A silver lining
by Kay Ewbank
Can you rely on the Cloud to handle your security needs? Kay Ewbank checks out your options.
HardCopy Issue: 55 | Published: February 1, 2012
I’m writing this article sitting at an airport. My travelling companion has just finished checking his emails on his smartphone and is now downloading a presentation to his laptop from his corporate network. He does have an official office, but spends much of his working life in other company offices across the UK and Europe.
This snapshot of working life in 2012 explains one reason why many companies are moving their security measures into the Cloud: because it fits the way their business users work so much better. Locally based security for emails and Web sites was fine in the days when workers went to work reading the newspaper on the train, sat at their desk and turned on a connected PC. As services, data and the people who access them move outside the corporate firewall, it makes sense to move security to the Cloud too.
There are other advantages, of course. From the viewpoint of the IT manager, moving to the Cloud means simpler security. Cloud-based security means you don’t have to set up the hardware needed to run the software, and you don’t have to install and configure the software. Getting the server working is someone else’s problem, and the up-front costs can be avoided.
Once up and running, there’s no local security server to manage, and you can pass all the appropriate data through the security so that no matter where your users are working, or what device they’re using to access the data, they’re still protected. This minimises the need for training and help desk support, and users don’t have to get used to different security options when they change devices.
Another advantage is the reduced need for bandwidth. The likelihood is that nearly all the emails sent to your company are spam of some form or another, so if these are blocked before they ever reach your network perimeter, email traffic is massively reduced.
Looked at from a user’s viewpoint, what you want is transparency. What you don’t want is security that is intrusive, because users will be frustrated and either complain or try to circumvent the safeguards. For example, we all applaud the idea of checking the security of Web sites, but most of us curse when those checks mean the site takes longer to load, or worse still is blocked because of an apparent problem.
Pay as you go
One benefit of Cloud-based computing is its more manageable price. If you opt to have local security systems then you need to buy your software licences in order to get started, along with the servers to run the software on, so the cost is weighted towards a high initial outlay. You also need in-house staff with the expertise to manage and maintain both the hardware and the software. By contrast, a Cloud-based system means paying for what you use, while keeping the systems running becomes someone else’s problem.
Against this is the fact that you will probably be paying more each month for the software, so taken over a number of years the Cloud-based system will in all probability end up costing you more. You also need to consider just what your money gets you in terms of service level agreements. How many days of the month could the service be completely unavailable while still meeting that SLA? You may think it unlikely that the time could stretch into days, but in some cases things could be that bad.
And what happens if the SLA is broken? If the hosting company just hands back your monthly fee with an apology, no matter how heartfelt, you’re not going to be popular with your bosses.
Of course, if you run security software locally and you experience a hardware or software failure, the security software will be offline until you replace the part that’s causing a problem, so going for the local option means you still need to think about ensuring continuity.
One question you need to consider is overall security. It’s clear that Cloud-based security will control threats as they enter your organisation, but what about potential internal threats? If the security is checking emails in the Cloud before they enter your organisation, for example, what happens if someone inside somehow attaches a virus to an internal email? If you’re not checking internally too, your entire organisation can still be compromised.
A differentiator between the available services is what content or data is protected. Most will check emails for viruses and malware, and will block spam from arriving in email inboxes. Most have options for scanning Web sites for problems, and can be used to block specific Web sites, types of Web site, or online applications – do you really want your users playing Farmville all day?
Some have software with the ability to check instant messages. If your company allows (or even encourages) the use of instant messages for business use, this is an important area for control. Beyond these basics you’re into a grey area of what constitutes security and what is really content control. Several of the services covered below let you guard against sensitive data being transmitted out of the company without permission, for example.
The requirements for keeping information secure are very clearly defined, which means the central features provided by each of the products mentioned below are very similar. The differences, and the way you might choose between them, come down to two main criteria. Firstly, whether there are any other products from the same company that you might want to use; and secondly, the price.
Symantec has a long history in the security market, and many people will have encountered its Norton range of security software. Symantec.cloud is a new offering that builds on MessageLabs. However, the Norton heritage still shows through, with all the advantages and drawbacks that implies. If you liked the strong control that Norton applied to the computing environment, then you’ll like Symantec.cloud. If you felt that it interfered with the way you work, you may feel the same about Symantec.cloud.
The Cloud-based service has options for security for emails, Web browsing, instant messages and endpoint protection. In the case of Web protection, all Web requests are scanned in real time, and you can block Web site categories, file types and specific Web sites. The rules can change according to the time of day and whether the user is working within the corporate network or remotely.
The Email Security.cloud option protects against viruses and spam. If you want to scan emails for inappropriate content then Symantec Content Control.cloud lets you do so in the cloud. Similarly, Symantec Image Control.cloud can be used to scan email and attachments to identify, control and stop inappropriate images from entering or leaving your network. Finally, Instant Messaging Security.cloud provides similar protection against viruses, URL filtering and content control when your users are using Instant Messaging software.
