Updates of cloud-based applications not as automatic as they may seem
According to experts, some of the onus still falls on users to update cloud-based applications, despite vendor promises of automatic upgrades.
There are many reasons for companies to adopt cloud-based applications. They're easier to deploy than on-premises software, and businesses can save money on expensive hardware and costly licensing fees. Furthermore, it's easy to add or subtract bandwidth, and upgrades are automatic.
However, some users are confused about what exactly the phrase automatic upgrades means. When users hear pitches from cloud-based software vendors, they think they won't have to do anything to get the latest and greatest versions of the software, which often contain important security upgrades.
As a result, users of cloud-based applications assume they're running the same releases as all other users. But while that technically might be correct, it might not be in terms of functionality.
And there's the rub when it comes to cloud computing: Companies can fall several releases behind functionally because they haven't manually turned on the new capabilities.
"It's important for users of all software to update [it] to ensure they're on the latest release," said Mark Bermingham, director of global product marketing at Woburn, Mass.-based computer security company Kaspersky Lab. And that's because people authoring malicious malware designed to extract sensitive company information are primed to take advantage of vulnerabilities that companies can expose themselves to by being lax about upgrades.
"Vendors are aware that they need to continually evolve their software to stay ahead of this ever-increasing threat landscape," Bermingham said. "[But] if an end user isn't being vigilant in getting the latest update, they're putting themselves at unnecessary risk."
And it's not all that difficult to get these updates -- all the user has to do is "hit click," according to Bermingham.
When an update or a release is available, vendors of cloud-based applications will push out a notice that users just have to click through and the update will run in the background, he said.
"It's usually pretty easy," he said. "But the fact of the matter is automatic is only so automatic. There is some acknowledgement that users have to push a button to start the process. How often do you turn on your machine and see there's a Java or an Adobe update available?"
Typically, major software vendors will have two or three major product updates per year, but there's still some onus on the end users to click those buttons.
Vendors of cloud-based applications fix as much as they can on their ends but that only goes so far, said security expert Brian Krebs, author of the KrebsonSecurity blog.
"In some situations you may have a client-side component that's designed to interact with the cloud service," he said. "[But] some of these cloud services have been known to reset the options when a new version gets pushed out. Maybe they alert the user that they installed a new version and tell them about the new features, but sometimes the settings have been changed to what they were before and the user has to redo them. It's not obvious for a lot of people."
Krebs said this is a sticky situation because people tend to accept whatever the defaults are.
However, it behooves the cloud service companies to communicate what the defaults are and make sure it's clearly stated if an update changes any of the defaults or the user-selected settings, he added.
"I've seen some of these cloud services and it's not the easiest thing to figure out all the options. It's about usability and default matters. Whatever the default settings are tends to be what 80% of the user base is going to use.
"So users should keep in mind that they have to change those settings, even if the service provider doesn't remind them to do so," Krebs said.
About the author:
Linda Rosencrance has written about technology for more than 10 years and has been a reporter for more than 20 years. A former Computerworld reporter, she is a freelance writer in Massachusetts and also an author of several true-crime books.