Security Through Simplicity

Every year for the past 13, InformationWeek has fielded our Strategic Security Survey. While a bellwether for the IT industry, the survey results are something of a nonevent as they pertain to emerging threats. What we find is that all sec- tors generally face every threat, and that they're increas- ingly sophisticated and fielded with the intent of stealing financial data.

Small businesses face many of the same threats as large enterprises. Any thinking that your company is too small to be interesting to bad guys is wrong-headed--see our cover story on p. 4 for more on that. For SMBs, which don't have dozens of security specialists, the outlook can seem bleak. But if you keep things simple and manageable, good security can be a natural outcome.

There are key differences between behemoth enterprises and smaller businesses. One tech vendor familiar with Windows 7/ Server 2008 migrations suggests that large companies tend to have one supported desktop app for every 100 users and one supported server-side app for every 500 users. Thus, a complicating factor that small businesses don't face is having a large number of disparate apps with varying levels of integration. Your goal should be to keep it that way.

Whether it's for end user applications or security infrastructure, we see small businesses taking the sensible approach of choosing a few strategic partners. Once you've mastered the management of one Microsoft application, managing the next is a similar process. On the security side, vendors are trying to field products based on a single operating system and with similar management tools and/or providing "a single pane of glass" for management of their applications. Some succeed better than others, but the goal of simplicity is the right one.

The SaaS Factor

One new question that all companies increasingly face is the degree to which they should use software as a service. That's by no means a no-brainer. While SaaS apps can be up and running quickly without much capital outlay or configuration effort, each comes with its own administrative interface, including account management and access control. Integration with other applications is a relatively new concern for SaaS providers and can lead to headaches down the road for IT teams. Even mature SaaS applications can present integration challenges, and while this might not seem to be a security issue, it becomes one when small IT teams are required to "just make it happen" (whatever "it" may be).

Likewise, managing the user account life cycle for one SaaS application might not be onerous, but managing accounts for a few dozen, all with different management interfaces, is going to be problematic.

Adding to the challenge is that it's not just IT that's considering SaaS applications. Sales VPs, HR directors, and other executives are learning what's available in the SaaS world, so, like it or not, IT needs to have a response other than "emphatically not" when business partners start inquiring about the options. If you're already a Salesforce.com user, for instance, you'll want to at least consider other apps that leverage the environment, including the access control system. No matter where you are in terms of SaaS adoption, it's better to be involved in vetting new applications before they're purchased than to get pulled into the conversation after the deal is done.