Cloud Point Security: Deployment, alerts, and reporting

Using cloud point security services enables organizations to quickly gain the benefits of total cost of ownership (TCO) because it eliminates the need to deploy and configure an enterprise internal Management server. However, some cloud-based security products provide only relatively basic limited functionality, which may make it impossible for an enterprise to gain TCO advantages, or even to the contrary! In assessing cloud-computing endpoint security services, never assume that the functionality provided by the internal deployment product can also be found in the cloud service.

This article provides guidance on how to assess cloud endpoint security capabilities from three aspects of deployment, alerting, and reporting. This cloud endpoint security comparison stems from the Tolly group's recent use of five well-known cloud product vendors to build prototype deployments.

Cloud Point Security: Deployment

Flexibility and easy deployment are important factors, regardless of the endpoint security coverage of the entire zone, or just a few new users. When the management system is in the enterprise external environment (for example, cloud-based security), the deployment process must change. Although deployment is a one-time task by definition, it takes a lot of effort for large installations, so businesses should closely review the installation process.

The fundamental difference between a traditional endpoint deployment and a cloud-based endpoint deployment is that, in a cloud-based product, the endpoint is in the internal private network and the Management Server is located in a public external network. Since the enterprise endpoint is located behind the firewall (and is definitely using the private IP address space), communication between the server and the managed client must be initiated by the client.

Our research identified three major deployment methods: Installing packages, downloading software via web sites, and gateway machines. The first two methods are initiated by the client and "pull" the required proxy and endpoint security files from the server. The third approach is to "push" the proxy and related software from the server to the client (through the gateway system located within the firewall).

That is, cloud based deployments should have at least one endpoint client for "pull" installations, although the vendor provides automatic "push". This is because a push installation requires a gateway between the local server as an "external" cloud Management Server and a push to the internal client. However, of the five products we evaluate, only one product offers a push feature. The easiest way to install an endpoint agent is to use the admin console to send an installation URL to an endpoint user by e-mail. (The URL and installer in the Pull method is encoded using the customer's cloud security ID, which automatically associates the client to the customer's cloud security Management Server).

The push system installation process does not require user interaction, as long as the target machine is identified by name and IP address from the admin console, then provides the login account, automates the installation, and logs on to the endpoint.

Cloud Point Security: Alerts

After the installation is complete, the following is the alert feature, which enables administrators to immediately understand potential security issues. In addition to displaying alerts in the product's management console, most cloud-based endpoint security products also allow e-mail or short messages to send alert information.

Typical alert scenarios include detection of threats, blocked URLs, expired virus definitions, X-day runs without scans, and so on. Surprisingly, we found that some services provide only limited alarm functionality or do not provide alerts at all. In addition to real-time analysis, security managers must rely on reporting. Alerts are an important feature because administrators cannot be in the console all day, and businesses should not only ensure that the services they choose to provide that functionality, but also ensure that it works well.

Cloud Point Security: Reporting

Reporting requirements are fully predictable. Security managers often want to know about threats, infected devices, attempts to access blocked Web sites, and so on. However, of the five products we evaluated, three did not provide any predefined reports. Although it is not difficult to generate these reports manually, these vendors did not allow developers to take the time to reflect in their basic reports that many of the products we see are functionally lacking in depth.

Before deploying, organizations must carefully identify alerts and reporting requirements. Do the new systems need to provide an existing endpoint Security report? Do you need new or additional reports? Find out the answers to these questions and ask the prospective cloud security providers if they can provide you with these reports, but only if you don't need to pay extra.