
The Big Shift to Cloud-based Security

How small and medium-sized organizations can manage their IT risks and maintain regulatory compliance with minimal staff and budget.
Keeping IT systems secure and running within regulatory compliance mandates, especially for mid-sized and even small businesses, seems next to impossible. There are many reasons for this, but fortunately several recent technological trends show that it doesn't have to be this way.

Cyber-threats and regulations don't care about business size

Most attackers don't care whether they're targeting a Fortune 25 firm or a small-town manufacturer with 25 employees. What cyber criminals want is data and identities to steal and sell. Likewise, regulators are expecting the same security diligence from small and mid-sized firms as from large corporations. Consider the various data-breach disclosure laws that are in effect. They're not based on the size of the company but on the quantity and type of customer records that have been breached. And, while there may be slight differences in how regulations such as HIPAA, PCI DSS, and others affect mid-sized and even smaller firms, their overarching impact is the same.

Software flaws: an ever-growing concern

The number of software vulnerabilities announced daily shows no sign of letting up. According to the Common Vulnerabilities and Exposures List, sponsored by the National Cyber Security Division of the U.S. Department of Homeland Security, there have been more than 3,500 flaws reported during the first three quarters of 2010. That's well over 10 newly announced software flaws every day. And these vulnerabilities, which make it possible for many forms of malware and attackers to gain entry to protected systems, are equally detrimental to businesses large and small. It's not just end-point operating systems, servers, and on-premise software that are at risk. It's also Web applications. According to a recent study by Web security firm Dasient, more than a million Web domains were infected with malware in just a 90-day span of this year.

The extended business risk: partners, suppliers, and other stakeholders

All businesses are under internal and external pressure. Increasingly, businesses are demanding to see the security and risk management plans of those with which they do a significant amount of business. They want to know about disaster recovery and business continuity procedures. They want to know how security defenses are managed. And they want to know how their confidential information is protected.



Unfortunately, while the security and regulatory compliance threats and mandates affect all companies, it's the mid-sized and small businesses that often don't have the right staff or budget necessary to cost-effectively fight the threats and maintain compliance. Consider a report from Applied Research (published by Symantec) that shows that small and mid-sized businesses spend two-thirds of their IT management time and $51,000 annually focused on security concerns. That's twice the amount of time and 27.5 percent more budget than they spend on other areas of computing. That's simply too high a price for security.

Small and mid-sized businesses today are spending 66% of their IT management time focused on security concerns.

When speaking with customers and listening to their experience, we hear a similar story. We heard about how too much time is wasted on installing, maintaining, and managing the software and the hardware behind those security efforts. This paper will detail how businesses without deep pockets or experienced experts on staff can reduce risk and attain regulatory compliance in a simple, reliable, and cost-effective way.

WHY COMMON APPROACHES TO INFORMATION SECURITY FAIL


In an attempt to keep those costs low, many businesses turn to open source software and the least expensive commercial software they can find. While this may spare some budget dollars on the initial outlay, the cost savings are an illusion. That's because it usually is not the expense of the software that's raising long-term costs; as we saw above, it's more often labor. Building and maintaining the infrastructure, updating and calibrating the application, and running the software keep costs high. The net result? Security efforts fall short: the tools prove tough to manage, require dedicated teams of experts, and the resulting reports provide inconsistent and too often inaccurate results. This means compliance and security objectives go unmet and the software proves too burdensome to maintain and troublesome to use. Eventually, cumbersome tools go unused. That means vulnerability assessments and remediation go undone, firewall policies go without updates, and flaws on Web servers accumulate over time. Eventually, security slips, successful attacks against the business increase, and regulatory compliance mandates go unmet.