GFI’s MailEssentials Complete Online is a hosted email security and spam filtering service that provides anti-spam and anti-virus checking before emails enter your corporate network. The checks on emails can be carried out on both inbound and outbound emails. There’s also an optional archive service that can be used to keep copies of emails so you get off-site archiving as part of the service.
GFI has a stated aim to provide software for small to medium businesses, and in general the software does live up to its promise to be easy to use, and in my experience draws fewer complaints from users than some other software. It also allows you to try most of its options in the free trial version – some trial versions block features so you can’t see how well they work.
Kaspersky is generally quite non-intrusive so users aren’t irritated by it. The company entered the hosted market a little later than some rivals, and says it has learned from the mistakes of others. The administrative interface is clean, and fixed-price billing has the advantage that you know what your costs will be.
Kaspersky has Hosted Email and Hosted Web security, both administered from a Web portal. The Email security has filters for spam, malware and phishing attempts, while the Web security checks for and blocks any viruses and spyware that are hidden on Web sites, as well as providing Internet content control and the option of blocking files of particular types. The Web security also offers the option of scanning outgoing traffic to stop data being transferred without your knowledge, and to ensure that spyware isn’t sending information gathered illicitly.
Bitdefender has Cloud-based software for protecting endpoints and emails. The Cloud Security for Endpoints protects systems remotely, while the Cloud Security for Email protects against viruses, spyware, phishing and Trojans. Outgoing emails are scanned as well as incoming, and unsolicited or problem emails are intercepted.
Cloud Security for Endpoints can be used to protect laptops, desktops and servers from problems including malware. Administrators can set access options for applications, Web usage depending on the time of day, category of Web site, or keywords being entered in search terms. Roaming and remote users can be protected using a personal firewall with intrusion detection.
Bitdefender claims that its software protects systems in a quiet and non-intrusive way, but behind the scenes it takes quite a tough approach as to what’s allowed and what isn’t. It checks any running programs to see that the way they’re working remains within ‘normal parameters’, and if that isn’t the case, the application is stopped. There is a 30-day trial version that’s worth trying to make sure your current applications will co-exist peacefully.
McAfee Cloud Security
McAfee’s Cloud Security platform offers the choice of deploying as Software-as-a-Service, locally, or a combination of the two. Administrators can use it to secure email, Web and authentication data to and from your organisation and the Cloud.
The software is split into a number of modules. The Email Gateway offers built-in encryption for emails as they are sent or received, even from mobile devices. There’s also an option to archive emails in the Cloud. The Web Gateway can be set to enforce your company’s policy on acceptable Web use. It also lets you define and control the way 1,000 Web-based applications can be used. Other options provide identity management and control of REST Web services.
McAfee is owned by Intel, and the products in the platform have some features aimed particularly at larger companies. The Cloud Security Platform is integrated with the McAfee ePolicy Orchestrator platform, which is designed as a central administration tool for managing enterprise security.
Trend Micro Hosted Security
Trend Micro Hosted Email Security protects emails from spam and malware such as viruses, spyware and phishing attempts. It also has the option of encrypting emails while in transit to ensure the information remains secure, and there’s the option of filtering the content of outgoing emails for compliance purposes.
Trend Micro tends to score well against other products in blocking spam and malware, and the company is confident enough to promise good money-back terms in its service level agreements, claiming to offer three times more compensation than other vendors. You can try the service for free for a month to check it out for yourself.
Websense offers a range of options including Hosted Email Security which guards against spam and threats such as viruses, encrypts emails in transit, and has a content filter to prevent confidential data being transmitted without authorisation. Web Security Gateway is also available with options for managing who can see what in terms of Web categories, and for blocking problem Web sites.
The service offers strong filtering, including URLs. This does mean you can protect against users visiting sites where there might be problems, but it can also result in frustration and lost time. In the event that Websense decides a site should be blocked, but you know it to be acceptable, then you can gain access by filling in a form to release the link, and then waiting for Websense to remove the block.
Forefront Online Protection for Exchange (FOPE) is an Internet-based service that protects your business’ inbound and outbound email from spam, viruses, phishing scams and email policy violations. It’s part of Office 365, Microsoft’s hosted email and calendar offering that also provides Web conferencing and lets you edit Office documents.
Forefront Online Protection for Exchange traps spam and viruses before they reach your network. There’s an add-on called Exchange Hosted Encryption (EHE) if you want emails to be encrypted as well.
The main advantage of FOPE is its close integration with Office 365. Earlier releases of the service were less than flexible in the options you were offered for creating and managing custom rules for company policies to filter what was marked as spam, but this has been improved in the most recent version.