Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


10:25 PM

Four Ways SMBs Can Improve Security Through Cloud

Small and midsize firms are voracious users of cloud services; a few precautions can make their businesses even more secure

Small and midsize businesses (SMBs) have major problems dealing with their information technology: Rarely does a small business have an employee dedicated to IT and, when it does, the person has little time to pay attention to security.

Yet the security of SMBs has become a mounting concern. While attackers are increasingly focusing on small businesses, only 10 percent of businesses with 250 employees or less have a full-time IT administrator, according to a 2012 study conducted by Symantec and the National Cyber Security Alliance. The study found that nearly 70 percent of companies did not even have an informal Internet security policy or provided their employees with security training.

Managing 100 or 1,000 desktops and a handful of servers, information-technology managers at smaller firms find themselves drawn to cloud services for their ease of use, but are frequently uncertain at how to protect their systems or data, says John Howie, chief operating officer for the Cloud Security Alliance. "The average small or [midsize] business cares that their system is secure, but they don't have the time or the resources to ensure that they are secure," he says.

For that reason, the CSA announced in April the formation of the SMB Working Group, which will focus on providing advice and information on the secure use of cloud services. While the working group will not publish a report before November, cloud providers gave four suggestions for SMB executives and managers to keep their businesses safe today.

1. Rely on cloud for expertise
While some midsize businesses have enough security expertise to move their systems to the cloud as part of a more hands-on infrastructure-as-a-service option, for most SMBs software-as-a-service works best, says Carson Sweet, co-founder and CEO of CloudPassage, a cloud security provider.

"It's a great option because, if they don't need the flexibility, it takes a huge amount of responsibility off of their plate," Sweet says.

[Straight-shooting advice -- and some out-of-the-box thinking -- on how smaller companies can save money on security while doing it better. See 5 Ways For SMBs To Boost Security But Not Costs.]

For the most part, software-as-a-service providers will help SMBs offer their employees the business services they need while taking care of most security concerns. In most cases, SMBs should not be running e-mail, file, or Web servers unless the service is a differentiator for their firms, the CSA's Howie says. Instead, companies should benefit from the security expertise of cloud services.

"Don't try to run that stuff in-house because chances are that you will expose yourself to data theft or data loss," he says. "Outsource all that headache to the cloud and the cloud provider, and they will do a better job."

2. Interrogate your cloud provider
In that vein, SMBs have already taken to cloud services, whether by choice or because employees have jumped on the bandwagon without consulting management. About six out of every 10 SMBs uses cloud services, with the average spending reaching 12 percent of the information-technology budget, according to IT tools maker and community hub Spiceworks.

Yet, before signing on with a cloud provider, prospective customers should do their due diligence, says Joel Smith, chief technology officer and co-founder of AppRiver, a provider of cloud services for SMBs.

"It would be very simple for any size company to do a due-diligence check list," he says. "The questions can be asked in a way that you can tell if the provider knows what they are doing, and you can tell if they have thought these [security] things through."

A good start is the Shared Assessments program, which standardizes the process for vendor assessments and has a free manual (PDF) available for assessing cloud providers.

3. E-mail and Web security: No brainers
A group of basic business services should be considered a no-brainer for most SMBs: e-mail, Web hosting, and file-sharing services, say cloud providers.

"Given that cloud providers are very good at running very secure infrastructure, you are probably better off going to the cloud for simple workloads, such as e-mail, document collaboration, unified communication, telepresence, and CRM," Howie says. "If I were starting up a small business, there is no way I would consider having on-premise IT anymore for e-mail or document collaboration."

Cloud providers are able to provide e-mail infrastructure with antivirus and anti-spam filtering for about half the cost of having an in-house server, according to AppRiver's Smith. And Web security, by using a cloud proxy service, can stop employees before they get infected by going to a malicious Web site.

"Do a quick, broad check of your traffic to make sure that your users don't go to compromised Web sites in the first place," Smith says. "We have plenty of scenarios where a customer signs up and they find that they are compromised and they didn't know."

Finally, companies should look at augmenting the security of business services with additional cloud security. Vulnerability-management providers that frequently scan Web sites for flaws and Web application firewall services that block attacks on companies' Web sites are examples of services that can help a company defend its borders.

4. Access management, backups: depends
Two businesses services that can work in the cloud but may not be a slam-dunk for smaller firms are access management and automated backups.

External access-management services -- such as Windows Azure Active Directory -- are generally not designed for internal devices but for managing external access to cloud resources. For that reason, keeping Active Directory in-house is easiest.

Storing backups in the cloud benefits from all the other advantages of cloud services, such as the expertise concentrated at the cloud provider and the fact such backups are automatically taken off-premise -- a key security requirement of a good backup strategy. However, even small companies can create massive amounts of data, which can make cloud backups slow and data restoration even slower.

Yet that depends on the service provider, argues Piyum Samaraweera, director of product management for online backup provider Carbonite. The company has come up with its own strategy to get around bandwidth limitations: The company restores data needed most by the client first and then completes the process as quickly as possible. If the company needs all the data as soon as possible, Carbonite will overnight the information on physical media.

A large part of the process is giving the best support, Samaraweera says.

"If they have a catastrophic event that deletes critical data, we advise the client on the quickest way for them to get back the data," he says. "We walk them through the process of bringing the data back to the computer."

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message. Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline ... View Full Bio

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
Ransomware Is Not the Problem
Adam Shostack, Consultant, Entrepreneur, Technologist, Game Designer,  6/9/2021
How Can I Test the Security of My Home-Office Employees' Routers?
John Bock, Senior Research Scientist,  6/7/2021
New Ransomware Group Claiming Connection to REvil Gang Surfaces
Jai Vijayan, Contributing Writer,  6/10/2021
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Write a Caption, Win an Amazon Gift Card! Click Here
Latest Comment: Zero Trust doesn't have to break your budget!
Current Issue
The State of Cybersecurity Incident Response
In this report learn how enterprises are building their incident response teams and processes, how they research potential compromises, how they respond to new breaches, and what tools and processes they use to remediate problems and improve their cyber defenses for the future.
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2021-06-16
SAP NetWeaver ABAP Server and ABAP Platform, versions - 700, 701, 702, 731, 740, 750, 751, 752, 753, 754, 755, 804, does not create information about internal and external RFC user in consistent and distinguished format, which could lead to improper authentication and may be exploited by malicious u...
PUBLISHED: 2021-06-16
Valine 1.4.14 allows remote attackers to cause a denial of service (application outage) by supplying a ua (aka User-Agent) value that only specifies the product and version.
PUBLISHED: 2021-06-16
TeamViewer before 14.7.48644 on Windows loads untrusted DLLs in certain situations.
PUBLISHED: 2021-06-16
Citrix ADC and Citrix/NetScaler Gateway 13.0 before 13.0-76.29, 12.1-61.18, 11.1-65.20, Citrix ADC 12.1-FIPS before 12.1-55.238, and Citrix SD-WAN WANOP Edition before 11.4.0, 11.3.2, 11.3.1a, 11.2.3a, 11.1.2c, 10.2.9a suffers from uncontrolled resource consumption by way of a network-based denial-o...
PUBLISHED: 2021-06-16
Citrix ADC and Citrix/NetScaler Gateway before 13.0-82.41, 12.1-62.23, 11.1-65.20 and Citrix ADC 12.1-FIPS before 12.1-55.238 suffer from improper access control allowing SAML authentication hijack through a phishing attack to steal a valid user session. Note that Citrix ADC or Citrix Gateway must b...