Let cloud apps manage your systems – if you have nothing to hide
Balance risks versus rewards
There are a growing number of cloud-based security and systems management (CSSM) applications available to consumers and small and medium-sized businesses (SMBs), and I am ambivalent about their use.
On the one hand, I am not fan of things cloudy, especially where they involves trusting US-based companies*.
On the other hand, these products bundle together vital functionality in an easy-to-use package with an understandable licensing structure. Weighing the pros and cons is something of an extended exercise.
Before we embark on that journey, let's take a look at what CSSM applications do. Put simply, they make sure your computer is working the way it is supposed to. They include security features ranging from anti-malware management to website and email filtering.
They also typically include patch management, asset tracking, monitoring and the ability to push configuration changes out to groups of systems.
The three CSSM applications I can name off the top of my head are Windows Intune, SolarWinds' N-Able and GFI Cloud. There are umpteen cloudy competitors and innumerable on-premises offerings. In addition, the scene is muddled by applications such as Spiceworks, which cover some of the common CSSM use cases but by no means all of them.
Secrets and spies
First things first. I am in no way comfortable with any of my data – or that of my customers – going out to the US. At first glance a CSSM based in the US that can do everything from install updates on my PC to change my anti-malware settings looks like the perfect vector. But I feel that i might as well just hand over the administrative passwords to the NSA and be done with it.
So what? If the NSA wants to compromise the networks under my care it will do so, full stop. I once sat down and ran the numbers on what it would take to effectively hide something from our dragnet overlords and I realised that it would be a full-time job, and it would be expensive.
That's before you factor in that the attempt to hide from surveillance itself attracts surveillance, so you would need to be able to do so without appearing to do so.
Very little of what I – or most of us – do is worth stealing or spying upon. CSSM applications help keep out a lot of the bad guys.
They manage anti-malware applications, have web filters and manage updates for not just the operating system but the myriad other attack vectors as well. There are any number of on-premises applications that will do the same job as the increasingly popular CSSM offerings, but sadly, the on-premise applications can be expensive, clumsy and miserable to work with.
We are all of us far more likely to experience a financial loss to our businesses from some [expletive deleted] infecting our entire network trying to inefficiently mine Bitcoins than we are from the US stealing our secrets and selling them to our competitors.
Not worth knowing
On the risk versus reward sheet, I have the following to consider: what is the likelihood that without a security and systems management application my network will be compromised? How much would that cost? Will a CSSM mitigate that risk?
On the side of "risks introduced by CSSM applications" I have more questions. Do I have anything worth stealing? How likely is it an eavesdropper is going to notice that I have something worth stealing? By the time they have run the gauntlet to steal the info, will it still be worth anything? Can they ramp up fast enough to be a competitive threat?
A construction company will see a direct benefit from any management software that makes its task easier
A construction company can have several thousand PCs in play, all needing to be managed, and it will see a direct benefit from any management software that makes its task easier. It certainly has things it wants kept secret – bid amounts on contracts, formulae for building materials and so forth – but how likely this is to be targeted is an open question.
I am sure that my local super construction company's American competitors would love to know the details of its bids. But it's doubtful the NSA would even bother to play that game, let alone be able to get permission for it before the tender was up.
As for the building materials, well, if they find a competitor using a super-secret formula for über-cement, I'm absolutely positive that a Canadian judge would love nothing more than to give that one thorough go in our courts.
On the other hand, if Hacky McHackerson manages to waltz through Yet Another Adobe Reader Vulnerability and cracks the financials system open like an egg, then said construction company will be the one before the court and our friendly local judge will look decidedly less friendly.
Enemies keep out
As a journalist, I keep an emergency kit set up that should – assuming I do everything else right – be untraceable enough to make the bastards actually work for their supper. This might help me as a platform for single-use communication with a mythical future whistleblower who has prize-winning secrets to reveal.
If you have good reason to fear the spooks are after your lucky charms on a corporate level, a digital bug-out bag isn't going to save you. Even hiring professional paranoids might not be enough. So if you are a person – or company – of interest, don't use a CSSM.
That statement may seem somewhat facile at first glance, but there is a requirement to be realistic in your assessment about your own importance to the spooks, or lack thereof. An American CSSM is vulnerable to national security letters from the US government, yes, but there are plenty of other folks out there wanting a peek at what you are up to.
If you want to be doubly sure, you can find a few tools to monitor changes to the file system or changes to the registry on specific systems, or invest the time and money to run an on-premises security and systems management application.
Of all the options on the table, however, nothing at all seems the riskiest.
Risk versus reward: which solution will you choose? ®
*Except for some very rare cases, cloud = USA. There are a few providers from elsewhere, but precious few offering anything beyond IaaS and fewer still selling into markets where American providers dominate.
Sponsored: Global DDoS threat landscape report