A growing majority of SMBs are turning to cloud computing for their IT infrastructure, but at the same time, IT and security professionals admit securing the cloud is difficult. This is a situation that could end up leading to bigger data breaches.
According to a Black Hat survey conducted by Tripwire, 84% of organizations find maintaining security configurations across cloud services difficult, and 75% think it’s easy to accidentally expose data publicly through the cloud. Why is this? Cloud infrastructure is becoming more complex, the respondents said, especially when managing a hybrid environment of private and public clouds with on-premises infrastructure. Another concern, according to the report, is that there continues to be uncertainty over who is responsible for securing data in the cloud—what is the service provider responsible for versus the customer. All of these issues lead to potentially leaky cloud situations.
“While cloud providers may take responsibility for securing their infrastructure, moving to the cloud doesn’t absolve you from the responsibility of protecting your own data. The cloud doesn’t magically protect the data and systems that you put in there,” said Tim Erlin, VP product management and strategy at Tripwire, in a formal statement.
SMBs Depend on the Cloud More Than Ever
The same day I saw the Tripwire survey results, a study conducted by Untangle that looked at SMB IT security also crossed my desk. It was in this study I noticed the high numbers for cloud adoption. The study reported that nearly three-quarters of SMBs have at least part of their IT infrastructure deployed in the cloud, but 60% don’t use a firewall in their public clouds.
I talked to Heather Paunet, vice president of product management at Untangle, about cloud adoption and security concerns. I figured that cloud applications benefit SMBs because of the lack of internal IT and security expertise (and the report confirms that thought), but I was surprised to find that many SMBs have multiple, geographically dispersed locations.
“SMBs are hiring the best employees for their company, even if this means that the employee is in a different city, state or country,” said Paunet. “Of those that Untangle recently surveyed, 40% of SMBs now have at least five employee locations, with 11% identifying more than 25 employee-based locations.”
Flexibility in employee-based locations is not the only benefit SMBs are finding as they transition to the cloud, she added. Transitioning to a cloud-based IT infrastructure allows SMBs to improve their processes, storage and networking resources, while the scalability of the cloud allows SMBs with limited resources to pay-as-they-go and transform their infrastructure as their business needs grow.
Security Concerns But No Idea How to Fix Them
According to the Untangle survey results, 8 in 10 SMBs admit to being concerned about their overall network security, yet the public cloud remains a serious vulnerability. That’s because SMBs are often overwhelmed by their lack of an in-house knowledge base or internal IT support staff—one of the issues that led to the cloud in the first place. This may explain why so few don’t deploy a firewall, even though the lack of that basic security tool leaves them open to a cyberattack.
Not sure how to approach cloud security for your SMB? Erlin from Tripwire has a sound piece of advice: With the cloud, you need the same levels of protection as you would for your on-premises infrastructure.
“Organizations should start with visibility, followed by secure configurations and then vulnerability management,” he said. “You need to know what you have so you can protect it, then you need to make sure that systems are configured securely and that they stay that way. It’s simple to state, but it can be difficult to implement.”
So what should SMBs be doing to make sure the data in the cloud remains secure?
“SMBs should always establish a multi-layered approach to data security using a complete network security framework to protect, filter, and manage their business,” said Paunet. Layering solutions, such as a firewall, can allow SMBs to:
- Block malware and phishing attempts.
- Monitor rogue applications or encrypted web requests.
- Create policies by the user that can be mirrored both on-premises and branch offices.
Pauent also recommended that SMBs also adopt a firewall-as-a-service (FWaaS) model. The FWaaS will deliver the much-needed firewall and other network security capabilities as a scalable unified threat management solution for cloud-based IT infrastructures. “By utilizing FWaaS, organizations no longer need to worry about maintaining hardware or applying patches and updates as this task falls on the FWaaS provider, ensuring the organization’s network is always secure,” Paunet added.
Your cloud service provider is not responsible for securing your data and your applications. “It’s incredibly important to understand that fact,” Erlin stressed.