The frustrating this is that, while Cloud Computing has it’s place, it is NOT a panacea and comes with it’s own set of problems.

A recent study conducted by Ponemon Institute (commissioned by CA) focused on Cloud IT providers with an emphasis on security.

The complete study reveals some startling details about the inner working of major cloud services providers that, in my opinion, highlight a huge chasm of expectations between the provider and consumer.

The summary of findings reads;

• The majority of cloud computing providers surveyed do not believe their organization views
  the security of their cloud services as a competitive advantage. Further, they do not consider
  cloud computing security as one of their most important responsibilities and do not believe
  their products or services substantially protect and secure the confidential or sensitive
  information of their customers.
• The majority of cloud providers believe it is their customer’s responsibility to secure the cloud
  and not their responsibility. They also say their systems and applications are not always
  evaluated for security threats prior to deployment to customers.
• Buyer beware – on average providers of cloud computing technologies allocate10 percent or
  less of their operational resources to security and most do not have confidence that
  customers’ security requirements are being met.
• Cloud providers in our study say the primary reasons why customers purchase cloud
  resources are lower cost and faster deployment of applications. In contrast, improved security
  or compliance with regulations is viewed as an unlikely reason for choosing cloud services.
  The majority of cloud providers in our study admit they do not have dedicated security
  personnel to oversee the security of cloud applications, infrastructure or platforms.
• Providers of private cloud resources appear to attach more importance and have a higher
  level of confidence in their organization’s ability to meet security objectives than providers of
  public and hybrid cloud solutions.
• While security as a “true” service from the cloud is rarely offered to customers today, about
  one-third of the cloud providers in our study are considering such solutions as a new source
  of revenue sometime in the next two years.

So, before you join the masses rushing to jump on the Cloud bandwagon, be VERY careful; take the time to understand where the responsibility for security lies and who is responsible for the safety and security of your critical data.

Good Networking!

Eric Hobbs
Technology Associates
ehobbs@technologyassociates.net
919-459-0109 – Direct

Start with this list of Top 5 Exchange Security Snafus to reduce risk in your company.

Lack of Patching

Patching is at the top of the list for a reason. This is hands down the biggest single problem we see with insecure Exchange environments. Patches are released for a reason, they ensure that the latest vulnerabilities are secured and protect your servers from commonly known “back doors.”

Leaving an Exchange server un-patched and accessible on the Internet is a sure fire way to run into problems. Unless you have a formal patching process in place, chances are that you are NOT current with patches and are putting your business at significant risk.

Weak or common passwords

Second in the list of common security problems is weak or common passwords. For example; if your email address is “jdoe@”, your network login in “jdoe” and your password is “jdoe” also…. then you are making a huge mistake.

Other common password problems are;

• Sharing a common password across the entire company
• Using a common algorythm that can be guessed by others, ex: your log in name followed by the month
• Not forcing period password changes (over time people find out other users passwords, forcing periodic changes increases security

Unsecured Outlook Web Access

Outlook Web Access is super cool and a very useful tool, granting you full access to your email infrastructure from outside the office right from a web browser. However; this ease of use requires proper security to avoid problems. One very common problem I see is running Outlook Web Access without an SSL Certificate. Running SSL unencrypted allows other users on a network (wireless or otherwise) to capture passwords and communications at will.

Be sure your Outlook Web Access is configured to use HTTPS (It installs this way by default but is often modified to remove the annoying security warnings when using an internally generated SSL certificate) and you are using an SSL Certificate from a well-know SSL issuer, ex: Thawte.

Proper Termination Procedures

Security is a process, not a technology. Handling common events, like staff turnover, needs to be taken seriously. When someone leaves the company be sure to re-set their password and periodically review old accounts to see if they are still necessary.

It is not uncommon to find an Exchange server bogged down with email in mailboxes of employees that are no longer with the company. No one deleted their account and they are continuing to get email just as if they are still at the company.

Improper use of Public Folders

Double-check the security on Public Folders. I often see users create public folders to share between them and inadvertently allow everyone to see the contents of the folder. This can cause some sticky situations to say the least.

Good Networking!

Eric Hobbs
Technology Associates
ehobbs@technologyassociates.net
919-459-0109 – Direct

But when it happens to a huge company with ample security resources it ought to highlight the risks inherent in using in-house IT.

