Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Endpoint

5/31/2013
10:25 PM
50%
50%

Four Ways SMBs Can Improve Security Through Cloud

Small and midsize firms are voracious users of cloud services; a few precautions can make their businesses even more secure

Small and midsize businesses (SMBs) have major problems dealing with their information technology: Rarely does a small business have an employee dedicated to IT and, when it does, the person has little time to pay attention to security.

Yet the security of SMBs has become a mounting concern. While attackers are increasingly focusing on small businesses, only 10 percent of businesses with 250 employees or less have a full-time IT administrator, according to a 2012 study conducted by Symantec and the National Cyber Security Alliance. The study found that nearly 70 percent of companies did not even have an informal Internet security policy or provided their employees with security training.

Managing 100 or 1,000 desktops and a handful of servers, information-technology managers at smaller firms find themselves drawn to cloud services for their ease of use, but are frequently uncertain at how to protect their systems or data, says John Howie, chief operating officer for the Cloud Security Alliance. "The average small or [midsize] business cares that their system is secure, but they don't have the time or the resources to ensure that they are secure," he says.

For that reason, the CSA announced in April the formation of the SMB Working Group, which will focus on providing advice and information on the secure use of cloud services. While the working group will not publish a report before November, cloud providers gave four suggestions for SMB executives and managers to keep their businesses safe today.

1. Rely on cloud for expertise
While some midsize businesses have enough security expertise to move their systems to the cloud as part of a more hands-on infrastructure-as-a-service option, for most SMBs software-as-a-service works best, says Carson Sweet, co-founder and CEO of CloudPassage, a cloud security provider.

"It's a great option because, if they don't need the flexibility, it takes a huge amount of responsibility off of their plate," Sweet says.

[Straight-shooting advice -- and some out-of-the-box thinking -- on how smaller companies can save money on security while doing it better. See 5 Ways For SMBs To Boost Security But Not Costs.]

For the most part, software-as-a-service providers will help SMBs offer their employees the business services they need while taking care of most security concerns. In most cases, SMBs should not be running e-mail, file, or Web servers unless the service is a differentiator for their firms, the CSA's Howie says. Instead, companies should benefit from the security expertise of cloud services.

"Don't try to run that stuff in-house because chances are that you will expose yourself to data theft or data loss," he says. "Outsource all that headache to the cloud and the cloud provider, and they will do a better job."

2. Interrogate your cloud provider
In that vein, SMBs have already taken to cloud services, whether by choice or because employees have jumped on the bandwagon without consulting management. About six out of every 10 SMBs uses cloud services, with the average spending reaching 12 percent of the information-technology budget, according to IT tools maker and community hub Spiceworks.

Yet, before signing on with a cloud provider, prospective customers should do their due diligence, says Joel Smith, chief technology officer and co-founder of AppRiver, a provider of cloud services for SMBs.

"It would be very simple for any size company to do a due-diligence check list," he says. "The questions can be asked in a way that you can tell if the provider knows what they are doing, and you can tell if they have thought these [security] things through."

A good start is the Shared Assessments program, which standardizes the process for vendor assessments and has a free manual (PDF) available for assessing cloud providers.

3. E-mail and Web security: No brainers
A group of basic business services should be considered a no-brainer for most SMBs: e-mail, Web hosting, and file-sharing services, say cloud providers.

"Given that cloud providers are very good at running very secure infrastructure, you are probably better off going to the cloud for simple workloads, such as e-mail, document collaboration, unified communication, telepresence, and CRM," Howie says. "If I were starting up a small business, there is no way I would consider having on-premise IT anymore for e-mail or document collaboration."

Cloud providers are able to provide e-mail infrastructure with antivirus and anti-spam filtering for about half the cost of having an in-house server, according to AppRiver's Smith. And Web security, by using a cloud proxy service, can stop employees before they get infected by going to a malicious Web site.

"Do a quick, broad check of your traffic to make sure that your users don't go to compromised Web sites in the first place," Smith says. "We have plenty of scenarios where a customer signs up and they find that they are compromised and they didn't know."

Finally, companies should look at augmenting the security of business services with additional cloud security. Vulnerability-management providers that frequently scan Web sites for flaws and Web application firewall services that block attacks on companies' Web sites are examples of services that can help a company defend its borders.

4. Access management, backups: depends
Two businesses services that can work in the cloud but may not be a slam-dunk for smaller firms are access management and automated backups.

External access-management services -- such as Windows Azure Active Directory -- are generally not designed for internal devices but for managing external access to cloud resources. For that reason, keeping Active Directory in-house is easiest.

Storing backups in the cloud benefits from all the other advantages of cloud services, such as the expertise concentrated at the cloud provider and the fact such backups are automatically taken off-premise -- a key security requirement of a good backup strategy. However, even small companies can create massive amounts of data, which can make cloud backups slow and data restoration even slower.

Yet that depends on the service provider, argues Piyum Samaraweera, director of product management for online backup provider Carbonite. The company has come up with its own strategy to get around bandwidth limitations: The company restores data needed most by the client first and then completes the process as quickly as possible. If the company needs all the data as soon as possible, Carbonite will overnight the information on physical media.

A large part of the process is giving the best support, Samaraweera says.

"If they have a catastrophic event that deletes critical data, we advise the client on the quickest way for them to get back the data," he says. "We walk them through the process of bringing the data back to the computer."

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message. Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline ... View Full Bio

 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 7/9/2020
Omdia Research Launches Page on Dark Reading
Tim Wilson, Editor in Chief, Dark Reading 7/9/2020
Mobile App Fraud Jumped in Q1 as Attackers Pivot from Browsers
Jai Vijayan, Contributing Writer,  7/10/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Special Report: Computing's New Normal, a Dark Reading Perspective
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
The Threat from the Internetand What Your Organization Can Do About It
The Threat from the Internetand What Your Organization Can Do About It
This report describes some of the latest attacks and threats emanating from the Internet, as well as advice and tips on how your organization can mitigate those threats before they affect your business. Download it today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-15105
PUBLISHED: 2020-07-10
Django Two-Factor Authentication before 1.12, stores the user's password in clear text in the user session (base64-encoded). The password is stored in the session when the user submits their username and password, and is removed once they complete authentication by entering a two-factor authenticati...
CVE-2020-11061
PUBLISHED: 2020-07-10
In Bareos Director less than or equal to 16.2.10, 17.2.9, 18.2.8, and 19.2.7, a heap overflow allows a malicious client to corrupt the director's memory via oversized digest strings sent during initialization of a verify job. Disabling verify jobs mitigates the problem. This issue is also patched in...
CVE-2020-4042
PUBLISHED: 2020-07-10
Bareos before version 19.2.8 and earlier allows a malicious client to communicate with the director without knowledge of the shared secret if the director allows client initiated connection and connects to the client itself. The malicious client can replay the Bareos director's cram-md5 challenge to...
CVE-2020-11081
PUBLISHED: 2020-07-10
osquery before version 4.4.0 enables a priviledge escalation vulnerability. If a Window system is configured with a PATH that contains a user-writable directory then a local user may write a zlib1.dll DLL, which osquery will attempt to load. Since osquery runs with elevated privileges this enables l...
CVE-2020-6114
PUBLISHED: 2020-07-10
An exploitable SQL injection vulnerability exists in the Admin Reports functionality of Glacies IceHRM v26.6.0.OS (Commit bb274de1751ffb9d09482fd2538f9950a94c510a) . A specially crafted HTTP request can cause SQL injection. An attacker can make an authenticated HTTP request to trigger this vulnerabi...