Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


10:25 PM

Four Ways SMBs Can Improve Security Through Cloud

Small and midsize firms are voracious users of cloud services; a few precautions can make their businesses even more secure

Small and midsize businesses (SMBs) have major problems dealing with their information technology: Rarely does a small business have an employee dedicated to IT and, when it does, the person has little time to pay attention to security.

Yet the security of SMBs has become a mounting concern. While attackers are increasingly focusing on small businesses, only 10 percent of businesses with 250 employees or less have a full-time IT administrator, according to a 2012 study conducted by Symantec and the National Cyber Security Alliance. The study found that nearly 70 percent of companies did not even have an informal Internet security policy or provided their employees with security training.

Managing 100 or 1,000 desktops and a handful of servers, information-technology managers at smaller firms find themselves drawn to cloud services for their ease of use, but are frequently uncertain at how to protect their systems or data, says John Howie, chief operating officer for the Cloud Security Alliance. "The average small or [midsize] business cares that their system is secure, but they don't have the time or the resources to ensure that they are secure," he says.

For that reason, the CSA announced in April the formation of the SMB Working Group, which will focus on providing advice and information on the secure use of cloud services. While the working group will not publish a report before November, cloud providers gave four suggestions for SMB executives and managers to keep their businesses safe today.

1. Rely on cloud for expertise
While some midsize businesses have enough security expertise to move their systems to the cloud as part of a more hands-on infrastructure-as-a-service option, for most SMBs software-as-a-service works best, says Carson Sweet, co-founder and CEO of CloudPassage, a cloud security provider.

"It's a great option because, if they don't need the flexibility, it takes a huge amount of responsibility off of their plate," Sweet says.

[Straight-shooting advice -- and some out-of-the-box thinking -- on how smaller companies can save money on security while doing it better. See 5 Ways For SMBs To Boost Security But Not Costs.]

For the most part, software-as-a-service providers will help SMBs offer their employees the business services they need while taking care of most security concerns. In most cases, SMBs should not be running e-mail, file, or Web servers unless the service is a differentiator for their firms, the CSA's Howie says. Instead, companies should benefit from the security expertise of cloud services.

"Don't try to run that stuff in-house because chances are that you will expose yourself to data theft or data loss," he says. "Outsource all that headache to the cloud and the cloud provider, and they will do a better job."

2. Interrogate your cloud provider
In that vein, SMBs have already taken to cloud services, whether by choice or because employees have jumped on the bandwagon without consulting management. About six out of every 10 SMBs uses cloud services, with the average spending reaching 12 percent of the information-technology budget, according to IT tools maker and community hub Spiceworks.

Yet, before signing on with a cloud provider, prospective customers should do their due diligence, says Joel Smith, chief technology officer and co-founder of AppRiver, a provider of cloud services for SMBs.

"It would be very simple for any size company to do a due-diligence check list," he says. "The questions can be asked in a way that you can tell if the provider knows what they are doing, and you can tell if they have thought these [security] things through."

A good start is the Shared Assessments program, which standardizes the process for vendor assessments and has a free manual (PDF) available for assessing cloud providers.

3. E-mail and Web security: No brainers
A group of basic business services should be considered a no-brainer for most SMBs: e-mail, Web hosting, and file-sharing services, say cloud providers.

"Given that cloud providers are very good at running very secure infrastructure, you are probably better off going to the cloud for simple workloads, such as e-mail, document collaboration, unified communication, telepresence, and CRM," Howie says. "If I were starting up a small business, there is no way I would consider having on-premise IT anymore for e-mail or document collaboration."

Cloud providers are able to provide e-mail infrastructure with antivirus and anti-spam filtering for about half the cost of having an in-house server, according to AppRiver's Smith. And Web security, by using a cloud proxy service, can stop employees before they get infected by going to a malicious Web site.

"Do a quick, broad check of your traffic to make sure that your users don't go to compromised Web sites in the first place," Smith says. "We have plenty of scenarios where a customer signs up and they find that they are compromised and they didn't know."

Finally, companies should look at augmenting the security of business services with additional cloud security. Vulnerability-management providers that frequently scan Web sites for flaws and Web application firewall services that block attacks on companies' Web sites are examples of services that can help a company defend its borders.

4. Access management, backups: depends
Two businesses services that can work in the cloud but may not be a slam-dunk for smaller firms are access management and automated backups.

External access-management services -- such as Windows Azure Active Directory -- are generally not designed for internal devices but for managing external access to cloud resources. For that reason, keeping Active Directory in-house is easiest.

Storing backups in the cloud benefits from all the other advantages of cloud services, such as the expertise concentrated at the cloud provider and the fact such backups are automatically taken off-premise -- a key security requirement of a good backup strategy. However, even small companies can create massive amounts of data, which can make cloud backups slow and data restoration even slower.

Yet that depends on the service provider, argues Piyum Samaraweera, director of product management for online backup provider Carbonite. The company has come up with its own strategy to get around bandwidth limitations: The company restores data needed most by the client first and then completes the process as quickly as possible. If the company needs all the data as soon as possible, Carbonite will overnight the information on physical media.

A large part of the process is giving the best support, Samaraweera says.

"If they have a catastrophic event that deletes critical data, we advise the client on the quickest way for them to get back the data," he says. "We walk them through the process of bringing the data back to the computer."

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message. Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline ... View Full Bio

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 10/30/2020
'Act of War' Clause Could Nix Cyber Insurance Payouts
Robert Lemos, Contributing Writer,  10/29/2020
6 Ways Passwords Fail Basic Security Tests
Curtis Franklin Jr., Senior Editor at Dark Reading,  10/28/2020
Register for Dark Reading Newsletters
White Papers
Current Issue
How to Measure and Reduce Cybersecurity Risk in Your Organization
In this Tech Digest, we examine the difficult practice of measuring cyber-risk that has long been an elusive target for enterprises. Download it today!
Flash Poll
How IT Security Organizations are Attacking the Cybersecurity Problem
How IT Security Organizations are Attacking the Cybersecurity Problem
The COVID-19 pandemic turned the world -- and enterprise computing -- on end. Here's a look at how cybersecurity teams are retrenching their defense strategies, rebuilding their teams, and selecting new technologies to stop the oncoming rise of online attacks.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2020-10-31
Single Sign-On for Vmware Tanzu all versions prior to 1.11.3 ,1.12.x versions prior to 1.12.4 and 1.13.x prior to 1.13.1 are vulnerable to user impersonation attack.If two users are logged in to the SSO operator dashboard at the same time, with the same username, from two different identity provider...
PUBLISHED: 2020-10-31
There is no input validation on the Locale property in an apt transaction. An unprivileged user can supply a full path to a writable directory, which lets aptd read a file as root. Having a symlink in place results in an error message if the file exists, and no error otherwise. This way an unprivile...
PUBLISHED: 2020-10-30
NVIDIA CUDA Toolkit, all versions prior to 11.1.1, contains a vulnerability in the NVJPEG library in which an out-of-bounds read or write operation may lead to code execution, denial of service, or information disclosure.
PUBLISHED: 2020-10-30
baserCMS before version 4.4.1 is vulnerable to Cross-Site Scripting. The issue affects the following components: Edit feed settings, Edit widget area, Sub site new registration, New category registration. Arbitrary JavaScript may be executed by entering specific characters in the account that can ac...
PUBLISHED: 2020-10-30
baserCMS before version 4.4.1 is vulnerable to Cross-Site Scripting. Arbitrary JavaScript may be executed by entering a crafted nickname in blog comments. The issue affects the blog comment component. It is fixed in version 4.4.1.