Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


10:25 PM

Four Ways SMBs Can Improve Security Through Cloud

Small and midsize firms are voracious users of cloud services; a few precautions can make their businesses even more secure

Small and midsize businesses (SMBs) have major problems dealing with their information technology: Rarely does a small business have an employee dedicated to IT and, when it does, the person has little time to pay attention to security.

Yet the security of SMBs has become a mounting concern. While attackers are increasingly focusing on small businesses, only 10 percent of businesses with 250 employees or less have a full-time IT administrator, according to a 2012 study conducted by Symantec and the National Cyber Security Alliance. The study found that nearly 70 percent of companies did not even have an informal Internet security policy or provided their employees with security training.

Managing 100 or 1,000 desktops and a handful of servers, information-technology managers at smaller firms find themselves drawn to cloud services for their ease of use, but are frequently uncertain at how to protect their systems or data, says John Howie, chief operating officer for the Cloud Security Alliance. "The average small or [midsize] business cares that their system is secure, but they don't have the time or the resources to ensure that they are secure," he says.

For that reason, the CSA announced in April the formation of the SMB Working Group, which will focus on providing advice and information on the secure use of cloud services. While the working group will not publish a report before November, cloud providers gave four suggestions for SMB executives and managers to keep their businesses safe today.

1. Rely on cloud for expertise
While some midsize businesses have enough security expertise to move their systems to the cloud as part of a more hands-on infrastructure-as-a-service option, for most SMBs software-as-a-service works best, says Carson Sweet, co-founder and CEO of CloudPassage, a cloud security provider.

"It's a great option because, if they don't need the flexibility, it takes a huge amount of responsibility off of their plate," Sweet says.

[Straight-shooting advice -- and some out-of-the-box thinking -- on how smaller companies can save money on security while doing it better. See 5 Ways For SMBs To Boost Security But Not Costs.]

For the most part, software-as-a-service providers will help SMBs offer their employees the business services they need while taking care of most security concerns. In most cases, SMBs should not be running e-mail, file, or Web servers unless the service is a differentiator for their firms, the CSA's Howie says. Instead, companies should benefit from the security expertise of cloud services.

"Don't try to run that stuff in-house because chances are that you will expose yourself to data theft or data loss," he says. "Outsource all that headache to the cloud and the cloud provider, and they will do a better job."

2. Interrogate your cloud provider
In that vein, SMBs have already taken to cloud services, whether by choice or because employees have jumped on the bandwagon without consulting management. About six out of every 10 SMBs uses cloud services, with the average spending reaching 12 percent of the information-technology budget, according to IT tools maker and community hub Spiceworks.

Yet, before signing on with a cloud provider, prospective customers should do their due diligence, says Joel Smith, chief technology officer and co-founder of AppRiver, a provider of cloud services for SMBs.

"It would be very simple for any size company to do a due-diligence check list," he says. "The questions can be asked in a way that you can tell if the provider knows what they are doing, and you can tell if they have thought these [security] things through."

A good start is the Shared Assessments program, which standardizes the process for vendor assessments and has a free manual (PDF) available for assessing cloud providers.

3. E-mail and Web security: No brainers
A group of basic business services should be considered a no-brainer for most SMBs: e-mail, Web hosting, and file-sharing services, say cloud providers.

"Given that cloud providers are very good at running very secure infrastructure, you are probably better off going to the cloud for simple workloads, such as e-mail, document collaboration, unified communication, telepresence, and CRM," Howie says. "If I were starting up a small business, there is no way I would consider having on-premise IT anymore for e-mail or document collaboration."

Cloud providers are able to provide e-mail infrastructure with antivirus and anti-spam filtering for about half the cost of having an in-house server, according to AppRiver's Smith. And Web security, by using a cloud proxy service, can stop employees before they get infected by going to a malicious Web site.

"Do a quick, broad check of your traffic to make sure that your users don't go to compromised Web sites in the first place," Smith says. "We have plenty of scenarios where a customer signs up and they find that they are compromised and they didn't know."