Often, business owners tell me that they prefer using an in-house IT “guy” to outsourcing support because of the perceived risk associated with having another company holding the proverbial keys to the castle but in fact, outsourcing IT is MUCH less risky than hoping your IT Guy maintains his sanity when it comes time to cut ties.

According to a ComputerWorld article, “A network engineer fired by fashion house Gucci has been charged with going on an IT rampage against his former employer in which he deleted data, shut down servers and left the company nursing an estimated $200,000 cleanup bill.”

As the story guys this network engineer was fired in May of 2010 and was clearly peeved about the situation. He then tricked staff at Gucci into granting him access to the network under the name of a fake employee.

This gave him access to the Gucci IT Network for “months”

The ComputerWorld article continues with “At its worst, Gucci US is said to have lost access to email and stored documents for 24 hours, an incident in which he also permanently destroyed some files. On Nov. 12, he also shut down virtual servers, a storage area network (SAN), and deleted a number of corporate email inboxes.”

In fact, the disruption affected stores across the US and caused the loss of thousands of dollars in sales. Who knows what other person information regarding customers was compromised as well!

Here’s the rub; while Gucci has the law on it’s side and the authorities have finally gotten on the ball about prosecuting such crimes, because this was an employee, Gucci has absolutely NO ability to be made whole AND with an employee miffed enough to break the law for revenge don’t you recon there is a line of “wrongful termination” lawyers lining up chomping at the bit to go after Gucci’s deep pockets?

When a large business like Gucci let’s a key employee go, you would think they would have the processes and procedures to ensure something like this didn’t happen, but if they can be compromised, what hope does a small business have?

So here is where it is actually LESS RISKY to hire an outside support firm to handle your IT needs for these very important reasons;

Reputation

Reputable computer support firms have a reputation to protect (that’s what makes them reputable!). You can bet they won’t do anything to damage this reputation.

Mind you, I’m talking about real companies, not “one-man” shows!

Insurance

Computer support firms that are real businesses operate as such. They carry general liability and professional liability to protect themselves and their customers against such problems.

At least if you deal with a real company you have some hope of being made whole if something crazy goes down.

Law

When dealing with a corporation you have the right to sue rather than relying on the criminal law to take on your case.
All these add up to one, unavoidable conclusion, it is a lot less risky to deal with a professional IT management company rather than try to handle your IT in house and dance around sticky HR issues trying to avoid a “rouge employee!”

Good Networking!

Eric Hobbs
Technology Associates
ehobbs@technologyassociates.net
919-459-0109 – Direct

This time, let’s look at the other side of the same coin…

Lack of Control

When you outsource your disaster recovery you obviously give up a degree of control over the process. What you are doing essentially is relying on your partner to understand your environment and design a solution that meets both your needs.

You may not get the exact retention or snap shop parameters you would like and it is awfully tough to get a provider to change their entire service infrastructure based on one companies needs.

So if you have super special retention requirements then outsourcing your DR may be way more expensive than you would like since you are, in effect, purchasing a custom designed DR solution versus leveraging the system already designed and tested by the partner. In these cases, make darn sure you really NEED special features in your backup or you’re just wanting these capabilities. If your requirements are ‘wants’ then give it up and use the solution proposed and tested by the provider to avoid any dropped balls. If your requirements are ‘needs’ then be ready to pay for them!

Lack of Scale

So how do you know what to spend? How do you know if you’re getting a “good deal” or getting ripped off?

First, it’s pretty hard to get ripped off. With the wealth of information available on the Internet to each and every business owner, it is a rarity indeed that a company can make a living getting ripped off!

Second, toss out the “good deal” providers like Carbonite. These folks are GREAT at what they do (in fact, I recommend this service for your home PC) but this is not the type of service you want to rely on for a business network.

What’s a fair price for DR? My suggestion is to calculate your cost of downtime first (employee costs per hour) along with a guess as lost business – I know this is a huge guess but just do your best. Now you should have a good feeling for what an hour of downtime costs your business. Multiply this number by the number of hours your provider tells you it will take to get you back up and running then compare this “outage cost” to the monthly cost of the service.

This simple calculation take into consideration the three key factors;

• Time to recover
• Down-time cost
• Monthly cost of service

Inability to Differentiate

Oftentimes businesses lack the technical expertise to properly evaluate alternative and, not wanting to rely on a sales person for consulting, attempt to make an “apples-to-apples” comparison. In most instances; they are trying to compare a fruit and a vegetable!

