ITexpertVoice: Is It Time to Consider the Cloud for Anti-Virus Protection?

Cloud computing is everywhere these days, and one of its more mundane uses is providing anti-virus/anti-spam endpoint protection. The idea is that you don’t have to worry about your users forgetting to install the latest virus signatures or turning the protection off, or, as in last week’s McAfee fiasco, about a legitimate file being incorrectly tagged as malware. You can instantly see what is happening across your network and find out which PCs are protected. Cloud-based AV simplifies deploying new PCs, too, because there is less software to install on each one. AV scans happen more regularly, since they are initiated by the cloud service and again don’t depend on individual user behavior. And it costs about the same as, or in some cases less than, traditional desktop AV software.

The cloud AV services all operate the same way: a small agent or client piece of software runs on each desktop and makes a connection to the central monitoring server in the cloud. As long as you have an Internet connection, updates to the virus signatures happen automatically and frequently. The client keeps its memory footprint as small as possible, since most of the heavy lifting for protection and processing happens in the cloud.

There are two types of services: ones for single PCs that are sold by Microsoft, and ones that are geared towards enterprises that are sold by the major security vendors. The latter typically have a Web-based or some other type of management console to monitor your users’ PCs and see if anything is amiss.

Some of these advantages are neither new nor exclusive to cloud-based AV services: Symantec and others have for several years had client/server AV products which offer many of the same things as a hosted AV service, just with a central server that you have to run on your local area network. The difference is that with a cloud-based service the central server doesn’t have to be maintained, and the cloud service is also more useful for those occasionally-connected laptops: most central-server AV products require that the server and the laptop be on the same local area network, or connected via a VPN, to perform the updates. If you have a lot of frequent travelers, this could be an issue.

Here are some of the things you should look for:

  • How lightweight is the client really? Check the running programs in Windows (CTRL-ALT-DEL and choose Task Manager) to see how many different executables are installed and how much RAM and system resources each one consumes.
  • How much information is the central management console reporting, and is it meaningful to your situation? In Trend’s case, they charge extra for any console users ($8/year per user); the others include their management console as part of the price tag. Not all consoles are created equal: this is where conducting a free trial is worth the trouble to see how each service is managed. Things to check include what kinds of reports are available, how the central service alerts you to exploits or potential trouble PCs, and how flexibly the settings for these tasks can be adapted to your particular needs.
  • What protective features does it share with the client or client/server solutions from the same vendor? For example, the Trend TRVprotect shares the same software code base with its desktop OfficeScan product line, and the new Microsoft Intune shares its protective code with their Forefront security services. This can be either a blessing or a curse, depending on what you think of the thick client versions.
  • Does it work on all Windows versions that you have in your shop, or do you need patches or additional software? Some of the services require XP SP3, for example, or other supporting software from Microsoft, to work. Most of the products work with both 32-bit and 64-bit versions and some also work with Windows Server versions, but again this is worth checking. Some want a more recent browser than IEv6 to run the central management console, too.
  • What happens if your users don’t regularly connect to the Internet? All of these products assume a more or less continuous Internet connection on the desktop for receiving updates and sending back alerts. Without this, they are pretty useless, since a PC could become infected and not let anyone know for some period of time while it is offline. If some of your end users are infrequently online, you might want to consider a traditional desktop AV solution.
  • What else comes with the service besides AV? Some of these products offer separate add-ons to include email scanning, OS patching, Web site phishing protection and desktop firewalls. The Microsoft products, for example, are tied into the Windows Update process, as you would expect. Panda has a confusing array of cloud-based service offerings that could be better explained on their Web site.
  • Do they really offer zero-day protection? One of the potential benefits of the cloud AV services is that they can get an update out very quickly, in some cases just in time for any new threats that have been observed. It is worth looking at how often they update their protection signatures too.
  • Finally, what does it all cost? Each product has quantity site discounts, but in some cases you can save money over purchasing the desktop versions.