Finally, companies should look at augmenting the security of business services with additional cloud security. Vulnerability-management providers that frequently scan Web sites for flaws and Web application firewall services that block attacks on companies' Web sites are examples of services that can help a company defend its borders.

4. Access management, backups: depends
Two businesses services that can work in the cloud but may not be a slam-dunk for smaller firms are access management and automated backups.

External access-management services -- such as Windows Azure Active Directory -- are generally not designed for internal devices but for managing external access to cloud resources. For that reason, keeping Active Directory in-house is easiest.

Storing backups in the cloud benefits from all the other advantages of cloud services, such as the expertise concentrated at the cloud provider and the fact such backups are automatically taken off-premise -- a key security requirement of a good backup strategy. However, even small companies can create massive amounts of data, which can make cloud backups slow and data restoration even slower.

Yet that depends on the service provider, argues Piyum Samaraweera, director of product management for online backup provider Carbonite. The company has come up with its own strategy to get around bandwidth limitations: The company restores data needed most by the client first and then completes the process as quickly as possible. If the company needs all the data as soon as possible, Carbonite will overnight the information on physical media.

A large part of the process is giving the best support, Samaraweera says.

"If they have a catastrophic event that deletes critical data, we advise the client on the quickest way for them to get back the data," he says. "We walk them through the process of bringing the data back to the computer."

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message. Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline ... View Full Bio

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
Mobile Banking Malware Up 50% in First Half of 2019
Kelly Sheridan, Staff Editor, Dark Reading,  1/17/2020
Exploits Released for As-Yet Unpatched Critical Citrix Flaw
Jai Vijayan, Contributing Writer,  1/13/2020
Microsoft to Officially End Support for Windows 7, Server 2008
Kelly Sheridan, Staff Editor, Dark Reading,  1/13/2020
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
The Year in Security: 2019
This Tech Digest provides a wrap up and overview of the year's top cybersecurity news stories. It was a year of new twists on old threats, with fears of another WannaCry-type worm and of a possible botnet army of Wi-Fi routers. But 2019 also underscored the risk of firmware and trusted security tools harboring dangerous holes that cybercriminals and nation-state hackers could readily abuse. Read more.
Flash Poll
[Just Released] How Enterprises are Attacking the Cybersecurity Problem
[Just Released] How Enterprises are Attacking the Cybersecurity Problem
Organizations have invested in a sweeping array of security technologies to address challenges associated with the growing number of cybersecurity attacks. However, the complexity involved in managing these technologies is emerging as a major problem. Read this report to find out what your peers biggest security challenges are and the technologies they are using to address them.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2020-01-18
Westermo MRD-315 1.7.3 and 1.7.4 devices have an information disclosure vulnerability that allows an authenticated remote attacker to retrieve the source code of different functions of the web application via requests that lack certain mandatory parameters. This affects ifaces-diag.asp, system.asp, ...
PUBLISHED: 2020-01-18
A memory usage vulnerability exists in Trend Micro Password Manager 3.8 that could allow an attacker with access and permissions to the victim's memory processes to extract sensitive information.
PUBLISHED: 2020-01-18
A RootCA vulnerability found in Trend Micro Password Manager for Windows and macOS exists where the localhost.key of RootCA.crt might be improperly accessed by an unauthorized party and could be used to create malicious self-signed SSL certificates, allowing an attacker to misdirect a user to phishi...
PUBLISHED: 2020-01-18
An arbitrary code execution vulnerability exists in the Trend Micro Security 2019 (v15) consumer family of products which could allow an attacker to gain elevated privileges and tamper with protected services by disabling or otherwise preventing them to start. An attacker must already have administr...
PUBLISHED: 2020-01-18
A Persistent Arbitrary Code Execution vulnerability exists in the Trend Micro Security 2020 (v160 and 2019 (v15) consumer familiy of products which could potentially allow an attacker the ability to create a malicious program to escalate privileges and attain persistence on a vulnerable system.