In the end, the “bottom line” is used as a gauge and some type of goofy ROI or payout analysis is done. The big thing missing is the result! What will happen when the service is actually called upon?

Can you “save a ton” by using Mozy to backup your data? You bet. But let’s see you try to get a failed server back up and retrieve your critical company data in some reasonable amount of time.

Because of this inability to differentiate the lowest cost is normally the driving factor which is a quick and sure-fire way to set up a business to be sorely disappointed when the chips are down – this sours a business to outsourcing as they tend to lump all providers into the same bag as the commodity service that just let them down.

For more information, check out my white paper titled Backup and Disaster Recovery Best Practices

Good Networking!

Eric Hobbs
Technology Associates
ehobbs@technologyassociates.net
919-459-0109 – Direct

Sure, they’ll tell you they have a backup but that is just one small part of a proper disaster recovery plan.

What most businesses need is an experience partner who knows DR inside and out.

There are many benefits to outsourcing the disaster recovery function to an experienced partner, including;

Peace of Mind

There are ten thousands things a businesses needs to worry about each day. Finances, HR, Sales / Marketing, Service, all represent “here and now” issues that demand immediate attention.

Most business owners and manager, when they have a spare minute to reflect, are well ware of that nagging feeling around backups and disaster recovery.
Outsourcing DR takes one item off the worry list.

Experience

Can a business do all the research, testing, evaluation necessary to select a proper backup and disaster recovery system?

Sure! But wouldn’t that time be better spent on growing the business?

By outsourcing the DR function you not only get a proven solution, you also get a partner who will back you up when you need it most AND as an added bonus you automatically leverage the experience that the partner brings to the table from implementing dozens of DR solutions.

Cost

A one-off solution is expensive. Something designed, purchased and installed just for one business doesn’t take advantage of any purchasing power or leverage.

Outsourcing your DR to a partner allows you to get a solution at a lower cost since you are essentially buying in ‘bulk’ buy sharing resources from other businesses.

Plus DR providers avoid the large upfront costs of tape drives or failover servers which often price out smaller businesses.

Avoid Obsolescence

Backup and Disaster Recovery solutions are constantly changing. Even the best solution is quickly obsolete as better, faster and cheaper technology is announce just about every day.

When a business invests in it’s own solution you are stuck with it until you are able to pony up another chunk of change to upgrade to the next evolution.
With outsourcing you shift this obsolescence to your DR partner. It then becomes their issue to deal with and in their best interest to keep up with the latest in technology and reduce costs on your behalf.

This solution is in stark contrast to a traditional IT support company always pushing customers to upgrade to the latest solution and incur hefty out-of-pocket expenses.

For more information, check out my white paper titled Backup and Disaster Recovery Best Practices

Good Networking!

Eric Hobbs
Technology Associates
ehobbs@technologyassociates.net
919-459-0109 – Direct

PicResize (www.picresize.com) is an easy to use online tool that deserves a quick look.

PicResize doesn’t require a download or install and can be used from any browser. What’s more, it’s free!

To use PicResize;

1. Go to the PicResize web site located at www.picresize.com.
2. Select the down arrow next to the “or Quick Resize” link to reveal more options.
3. Click the browse button to locate the file you want to upload
4. Choose the resize options.
5. Select special effects if desired
6. Choose the file format to save the newly create image in (this is a handy way to change picture file formats also, ex: .jpg. to .gif.
7. Press the Resize Pic button.
8. Once the picture is resized you will be taken to a different screen showing the original picture size (physical and on disk) and the newly created size.
9. Click Preview to see the new image or Save To Disk to save the new image back to your PC.

PicResize supports resizing both by specific sizing, ex: in percent or pixels or default resizing options of 75%, 50% and 25%.

The custom resizing supports by a percent or pixels which is extra handy when you need a picture sized to a specific pixel size.

As an added bonus, PicResize, also support several special effects such as grayscale, rotation, flipping, sharpening, etc.

While the options are limited; this is actually a good thing as PicResize is a simple on-line tool that does only a few things but does them well.

So the next time you need a picture resized or in a different format, use PicResize for quick results.

There are three backup types, Full, Differential and Incremental, each with it’s own pros and cons.

REMEMBER: A backup, regardless of the method, must include ALL of your data—don’t even think that a partial backup is OK!

Full Backup

A Full Backup is a simple as it gets, it is a complete backup of everything.