THE BIG SHIFT TO CLOUD-BASED SECURITY


Avoiding the cost and the complexity of traditional software is one of the reasons why so many companies are investing in cloud and Software-as-a-Service (SaaS) solutions. Most of us are familiar with the benefits of cloud and SaaS by now: low cost, faster time-to-value, flexibility, as well as pay-as-one-goes. For instance, unlike patching performed by individual organizations (work that must be duplicated for every system and at every business installation), when a SaaS vendor updates its software applications, all of its customers are updated instantaneously. Thanks to this simple fact, many of the security problems that plague today's business-technology systems, such as patches and software misconfiguration issues, are solved. That's just one example of how much of the burden of maintaining a secure application is transferred from the business to the software service provider. The business benefits, cost savings, and reduction in complexity are just too compelling for businesses to overlook. This is why we are seeing more security and risk management applications move to the cloud. These range from e-mail management to content filtering to disaster-recovery/business continuity to vulnerability management and many other processes and technologies. Navigating, and reaping the benefits of, this transformation in risk management is one of the most important steps a business can take to manage ever-spiraling IT costs.


This trend toward cloud and SaaS-based applications is driven by the need to innovate, simplify, and cut costs. This on-demand approach to IT security and compliance enables organizations of all sizes to achieve both vulnerability management and policy compliance in one unified approach. One of the key distinguishing features of cloud-based security is the lack of equipment or software that must be deployed: the SaaS provider hosts those resources within secure data centers. Furthermore, without capital requirements, the business controls its costs. Some of the benefits of security delivered via cloud computing and SaaS for mid-sized and smaller businesses include:

Minimal hardware

Since there is little or no equipment required on-premise, businesses can deploy the cloud-based service with relative ease. Cloud computing can be in use within a matter of minutes or hours, and its use of the Web as a transport mechanism to provider data centers actually increases the availability of the service to the organization.

No hassle

Additionally, the organization automatically receives the latest functional upgrades and service improvements from the provider whenever the service is requested.

Pay-as-one-goes

The cloud application executes only when requested, putting the business in total control of costs with the pay-as-you-use expense model.

The most up-to-date threat information

Recognizing the latest vulnerability, malicious code, or rogue web site requires a dedicated team of researchers to characterize the threat and update the security inspection process. The cloud ensures that the most recent information possible is utilized every time the business uses the service.

QUALYS ON DEMAND SECURITY RISK AND COMPLIANCE SOLUTIONS
Recognized as the leading provider of on-demand IT security risk and compliance management solutions, Qualys enables organizations of all sizes to easily and cost-effectively ensure that their business technology systems remain secure and within regulatory compliance. Qualys makes it possible for businesses to strengthen the security of their networks and applications, as well as conduct automated security audits that ensure regulatory compliance and adherence to internal security policies. Qualys is the only security company that delivers these solutions through a single Software-as-a-Service platform: QualysGuard. All of Qualys' on-demand solutions can be deployed within hours anywhere around the globe, providing an immediate view of security and compliance posture. As a result, QualysGuard is the most widely deployed security-on-demand solution in the world, performing nearly 500 million audits per year. Utilizing its innovative Software-as-a-Service (SaaS) platform, the QualysGuard Security and Compliance Suite incorporates Qualys' industry-leading vulnerability management service with a robust IT compliance solution, comprehensive web application scanning, and malware detection services. That way, no matter where the vulnerabilities or threats reside, QualysGuard is there to strengthen the infrastructure and mitigate the threat. For more information visit: http://www.qualys.com/

QualysGuard IT Security & Compliance Suite for SMBs

Everything a business needs to streamline network and application security risks and policy compliance.

The QualysGuard Suite automates the process of vulnerability management and policy compliance, providing network discovery and mapping, asset prioritization, vulnerability assessment reporting, and remediation tracking according to business risk. Policy compliance features enable businesses to audit, enforce, and document compliance with internal security policies and external regulations. The core components of the QualysGuard Security and Compliance Suite include:

QualysGuard Vulnerability Management: Globally Deployable, Scalable Security Risk and Vulnerability Management
QualysGuard Policy Compliance: Define, Audit, & Document IT Security Compliance
QualysGuard PCI Compliance: Automated PCI Compliance Validation for Merchants and Acquiring Institutions
QualysGuard Web Application Scanning: Automated Web Application Security Assessment and Reporting
Qualys SECURE Seal: Web Site Security Testing Service and Security Seal that Scans for Vulnerabilities, Malware, and SSL Certificate Validation
