In security, free isn't always easy

Many idioms fall apart at the seams when you subject them to close scrutiny. A bird in the hand is worth two in the bush, for example, just seems a little impatient. And while slow and steady may sometimes win the race, this excuse would fall on deaf ears if used by an IT professional taking an age to address downtime. That said, there is one well-worn phrase that holds up, and should be heeded by IT professionals when evaluating cloud security providers: there is no such thing as a free meal. 

The cloud is playing an increasingly significant role in the way modern businesses operate. More and more organisations are embracing distributed workloads to realise benefits, including improved costs, greater efficiency, and a reduction in the hours dedicated to maintenance. In fact, SolarWinds research found that 74 percent of UK survey respondents have already migrated applications to the cloud. 

Of course, cloud deployments aren't all sunshine and roses, and various issues must be addressed before organisations reap the benefits they promise. For many businesses, security is the number one reason for sleepless nights and sweaty palms. This is unsurprising, given the increasingly advanced threat now facing organisations and their IT teams. Cyber-attackers now find themselves in a growing, profitable profession, so the idea of giving somebody else (in this case, a cloud service provider) the keys to your precious applications and data is enough to make IT professionals lie awake at night. 

With this in mind, you would think that due diligence and time investment into cloud security tools would be a given, right? Wrong. A number of businesses rely on free security tools to guard their most precious assets, assuming that adoption alone is enough to ensure security. Sadly, there really is no such thing as a free meal. 

Patch things up

It's important to note that free cloud security tools don't represent a folly for organisations. They can be very useful, picking up on vulnerabilities and informing businesses and their IT professionals of when and where maintenance needs to be carried out. 

The problem, however, is when organisations think that a free tool will do everything required to keep their business safe. This is like expecting a thimble-full of free ice cream handed out at your supermarket to satisfy your hunger. It's free and, as a result, is unlikely to give you absolutely everything you need. 

And here lies the difference between companies willing to invest in cloud security and those opting for the free version. Companies who work with paid-for cloud security providers will expect that said provider will carry out patches on their own initiative, and will likely find that this is the case. After all, you get what you pay for. 

This, however, isn't how free tools work. Instead, free tools will usually offer prompts and require you to meet them halfway. There have been cases in which organisations have expected a free tool to behave the same way as one that has required investment. Unfortunately, these organisations have learned the hard way that this is not the case. 

Take Equifax®, for example. The credit reporting agency became the victim of a monumental breach in which 43 million consumers in the US may have been affected, and up to 400,000 Brits reportedly had their personal details stolen. Equifax has since become a byword for data complacency, and, you guessed it, Equifax was using a free cloud security tool. 

The organisation was using Apache® Struts 2, an open source service which recognised a vulnerability and alerted Equifax to its existence. Unfortunately, Equifax ignored or missed this warning and failed to patch the vulnerability. As a result, untold damage was done to the company, its reputation, and, most damningly, its customers.  

The issue here isn't that the tool is free. Laying the blame at the feet of Apache Struts 2 would be like blaming an open window for letting in a burglar. Free tools work perfectly well if used correctly. The fault lies with the organisation, and the hubristic, and sometimes lax, assumption that by merely implementing a tool, they are protected. 

So, what's the solution for businesses hoping to protect their data without breaking the bank? 

Due diligence 

If you opt for a free cloud security tool, you will save yourself money, but could cost yourself time. Before you implement your free security tool, ask yourself this: will your organisation have the time to patch every vulnerability that your tool finds? If the answer is no, then perhaps opt for a more comprehensive solution. That, or hire a risk compliance officer who can work with the tool to check and carry out patches and ensure your business is at as little risk as possible. 

Another option—and this is something you should consider whether your tool is free or not—is to adopt a comprehensive monitoring and management tool. One of the main reasons security issues occur in organisations with cloud deployments is a lack of visibility. With distributed workloads, it's often difficult for IT professionals to establish where their remit begins and ends. If a vulnerability doesn't appear to be on your end, but your cloud service provider assures you they are guilt-free, how can you establish root cause and fix the issue?

A comprehensive monitoring and management toolset can offer insight and visibility across on-premises and cloud deployments, so regardless of whether your tool is paid for or free, you have the information necessary to locate and address vulnerabilities before a breach occurs. 

With free cloud security tools comes great responsibility. If you can't dedicate the time to meet your free tool halfway, then it may be best to look to an alternative solution. Regardless of how you choose to protect your company, a monitoring and management solution can help you rest easy. 

Contributed by Destiny Bertucci, head geek, SolarWinds.

*Note: The views expressed in this blog are those of the author and do not necessarily reflect the views of SC Media UK or Haymarket Media.