Pros:

• Restoring a full backup is fast; you only need restore the most recent backup set.

Cons:

• Since you are backing up all your data each time the backup will be slow and the storage requirements are high since you need enough storage media to contain a complete copy of your system.

Differential Backup

In the Differential method the backup software grabs only the files that have changed since you last did a full backup.

If you do more that one differential backup (ex: Monday is a full and Tuesday—Friday are differential), differential backups will contain all the files that have changed since the last full backup, even if you already have these same files in a previous differential backup.

To explain further, the Tuesday differential contains the files changed on Tuesday while the Wednesday differential contains the files changed on Tuesday AND the files changed on Wednesday.

Pros:

• Faster to create than a full backup since you are only backing up changed files.
• Restoration is faster than using incremental backup but slower than a full. To restore you’ll need your most recent full and most recent differential.
• Each differential is smaller and faster than the full, requiring less time and storage capacity.

Cons:

• Restoration is slower than using a full backup since you must first restore the full then the latest differential.
• Creating a differential backup is slower than creating an incremental backups since you are grabbing everything since the last full even if it is backed up on a prior differential.

Incremental Backup

During an incremental backup the backup software grabs a copy of all the files that have changed since you last did a backup of any type (full, differential or incremental).

If you do more than one incremental backup (ex: Monday is a full and Tuesday—Friday are incremental), incremental backups will contain only the files changes since the last backup, regardless of type.

To explain further, the Tuesday incremental contains only the files changed on Tuesday while the Wednesday incremental contains only the files changed on Wednesday.

Pros:

• This method is the fastest when creating a backup, since you are only backing up the files changed since the last backup.
• Incrementals have the smallest storage space requirements.

Cons:

• Restoring from incremental backups is the slowest because it require the latest full plus ALL the incremental made since that backup, with each being restored in order.
• If any of the backups in the incremental set don’t restore properly, you are pretty much sunk.

Conclusion

Which backups type is best? That’s a trick question, each has it place and as long as you understand what method you are using, the pros and cons, and have made an informed decision ahead of time then you have done your part.

For more information, check out my white paper titled Backup and Disaster Recovery Best Practices

Good Networking!

Eric Hobbs
Technology Associates
ehobbs@technologyassociates.net
919-459-0109 – Direct

All Caps

Sometimes you need to type several words, sentences or paragraphs in all caps to stress emphasis. You can type the text, highlight the right-click and format the text as all caps but a quicker way is to just hit CTRL-SHIFT-A which turns on all caps then type the test. To turn off all caps just hit ctrl-shift-a again.

Bullet List

Bulleted lists are an easy way to call out a readers attention. To start a bulleted list just hit CTRL-SHIFT-L. Word will continue adding list elements as long as you are hitting enter at the end of each element. To return to regular test just hit enter twice.

Center, Left, Right

To center paragraphs, just hit CTRL-E and type away. Your paragraphs will be centered automatically. To return to regular justification hit CTRL-E again. You can left justify paragraphs with CTRL-L and right justify with CTRL-R.

Bold, Underline and Italics

Bold, Underline and Italics are very common text formatting options. Each of these options are quickly accessed via CTRL and the first letter of each formats name. Example: CTRL-B for Bold, CTRL-U for Underline and CTRL-I for Italics. Each of these shortcuts acts a ‘switches’ and will continue to act on the formatting until you turn them off by selecting them again, ex: CTRL-B to turn on bold and CTRL-B again to turn it back off.

Save

I always worry about loosing saved work. Yes, I have auto-save turned on but I was around a LONG time before auto-save and I just feel better knowing that I’m saving my work at appropriate intervals. A super quick way to do a manual save of your work is CRTL-S. This shortcuts works in just about every Office application also!

Find

Looking for a spot in the document? Don’t bother scrolling, just hit ALT-F and type in the txt you are looking for then hit enter.
Not the occurrence you were looking for? Just hit enter again and Word will send you to the next occurrence.

Undo

Probably the shortcut key I use most often is the Undo function. Ever deleted something you wanted back or performed and change you wish you hadn’t, just hit CTRL-Z to Undo the change.

Cut / Copy / Paste

After highlighting text you can quickly cut using CRTL-X, Copy using CTRL-C and past using CTRL-V.
Once often overlooked feature of these function is that they work across applications, for instance you can copy something from Excel or PowerPoint using CTRL-C then paste into Word using CTRL-V.

