About Me

Scott Arnett is an Information Technology & Security Professional Executive with over 30 years' experience in IT. Scott has worked in industries such as health care, insurance, manufacturing, broadcast, printing, and consulting, in enterprises ranging from $50M to $20B in revenue. His areas of specialization are leadership, strategy, architecture, business partnership and acumen, process management, infrastructure, and security. With his broad understanding of technology and his ability to communicate with both executives and technical specialists, Scott has consistently been recognized as someone who not only can "connect the dots" but can also create a workable solution. He is equally comfortable in technical, project management/leadership, and organizational leadership roles, through experience gained throughout his career. Scott has previously served as CIO, CTO, and VP of IT, has built nine data centers across the country, and is well versed in ITIL, PCI compliance, SOX, HIPAA, FERPA, FRCP, and COBIT.

Friday, December 17, 2010

UTM - A Good Security Tool in the IT Toolbox

I have talked with a great many IT leaders in recent months, from small to large organizations, who all have security concerns on their mind.  I always point out to them the great value of UTM technology.  I have had a Fortinet UTM device in the office here for several years and have always been impressed with the capability of the device.

Unified Threat Management (UTM) was originally designed to help protect the networks of small and medium-sized businesses, but UTM firewalls have recently been expanding into corporate networks as well. The term UTM describes network firewalls that combine many different security features in one box.

Such features include e-mail spam filtering, an intrusion prevention system, anti-virus scanning, web content filtering, and the functions of a traditional firewall, along with central management and web-based administration. Basically, this means a UTM firewall can perform in one box the functions that would otherwise require two or three boxes.

What are the benefits of UTM Firewalls?

1. The main benefit of Unified Threat Management is that so many necessary functions are combined into one box. This reduces the complexity of the firewall system and saves businesses time and money.  Complexity also brings risk and opportunity for errors, so reducing it is a security gain in itself.

2. Since all the security features are in one device, you do not need to spend time figuring out how each of several security devices works and then how they all work together. Once you understand how your UTM firewall works, you understand your entire perimeter security system.

3. Because the whole security system is in one device, there is much less to buy. In many cases the UTM firewall is the only perimeter security appliance you need to purchase, which significantly reduces the cost of the security system.

4. Maintaining network security can become complex and confusing, but when all the security features are combined into one system, it is easy to see how the functions are integrated and how they work together. Because it is one system from one vendor, training for the entire system also comes from one vendor, and when you need help there is only one company to call. That is much easier than contacting three or four different companies when something fails.

The simplicity that Unified Threat Management creates, and the time and money it saves, make it a worthwhile investment for any business. One trade-off to plan for: consolidating every control into one device also makes that device a single point of failure, so size it for the traffic it must inspect with every feature enabled, and consider a redundant pair where the business cannot tolerate an outage. If you need to protect your network, get started with a UTM firewall today.

Stay positive!

Scott Arnett
scott.arnett@charter.net

Friday, December 10, 2010

Security - Do you have inside threats?

I talk with many IT leaders over the course of a year, and everyone is focused on firewalls, IDP, IDS, DLP, and so on.  No one really talks about inside threats.  What about that risk?  When IT pros think of securing networks, they typically concern themselves with outside attacks and hackers. But the easier attack is often from inside your office or a branch office. Organizations also face threats from their employees, especially their internal IT staff. The threats can be intentional, from malicious employees, or accidental, when staff mistakenly leave sensitive information open and available to attackers.  And social engineering is not just an outside attack; insiders can be both its target and its source.

New Threats

The majority of data breaches still involve outside criminals. Verizon's 2010 Data Breach Investigations Report stated that 70% of the breaches it studied in 2009 came from external agents. The more surprising number is that 48% involved insiders, roughly double the share reported the year before.  The figures add up to more than 100% because some breaches involved people from both inside and outside the company.

The question becomes: how can IT managers reduce the risk of insider threats? The best place to start is the employees inside the IT department. Most IT staffers have the highest level of access and the technical knowledge of how to steal data.  In addition, some IT staff are overworked, under-appreciated, and resentful toward their employer.

To protect against threats from within the IT staff, industry experts recommend the following best practices.

Enforce a policy of least privilege

48% of the breaches in the Verizon study involved the misuse of privileges. Limit the damage a single account can do by giving people only the access they need to do their job. In practice that means tying each privilege to a documented need of the role, reviewing entitlements regularly, and resisting the habit of dropping everyone in a department into a broad administrative group.

Conduct thorough background checks

Make sure your HR department knows which positions in your IT department require access to critical and sensitive data, so candidates for those positions can be screened appropriately before they are hired.

Terminate Properly

In a recent survey by Cyber-Ark, 63% of IT staffers admitted they would take passwords, financial reports and other sensitive information if they knew they were about to be fired. Disable account access immediately when an employee is being let go, and remember that the person's own login is not the only credential they hold: shared administrative passwords, service-account passwords, VPN certificates and tokens they knew or possessed need to be changed or revoked as well.

Watch for signs of a suspicious employee

Employees involved in cybercrime often show warning signs such as unexplained absences from work, changes in work habits, and a change in temperament.

Enforce your policies

A lax environment can convince some staffers that they can get away with fraud. Make sure you enforce all of your policies and that violations are dealt with appropriately.

Unknowing accomplices

Staffers and IT professionals might also put their company's network at risk without meaning to.  The Verizon study shows that cybercriminals are less reliant on malware to steal data; more often they gain access through social engineering or by exploiting poorly configured networks.  In addition, company equipment and assets that staff take home can be used to mount attacks after hours, outside the controls of the office network.

Keep your staff informed….

Provide training: Watch for hackers' latest tactics for tricking staffers into providing sensitive data or access credentials. Most IT pros should know better, but you still need to remind them from time to time.

Conduct audits:

Audits can help detect potential fraud and catch holes that IT staffers may have overlooked. Encourage staff to report problems so they can be addressed and fixed.
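The offboarding, least-privilege and audit recommendations above are easiest to enforce when they run as a recurring script rather than from memory. The following is an added example, not code from the original post: it reconciles a constructed HR feed against a constructed directory export and reports accounts still enabled after termination, logons after the termination date, privileged group members with no approval on file, and accounts with no owner at all. The record layouts, group names and approval list are assumptions made for the illustration.

```python
"""Offboarding and privilege audit: reconcile an HR feed with a directory export.

Added example, not from the original post. HR, ACCOUNTS and the group names
below are constructed for illustration; the field names are assumptions about
what an HR feed and a directory export would carry.
"""
from datetime import date

# Constructed HR feed: one record per person, with a termination date where HR
# has processed a separation.
HR = [
    {"emp_id": "E100", "status": "active"},
    {"emp_id": "E101", "status": "terminated", "term_date": date(2010, 12, 1)},
    {"emp_id": "E102", "status": "terminated", "term_date": date(2010, 11, 15)},
    {"emp_id": "E103", "status": "active"},
]

# Constructed directory export: one record per account. emp_id None means the
# directory has no recorded owner (typical of service accounts and leftovers).
ACCOUNTS = [
    {"account": "aadmin", "emp_id": "E100", "enabled": True,
     "groups": ["Domain Admins"], "last_logon": date(2010, 12, 16)},
    {"account": "bbuilder", "emp_id": "E101", "enabled": True,
     "groups": ["Domain Users", "Server Operators"], "last_logon": date(2010, 12, 10)},
    {"account": "ccontractor", "emp_id": "E102", "enabled": False,
     "groups": ["Domain Users"], "last_logon": date(2010, 11, 14)},
    {"account": "ddba", "emp_id": "E103", "enabled": True,
     "groups": ["Domain Users", "Domain Admins"], "last_logon": date(2010, 12, 15)},
    {"account": "svc_backup", "emp_id": None, "enabled": True,
     "groups": ["Backup Operators"], "last_logon": date(2010, 12, 16)},
]

# Groups treated as privileged, and the accounts approved to hold them (assumed
# to come from a signed-off access list).
PRIVILEGED_GROUPS = {"Domain Admins", "Server Operators", "Backup Operators"}
APPROVED_PRIVILEGED = {"aadmin", "svc_backup"}


def stale_terminated_accounts(hr, accounts):
    """Accounts whose owner HR lists as terminated but that are still enabled,
    or that logged on after the termination date. Either one is a finding: the
    first means offboarding was missed, the second means the account was used
    after the person should have lost access."""
    term_dates = {r["emp_id"]: r["term_date"] for r in hr if r["status"] == "terminated"}
    findings = []
    for acct in accounts:
        term = term_dates.get(acct["emp_id"])
        if term is None:
            continue
        if acct["enabled"]:
            findings.append((acct["account"], "still enabled after termination"))
        if acct["last_logon"] is not None and acct["last_logon"] > term:
            findings.append((acct["account"], "logon after termination date"))
    return findings


def unapproved_privileged(accounts, privileged_groups=PRIVILEGED_GROUPS,
                          approved=APPROVED_PRIVILEGED):
    """Accounts in a privileged group without an approval on file: the
    least-privilege check, run as a recurring audit rather than a one-time setup."""
    return sorted(a["account"] for a in accounts
                  if set(a["groups"]) & privileged_groups and a["account"] not in approved)


def orphaned_accounts(hr, accounts):
    """Accounts with no owner in the HR feed. Nobody will offboard these, so each
    one needs a named owner or a disable date."""
    known = {r["emp_id"] for r in hr}
    return sorted(a["account"] for a in accounts if a["emp_id"] not in known)


def run_audit(hr=HR, accounts=ACCOUNTS):
    """Run all three checks and return the findings keyed by check name."""
    return {
        "stale_terminated": stale_terminated_accounts(hr, accounts),
        "unapproved_privileged": unapproved_privileged(accounts),
        "orphaned": orphaned_accounts(hr, accounts),
    }


if __name__ == "__main__":
    for check, hits in run_audit().items():
        print(f"{check}: {hits}")
```

On the constructed data the script flags bbuilder (terminated December 1st, still enabled, and used on December 10th), bbuilder and ddba as privileged without approval, and svc_backup as having no owner; ccontractor, who was disabled before the termination date, produces no finding. In a real environment the two inputs would be exports from the HR system and the directory, and the approval list would come from the access-review sign-off.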

Keep in mind the human side of the environment.  Employees who are happy at work and feel fairly compensated, rewarded, and appreciated are less likely to do harm to the company.  They feel part of the overall success and appreciate the financial rewards of their hard work and dedication.

Keep positive!

Scott Arnett
scott.arnett@charter.net

Thursday, November 18, 2010

You a top dog leader?

So you say you are a good boss?  Really?  What makes a good boss?  There are many lists out there rating what you shouldn't do; what about what you should do?

As we discussed before about being a leader, bosses usually aren't aware that they are bad bosses. The fact is that nobody wants to believe they're the problem. Nevertheless, there's a bell curve for all things involving people, which means there are a few really bad bosses, a few really good bosses, and most of you fall somewhere in the middle.

To me that says that for the vast majority of you, there's lots of room for improvement, myself included. So if you're not exhibiting any of the 7 Signs of a Bad Boss, that's great; pat yourself on the back. Still, if you really want to up your management game, maybe even vault into the executive or ownership ranks someday, you'd better start doing at least a few of these 10 Things That Good Bosses Do.

Incidentally, this isn't from some academic study. These are real attributes of real bosses, culled from decades of observation, including some of my own real-life experiences, that motivate and inspire employees to perform at their best.

Top 10 Things that make a top dog boss -

1: Pay people what they’re worth, not what you can get away with. What you lose in expense you gain back several fold in performance.

2: Take the time to share your experiences and insights.  Labels like mentor and coach are overused, so let's be specific here. Employees learn from those generous enough to share their experiences and insights. They don't need a best friend or a shoulder to cry on.

3: Tell it to employees straight, even when it's bad news. To me, the single most important thing any boss can do is to man up and tell it to people straight. No BS, no sugarcoating, especially when it's bad news or corrective feedback. People can see through the smoke, and sugarcoating just damages the relationship long term.

4: Manage up... effectively. Good bosses keep upper management off their employees' backs. Most people don't get this, but the most important part of that is giving management what they need to do their jobs. That's what keeps management away.

5: Take the heat and share the praise. It takes courage to take the heat and humility to share the praise. That comes naturally to great bosses; the rest of us have to pick it up as we go. Pat them on the back, shake a hand, say thank you. 

6: Delegate responsibility, not tasks. Every boss delegates, but the crappy ones think that means dumping tasks they hate on workers — i.e., s**t rolls downhill. Good bosses delegate responsibility and hold people accountable. That's fulfilling and fosters professional growth.  Don't be afraid to roll up your sleeves and help out at crunch time.  Even if your role is taking out the trash or getting food for your staff, it goes a long way.

7: Encourage employees to hone their natural abilities and challenge them to overcome their issues. That’s called getting people to perform at their best.

8: Build team spirit. As we learned before, great groups outperform great individuals. And great leaders build great teams. Celebrate team wins!

9: Treat employees the way they deserve to be treated. You always hear people say they deserve respect and to be treated as equals. Well, some may not want to hear this, but a) respect must be earned and b) most workers are not their boss’s equals.

10: Inspire your people. All the above motivate people, but few bosses have the ability to truly inspire their employees. How? By sharing their passion for the business. By knowing just what to say and do at just the right time to take the edge off or turn a tough situation around. Genuine anecdotes help a lot. So does a good sense of humor.

How do you rate? All this adds up to an environment where people feel appreciated, recognized, challenged, and appropriately compensated. So what do you think? How do you measure up on the good boss scale?

Keep positive!

Scott Arnett
scott.arnett@charter.net

Thursday, November 11, 2010

Veterans Day

Veterans Day is a time to reflect on the many contributions our veterans have made -- and the sacrifices that go along with it. The men and women who choose to serve in our Armed Forces are doing something truly extraordinary.

This year I lost a friend in the Armed Forces. That is tough, but more than anything we are proud of him.  My grandfathers and father served in the Armed Forces, and I take the time today to reflect upon their sacrifices and many contributions.

Whether or not we agree with the wars, or the politics around them, we respect those who serve.  We go to the graveside of the fallen with respect and reverence and leave our agenda, politics and views at the gate.  This is no place for protest, religious views or rants.  This is sacred ground.

“Grant me the Serenity to accept the things I can not change, Courage to change the things I can, and Wisdom to know the difference.” – Dr. Reinhold Niebuhr (excerpt from the Serenity Prayer)


Today my friends, we honor those that wear the uniform and show our thanks, gratitude and respect.

Scott Arnett
scott.arnett@charter.net

Wednesday, November 10, 2010

Good Old Days

I was talking the other day with a colleague I have known for over 20 years, and of course we took a walk down memory lane.  Remember when IT was fun, when we did this or had to do that?  But the conversation came back around to what has happened to the IT profession.  Has the IT field changed as much as the technology itself?  Why are the jobs going offshore, why doesn't the business understand, and so the conversation quickly takes a turn.

IT jobs have gone offshore to balance a budget and make the numbers look good, regardless of quality or the rework that has to take place, and often blind to the security risks and the potential for data leakage.  Furthermore, IT has become very process heavy.  Are we killing our ability to be an agile, fast-moving, responsive organization?  We want controls in place to protect the organization from unplanned outages and to show structure, but has it gone over the top?

IT seems to be this animal that top management can't figure out how to manage or understand.  Some take the easy route and say they will just outsource the entire organization.  For many that has become a disaster, and now they have to bring it back in house.  The answer is to have a strong CIO at the table with the CEO and CFO, as a business partner.  Having IT report up through finance or operations usually does not lend itself to high success in the organization.  Time to take a step back and look at how this key business partner is engaged in delivering capabilities to the business.

The technology has changed dramatically over the years, but has the profession changed with it?  New skills are needed, new processes, new management styles.  We have to change to align with the technology, the business, and the change in culture.

The old IT guys can change: bring your wisdom with you, your battle scars, and always strive to understand first and act second.  You can teach an old dog new tricks!

Keep positive

Scott Arnett
scott.arnett@charter.net

Tuesday, October 19, 2010

Change Management

I read an interesting article this past week in which some IT "leaders" say ITIL has seen its prime and is on a downward spiral.  Really?  The organizations that have embraced ITIL and found value in it would probably not agree.  Yes, there are organizations that took on ITIL and failed, but that was the approach, not the methodology nor the value it brings when done properly.

I have talked a few times on this blog about change management.  If you do any ITIL, start with change management and keep it going. If you don't track your changes, then your incident response has to include finding out what changed, right?  A managed and structured environment ensures you can respond quickly when something happens.  Planned or unplanned, have documentation.

Change Management:
  • Manage risks to the organization
  • Reduce risk to a level acceptable to management
  • Enable the organization by responding quickly to changes
  • Design the process accordingly
  • Have a solid process
Have a great change advisory board, have full participation, and do it right!  Check back again this week for my thoughts on emergency change.
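The point that "if you don't track your changes, incident response has to include finding out what changed" can be turned into a routine check: reconcile the configuration-change events your devices already log against the change records the advisory board approved, and anything without a covering record is a question for the post-incident review. The following is an added example, not code from the original post. The syslog lines and change records are constructed; the message format is loosely modeled on the Cisco IOS `%SYS-5-CONFIG_I` message, and the change-record fields (configuration item, window, standard versus emergency) are assumptions about what a change system would export.

```python
"""Reconciling observed configuration changes against change records.

Added example, not from the original post. The syslog lines and change records
below are constructed; the message format is loosely modeled on the Cisco IOS
%SYS-5-CONFIG_I message, and the change-record fields are assumptions about
what a change management system would export.
"""
import re
from datetime import datetime

# One line per "someone entered configuration mode" event. The last two groups
# are optional because console sessions do not carry a source address.
CONFIG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<device>\S+) %SYS-5-CONFIG_I: Configured from (?P<method>\S+) "
    r"by (?P<user>\S+)(?: on (?P<line>\S+) \((?P<src>[^)]+)\))?$"
)

SYSLOG = [  # constructed
    "2010-12-15T02:10:00 core-sw1 %SYS-5-CONFIG_I: Configured from console by jdoe on vty0 (10.1.1.20)",
    "2010-12-16T14:29:50 core-sw1 %LINEPROTO-5-UPDOWN: Line protocol on Interface Gi1/0/1, changed state to down",
    "2010-12-16T14:30:00 core-sw1 %SYS-5-CONFIG_I: Configured from console by asmith on vty1 (10.1.1.77)",
    "2010-12-16T22:15:00 fw-edge1 %SYS-5-CONFIG_I: Configured from console by jdoe on vty0 (10.1.1.20)",
    "2010-12-17T09:00:00 dist-sw2 %SYS-5-CONFIG_I: Configured from console by asmith",
]

# Approved change records: which configuration item may be touched, in what window.
CHANGES = [  # constructed
    {"id": "CHG0001", "ci": "core-sw1", "type": "standard",
     "start": datetime(2010, 12, 15, 1, 0), "end": datetime(2010, 12, 15, 3, 0)},
    {"id": "CHG0002", "ci": "fw-edge1", "type": "emergency",
     "start": datetime(2010, 12, 16, 22, 0), "end": datetime(2010, 12, 16, 23, 59)},
]


def parse_config_events(lines):
    """Pull the configuration-mode events out of a syslog stream; other messages are skipped."""
    events = []
    for line in lines:
        m = CONFIG_RE.match(line)
        if m:
            events.append({
                "time": datetime.fromisoformat(m["ts"]),
                "device": m["device"],
                "user": m["user"],
                "src": m["src"],  # None for a console session
            })
    return events


def reconcile(events, changes):
    """Attach the approved change that covers each event (same CI, inside the
    window), or None when no record explains it."""
    results = []
    for ev in events:
        match = next((c for c in changes
                      if c["ci"] == ev["device"] and c["start"] <= ev["time"] <= c["end"]), None)
        results.append({**ev,
                        "change": match["id"] if match else None,
                        "change_type": match["type"] if match else None})
    return results


def unauthorized_changes(lines=SYSLOG, changes=CHANGES):
    """Events with no covering change record: the list incident response would
    otherwise have to rebuild by hand after an outage."""
    return [r for r in reconcile(parse_config_events(lines), changes) if r["change"] is None]


if __name__ == "__main__":
    for r in reconcile(parse_config_events(SYSLOG), CHANGES):
        tag = f"{r['change']} ({r['change_type']})" if r["change"] else "NO CHANGE RECORD"
        print(f"{r['time']} {r['device']:9} {r['user']:7} {tag}")
```

On the constructed data the jdoe changes are covered (one by a standard change, one by an emergency change, which is the reason an emergency change still needs a record), while the two asmith changes have no record and would be the first place to look if core-sw1 or dist-sw2 misbehaved the next morning.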

Scott Arnett
scott.arnett@charter.net


 

Tuesday, October 5, 2010

Cisco MARS: Worth the price?

Looking for that enterprise-wide management tool for your network hardware?  Think Cisco MARS is the answer?  In November 2009, Cisco Systems Inc. announced that its MARS security information and event management (SIEM) product would no longer support integration with third-party products. So should enterprises still consider MARS when looking at SIEM products, or is the vendor lock-in too high a price to pay?

What value does MARS bring now that other tools can't?  I remember looking at the MARS product in the early 2000s; it fell short of expectations then, so where is it now?  First, a little background: what is MARS? Quoting from Cisco's Frequently Asked Questions (FAQ), the vendor's Security Monitoring, Analysis and Response System, or MARS for short, is an "appliance-based, all-inclusive solution that allows network and security administration to monitor, identify, isolate and counter security threats." Basically, MARS is Cisco's attempt at a unified security monitoring and mitigation platform that lets the appliances within Cisco's security product portfolio interact with each other and address security threats in a timely manner (sometimes in real time).

Cisco MARS belongs to a family of products that has its roots in log management. A traditional log management platform provides a central repository for collecting events from servers, firewalls, switches, routers and even web services. Most log management platforms come with a fairly robust parsing engine and some ability to trigger alerts on preset search signatures. These search signatures are highly customizable, with extensive regular-expression matching; for example, they could be set up to trigger alerts when accounts are created or deleted on systems, device configurations are modified, or system failures take place. This provides an effective way to track down system or security events. These platforms also come with preconfigured alert packages that help organizations address compliance requirements like PCI DSS.  Wait a minute, doesn't it let me configure switches or do a mass IOS update? No. That is a configuration management job; a log management or SIEM product watches what changed, it does not push the change.

How is MARS different? MARS is a SIEM product, and like other SIEM products it offers baseline log management features and extends them with intelligent threat analysis and threat mitigation applied to security events received from a wide variety of sources. It might be easier to understand where MARS fits into the enterprise by running through an example. Since a Cisco product is our focus, I have kept this example Cisco-centric.

Let's say Company A likes to stay informed on the latest security threats and has a robust security infrastructure giving it visibility into various parts of its network. Company A has deployed a firewall with an inline intrusion prevention (IPS) module, and a web security gateway providing traditional URL and reputation filtering with malware intelligence. This architecture is augmented by an endpoint security product that combines a host-based IPS with acceptable-use policy enforcement and traditional antivirus protection. To keep unauthorized systems from connecting to its network, the company also employs a network access control (NAC) system. Finally, Company A hosts an e-commerce platform at a service provider.  But what about the non-Cisco UTM products I have at the edge?

As you can see, Company A likes to keep on top of security with point products addressing security at multiple levels. But having all these point products makes it difficult, if not impossible, to manage, monitor and mitigate security risks in a timely manner. In other words, Company A has rightly implemented a multi-layered security strategy, but the effectiveness and timeliness of its risk mitigation would be compromised by the sheer number of devices providing information. By adding a SIEM product to the mix, Company A can take the alerts and data from each point product, normalize them into a common format, aggregate them so that repeat entries collapse into one (damping), and then apply correlation rules to identify threats and mitigate them. The last step, the actual application of the rules, is the most critical to successfully identifying a security threat.
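The two pieces described above, the regular-expression search signatures of a log management platform (alerting on account creation, for instance) and the normalize, damp and correlate pipeline of a SIEM, fit in a few dozen lines once the inputs are laid out. The following is an added example, not code from the original post or from Cisco. The log lines are constructed, loosely modeled on a Cisco ASA access-list deny, OpenSSH sshd messages and the useradd syslog line; the normalized field names, the damping window and the correlation rules are assumptions made for this illustration.

```python
"""Normalize, damp and correlate events from several sources.

Added example, not from the original post or from Cisco. The RAW lines are
constructed, loosely modeled on Cisco ASA access-list denies, OpenSSH sshd
messages and the useradd syslog line; the field names and rule thresholds are
assumptions made for this illustration.
"""
import re
from datetime import datetime, timedelta

RAW = [  # constructed sample, all times UTC
    '2010-12-10T03:00:01 fw1 %ASA-4-106023: Deny tcp src outside:203.0.113.5/40001 dst dmz:10.0.0.10/22 by access-group "outside_in"',
    '2010-12-10T03:00:02 fw1 %ASA-4-106023: Deny tcp src outside:203.0.113.5/40002 dst dmz:10.0.0.10/22 by access-group "outside_in"',
    '2010-12-10T03:00:03 fw1 %ASA-4-106023: Deny tcp src outside:203.0.113.5/40003 dst dmz:10.0.0.10/22 by access-group "outside_in"',
    "2010-12-10T03:05:10 web1 sshd[2001]: Failed password for root from 203.0.113.5 port 50100 ssh2",
    "2010-12-10T03:05:12 web1 sshd[2001]: Failed password for root from 203.0.113.5 port 50101 ssh2",
    "2010-12-10T03:05:14 web1 sshd[2001]: Failed password for root from 203.0.113.5 port 50102 ssh2",
    "2010-12-10T03:05:20 web1 sshd[2002]: Accepted password for root from 203.0.113.5 port 50103 ssh2",
    "2010-12-10T03:06:00 web1 useradd[2050]: new user: name=sysadm2, UID=0, GID=0, home=/root, shell=/bin/bash",
    "2010-12-10T03:07:00 web1 sshd[2003]: Accepted publickey for deploy from 10.0.0.50 port 41000 ssh2",
]

HEADER_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<msg>.*)$")

# One parser per source format; each yields the same normalized field names.
PARSERS = [
    ("fw_deny", re.compile(r"%ASA-\d-106023: Deny \w+ src \w+:(?P<src>[\d.]+)/\d+ dst \w+:(?P<dst>[\d.]+)/(?P<dport>\d+)")),
    ("login_fail", re.compile(r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>[\d.]+)")),
    ("login_ok", re.compile(r"sshd\[\d+\]: Accepted \w+ for (?P<user>\S+) from (?P<src>[\d.]+)")),
    ("user_add", re.compile(r"useradd\[\d+\]: new user: name=(?P<user>[^,]+), UID=(?P<uid>\d+)")),
]


def normalize(lines):
    """Map each raw line onto a common schema; lines no parser understands are dropped."""
    events = []
    for line in lines:
        h = HEADER_RE.match(line)
        if not h:
            continue
        for kind, rx in PARSERS:
            m = rx.search(h["msg"])
            if m:
                ev = {"time": datetime.fromisoformat(h["ts"]), "host": h["host"], "kind": kind,
                      "src": None, "dst": h["host"], "user": None, "uid": None}
                ev.update(m.groupdict())  # firewall lines override dst with the real target
                events.append(ev)
                break
    return events


def damp(events, window=timedelta(seconds=60)):
    """Collapse repeats of the same (kind, src, dst, user) arriving within `window`
    into one event carrying a count, so three denies become one line with count=3."""
    out = []
    for ev in events:
        key = (ev["kind"], ev["src"], ev["dst"], ev["user"])
        last = next((o for o in reversed(out) if o["key"] == key), None)
        if last is not None and ev["time"] - last["last_time"] <= window:
            last["count"] += 1
            last["last_time"] = ev["time"]
        else:
            out.append({**ev, "key": key, "count": 1, "last_time": ev["time"]})
    return out


def correlate(damped, window=timedelta(minutes=10)):
    """Two rule types. A search signature: a new account with UID 0 that is not
    root. A cross-source correlation: firewall denies or failed logins from a
    source, followed within `window` by a successful login from that same source."""
    alerts = []
    for ev in damped:
        if ev["kind"] == "user_add" and ev["uid"] == "0" and ev["user"] != "root":
            alerts.append(("uid0-account-created", ev["host"], ev["user"]))
        if ev["kind"] == "login_ok":
            prior = [p for p in damped
                     if p["src"] == ev["src"] and p["kind"] in ("fw_deny", "login_fail")
                     and timedelta(0) <= ev["time"] - p["last_time"] <= window]
            if prior:
                alerts.append(("probe-then-success", ev["src"], ev["user"], sum(p["count"] for p in prior)))
    return alerts


def run(lines=RAW):
    """Full pipeline: normalize, damp, correlate."""
    return correlate(damp(normalize(lines)))


if __name__ == "__main__":
    for alert in run():
        print(alert)
```

On the constructed lines nine raw events become five after damping, and correlation raises two alerts: a login to root from 203.0.113.5 that followed six denied or failed attempts from the same address, and a new UID 0 account on web1. Neither the firewall nor the host alone would have raised the first one, which is the point of feeding both into the same product; the deploy login from an internal address with no prior probes produces nothing.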

Now that we've discussed the security function that SIEM tools like Cisco's MARS provide, the question emerges: how crucial is third-party interoperability? Very. Since the point of a SIEM is to correlate data from a variety of sources, a SIEM's inability to talk to some or all of those sources renders it marginally useful at best, and marginally useful is not reason enough to spend a significant amount of money on a SIEM.

Given the change in Cisco's direction on the product, and given that most enterprises are not 100% Cisco, MARS is no longer a good fit, nor good value for the money.  I can think of better products that span the enterprise, take in all my vendors' products and give me a holistic view.  Sorry Cisco, you missed the boat on this one!

Scott Arnett
scott.arnett@charter.net

Wednesday, September 22, 2010

Employee Expense - Company Expense?

You know, I got a great email the other day from someone following this blog, and it has really been on my mind since I read it.  The email is about companies that are no longer paying employee expenses such as Internet connectivity, cell phones, long distance, and so on.  Does this really amount to a reduction in salary?  The employee's out-of-pocket cost of holding the job has really increased.

This individual is really struggling to pay these expenses: ISP, cell, long distance and so forth.  The company says it is a privilege of flexible work options and that they are just doing what other companies are doing.  Does this individual cut these services to keep the family afloat, and if so, what impact might that have on their employment status?  Does this put the employee at a disadvantage? They asked for my thoughts.

I have been thinking about this for several days, as it is a complicated situation.  With permission, I wanted to add it to the blog, since others are facing the same situation.  It is important to understand that your primary obligation is to your family.  You are working to provide for your family, not for the company.  If the company will no longer reimburse the employee for Internet connectivity, cell phone and other expenses, then the employee has to bring those expenses into check.  A cell phone is not a necessity and can go away at any time.  If it is essential for the company to reach you anytime, anywhere, they should provide the phone.  Kill the cell and let your supervisor know, in writing.  I would also evaluate the Internet connection and shop for the best deal and the bandwidth you can afford.

Yes, it is true that companies are taking advantage of the economic climate and placing an undue burden on the backs of employees.  It is hurting morale and the employee partnership.  It is a shame this course of action has been taken over a few dollars per employee per month.  But it is what it is, and the employee has to protect their interests and their family's well-being.

I recommend that all communication of such changes be in writing with the supervisor and/or human resources.  I would also encourage the employee to always keep their options open and, in today's climate, to be looking at their 3-5 year goals and direction.

Friday, September 17, 2010

A unified SAN-LAN Management tool make sense?

Brocade launched a unified resource management application for storage and Ethernet networking devices, and pledged to upgrade its entire SAN platform to 16 Gbps Fibre Channel by the middle of next year.

Brocade Network Advisor combines Brocade's Data Center Fabric Manager for Fibre Channel SANs and the IronView Network Manager for the Ethernet networking platform that Brocade acquired when it bought Foundry Networks. The new application will let customers manage devices for SANs and LANs, as well as wireless and Multiprotocol Label Switching networks, from one interface. Sounds like a good tool.

Many ask if Fibre Channel over Ethernet is really the way to go.  I have read the articles and opinions of others who say the two should remain separate.  Does it make sense to maintain all these individual networks, or is one enterprise network with segmentation a good plan?  Too many eggs in one basket? If a core switch goes down, is the business impact too significant?

It goes back to your network design, doesn't it?  Building in redundancy, self-healing, multiple routes and proper failover is key now, isn't it?  You can't take shortcuts on the network anymore.  It is essential, with so much riding on the network, that the investment, the design, and the support are there.  Now put unified communications, video, presence and numerous applications on that network and you have a great deal of risk to the business.

If the network is now vital to the business, why are we not putting the hardware, bandwidth, security and proper staff into it?  The financial impact of an adequate network is substantial, and so is the financial impact of a failed network.  I propose to you that, as IT leaders, we need to do a better job of helping the business understand that the network is its lifeline.

A unified SAN-LAN management tool makes sense to me.  If you can have one tool to see across the enterprise and bring efficiency to your support team, it always makes sense.  The tool looks to be a great resource, with good workflow and benefits.  I was impressed with it and can see it bringing value to your network team.

Keep positive!

Scott Arnett

Monday, September 13, 2010

Mailbag

Hello everyone, hard to believe we are in September already; 2010 has gone by fast. What an interesting year.

I have gotten a great deal of mail this month, so let's get started in answering some questions. 

Q.  Windows 7 really better than Windows XP or Vista?
A.  I can tell you from my experience that I have been very pleased with Windows 7.  It is newer technology than Windows XP, so that is not a fair comparison, and it appears more stable and better performing than Vista.  I would recommend upgrading to Windows 7.  The downside is the hard-drive wipe and rebuild to get there.  Make sure you have solid, tested backups!

Q. What is your opinion on Dell - still a good buy?
A.  I have been a Dell customer for many years, but the products have changed as much as the company.  I have concerns over product reliability, technology and customer service.  In addition, I don't get the sense the company has a leading drive anymore; they are distracted by many internal challenges and reorganizations.  I have to say I have quickly become an HP customer, for both desktop and server.  I am impressed with the new desktop lineup and server technology.  HP is truly a leader right now.

Q. If you are asked to outsource part of your IT Group, what areas would you focus on?
A. This is a tough question without all the background details.  I am not a front-runner for outsourcing IT, though it can make sense in some cases.  You have to look at the drivers for the initiative: strictly a cost reduction, cost avoidance, or a performance issue?  That will help you determine a course of action.
I would take a good look at your day-to-day operations and see if you can gain anything in that space, while keeping your engineering, architecture, and application specialists.  If you are looking to fill a gap and don't have existing resources in that space, perhaps outsourcing is an option.  Be very careful about outsourcing as a cost saver; I have yet to find a successful case.  Most organizations go back to in-house staff after a trial period, for many reasons, having wasted a great deal of money.

Q. Why can't I get my management team to take backups and recovery seriously?  It is always cut from the budget, I never get funding for it, and I know that as soon as something goes wrong they will blame me.  Do you have any suggestions?
A.  You are not alone; many organizations are running on borrowed time when it comes to data protection, which is what we are really talking about.  If the management team does not take data protection seriously, this should be an audit finding.  Data protection (backups, security, leakage and so on) is the responsibility of the senior management team.  Document the fact that you put this in the budget every year, and document the fact that it is cut.  Then make one last effort and put together a memo to the team on the issue.  Clearly state the current state of affairs, the risk of what is in place today, the risk of doing nothing, and a couple of solutions to the problem.  After you have done all of this and they still do nothing, it is out of your hands.  When disaster strikes, the data is gone and the company is out of business, you have all the documentation you need to protect yourself.   I would also recommend you discuss recovery: how will you effectively recover from a disaster or hardware failure?  It is important to back up all your data, and just as important to be able to recover it.

Q. What do you recommend for a new incident management toolset?  Should we consider a Software-as-a-Service solution?  Should IT keep their own tools and application in house?
A.  There are some good tools out there for incident management, some with a great price tag and many features.  You need to find something that will foster ITIL methodology, and you need to be able to grow with it.  There is nothing wrong with looking at a SaaS tool; that is not a poor reflection on the IT shop.  Do you want to spend your staff's resources and cycles supporting your own tools?  I think you have better things to work on, right?  You asked for a recommendation, which is hard to give without knowing your environment, challenges and objectives.  I personally like the Service Now SaaS solution.  I think they offer a great product; it aligns with ITIL and seems to have some great features.  Check them out, you will be pleased.

That is all the time I have today.  Keep the emails and questions coming in.  It has been a few busy weeks, so I apologize for the lack of daily entries.

Scott Arnett
scott.arnett@charter.net

Sunday, September 12, 2010

9th Anniversary of 9/11

As a family yesterday, we took time to put out our American flag and offer a prayer for the families, victims and citizens impacted by this terrible event.  I remember where I was 9 years ago when it all started to unfold, and looking back still brings mixed emotions.

There are many in the news, on blogs, and in other media discussing our country's response to this event, the wars, the anti-Muslim events, and the list goes on.  This was an act of war on our country.  Many citizens lost their lives, both on the planes and on the ground.  It was conducted by terrible individuals who took innocent lives in the name of their god or religious views, was it not?  We see all the hate in these foreign countries towards America, towards us as citizens.  They burn flags, bibles, and the list goes on, yet we turn the other cheek.

America changed on 9/11; time we all face that.  We can't go back, we can't undo that change.  Our lives changed, our families changed, and now we go forward in a new order: security, border control, and yes, a view of who is sitting next to us and who may or may not be hiding intentions to hurt us.  America doesn't have open arms anymore; others hurt those arms.  America doesn't have patience left anymore; others took advantage of that.  America is low on tolerance; others stole that.

As we reflected on what happened that September day, we also reflected on how things have changed in the last 9 years, and where we are heading.  Interesting times.

Scott Arnett
scott.arnett@charter.net

Thursday, September 2, 2010

Virtual workers - does it work?

Virtual desktops, virtual servers, virtual networks, now virtual workers?  Are we really in a virtual world?  Hello - is that really you? 

One of the big benefits of having a virtual worker in a virtual office - you get more done!  Plus you maximize your time, no water cooler time wasting, no wasted time in traffic, finding a place to park, etc. 

To attract today's top talent, "Allowing telecommuting" is second only to "offering higher compensation than competitors" as the best way to attract talent. More than ever before, organizations are looking to expand the ability for their employees to work anytime and from anywhere.

The benefits to allowing teleworking, or the Virtual Office, are tremendous to all parties. The employee saves, on average, $4,000-$7,000 per year, and 350 hours per year. Savings come from reduced auto and business-related expenses.

The employer saves between $5,000 and $10,000 per year from many sources: reduced office space requirements, lowered utilities, lowered employee turnover, increased productivity, and lowered sick time and other unscheduled absences. In addition, the employer is free to expand the hiring pool outside of typical geographical constraints.

Finally, the environment wins as well. Each car taken off the road is equivalent to the CO2 reduction of 3/4 acre of trees. Moving 1,000 employees to a Virtual Office solution is the carbon equivalent of planting 750 acres of trees. That is significant - isn't it?

The Virtual Office is reliant on a few technologies (VPN, IP telephony, and Zero-Touch provisioning) that have entered mainstream adoption and make it very straightforward for an IT department to roll out a Virtual Office solution that is easy to deploy and easy to manage. Typically, the Virtual Office employee is sent a router and an IP phone along with a simple one page instructional sheet. The employee plugs in the equipment, logs on to the network, and the equipment is securely provisioned with a customized configuration within 10 minutes. All home-office equipment can be managed and updated from a central location.

I have seen many companies migrate to a Virtual Office solution for a portion of their workforce, such as a call center, with spectacular results: improved employee morale, increased productivity, and lowered office-related costs.

I propose to you that we will continue to see an increase in the Virtual Worker in a Virtual Office.  It is a win win for the employee, the company and the environment.  There are also some challenges with this from a technology standpoint, and for the business continuity plan.  It is worth the challenges though, and it can strengthen the company long term. 
 
Now, if we can come up with virtual work for the virtual worker - what a deal!
 
Stay positive!
 
Scott Arnett
scott.arnett@charter.net

Tuesday, August 24, 2010

Myths of Data Loss Prevention (DLP)

Data Leak Prevention, Data Loss Prevention - all the same thing, very important these days, yet do we really take it seriously?  Do you really understand what DLP is?  Do you want to block, or do you want to monitor?  Either way, everyone needs a formal incident response. 

Successfully using DLP to find & defend sensitive data depends on a few key items.  First - get a handle on your data storage - get it organized and maintained.  I would recommend some group policy and operational policy on data storage.  I would also highly recommend data classification, data retention, and a robust archive solution. 

DLP can help you reduce the number of data loss incidents, audit findings, and potential financial exposure.  But more important - it may be the tool that lets you know you had an incident.  It will help you enforce established policies, and it will show other exposures so you can keep the policies accurate and effective.

DLP is not the cure all to data loss.  It is a tool to help you manage this huge effort, but it still comes down to monitoring, due diligence, employee honesty and integrity.  I would also propose that many times data loss is not an intentional act, but an error.  Employees not knowing where to store their data, putting a sensitive PowerPoint presentation out on FTP so they can get it from home to work on, and the list goes on.  Keep your employee educational programs active and when you find these procedural errors - force the training issue. 

I am amazed at times how unstructured data management really is in many companies today.  One of the greatest assets is your data, yet we put very little effort in maintaining it.  Now is the time!

DLP takes resources, commitment, financial investment and HR policies.  It is not a plug and play tool - don't make that mistake. 

Keep positive!

Scott Arnett
scott.arnett@charter.net

Thursday, August 19, 2010

CIO's can quickly become overwhelmed

IT Management have their hands full these days.  IT organizations have a lot on their plates, and keeping the data center humming is only part of the equation. Factor in the threats coming at IT from every direction, and you can see why IT pros have ample reason to be paranoid. The invasion of consumer devices into the workplace, the rush toward cloud computing, the constant vigilance to prevent data spills, all while managing a meager budget in an era when your career can be cut short at any time can cause even the most level-headed IT pro to start looking over his shoulder.  How do you keep sane?

Having your data center go down can impact the business and hurt the entire organization.  The threats range from natural disasters to massive power outages, loss of connectivity, server meltdowns, cyber espionage, insider sabotage, cyber attacks, burglaries, and more.  Having a solid DR plan and incident response team is essential.  How do you do that with budgets being cut at alarming rates? 

You have gadget fever impacting the IT organization, you have executives reading trade magazines and all hyped up on cloud computing, and the list is long.  So there are reasons many CIOs and IT executives feel it is all out of control. 

I propose to you to keep a level head.  You have to manage up, down, and peer levels, but don't let it consume your life.  You work to live, and don't live to work.  Delegate consumer electronic issues to your Director of IT Services - get a handle on what is acceptable and what is not, and let the business make the decision based on your assessment, risks identified, and security threats.  This needs to include data leak prevention.  Your DR plan should be managed by your governance delegate, and have your team keep you in the loop and up to date in your executive team meetings.   

I would also leverage your relationships and business partnerships to do a check/evaluation of your environment and processes.  Check and adjust will ensure you are heading in the right direction and that all paddles are in the water.  I would also keep all the technology hype in check - don't get carried away on the technology march - but ensure you are delivering value to the organization. 

Have a regular scheduled meeting with the business to evaluate how IT is doing, the value they are delivering, and most important - determine the capabilities the business seeks.  Keep engaged and close to the business to make sure IT is bringing value to the organization. 

It is easy to get overwhelmed and consumed in all the chaos going on.  Deal with that which is important and some things - you just have to let go. 

Keep positive!

Scott Arnett
scott.arnett@charter.net

Thursday, August 12, 2010

Home Office Security - Who's Responsibility?

So, you have the ability to work from the home office, sounds like a great opportunity, in many ways.  Having the ability to work remotely for your company doesn't mean that you no longer have security or environment concerns.  Those items are now YOUR responsibility as a teleworker.  Do you know what you are responsible for? 

Let me share a few items with you, but I would highly recommend you contact your manager for a teleworker guideline.  Here are Scott's top items:

Security
  • Remote access from a company owned device must be by secure VPN
  • You still need to practice password protected screensavers, and physical security
    • If you walk away from your computer - lock it.  This will keep the kids or guests from using it or looking at it.
    • When you are done working for the day, turn the computer off, and lock it up.
  • Company data is confidential.  It is not to be shared with family and friends who happen to stop by for a visit.  Don't leave sensitive data sitting on the kitchen table or end table.  Put it away or shred it.  Having a paper shredder in the home office and using it is good security for your company data, and your personal data.  Every home these days needs a shredder.
  • If you are using your personal computer for work, make sure you have:
    • Current anti-virus protection
    • Personal firewall - software or hardware
    • Wireless network locked down
    • Backups of your files
    • A folder on your computer to keep all work related information
  • I would also recommend you have a computer for work use, and a computer for the family
Environment
  • Make sure your work space is a comfortable space, functional and safe
  • Have a fire extinguisher in the home
  • Have a DR plan.  If you are a full time work from home employee and your home is no longer available, what is your DR plan?  Power is out, what do you do?  Network is down?  Work out your plan now, document it and practice it.
  • Security Systems - if you have company sensitive information or data - how are you protecting it?  Are you responsible if it is lost or stolen?  Do you have a system to alarm on fire, break in, water, smoke?
  • Public exposure - Sensitive company information must not be read, discussed, or otherwise exposed in restaurants, on airplanes or trains, or in other public places. If you frequently need to work from public places, a privacy shield should be used on your laptop screen.
  • Telephone Discussions - Sensitive information must not be discussed on speaker phones unless all participating parties first acknowledge that no unauthorized persons are in close proximity.
  • I would track your expenses for tax purposes.
I propose to you that your home is your responsibility.  Having the ability to work from the home office is a privilege, and security is your responsibility.  Your employer is depending on you to ensure data protection and safe, secure computing.  You need to be able to demonstrate your steps to ensure security and responsibility.  I would also suggest that the security measures you are putting in place for your employer will benefit you as well.  Your own financial documents, personal documents and information need to be protected too, so take it seriously. 

I would also take some time to check out the government readiness websites and know how to build a home DR plan, incident response, and family planning.  Important stuff. 

Security is EVERYONE's responsibility.

Scott Arnett
scott.arnett@charter.net

Wednesday, August 11, 2010

Manager Upgrade?

I got an interesting email from a colleague with some questions seeking some management guidance.  Here are some of the details:

The colleague is a Director in IT and has a manager as a direct report who is not performing as expected or needed.  The manager is not leading his/her team, does not give direction, the team is not performing, and the complaints are coming in.  The CIO is now coming down on the Director to fix the problem, and the Director is unsure how to handle it, as several meetings have taken place with no change. 

Not to sound like Dr. Phil, let me give some suggestions and insight from my real life experiences.  It sounds like the Director has had a few meetings already with the manager and nothing has changed.  So that would be step one - have another meeting with the manager.  Sit down with the manager and give direct instruction, feedback and expectations.  Document the meeting, and send a copy to the manager and keep a copy.  Be sure your documentation clearly states expectations, actions, and a timeline.  Much of this is going to have to work in parallel, as the CIO is now watching the Director. 

Next step is to start attending the manager's team meetings.  If there are no team meetings happening, get them started.  The manager should run the meeting, set the agenda and communicate to the team on the key issues.  You are there to support and help field questions, but not to take away from the manager's position.  Take notes during the meeting, and then that day have a follow up meeting with your manager to provide feedback on the team meeting.  It is important that the manager is communicating to the team about the performance and concerns of productivity.  If that is not happening, you need to make sure the manager understands this is essential.  Without having all the background information, perhaps an urgent meeting with the team and manager is in order to start addressing the concerns.  I would also take a few of the team members to lunch and get some direct discussion and feedback going. 

Keep in mind that many times we put these IT technical folks into management positions that they can't handle or don't have the ability to handle. Find out the details around the person in the position.  If things are not changing, have a second meeting with the manager with an HR representative and put together either a correction plan or an exit plan.  There are times you may need to make an immediate change.  Letting this go on too long can have an impact on the team, and other teams within IT.  You need immediate improvement and change, and waiting months for a correction plan may yield nothing.  In the meantime, your team members are frustrated and leaving the company. 

The other side of the coin, and I have seen this a couple of times when a team member was promoted to team manager, is that the team is the issue.  Have some one-on-one meetings with team members with the manager present, and set expectations and action items.  If the team is walking all over the manager, not listening or working as a team - time for some quality time with the Director.  It is the Director's role to bring the hammer and start addressing the behaviors and problems with the team.  Sometimes you have to make some changes to the team to change the chemistry or personalities. 

As the Director, you also need to keep the CIO updated on the action items you are taking to correct the problem and turn this around.  If it is not the manager, be sure to communicate this to the CIO, as you don't want your manager to have an unearned label.   Be decisive, direct and take charge - letting this issue dwell too long can have an impact on your long term position in the company. 

I propose to you, as the Director, to address the bad, praise the good, and communicate.  Build a better relationship with your manager if you can, and with the team.  Follow up, even when you think it is resolved and going ok; keep close tabs for a while - make sure it wasn't just a sweep under the rug, but a true resolution.

Keep positive!

Scott Arnett
scott.arnett@charter.net

Friday, August 6, 2010

Mailbag

The emails are coming in, and I said I would do a mailbag post each month.  Being that it is Friday, what better way to end the week than to answer some of your questions.  It has been a busy week, and I know all of you are keeping busy with work, family and summer fun. 

Our first question comes to us from Florida. 
Q.  Scott, we have some really old servers in our data center.  The company thinks as long as they are running, we are saving money not replacing them.  My concern is not only an eventual hardware failure due to age, but that we are missing other opportunities.  What do you think are the benefits of keeping up on server hardware, and how often should we replace them?

A.  My rule of thumb has been 4 or 5 years should be the max.  Most warranties are done around 3 years, and beyond that the maintenance costs are going to go up.  Rather than keep older servers beyond their asset life cycle, one company we spoke to opted for a full replacement of its servers to drop energy costs 60%, while increasing overall performance beyond 500%.  Newer hardware now has power saving technology and faster/better performance, so you may be able to have a smaller footprint to provide resources for those applications.  There are some great studies out there on this topic, and I would put together your case for why this old hardware is costing money, not saving money. 

Q. Jackie Fenn’s Hype Cycle for Emerging Technologies is one of Gartner’s most referenced research notes. The Hype Cycle provides a cross-industry perspective on potentially transformative technologies - what do you think about the Hype Cycle and is it of value?

A.  What is all the Hype?  Ok, serious - I do find it of value.  Senior executives, CIOs, strategists, business developers and technology planners will want to consider these technologies when developing emerging business and technology portfolios. But again, it is one person's research and guess work.  Much of it is just that, Hype or a vendor driven "make a market" approach.  It is of value to see what is going on out there, but you have to keep in mind which of these technologies will bring value to your organization.  What will help drive value, capability and game changing business objectives?  Don't get caught up in the Hype, or in keeping up with the Joneses.  Many of these technologies come onto the market 1 year and leave the next.  Short lived technologies can hurt your organization or put you in a tough spot.  Do your homework.

Q.  If you had to do it over again, would you go into IT?  Knowing what you know now, would that change your career?  How will your career change going forward?

A. Great question, one that makes me stop and think.  The rear view mirror is a great thing isn't it?  You can see what just happened, but you can't do anything about it, except use it as a reference for what you see coming at you.  If I had to do it over again, I would probably go into IT; I love the technology, and the challenges, and love figuring out the tough crises.  I would probably do some of it differently, but all in all IT has been good to me.  The politics is what will kill you.  I still encourage high school kids to take a serious look at IT and Technology as a career choice.  What will my career look like going forward - that is a good question.  My dream job would be a technology focused attorney.  That means someday I have to get back to school and get a law degree.  Taking all I know in technology, business, and data and applying that to legal challenges seems like a great career version 2.0. 

Q. Do you think there will be another revolution in our country in the future?  Are we heading to another civil war?

A.  I am keeping this blog focused on Information Technology, and try to stay out of politics, religion and kitchen wars.  I do find this question interesting, and I know a great deal of folks are talking about this these days.  We went to a family reunion some weeks back and this topic came up as well.  I do think our country is heading in a bad direction, enormous debt, too much foreign influence.  Our relationship with China should bother everyone, this is a relationship that will come back to hurt us.  They own too much of our debt, they have a huge military build up, and have a retail store in every US town - Walmart.  I think civil unrest is happening today and will possibly increase in the year to come.  I think we have to deal with the immigration issues, lock down the borders, and get a handle on these terror groups.  Will the South rise again - maybe, but will it be against the north or another group?  I think the current administration has done more harm than good, and Washington has become so corrupt that the wheels have come off the little red wagon.  It is a dark cloud future for us, and I fear for the world our kids will have in 20 years.  We need to make changes now, before it is too late. 

Have a great weekend - keep the emails coming.

Scott Arnett
scott.arnett@charter.net

Tuesday, August 3, 2010

Computer Hackers - Targeting Power Plants?

You have heard me say before, if you want a secure network, unplug it.  Right?  Do we really need our critical infrastructure on the public internet?  Can they not have a private network - sure they can.  Many organizations are not taking Information Technology (IT) security seriously. 

Computer hackers have begun targeting power plants and other critical operations around the world in bold new efforts to seize control of them, setting off a scramble to shore up aging, vulnerable systems.  You know, those items that come up every year during the budget process, that we put off another year..........

Cyber criminals have long tried, at times successfully, to break into vital networks and power systems. But last month, experts for the first time discovered a malicious computer code - called a worm - specifically created to take over systems that control the inner workings of industrial plants.

In response to the growing threat, the Department of Homeland Security has begun building specialized teams that can respond quickly to cyber emergencies at industrial facilities across the country.  In addition, we need to start holding corporate internet users accountable.  If you plug in - you must be secure.  If you can't pass the Homeland Cyber Security Audit - you are unplugged.  Simple isn't it?

As much as 85 percent of the nation's critical infrastructure is owned and operated by private companies, ranging from nuclear and electric power plants to transportation and manufacturing systems. Many of the new attacks have occurred overseas, but the latest episode magnified worries about the security of plants in the U.S.

"This type of malicious code and others we've seen recently are actually attacking the physical components, the devices that open doors, close doors, build cars and open gates," said Sean McGurk, director of control systems security for Homeland Security. "They're not just going after the ones and zeros (of a computer code), they're going after the devices that actually produce or conduct physical processes."  I think that is a crucial point, don't you?

Officials have yet to point to any operating system that has been compromised by the latest computer worm. But cyber experts are concerned that attacks on industrial systems are evolving.

In the past, it was not unusual to see hackers infiltrate corporate networks, breaking in through gaps and stealing or manipulating data. The intrusions, at times, could trigger plant shutdowns. The threat began to escalate last year, with cyber criminals exploiting weaknesses in systems that control what the industries do.  What about HealthCare?  Patient data secure?  Key life support systems that sit on the network and report to the nurse station - secure?

The latest computer worm, dubbed Stuxnet, was an even more alarming progression. Now hackers are creating codes to actually take over the critical systems.

In many cases, operating systems at power plants and other critical infrastructure are decades old. Sometimes they are not completely separated from other computer networks used by companies to run administrative systems or even access the Internet.  Who is being held accountable?  What about annual audits?  Vulnerability scans?  Seems to me there should be some wake up calls here.

Those links between the administrative networks and the control systems provide gateways for hackers to insert malicious codes, viruses or worms into the programs that operate the plants.  There needs to be appropriate network design, check points, monitoring and prevention. 

I propose to you that the wake up call will not happen till we see a major power grid failure due to a computer hack from a foreign interest.  Computer security has not been taken seriously; it is always a budget line item that is cut, and there is no one being held accountable.  If a corporate or enterprise network is compromised - there needs to be an investigation and determination of what happened, and why.  Too many times we sweep these under the rug, hope it will go away to save face, and hackers are benefiting.  If your company has a network and plugs into the internet backbone - you better have security, monitoring and a response team.  If you cannot pass a security check - a random check - you get unplugged.  You are compromising all organizations. 

Security is everyone's responsibility!

Scott Arnett
scott.arnett@charter.net

Monday, August 2, 2010

Windows? Linux? Need to switch?

Talk about a hot button - Linux or Windows.  You have to also ask yourself, are we talking desktop or server?  There are some great appliances out there using a custom hardened Linux kernel - and they work great.  I know there is a great debate taking place about which operating system is better. Jack Wallen, host of the Linux and Open Source blog, started a lengthy discussion asking the question: Why would you choose Windows over Linux? I thought that was kind of funny, because recently I have been asking myself the opposite question: Who would choose to switch to Linux?  You have Windows at home, the kids use it at school, and I have a great productive office suite called MS Office 2010. 

I could go through a litany of complaints I have about Linux. I could complain about the confusing number of distributions. I could complain about the propensity of Linux proponents to cause unnecessary confusion by abbreviating or using acronyms for Linux-only functions. I could complain about the silly confusing names they give applications.  I could go on about the support structure, and the endless "experts" out there.

I could complain about cryptic command lines, nonexistent instructions, obscure references, and septic responses from the “open source community” to novices and their questions. I could reiterate that a multi-step process that takes an hour to work through to get Linux to put music on to my iPod is not EASY. I could point out that I receive security patch notices almost weekly for SUSE Linux, which indicates that as an operating system Linux is not any more safe than Windows.  We all love to bash Microsoft for the weekly updates or patches - is it really different in the Linux world?

But all of that is not addressing the correct issue, is it?

Digging deeper - The debate about operating systems is a senseless debate about something that, in the long run, makes no difference. An operating system exists only to create an environment for applications; nothing more, nothing less. Most people sit down at a computer and just start using it without worrying about what operating system it is running.  I want to make sure my applications work, that the computer works, and is painless.  Right?

I have no knowledge of the operating system that runs my microwave oven. I don’t have to install the popcorn application — it is already there, and it works just fine. I don’t care who made it, I don’t care if it is open source, and I don’t spend time on PopcornRepublic discussing the merits of one popcorn application over another. It doesn’t matter — what matters is that I get a good bag of popcorn.

What matters in a personal computer is that I can run the applications that I want to run without having to worry about whether I have the correct operating system. You can argue that we are not quite there yet, but I think outside of the information technology industry, at the user and consumer level, they are there already. Consumers buy a personal computer for the applications; they know what they want a computer for. Much of the time, the operating system is Windows, but do you really think they care?

Why Windows? Jack wanted to know why Windows and not Linux. At the base level the answer is simple: Because that is what came with my PC when I bought it and there is ABSOLUTELY NO COMPELLING REASON to go through the trouble of switching operating systems just so I can run applications that are similar (or even identical) to the applications I already have.  Plus, I can point and click and get to what I need.

The whole mythology that Linux is perfectly safe and never crashes is just wishful thinking. I have seen Linux crash — I’ve watched John Sheesley crash Linux over and over again. Viruses and worms exist that take advantage of Linux bugs and security lapses just like Windows. Those kinds of problems are not exclusive to any one operating system.  So did we really benefit from switching to Linux?  You will always have the IT guru wanting something cool, better, new - but for the average user - is it worth it?  Probably not.

The real security weakness lies with users and their willingness to click on a link, any link, just to see where it leads. The nefarious among us take advantage of this aspect of human behavior — that has nothing to do with the operating system.  Those emails, those text messages - even the phone scams - we have to be on guard at all times. 

Need to switch?  So why Windows — why not? That is what the user knows and, so far, no one has offered any compelling reason for them to change their operating system. For the part of the population not engaged in the raging operating system debate, the question is meaningless — they just want to run applications.

I propose to you, that Windows is still a solid operating system, meets the needs, has great applications that perform well on it, and is getting better every year. 

Keep positive!

Scott Arnett
scott.arnett@charter.net

Friday, July 30, 2010

Gartner - Friend or Foe?

Many IT Executives really base all decisions on what Gartner says.  Good plan?  Today, the smart money is on innovation, powered by IT. What can you do that you didn’t do before? What can you offer that your competition can’t? The answers lie in emerging technology concepts that will forever change how you collaborate with colleagues, interact with customers and use information to make faster, better business decisions. So is Gartner a friend in this?

As the flow of unstructured information grows in volume and intensity, even those organizations with a BI stake in the ground are struggling to understand the impact of shifting data patterns, and deliver on an increased demand for transparency and improved data quality. Still others are trying to bring order to their data chaos to eliminate the “white spaces” that prohibit a common view of the enterprise and negatively impact cohesive, collaborative decision making.  Can Gartner help you with this?

The technology successes of the past 20 years, while remarkable, are sometimes less surprising to IT experts than the failures are. Why does one IT concept get derailed in its infancy while another achieves widespread adoption? Can we expect technology advances to emerge more quickly in the future than they have in the past?  How do you know what technology will make it and what will not?  Does anyone know?

Gartner does not have a lab; they do not test any of the technology or put it through any kind of lab research.  They interview both vendor and customer and do analysis.  So is what Gartner has to say gospel?  Probably not.  The information they have to share is of value, and as an IT Executive you should read and evaluate it. 

I propose to you that Gartner is a tool in the management toolbox for the IT Executive.  I would reference their opinion, but I would also develop relationships with your vendors, colleagues and industry leaders.  A balanced opinion on a topic is best, and your decision should be based on a well balanced view.  In addition, take your business needs, business capabilities and direction into account when deciding your technology direction.  This is no time for the faint-hearted. Having the confidence to act decisively is key to your company’s success, and crucial to your career.  Thousands of CIOs and senior IT executives return regularly to Gartner to identify trends, plan initiatives and evaluate both short- and long-term strategies.  Keep in mind that Hype is Hype.  Don't always follow the pack just for the sake of being a follower.  See what others are doing and see if it plays a key role in your organization - does it bring value, a good TCO, and provide enabling capabilities? 

Therefore, I would say Gartner is a friend, but not the authority on what you should do.  As IT Executive - your business is asking you to be the technology authority for your company.  Take the responsibility serious.

Stay Postive!

Scott Arnett
scott.arnett@charter.net

Monday, July 26, 2010

PC Virus Phone Scams

Have you gotten a phone call claiming you have malware on your computer, and that for a small fee the caller will remote into your computer to help clean it up?  Sounds like a good deal, right?  Wrong.

The stories out there about people being scammed by cold calls from Indian call centres have been remarkable.  (A quick reminder: people get cold-called and told there's a "problem with your computer", are talked into handing over remote access, and then pay $85 or so for "remote support".  It's not worth taking up the offer, and the police took action against a number of sites used for this scam in April.)

Here is an interesting story from a victim...  "These aren't always "cold" calls.  My mother called her telephone/internet provider about an intermittent problem with her phone line - it was an Indian call centre.  15 minutes later she received one of these calls - obviously her information had been passed on by an insider - claiming to be a follow-up as they had spotted a problem with her broadband.  She was thoroughly bamboozled by the caller (she's in her mid-70s), but had enough presence of mind to put the phone down when he started demanding money.  Fortunately, this was before the dodgy software had been downloaded.

"Of course, her phone provider denied that this was possible..."

If you have good antivirus and internet security software loaded on your computer and keep it updated, you have little to worry about from the malware the caller claims to have found.  Keep in mind, though, that no security product protects you once you hand a stranger remote control of the machine, so hang up on these calls.  If you do have a concern or an issue, Microsoft offers a free scan tool, and others do as well.  Call a local, storefront business for assistance.  Your data is on that computer: if you leave the computer with a shop, get a written agreement covering confidential information and privacy.  Set the expectations up front.  It is your computer, your data, and your responsibility. 
 
I find working with these call centers very difficult.  Difficult to hear, difficult to understand, and personally, I don't want my account information, financial information and details about me being accessed by these offshore centers.  India does not have the same laws or social expectations as we have here.  In addition, there are questionable motives in many of these activities. 
 
Personally, if I call a company and the call center is offshore, I hang up.  If unsure, ask - you have a right to.  I propose to you that until we get global laws dealing with privacy, data security and network security, this will be an ongoing threat to our well being.  Not everything is as cheap as it appears on a spreadsheet.
 
I like to deal with the small town business man, where a handshake still means something.
 
Scott Arnett
scott.arnett@charter.net

Friday, July 23, 2010

Laptop Encryption - Necessary? Really?

Have a laptop?  Travel with it?  Ever worry about it being lost or stolen?  Do you take extra steps to secure your laptop, like putting it in the trunk and never leaving it in your hotel room?  Who is responsible for the laptop if it is lost or stolen?  Was it your responsibility?  Do you know the laws around this topic?

The law now mandates encryption of data on laptops, smart phones, USB sticks and similar devices.  Which law?  The new state privacy laws, with Massachusetts' data security regulation (201 CMR 17.00) the most prominent.  Some of the new requirements are unsurprising.  Perhaps the bases are already covered: a Written Information Security Plan (WISP), encryption of data on laptops and portable devices and in transit to your servers, policy controls on third party access, and so on.  You realize you’re not there yet, but steps have already been taken in the right direction.  Right? 

Fines?  Up to $5,000 per violation.  Lose records for a thousand Massachusetts residents and the company could be out $5M.  Okay, that’s serious.  Taking it seriously?  Not many companies are yet.  Every laptop should be encrypted before it leaves the setup lab.  The law requires a combination of “technical, administrative and physical safeguards.”  Workstations and servers may be password protected, but a login password does nothing once the box is simply carried off, the drive pulled, and the disk contents read on another machine.  You may have a state-of-the-art firewall, but do your perimeter protections guard against walk-offs?

I propose to you that full-disk encryption tools such as PointSec and SafeBoot are essential to every laptop build.  Windows now ships with this capability (BitLocker), so turn it on, and escrow the recovery keys centrally so that a forgotten passphrase or a replaced motherboard does not turn into its own data loss.  No laptop should ever leave the building without these safeguards.  Laptops are lost or stolen at airport security checkpoints all the time, in hotel rooms, in cars, and the list goes on.  The laptop was assigned to you, so you are responsible. 

Laptop encryption should be part of your security framework; it is necessary, and it is now required by the new privacy laws.  I would also propose that each user be careful about what data they store on the laptop, back the laptop up, and maintain that data. 
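Here is an added example of the "before it leaves the setup lab" check described above; it is not code from the original post, and it uses Windows' built-in BitLocker rather than the PointSec or SafeBoot products the post names.  It assumes a Windows laptop with a TPM and the BitLocker PowerShell module, joined to an Active Directory domain whose Group Policy permits recovery-password escrow, and an elevated PowerShell prompt.  The check refuses to sign the laptop off unless the OS volume is fully encrypted, protection is on, the key is bound to the TPM, and a recovery password exists; the remediation function creates the recovery password and escrows it to AD before encryption starts, so the key is never only on the laptop.

```powershell
# Added example (not from the original post). Pre-release check for the laptop
# setup lab plus a remediation routine. Assumptions: Windows with the BitLocker
# module, a TPM, domain membership with AD key escrow allowed by GPO, elevated shell.

function Test-LaptopEncryption {
    param([string]$MountPoint = $env:SystemDrive)

    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    $problems = @()

    if ($vol.VolumeStatus -ne 'FullyEncrypted') {
        # Partially encrypted drives still leak whatever has not been converted yet.
        $problems += "volume is $($vol.VolumeStatus) ($($vol.EncryptionPercentage)% done)"
    }
    if ($vol.ProtectionStatus -ne 'On') {
        # Encrypted but suspended: the volume key sits on disk in the clear.
        $problems += "protection is $($vol.ProtectionStatus)"
    }
    $types = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType })
    if ($types -notcontains 'Tpm' -and $types -notcontains 'TpmPin') {
        $problems += "no TPM protector (found: $($types -join ', '))"
    }
    if ($types -notcontains 'RecoveryPassword') {
        $problems += "no recovery password; a TPM swap or forgotten PIN would lose the data"
    }
    return $problems
}

function Enable-LaptopEncryption {
    param([string]$MountPoint = $env:SystemDrive)

    # 1. Create the recovery password first, so a usable key exists before
    #    the TPM binds the volume.
    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    if (@($vol.KeyProtector.KeyProtectorType) -notcontains 'RecoveryPassword') {
        Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector | Out-Null
    }

    # 2. Escrow every recovery password to Active Directory before encrypting.
    Get-BitLockerVolume -MountPoint $MountPoint |
        Select-Object -ExpandProperty KeyProtector |
        Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' } |
        ForEach-Object {
            Backup-BitLockerKeyProtector -MountPoint $MountPoint `
                -KeyProtectorId $_.KeyProtectorId | Out-Null
        }

    # 3. Turn on encryption keyed to the TPM. -SkipHardwareTest avoids the
    #    extra reboot; drop it if you want BitLocker to verify the TPM first.
    if ((Get-BitLockerVolume -MountPoint $MountPoint).VolumeStatus -eq 'FullyDecrypted') {
        Enable-BitLocker -MountPoint $MountPoint -TpmProtector `
            -EncryptionMethod Aes256 -SkipHardwareTest | Out-Null
    }
}

# Lab sign-off: exit 0 only when every check passes.
$findings = Test-LaptopEncryption
if ($findings.Count -eq 0) {
    Write-Host "OK: $env:SystemDrive is fully encrypted and protected; laptop may leave the lab."
    exit 0
}
$findings | ForEach-Object { Write-Warning $_ }
Write-Host "NOT READY. Run Enable-LaptopEncryption, let encryption finish, reboot, then re-check."
exit 1
```

Run the script as the last step of the build; a non-zero exit code is the lab's signal that the machine stays on the bench.  The ordering in the remediation routine matters: the recovery password is created and escrowed before encryption is enabled, so there is no window in which the only copy of the key lives on the very laptop you are trying to protect.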

It really is necessary.

Scott Arnett
scott.arnett@charter.net

Thursday, July 22, 2010

The Good Old Phone Service

One thing you can usually count on with a high degree of confidence is picking up the telephone at home and getting a dial tone, right?  In the past 40-plus years I can only think of about 5 times our phone service was down.  Is the new VoIP that reliable?  Do we have the same expectations?  I know I do......

VoIP phone services keep growing.  The cable companies, Charter for example, are competing very effectively against the traditional legacy carriers for voice services.  Pay phones keep disappearing.  Mobile voice call volume keeps growing.  How reliable is your cable TV or cable modem?  I know mine is not reliable - it has been down 9 times in the past 10 months, and not weather related.  So why would I move my phone service to this unreliable provider?

We will eventually see the PSTN retire and POTS disappear.  Wireless and broadband connections proliferate while the old copper pair connections offered by the Telcos are turned off, as many as 700,000 lines per month.  The trend is all downhill for the PSTN and its legacy operation.  This does not mean, however, that the PSTN will close soon or without challenges.  Not everyone is going to live with this poor performance - or will they?  Nevertheless, when all else fails, POTS is what we turn to as a back-up.

Is there a National Security concern here?  Federal, state and local governments depend on the PSTN.  The Department of Defense (DoD) and the Department of Homeland Security (DHS) will be very interested in any degradation, loss of coverage or closure of PSTN services.  Since the PSTN has been and continues to be part of the plans of these agencies, I expect they will have to evaluate the ramifications of a PSTN closure.  I also expect a long, drawn-out evaluation process before any decisions are made.  Are wireless or broadband services as secure as the good old phone service?

The replacement of the PSTN with broadband access will affect many DoD and DHS systems as well as the government communications contracts that are in place.  These contracts assume there is a PSTN.  Can the government agencies cancel the contracts in favor of a broadband solution?  At what cost?  How will the migration occur?  What about the networks used by these agencies beyond the US border?  Will there have to be two distinctly different networks, broadband in the US and international PSTN for the rest of the world?  These are complicated issues that will make the closure of the PSTN a primary problem for these agencies, and one most do not want to face soon.
 
I propose to you that we will continue to see a decrease in new demand for wired phone services.  As fewer customers remain to cover the fixed costs of maintaining the wired network, there is less profit for the carrier.  If carriers raise rates to make up for fewer customers, they will push more customers away.  I know I don't want more bills or higher bills.  

The other side of the coin: where are the customers pushing these broadband providers to provide a reliable service?  I can live without cable TV, and I can live without internet or email, but it is a safety concern to have no working phone service in the home.  VoIP services need to have the same reliable, redundant and simple service that we have come to expect from the good old phone system.  I don't see that today.  I refuse to push my phone service over to a broadband provider and have ongoing monthly outages - and most of those outages are in the middle of the day.  Nothing like doing router upgrades, network changes or maintenance in the middle of the day.  These providers need to understand that these services have to be available 24/7, 365.  Until they can provide that, they won't win over all the customers from the good old phone service. 

I can still take your call on my good old phone service!

Keep engaged and positive!

Scott Arnett
scott.arnett@charter.net

Wednesday, July 21, 2010

HIPAA Proposed Modifications

As reported last week, on Thursday the Department of Health and Human Services ("HHS") issued its long-anticipated notice of proposed modifications to the HIPAA privacy, security and enforcement rules.  Why the changes?  The goal is to strengthen the privacy and security protection of health information, and to improve the workability and effectiveness of these HIPAA Rules. 

The proposed rule states:  "We propose to add language in . . . the definition of “business associate” to provide that subcontractors of a covered entity – i.e., those persons that perform functions for or provide services to a business associate, other than in the capacity as a member of the business associate’s workforce, are also business associates to the extent that they require access to protected health information. We also propose to include a definition of “subcontractor” . . . to make clear that a subcontractor is a person who acts on behalf of a business associate, other than in the capacity of a member of the workforce of such business associate. Even though we use the term “subcontractor,” which implies there is a contract in place between the parties, we note that the definition would apply to an agent or other person who acts on behalf of the business associate, even if the business associate has failed to enter into a business associate contract with the person."  Sound like your cloud computing arrangements?

In today's business world, with ever-expanding multi-level arrangements for outsourcing, offshoring, and cloud computing, such a change in the HIPAA regulatory structure would have a tremendous impact. This appears to be exactly what HHS has in mind. As noted by the NPRM, "we propose that downstream entities that work at the direction of or on behalf of a business associate and handle protected health information would also be required to comply with the applicable Privacy and Security Rule provisions in the same manner as the primary business associate, and likewise would incur liability for acts of noncompliance."  Keep in mind, you can't outsource your responsibility!

It is quite possible that many such vendors have no idea that they serve in such a capacity, or fail to do the due diligence to determine whether they are an agent of a business associate.  Going forward, if the proposed modifications become final in their current form, vendors MUST determine whether they are playing such a role and set up contracts and handle compliance obligations accordingly.  It will be the business associate's responsibility to set up a contract (and a business associate will be liable for a civil money penalty for a violation based on the act or omission of any agent of the business associate, including a workforce member or subcontractor, acting within the scope of the agency).  However, the lack of such a contract (i.e., the business associate's failure to comply with its own responsibility in this regard) would not let the agent off the hook.  Ensure your contracts cover all your obligations under HIPAA.

The NPRM provides the following example: "under this proposal, if a business associate, such as a third party administrator, hires a company to handle document and media shredding to securely dispose of paper and electronic protected health information, then the shredding company would be directly required to comply with the applicable requirements of the HIPAA Security Rule (e.g., with respect to proper disposal of electronic media) and the Privacy Rule (e.g., with respect to limiting its uses and disclosures of the protected health information in accordance with its contract with the business associate)."

• OK, but if the covered entity fails to set up a contract with me as a business associate in the first place, I am not a business associate, right?

Wrong. Even if there is no contract, under the proposed modifications, you are a business associate if you meet the definition of business associate:  "a person is a business associate if it meets the definition of “business associate,” even if a covered entity, or business associate with respect to a subcontractor, fails to enter into the required contract with the business associate."

As discussed above, the proposed modifications would add references to business associates in the Security Rule to make clear that, consistent with the requirements of the HITECH Act, business associates are now directly responsible for complying with the Security Rule.  It is your responsibility to clearly define the business partner/associate/vendor role.  It is their responsibility to understand that role, and the contract should clearly state roles, compliance obligations and how they will be audited.  It is your responsibility to audit your providers under contract for compliance, awareness and security. 

I propose to you that these changes are necessary and good steps toward securing health data.  Too many organizations are quick to move portions of their IT organization to business partners in the hope of getting out from under HIPAA requirements.  Like I said before, you can't outsource your responsibility.  The responsibility remains with you, and any willful neglect is on your shoulders.  Security has to be taken seriously throughout the organization.  This includes social engineering training for your reception staff! 

One more thing: research your cloud computing vendors.  Do a complete audit of their processes, facility and security, and review their third-party audit reports.  Make sure you understand their complete security posture and what safeguards they can provide around your data.  There are SaaS and cloud providers going into business that shouldn't be in business - they clearly don't understand security.  Be cautious.

Keep positive and engaged!

Scott Arnett
scott.arnett@charter.net

Tuesday, July 20, 2010

Help Desk Challenges

Every successful IT organization has a help desk or service desk component.  Service desk staff are the front door to the IT organization - they take all the phone calls, emails and IMs, and have to assure the user community that their issues will be addressed. 

Help desk analysts are a unique breed.  Not only must IT support professionals thoroughly understand enterprise computing systems, they must also convey their technical expertise clearly and succinctly to end users.  Above all, help desk professionals must possess top-notch customer-service skills and stay cool under fire.  The group also needs a good manager who keeps a pulse on the team.

To help you hire the best people for these critical spots, use your team to help interview.  You also need a ready-to-use job description that lists the skills the ideal candidate will have, as well as the duties that person is expected to perform, and a series of interview questions geared to help you zero in on the right candidates.  People skills are key in this position.  You can teach a candidate all the technical skills they need to be successful, but people skills are tough to teach - they should come naturally.

Of course, quickly and efficiently resolving users' technology problems is a challenging and often thankless job.  While the team is expected to manage a wide range of issues, from deploying new solutions to calming irate users, few resources exist to help them overcome not only technical hurdles but interpersonal issues as well.  The manager needs to be able to move staff around to other tasks and not just keep them on the phone 8 hours a day, 5 days a week.  You can burn staff out, so keep a pulse on the team and give them options for a break from the phones.  That is why I like to put the help desk, procurement, and desktop groups under one Director-level position.  Cross training, knowledge sharing and many of the ITIL functions fit this model well.

I would also make sure you have the necessary tools in place to help this team be successful.  Incident Management, Asset Management, and the applications needed to manage them are essential.  Take a look at ServiceNow: it is a SaaS solution, it covers many ITIL functions, and it does not require infrastructure support for the tool itself.  Nice solution, worth a look. 

I propose that the biggest challenges for the enterprise help desk are staffing, morale, and job satisfaction.  We manage our business call centers appropriately, but we don't always treat our help desk as a call center, and it becomes a negative environment quickly.  Manage the staff workloads, morale, tool sets and workflow, and provide a path to success.  A manager's goal should be to see their staff succeed and move on to other teams within IT, like tier 3 support, server support, staff training, etc.  Give them a promotional track.

I would also ensure the IT management team spends time with the help desk team and gets their feedback; they hear from the user community hourly, so they are a great resource for collecting feedback.  Engage the team, thank the team, and give them some recognition.

Keep it positive!

Scott Arnett
scott.arnett@charter.net

Monday, July 19, 2010

Shouldn't compliance be a enterprise wide initiative?

Governance, risk, and compliance (GRC) issues are hot topics today, thanks to a myriad of high-profile stories about companies that failed to meet regulatory requirements governing finance, environmental compliance, and other areas.

Addressing individual regulations can prove to be a costly and complicated process.  Organizations quickly start to wonder whether they can afford compliance and regulation, and where all the FTE staff are going to come from. 
 
SAS 70 audits are now being replaced: SSAE 16 is the new attestation standard that supersedes SAS 70.  How do you keep it all straight?  Should we have a compliance department just to deal with all of this?  In most cases, yes.  In addition, the compliance department should not report up through the CIO; it should belong to the risk or legal group. 

Many companies have responded to regulatory mandates by implementing disconnected, tactical processes and point solutions that address a single regulation or corporate initiative.  But these fragmented efforts can make compliance far more costly and complicated than it needs to be.  You would need to purchase and deploy a separate GRC application for each enterprise application, and then define risks, set policies, and monitor compliance for each one.  At the same time, you need to find a way to manage countless GRC policies, decisions and GRC data - data that is likely based on different metrics, standards, software, and methodologies.  The resulting complexity can make it impossible to aggregate this data to gain a complete view of enterprise risk.

A true cross-enterprise GRC solution dramatically simplifies the management and execution of these activities, making it easy to compile data for a comprehensive perspective on overall exposure, monitor compliance and risk effectively, and adjust business processes to meet changing business and regulatory mandates.

I propose to you that whatever GRC solution you are looking at, make sure you do a five year cost evaluation.  Year 1 looks very good, but make sure you clearly understand the cost matrix for years 2-5.  Many of these vendors love to raise license or maintenance costs after year 1. 

In summary, it only makes sense to have an enterprise wide initiative and approach to compliance.  An accurate and complete application inventory, data management (classification, retention, storage), and a security framework will help drive the success of this initiative.  Don't be afraid to audit yourself internally to measure how you are doing, and how you can improve. 

Keep engaged and positive!

Scott Arnett
scott.arnett@charter.net

Friday, July 16, 2010

Confrontation in the workplace - does it make you uncomfortable?

Ever have those days where you just dread going to work?  Think about calling in sick?  Have an employee issue you have to address?  Really stressed over it, aren't you - but why?  Why is confrontation uncomfortable?

Confrontation in the workplace is impossible to avoid, but some ways of handling it are better than others.  Whether you are the one who has to confront someone, or the one being confronted, here are a few tips on how to get through it.

If you are the manager of a business you will most likely deal with confrontation often; that is simply the nature of managing.  Because confrontation can carry a negative connotation, you may wish to avoid it.  But rather than avoid confrontation, you must simply learn to rethink your perception of it.  Think about the environment in which the confrontation will take place too, and never do it in front of others.

Learn to recognize that confrontation can actually be a positive.  The reason you confront your employees about their job performance is simply to make better employees, not to unnecessarily rat on a friend.  If you were appointed manager, it is because someone believed in your ability to manage.  To manage means keeping your employees doing their best and continually helping them seek to do better.  In this way confrontation can clearly be seen as a positive.  Keep it positive!

Your employees, at first, may not feel the same way about confrontation.  But whether they're flipping hamburgers or saving lives, as the manager you want to help them continually do their job better, so you must help to change their perspective.  To do this, when you first sit down with them, state clearly the positives you see in them and the things you respect in the way they handle their job.  Let your employees know that you are confronting them only to help the company as a whole function better.  The topic may be better received over a lunch out of the office.

Be open to their feedback and perspective; remember that even though you're the manager, you can still learn from the little guys.  After confronting them on whatever the issue is, be willing to listen to their perspective on the same issue.  Sometimes they may not have a perspective and you will simply be telling them something new, but sometimes they have a reason for doing things the way they do, so listen so that together you can agree on a better plan.  Don't be afraid to admit you don't have all the answers, and that you are willing to listen and accept their input.

Be prepared for the employees who won't accept your advice.  Being as nice as you can be, laying things out clearly, and recognizing the positives in your employee may still not be enough for some.  Some of your employees may not feel they need the criticism, and if so the confrontation may need to take a more negative face.  You are the manager, and regardless of how nice you are as a person, your job requires you to be firm in managing your employees.  If you have an employee who is unwilling to be managed, then you simply have to give them the do-or-walk-out option: do follow your guidance, or do walk out of this company.  You might want to be everyone's friend, but be prepared to be the manager first if the situation arises.  If you are open, honest and to the point, they may not be happy, but they should respect you.  Follow up on your meeting, and keep it positive.

Lastly, follow up with your employees.  After you have confronted them on any topic, part of managing is making sure your employees follow through.  You may feel like you are micromanaging, but that is necessary after having given instructions to anyone.  Meet with your employees weekly if you have to, until they learn to take your advice and apply it immediately.  It can also be a simple hallway chat and manager check-in.  Keep tabs on the employee and their response and behavior changes.

After having confronted one or more of your employees, also make sure to recognize when they follow your instructions.  Recognition of the good and the bad will help your employees respect you far more than they could if all they ever hear is the bad.  Reward with thanks, and for the big things a dinner certificate can go a long way. 

I propose to you that it is human nature to want to be liked, appreciated and part of the team.  As a manager you can at times feel isolated.  Keep in mind what makes you feel appreciated or part of the team, and apply that to your staff.  Shake hands, stay positive and informed, engaged and in tune with your team.

Scott Arnett
scott.arnett@charter.net

Wednesday, July 14, 2010

UTM - a great option

Unified Threat Management (UTM) is a great option for SMB infrastructure.  I would also say it is a great option for enterprise customers as well.  Many of you know that I am a great customer of Fortinet, as I think their products are a great asset to any organization. 

Let's get down to what UTM is.  In theory, it is the evolution of the traditional firewall into an all-inclusive security product that performs multiple security functions in a single appliance: firewall, network intrusion prevention (IPS), gateway antivirus (AV), anti-spam, VPN, content filtering, load balancing and management reporting.  This seems to be the concern of many IT professionals - too many things in a single appliance.  But is it really?  You get line-speed processing, centralized management, and centralized controls.  The advantage of unified security lies in the fact that rather than administering multiple systems that individually handle antivirus, content filtering, intrusion prevention and spam filtering, organizations have the flexibility to deploy a single UTM appliance that folds all of that functionality into one rack-mountable network appliance.  From my lab experience, you can push a great deal of traffic through this appliance without performance impact.

The main advantages of UTM solutions are simplicity, streamlined installation and use, and the ability to update all the security functions concurrently.  So not only are they a cost-effective purchase, but day-to-day network running costs are also considerably lower.  This degree of functionality in a UTM appliance is the justification for replacing older, more basic firewalls with a Unified Threat Management appliance that does it all.

The ultimate goal of a UTM is to provide a comprehensive set of security features in a single product managed through a single console.  Integrated security solutions evolved as a logical way to tackle the increasingly complex blended internet threats impacting organizations.  As support staffs get smaller, making security management easier and more efficient should be a goal. 

I propose to you some key values of UTM:
Key advantages

1. Reduced complexity: single security solution, single vendor, single AMC (annual maintenance contract)

2. Simplicity: no multiple software installations to maintain

3. Easy management: plug & play architecture, web-based GUI

4. Performance: zero-hour protection without degrading network performance

5. Troubleshooting: single point of contact, 24 × 7 vendor support

6. Reduced technical training requirements: one product to learn

7. Regulatory compliance
 
Many IT shops, especially the large enterprise shops, still feel it is better to have separate single-purpose devices in the core.  That is OK; use UTM technology on the perimeter, in sales offices, and for remote employees - there is a use for this technology at every company.  I propose that for enterprises with remote networks or distantly located offices, UTMs are the most practical means of providing centralized security with complete control over their globally distributed networks.  Enterprises thus get zero-hour protection at branch offices against security attacks despite the lack of technical resources at those locations.
 
There are many UTM products on the market these days, so take a look at each one and do your homework.  Don't buy into the argument that a single appliance can't handle the traffic or is a single point of failure.  You can run UTM appliances in HA pairs, and they can process a great deal of traffic before becoming a bottleneck.  One caveat when sizing the box: the throughput a vendor quotes for plain firewalling drops once you turn on AV, IPS and content inspection on the same policies, so size against the inspected throughput you actually intend to run, not the headline number.  There is great value in UTM technology.
 
Stay positive and engaged!

Scott Arnett
scott.arnett@charter.net