SME cloud - blanket security or security blanket?

Cloud network and security systems could be the answer for SMEs looking for enterprise-level services on a small-business budget

Small and medium-sized enterprises (SMEs) are as vulnerable to security threats as their larger counterparts. Everyone uses the same internet, much of the same software and has the same vulnerabilities from employee mishap or attacks on valuable data. Yet the SME does not normally have the luxury of a full-time IT security specialist, let alone the budget for bullet-proof specialist security systems.

One answer is to send in the cloud, where security as a service is on offer from an ever-increasing array of suppliers.

Locus of responsibility

The cloud is rightly named. It can seem impenetrable, with all the details of how it works as hidden from view as a Welsh mountain-top in February. That is especially worrying with security – at least if you run your own security, you might feel you have a chance of knowing what is going on.

But that may not be true. Cloud providers do nothing except cloud and know their business model is totally dependent on top quality security. You have the responsibility to satisfy yourself they are doing it correctly and they then have the responsibility to make it work.

There are a number of services any SME should consider as possibly more secure in the cloud than at home. Anything you use in much the same way as any other company – email, web hosting, file storage, customer relationship management (CRM) – should be more secure in the cloud than in the office.

Companies such as AppRiver and Barracuda offer specialist enterprise in-cloud email services that most SMEs would be hard-pressed to emulate, and will be more responsive to support requests than behemoths like Google and Microsoft – timely support is essential to workable security.

Range of services

SMEs are more reluctant to move to online storage providers, of which there are many - see Computer Weekly’s guide to cloud storage and backup services. But fears about security here may be counter-productive.

These can be the first services workers adopt for themselves if a company’s provision is less than stellar. However, if your organisation generates large amounts of data, then cloud storage needs more careful consideration – both for costs and the ability to recover from a disaster, where internet bandwidth can be a factor in how fast you recover all your data. On the plus side, keeping your data in a cloud service automatically fulfills the off-site requirement for disaster recovery - enhancing data security.

There are services which offer explicit security support, taking over most – if not all – of your own cloud access security management. Here, you combine all your enterprise internet access into one or more virtual private networks (VPNs) that connect to the private cloud of the supplier through an encrypted link. 

Reducing exposure reduces risk

The supplier then applies high-quality security checks – firewalling, packet inspection, denial-of-service detection and monitoring of other attack vectors, such as connections to known compromised sites – before breaking your traffic out into the cloud proper. Done well, this reduces your exposure to in-cloud interception attacks, as the amount of time your traffic spends in the open, without good encryption before emerging at its end points, is vastly reduced.

Often, the service includes high-speed, low-latency transport across the supplier’s private cloud, directly to major third-party cloud providers, such as Amazon, Google and Microsoft. This adds traffic management and quality of service provision to the menu of options. Some also include mobile options for laptops, tablets and smartphones in the field.

One advantage of this approach is that it works well with bring your own device (BYOD); when workers use their own portable devices on the work Wi-Fi, their connections will be managed automatically, even if they do not have explicit VPN connectivity set up. Aryaka and Pertino are two companies in the larger network as a service field with an emphasis on delivering cloud security services to the SME.

Assessing security

Two essential components of using the cloud securely are understanding your own existing security and assessing the cloud service provider’s own abilities. The first – which most agree is a good idea anyway – is easy to let slip in the noise of actually running a business. No-one else can make sure the right workers have the right combination of access rights and sensible password policies. Moving services to the cloud will not remove this responsibility.

You should find out what cloud services your employees are already using off their own bat. Your security in the cloud depends on understanding those and, if you’re not satisfied, providing effective alternatives that come up to the mark.

This prompts the question at the heart of ensuring cloud security - how do you tell whether or not a supplier is good at meeting its promises? Assessing the cloud provider is essential and you should have a standard questionnaire you ask all providers to complete. This not only assures you that the guarantees your providers make are backed up by real capabilities, but in creating the questionnaire you will be sure you too understand the right questions to ask – as well as how to evaluate the answers. 

Areas of concern should include:

  • Where your data will be kept; 
  • How many people at the provider will have access to it; 
  • What levels of encryption are used, and across what parts of their service; 
  • What suppliers the service provider themselves use to provide their services; 
  • How many people are exclusively concerned with security; 
  • Track records on availability and responsiveness; 
  • What the firewall architecture is like on the service provider’s own egress points; 
  • And what their policy is on patching their systems when a vulnerability is made known.

Ask about support - the number of people capable of solving security issues, and how accessible they are. Include specific questions for the supplier’s specialties - ask an online storage company how disaster recovery would work in practice, for example.

It is worth spending some time on getting this interrogation right, as it will start to repay that work immediately and continue to be valuable throughout your cloud adoption strategy. By all means, re-issue the questionnaire regularly to your existing service providers: if they’re any good, they’ll be constantly upgrading and redesigning their systems to cope with the ever-changing threat environment, and you have the right to know.

Imagine how you’d set up your own security if you had infinite resources and expertise, then see how close your providers can come - make them work for your business.

Industry associations and resources

You should also keep a close eye on industry associations engaged in monitoring cloud security from an enterprise point of view. The Cloud Security Alliance has just started its Small Business Working Group, which is expected to start reporting on policy and findings before the end of the year; while Shared Assessments – although primarily focused on the needs of larger financial groups and large enterprises – offers excellent guides from which good ideas can be extracted.

Another good source of on-the-ground cloud security analysis and experience is Spiceworks. This is a community of some four million IT workers who have a great deal of experience, with just about every supplier out there, and who share the good and the bad.

In general, the cloud is a secure and reliable place to do business, provided you do the groundwork in understanding what is being offered and how it will work in practice. The major advantage to SME security with cloud services is that you do not then have to do all the hard work yourself. 