Open / New

Use CTRL-O to open an existing document or CTRL-N to create a new document.

Thesaurus

Use SHIFT-F7 to open the Thesaurus with alternate work suggestions.

Good Networking!

Eric Hobbs
Technology Associates
ehobbs@technologyassociates.net
919-459-0109 – Direct

WRONG, and here’s why…

Stuff gets in the way. It’s as simple as that. I’m sure there is someone who is responsible for doing this vital function but things crop up, priorities and the day-to-day firefighting prevent this task from being completed long-term.

Once more, when it IS checked, there is usually some cryptic error message that seems to indicate a problem but after doing a bit of research and not tuning up anything solid, we jump back on the urgent and hope that the important will sort itself out.

But as business owners, you and I both know that the important rarely resolved itself in anything less than a crisis, and always at the least opportune time!

Backups, like any other part of your business need careful management and inspection, “What gets inspected gets respected.” Make this task important to you and it will become important to your staff. Ask questions and keep asking them until you feel confident that you are getting the straight answers.

Not only should the backup logs be inspected, someone should periodically re-certify what is being backed up AND that the backup is properly getting data from all your applications, like Exchange and SQL (see my post Are Your Backups Application Aware for more information)

It is all too common to see a backup job configured to only get critical data because the backup system is not properly sized for the business or the business has outgrown their backup and their vendor never bothered to tell them.

The ‘selective’ backup is a sure-fire recipe for disaster because experience had taught me that the data you aren’t backing up is the stuff you always turn out to really, really need back.

So what can you do to be sure your backup logs are properly reviewed?

1. Make the log review a specific individuals job, don’t just assume someone is doing it.
2. Configure your backup software to email you the log, this way it is always sitting there staring you in the face, you don’t have to remember to go check it.
3. Review the backup job quarterly to know what you are backing up and, more importantly, what you are NOT backing up.
4. Take the time to resolve backup log errors. No, it’s NOT OK to have errors in your backup log, no matter what lame excuse you are being given that let’s someone off the hook for getting a problem figured out.

For more information, check out my white paper titled Backup and Disaster Recovery Best Practices

Good Networking!

Eric Hobbs
Technology Associates
ehobbs@technologyassociates.net
919-459-0109 – Direct

Simple; it’s a huge pain in the rear and bordering on impractical to fully test a recovery plan with traditional backups. To fully test the recovery process you need to start as if you have just lost it all, the server is gone, all the software with it and all you have left is your backup media.

So who has a spare tape drive, spare server and copies of all their installation media and installation keys? The answer is; just about no-one.

In a desperate attempt to get some sense of security most people resort to using verification as ‘proof’ that the backup is working as expected. Taking this a step further, every now and then a random file will be restored from the backup as added evidence that all is working properly.

These two ‘test’ as worthless and if you doing these things and thinking that you are achieving any measure of validation then you are completely wasting your time. For starters, these methods;

1. Don’t tell you how long your system will take to get back up and running from a disaster. It is 2-hours, 2-days, 2-weeks, longer?
2. Don’t tell you that the entire system can be restored and booted properly. Restoring a random file and restoring an entire SQL database or Exchange mailstore are two completely different animals.
3. Don’t tell you if you have all the pieces and parts (starting with a written and tested procedures) to actually pull off the restoration of your critical data systems.

Most business use the HAP method of backups (hope-and-pray) which, surprising enough, works out a great deal more than I would guess. Maybe someone upstairs is looking after your backups?

A better way is to take a holistic approach to backups. Design the backups with the RECOVERY in mind. No from the start what it is going to take to get your company back up and running and be dang sure you have access to everything you need.

Even better than that; use a backup method that you can easily test. For our customers we use image based backups that are portable and can be launched on any machine. This allows us to grab a customer’s backup data and do a test restore to one of our spare servers.

We can prove to ourselves (and our customer) that the restore works as planned AND the process we have documented for a recovery works flawlessly. A side benefit is that since we can easily do a test restore we also can document exactly how long this process takes and set reasonable expectation with our customers for recovery time.

Plus, actually performing regular restores give our entire team a chance to see the process start-to-finish so they are comfortable with the process and familiar with the steps.

For more information, check out my white paper titled Backup and Disaster Recovery Best Practices

Good Networking!

Eric Hobbs
Technology Associates
ehobbs@technologyassociates.net
919-459-0109 – Direct