Thursday, June 15, 2017

How Do You Quantify “Better?”

It’s a simple question with an oh-so-complex answer: how do you quantify better? Specifically, in terms of cost, how do you quantify better in the context of paying for a better class of internet access?

Internet access is the foundation for everything that gets done in the business world today; you simply cannot operate a business without your employees having access to the public internet. If you have an office where your people gather to work together, they need a fast, reliable connection to the internet. As an organization, how much are you willing to pay for internet access? How much is too much? Do you need a 100 Mbps symmetric fiber connection or will coax cable be enough? Can you scrape by and use a Wi-Fi hotspot that has a cap on the amount of data that can be used without incurring additional charges?

These days practically every task that is part of what your employees do takes place in the cloud. So if everything is in the cloud, a fast & reliable connection to the internet should be considered mission critical. I’ll ask the question again: how do you quantify better (in this case, better internet access)? How much are you willing to spend so that your employees have a fast & reliable connection to the Internet?


- Rob

Friday, February 10, 2017

Versioning

How do you defeat ransomware? Versioning, that is how you defeat it (and other malware). Let me explain...

There was a time when the only option for backup & recovery was versioning in the form of a tape device. You put a blank tape into the device, the backup job ran during off hours and the tape was automatically ejected once the backup job completed. So that tape represents one version of your critical data, and it has the added advantage of being physically separated from all systems after being used. Fast forward to now, when it's all about continuous backup of data. An excellent concept and useful for backup & recovery of certain types of data, but take a step back and consider how versioning works in the context of continuous backup. Part of the answer comes from the type of backup & recovery solution that you are paying for. If you're willing to spend a bit more money, you can put a solution in place that allows for versioning of data, and that is a critical factor. Do not assume that whatever solution you have allows for versioning; make the vendor prove it. Another aspect of versioning has to do with the way the vendor has built out their back-end systems. Are they multi-tenant? Does your data literally sit right next to another customer's data? If something infects your data, can it jump and infect another customer's data? Don't laugh, don't dismiss this, because there are documented cases of this happening. And the infection could go back months.

Have a backup to your backup & recovery solution. Independent of whatever cloud-based backup & recovery solution you use, have an additional in-house process for backup & recovery of critical data. I know it's a bit old school, but tapes are still a viable, cost-effective solution. Automating the process & rotating the tapes will allow for your own "version" of "versioning."
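To make the versioning argument concrete, here is an added example (not code from the post) of a small backup store that keeps every version of a file immutable and restores the newest copy taken before a chosen date; the file name, contents and the 2017 timeline are constructed, and the 180-day default retention is an assumption chosen because an infection "could go back months."

```python
"""Versioned backup store with point-in-time restore (added example, not from the post).
Every backup of a file is kept as a separate, immutable version instead of overwriting
the last copy, so an encrypted file that gets backed up is just one more version and
the clean ones stay recoverable within the retention window."""
from dataclasses import dataclass
from datetime import datetime, timedelta
import hashlib


@dataclass(frozen=True)
class Version:
    taken_at: datetime
    sha256: str
    data: bytes


class VersionedStore:
    def __init__(self, retention_days: int = 180):  # assumed default: "could go back months"
        self.retention = timedelta(days=retention_days)
        self._versions: dict[str, list[Version]] = {}

    def backup(self, path: str, data: bytes, now: datetime) -> None:
        """Append a new version; existing versions are never modified."""
        versions = self._versions.setdefault(path, [])
        digest = hashlib.sha256(data).hexdigest()
        if versions and versions[-1].sha256 == digest:
            return  # unchanged since the last run, nothing new to keep
        versions.append(Version(now, digest, data))
        cutoff = now - self.retention  # prune only versions outside the window
        self._versions[path] = [v for v in versions if v.taken_at >= cutoff]

    def restore(self, path: str, before: datetime) -> bytes:
        """Return the newest version taken strictly before `before`."""
        older = [v for v in self._versions.get(path, []) if v.taken_at < before]
        if not older:
            raise LookupError(f"no version of {path} older than {before:%Y-%m-%d}")
        return older[-1].data


def day(n: int) -> datetime:  # day n of a constructed timeline starting 2017-01-01
    return datetime(2017, 1, 1) + timedelta(days=n)


def demo() -> bytes:
    """Constructed scenario: clean nightly backups, then the encrypted file is backed up too."""
    store = VersionedStore()
    store.backup("finance/ledger.csv", b"clean-v1", day(0))
    store.backup("finance/ledger.csv", b"clean-v2", day(1))
    store.backup("finance/ledger.csv", b"\x8f\x12\xa0 encrypted junk", day(40))  # ransomware hit
    return store.restore("finance/ledger.csv", before=day(40))  # newest clean copy
```

A continuous-backup product that only mirrors the current state has no equivalent of `restore(before=...)`, which is exactly what to ask the vendor to demonstrate.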


- Rob

Monday, December 19, 2016

Address cannot be validated...

It's the season for gift giving so I dutifully went to the shipping store to send off a package of toys for my niece & nephew. To use a technical term, I'd pre-configured everything (aka boxed & labeled) so it was ready to go. I put the box on the scale, the person behind the counter measured it then started up the shipping app. Typical questions, what are the contents, when do you want it to get there, do you want insurance? Everything was proceeding fine until we hit a snag, the shipping address cannot be validated? What do you mean, I've shipped items to them before without an issue. So the clerk asked if I wanted to ignore the warning and I said yes. So we are at the end of the process, a physical label has been printed (it will be affixed to the package itself) and I'm asked to check it. That is when I saw the error, we're missing a 1 in the address field. Had to start the process again, got to the part for the address field and yes, with the "extra" 1 the address was validated, the label was printed and the package shipped - success! But what does this say about "we" humans and our ability to acknowledge or ignore warnings? This was a simple task and yet both humans (with one of them purporting to be a Subject Matter Expert regarding the correct shipping address) missed a warning that could have led to a critical error.

Let's extrapolate this situation to the field of information technology, specifically security and the protection of digital assets. The hack of Sony Pictures comes to mind. Let's hypothesize that Sony Pictures had a robust Intrusion Detection / Intrusion Prevention System (IDS / IPS) in place at the time of the hack. Imagine members of the IT Department sitting at their desks, staring at their screens when an alert pops up along with an alarm bell. The IDS / IPS indicates there is abnormal activity on the network, that a large amount of data is outbound, and do they want to allow (click "Yes") or block (click "No") the activity?

So, what will you do next time you get a warning that, a) the shipping address cannot be validated or, b) that there is abnormal activity on the network and that a large amount of data is outbound?



- Rob

Friday, November 04, 2016

When the Owner of the Company Says, "Pull Everything Out of the Cloud" You Know it's Trouble

More and more stories about cyber this & digital that are appearing in the mainstream media these days. Marketing terms, inaccurate descriptions and lots of misinformation that lead to confusion. So when the owner of the company barges into your office and proclaims, "Pull everything out of the Cloud," you know you're in for a long day.

The October 21st attacks against managed DNS provider DYN were all over the news because of the effects the attacks had on entities such as Netflix (streaming media), Twitter (social media) and even Vonage (Voice-over-IP and unified communications provider). So when something like this happens, as a Technologist you must be prepared with Ninja-like reflexes because there will be blow-back and maybe a little panic.

Owner barges in and the following conversation begins:

Owner's Question: What's that thing we use for files?

Response from Technologist: Box, we use it for file synchronization & sharing.

Owner's Follow-up: I want everything pulled out of "the Box" and put on a file server in the headquarters because that way everyone can get to it and it's secure.

Follow-up by Technologist: Actually, if we put everything on a file server in the headquarters, only those employees IN the headquarters can get to the files on that server. It's only a file server for the headquarters.

Owner thinks for a moment then responds with: But we have offices everywhere.

Technologist: And that is why we went with a cloud-based enterprise file synchronization & sharing solution so we didn't have to put a file server in every office nor have everyone try and access a single file server in the headquarters by way of VPN.

What we're talking about here is a mindset and the way things used to be. Having everything on a single file server in the corporate headquarters doesn't guarantee the files on it will always be available. What happens if the server's hardware fails? It has to be replaced (which takes time) and then the necessary operating system configuration as well as files & folders have to be set up again (which takes more time). Oh, it's a virtual file server? That virtual server still has to sit on top of a piece of hardware. Restoring a virtual machine takes less time than for a physical server, but it's not instantaneous.

In the end cloud-based services offer scale as well as business continuity for anytime anywhere access. That is practically a requirement for an organization because as the Owner so eloquently put it, "...we have offices everywhere."

One more observation: services are relatively easy, resilient infrastructure is hard (and yes, DNS is infrastructure, just ask the folks at DYN).


Rob

Monday, September 26, 2016

My thoughts on the IANA Stewardship Transition

Via the IANA Stewardship Transition, ICANN (in basic terms the organization that controls Internet domains and their distribution) will move into a more global multi-stakeholder system and away from one that is US-centric. More & more of the World uses the Internet; it's not just something for the West. There are those pundits in the US that say the Internet is being handed over to totalitarian regimes. Keep in mind that those regimes already control the telecommunications infrastructures in their countries and thus already have some measure of control. Examples include the "Great Firewall of China" and don't forget that Turkey has cut off access to sites such as Facebook.

In the end my belief is that the rest of the World has a stake in a free & open Internet and wants a say in how the Web is governed.

ICANN has a post with questions & answers regarding the IANA stewardship -



Rob

Thursday, July 28, 2016

Dog-fooding, base-lining and knowing when something is off...

Dog-fooding & base-lining are phrases known in the tech industry. To "dog food" something means that you are using it on a daily basis to see if the technology works as advertised. Many tech firms "dog food" their own technology as a way of proving that it works. To establish a baseline is to determine what normal looks like. In the case of network traffic, what is the normal pattern of data flow across your local area network on a Friday afternoon (when everyone is trying to complete their work and get out of the office) as opposed to a Tuesday morning? What is the baseline performance of your application?

With the help of data collected while dog-fooding & base-lining you (as an organization) should be able to tell when something is off. That something being the performance of your application, the performance of the network, whatever it is that's bothering you.
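As an added example of the Friday-afternoon-versus-Tuesday-morning point (not code from the post), the following learns a separate baseline per weekday and hour from constructed outbound-traffic readings and flags a new reading only when it is far outside the history for its own time slot; the 3-sigma threshold, the minimum of three samples and the megabyte figures are assumptions.

```python
"""Per-time-slot traffic baseline (added example, not from the post).
Normal is learned per (weekday, hour) bucket, so a heavy Friday-afternoon burst
is judged against other Friday afternoons, not a quiet Tuesday morning."""
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev


class TrafficBaseline:
    def __init__(self, min_samples: int = 3, threshold: float = 3.0):
        self.min_samples = min_samples
        self.threshold = threshold  # z-score beyond which a reading is "off"
        self._buckets: dict[tuple[int, int], list[float]] = defaultdict(list)

    @staticmethod
    def _key(ts: datetime) -> tuple[int, int]:
        return ts.weekday(), ts.hour  # Monday == 0

    def learn(self, ts: datetime, bytes_out: float) -> None:
        self._buckets[self._key(ts)].append(bytes_out)

    def check(self, ts: datetime, bytes_out: float) -> tuple[bool, float]:
        """Return (is_anomalous, z_score) against the matching bucket's history.
        A bucket with too little history cannot judge, so it never alarms."""
        samples = self._buckets[self._key(ts)]
        if len(samples) < self.min_samples:
            return False, 0.0
        mu, sigma = mean(samples), pstdev(samples)
        if sigma == 0:  # identical history: any change at all is a deviation
            return bytes_out != mu, 0.0 if bytes_out == mu else float("inf")
        z = (bytes_out - mu) / sigma
        return abs(z) > self.threshold, z


def build_demo_baseline() -> TrafficBaseline:
    """Constructed history (MB out): four weeks of Tue 09:00 and Fri 16:00 readings."""
    b = TrafficBaseline()
    monday = datetime(2016, 6, 27)  # a Monday
    for week, (tue_mb, fri_mb) in enumerate(zip([120, 135, 110, 125], [900, 950, 880, 920])):
        b.learn(monday + timedelta(days=1 + 7 * week, hours=9), tue_mb)
        b.learn(monday + timedelta(days=4 + 7 * week, hours=16), fri_mb)
    return b


def demo_checks() -> dict[str, bool]:
    """Judge one 910 MB reading in the Friday-afternoon slot and the Tuesday-morning slot."""
    b = build_demo_baseline()
    fri, tue = datetime(2016, 7, 29, 16), datetime(2016, 7, 26, 9)
    return {"fri_910": b.check(fri, 910)[0], "tue_910": b.check(tue, 910)[0],
            "tue_130": b.check(tue, 130)[0]}
```

The same 910 MB reading is routine on a Friday afternoon and a loud alarm on a Tuesday morning, which is the whole reason a single global average makes a poor baseline.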


Rob

Monday, May 23, 2016

Voice-activated Services In The Home

The news these days is still filled with stories about encryption and the U.S. government, but what about voice-activated services, digital assistants & self-incrimination? They might be the next big questions that need to be asked.

Self-incrimination is the act of exposing oneself (generally, by making a statement) to an accusation or charge of crime; to involve oneself or another [person] in a criminal prosecution or the danger thereof. The part in parentheses is important.

These days Amazon Echo & Google Home are in the news. They are voice-activated hardware & software that combine into a powerful digital assistant service. One description that I liked was that they helped folks manage everyday tasks. Oh, I haven't forgotten about Apple's Siri product but for now I'm going to concentrate on Amazon & Google.

"Hey Echo, order me three packs of toilet paper." That was easy.

"Hey Google, put on my calendar for tomorrow from 1 PM to 2 PM that I'm meeting Johanna & Fernando for lunch." Easy to do and I didn't have to type anything.

Remember the key phrase, voice-activated. So for these products to be responsive (after all, they are voice-activated), they are always on and listening to what's being said in their environment. How does Echo know that it is not your voice, but someone else's? Everything that is said is captured, sent back for processing then evaluated as far as what to do. Where is all that data stored? How long is it stored for and who has access to it? Some interesting questions to ponder as we move forward with this technology.

Which entities within Amazon and Google have access to this data? What about third parties that pay for access to customer data, can they see everything captured by Echo or Google Home? What about law enforcement, if they present a warrant for access to the data then what?

Let's say a master criminal (who has so far eluded law enforcement) decides to set up Amazon Echo at home. The master criminal then posts on Instagram about Amazon Echo and how great it is. Basically Echo is a listening device, a bug. So someone in law enforcement gets the idea to serve a warrant to Amazon for several accounts (law enforcement narrowed it down to about a dozen) that they believe are used by the master criminal. They are in luck, one of the accounts is tied to Echo. What happens to all those conversations that the master criminal held with others at home? Can they be used in court? There were no warrants issued to authorize the eavesdropping on conversations but on the flip side, the master criminal consented to allow a third party (Amazon) to in a sense record all conversations.

The courts are going to have to sort these legal questions out. Something for all of us to think about.


Rob