gone to the cloud spend an average of 32 percent less time on managing security, and 52 percent say the cloud allowed them to add new products or services more rapidly and securely. Some 35 percent of the cloud adopters say they are more secure now, and 32 percent say they now worry less about attack threats.

"The perception is that security is a barrier to cloud adoption. But when we talk to customers -- and this [new] research backs it up -- the companies that embraced the cloud are already finding the benefits outweighing the previous concerns," Rains says. "A lot of customers are still timid because they have security concerns top of mind."

[ A registry offered by the Cloud Security Alliance allows customers to compare the security measures of participating service providers. See Vetting The Security Of Cloud Service Providers. ]

Ryan Brock, vice president of worldwide SMB cloud and channels for Access Markets International Partners, says the cloud provides SMBs with the expertise and resources they don't and likely can't have. "This translates into cost and time savings and better protection against cyberthreats, which gives them the freedom to innovate and grow their business," he said.

One SMB that is also a Microsoft InTune security-as-a-service customer says his firm was an early adopter of cloud technology, starting first with its IT infrastructure. "We started right away moving everything to the cloud with this start-up -- our own products, infrastructure," etc., says Thomas Castleberry, executive vice president and chief operating officer for SkyWire Media. Security was becoming overwhelming, with multiple software updates, antivirus, and anti-spyware tools and operations to conduct, he says.

So SkyWire outsourced its security operations to Microsoft's InTune service. "It was a hub for us to do all those things in one place," Castleberry says. The company saved more than $90,000 in IT costs -- around $15,000 per month, he says.

"We gained those numbers by reducing expenses, retiring hardware, and not deploying disparate software systems and having per-server client licenses," he says.

While cloud was a no-brainer for Castleberry and his company, that's not the case for all SMBs. Castleberry says that, in some cases, it's a cultural thing. "Those with an IT background and those that have grown up through the [IT] ranks have a tendency to server-hub: They want to feel it and touch it and be the guy who makes sure the power's turned on," Castleberry says. "But life just doesn't have to be that complicated. You don't have to physically see a server to know there's a group out there than can manage uptime better than you."

But not all cloud offerings are created equal, notes Pedro Bustamante, senior research advisor in the office of the CTO at Panda Security. Bustamante says his firm agrees with the SMB survey conclusions, but he adds that the key is having security protection that includes behavioral analysis, blocking engines, and IDS, for example, in addition to antivirus. "While the cloud offerings bring new benefits to the table, the protection offered by the solution should not be overlooked," Bustamante says.

Perception versus experience The SMB survey data seems to reflect a discrepancy between some SMBs' perceptions of cloud security versus others' actual experiences with it, according to Microsoft's Rains.

"This [survey] clearly shows that SMBs that use cloud spend less time managing security, less money managing it, and achieve higher levels of security than SMBs that do not use the cloud. Anecdotally, a lot of people will read this and say that this makes a lot of sense: spending less time managing security because it's offloaded to cloud providers, so you save money," he says.

"Security concerns are holding some of them back, but then you see the benefits are real, and [some] change their former perceptions," Rains says.

The Microsoft SMB cloud survey summary is available here for download (PDF).

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Kelly Jackson Higgins is Senior Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise Magazine, ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Bprince
50%
50%
Bprince,
User Rank: Ninja
6/25/2012 | 1:30:55 AM
re: Why Some SMBs Still Fear The Cloud
It's not that impressive that 35 percent of cloud adopters say they are more secure now. Neither is the figure about 32 percent saying they worry less about attacks.-
Brian Prince, InformationWeek/Dark Reading Comment Moderator
DanMcDonald
50%
50%
DanMcDonald,
User Rank: Apprentice
5/18/2012 | 8:20:51 PM
re: Why Some SMBs Still Fear The Cloud
The measurement of security in this article is apparently customer perception.- How about hard metrics?- If you are trying to persuade someone that security is better, don't just be anecdotal and say "the early adopters feel more secure".- That doesn't persuade me about anything other than the naivete of the early adopters.
lordgeep
50%
50%
lordgeep,
User Rank: Apprentice
5/15/2012 | 3:40:40 PM
re: Why Some SMBs Still Fear The Cloud
-Almost half of the cloud using respondents thought that their cloud
Security as a Service provider was completely responsible for security? - This says to me that a significant number of the
cloud users do not really understand their environment.- Yes, they have
significantly reduced security spending, but at the price of security!-

Also, the study doesn't say that Microsoft commissioned the study.- It
says they performed the study.- Am I missing something here?
TBELL000
50%
50%
TBELL000,
User Rank: Apprentice
5/15/2012 | 1:52:11 PM
re: Why Some SMBs Still Fear The Cloud
It is very possible the SMB's are reading the same information I am about companies that put their data in the cloud have had some type of data breach at least once.- In addition, the cloud has a long way to mature from a security perspective.- The cloud is great for non-compliance data (PCI, PII), low level functions in IT, and software testing.- Beyond that, why would a company want to share data with 50 other companies when all it takes is one bad system admin to breach 50 companies.- Let's say you have a good system admin, the admin can take down layers of security with-a few-clicks of a mouse going through a hurried provisioning process.
Register for Dark Reading Newsletters
White Papers
Flash Poll
Current Issue
Cartoon
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2012-4988
Published: 2014-07-09
Heap-based buffer overflow in the xjpegls.dll (aka JLS, JPEG-LS, or JPEG lossless) format plugin in XnView 1.99 and 1.99.1 allows remote attackers to execute arbitrary code via a crafted JLS image file.

CVE-2014-0207
Published: 2014-07-09
The cdf_read_short_sector function in cdf.c in file before 5.19, as used in the Fileinfo component in PHP before 5.4.30 and 5.5.x before 5.5.14, allows remote attackers to cause a denial of service (assertion failure and application exit) via a crafted CDF file.

CVE-2014-0537
Published: 2014-07-09
Adobe Flash Player before 13.0.0.231 and 14.x before 14.0.0.145 on Windows and OS X and before 11.2.202.394 on Linux, Adobe AIR before 14.0.0.137 on Android, Adobe AIR SDK before 14.0.0.137, and Adobe AIR SDK & Compiler before 14.0.0.137 allow attackers to bypass intended access restrictions via uns...

CVE-2014-0539
Published: 2014-07-09
Adobe Flash Player before 13.0.0.231 and 14.x before 14.0.0.145 on Windows and OS X and before 11.2.202.394 on Linux, Adobe AIR before 14.0.0.137 on Android, Adobe AIR SDK before 14.0.0.137, and Adobe AIR SDK & Compiler before 14.0.0.137 allow attackers to bypass intended access restrictions via uns...

CVE-2014-3309
Published: 2014-07-09
The NTP implementation in Cisco IOS and IOS XE does not properly support use of the access-group command for a "deny all" configuration, which allows remote attackers to bypass intended restrictions on time synchronization via a standard query, aka Bug ID CSCuj66318.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Marilyn Cohodas and her guests look at the evolving nature of the relationship between CIO and CSO.