
Master Sleuth

Key issues and pointers for the IT manager, by John Terpstra.

Wednesday, 24 March 2010 22:39

A business owner set out to update his computer systems and asked for the best new platform for his business. Both his computers and software were out of date, but given how much business information had been invested in the system, there was reluctance to migrate to new software. His fears were based on perceived risks and a desire to avoid the overhead of staff retraining. What is the best platform for this business?

At first observation this is a business problem, not a technical problem. A detailed technical analysis will not help. The world is full of examples purporting to prove that a particular proprietary platform, or some “choose your flavor” Linux platform, is best. Do a Google search for “best business Linux” - the findings are interesting. Technical answers are well to the fore, yet few address the bigger business problem inherent in migrating from a legacy system to a new platform environment.

One article makes this assertion: “For IT decision makers in small and midsize businesses, Linux is all about having choices -- and all about making choices. That includes sifting through a seemingly endless list of distros, weighing a variety of service and support options, and selecting the most appropriate software for your company's business needs.” Source Link.

The question is, does the business owner have time and interest to pursue an evaluation of opinions from highly diverging technical reporters? Not likely. For the greater part, business owners and managers are time-constrained. In the absence of time and interest, most will find a trusted advisor to help resolve the matter.

The above article goes on to say that: “Most companies, however, will want to pick a mature, respected Linux distro with a solid track record.” Really? How often will a business want to do that? Very few business managers want anything to do with choosing an operating system. More often than not, a business owner or manager wants to know the following:

  • Costs today and over the life-cycle?
  • Will business information be retained?
  • Will staff require disruptive retraining?
  • What new capabilities will benefit my business?
  • What risks do I need to be aware of?
  • What is involved in installation and transition?
  • How long will it last?

Those involved in the information technology business should take note that we are paid to solve business problems. If we do that well, business owners and managers will trust our technical judgment and advice.


Wednesday, 17 March 2010 00:00

A conversation at a Starbucks coffee shop made me realize the importance of listening. I think you will agree that there is a lesson here.

There were three IT professionals, seated at a table sipping their drinks, as one complained: "I've been told to cut my IT operating costs by 30%."  Matt replied: "If your management team have not bought into your IT plans, the budget is meaningless to them."  He hit the nail on the head!

It is easy to sell the benefits of doing more with less.  Better, faster, cheaper, more efficiently, reduced staffing, are things that seldom invoke challenge from the team that controls cash flow in a business.  But what are the options when your management team demands a large reduction in costs, and you know that the investment in information technology is already too low?

Vince replied that the CEO and the CFO only see IT as a cost center.  Matt's response was classic: "In that case you need to listen to them more often."  He reminded the coffee sippers that absent management team buy-in the entire IT operation is like a ship lost at sea without a rudder. The key to solving this problem is communication, not in formal meetings, but informal regular contact with key decision makers.  The most important benefit of just talking to these folks is that you will gain feedback.  Matt said: "The one who listens controls the conversation.  If you do not listen to someone he will never sign the check."

Ultimately you need to present your IT plans to the business team.  Make certain that it outlines what you are planning to do to meet their business goals and objectives.  Highlight in their language the benefits each will obtain.  Make sure that there is a key benefit that touches the highest priority each member of the management team has.

Instead of presenting what you want to do first, break everything down in a way that reflects your desire to understand and to implement the business goals that management have spent so much time wrestling with. At the very beginning of a new project start the documentation process. Summarize in succinct bullet form the following:

  • Project essentials - the MUST have items
  • Project necessities - those things that OUGHT to be included
  • Project options - those things that COULD be included
  • Make your request: Please help me to trim this down to something we can all execute on.

This approach can be used to engage your team in a purpose-driven communication process.  Make sure that you are ready when someone asks for a preferred short-list (it shows you know your stuff). When the time is right, talk to the big picture, and then ask for commitment to make it happen.  Remember, this project is just the first step to help us all get there with a smile.

We left that Starbucks with a clear realization that times are tough, and tough times mean that it is more important than ever to listen to the men who sign the checks.


Wednesday, 10 March 2010 00:00

The good news is that this was just a dream, because had it been otherwise it might have been a nightmare.  Please imagine a hypothetical situation, here goes:

It is 8:30am one Monday morning. In walks Jack Brown (not his real name), Marketing Manager (could be anyone with access to confidential business information). He walks right up to the CEO and informs him that his laptop computer has been missing since Sunday (well, that's when it was no longer where it should have been).  Bill Blaster (not his real name either), CEO, replies that he has received an email from a competitor insisting that the confidential deal the company has been working on had better not go ahead.  Blaster immediately suspects that Jack's laptop has found its way into enemy hands! Sweating profusely, Jack wakes from his sleep.  The next day the company's IT expert is asked to comment.  What would you say if you were in his shoes?

The dream is over, but for Jack and Bill, there are a few sleepless nights ahead. Why? Because they now realize that the company's preferred mail client is Microsoft Outlook. Like many mid-sized businesses, email is downloaded to local PST files. How difficult would it be to gain access to confidential files? Most users simply suspend their laptops so that they start up more rapidly, and many have automatic logon to save time. Oh, I almost forgot, this is all a dream and it would never happen like this in the real world. Right?

Today I was asked how a small business (35 employees with mobile computers) can secure the confidentiality of their email, without changing too much.  My advice: Do not store any mail locally on any laptop computer, not even in a local cache.  I suggested the use of IMAP, or better still, of web-based email.  My suggestions were initially not well received, but it seems the message has hit a home run - the company will change their email policies.  Finally information security is being taken a little more seriously.  As it happens, in the last 6 months three people lost their laptops - only one was found and returned.  Management are now most concerned to avoid information loss. Act now, before it is too late!  Review the security of your mobile information practices.  Don't wait for the horse to be out of the gate.


Wednesday, 03 March 2010 00:00

Information security is one of the most misunderstood disciplines in the modern technology world. The IT manager's responsibility to establish and maintain a secure network environment can be readily vexed by conflicting demands. Users demand simplified access controls and are inclined to breach the principles of good security by writing down network credentials such as user IDs and passwords. It is not uncommon to witness the practice of writing critically secure information on prominently displayed post-it notes. At the same time, and for good reason, there is a growing intolerance of security breaches.

An effectively secure network environment does not happen by accident - nor should a breach of security be treated as an accident. The advent of key-stroke-logging trojan malware means that basic weaknesses in the overall network environment can facilitate infestation and security breaches. These should never be accepted as a necessary evil for the sake of systems usability, or user peace of mind. Network security requires discipline. That sounds simple, but in most organizations the effective level of discipline is often much lower than secure practice standards would dictate. Let's consider the three key elements of network and data systems security: Authentication, Authorization, and Access Control.

Authentication

Ask yourself this question: "If someone were to access your on-line bank account with your username and password, is that sufficient warrant for legitimate withdrawal of your money?" - Obviously not. Likewise, the mere fact that someone may know how to access an information system with a valid set of user credentials is not enough to establish the transaction as a bona fide event. The obvious question that needs to be answered is: "What assurance do we have that the valid set of credentials is in fact being used in a legitimate manner?" An equally daunting follow-up question that every business must consider is: "Can this user be trusted if indeed the credentials presented are correct, and it has been reasonably established that the user is as claimed?"

One way of dealing with every authentication event would be to report the transaction to the organization's security officers, and in particular to report it to the user whose credentials were used.  This is an after-the-event notice, but is better than not at all.  Fraud investigation would then be tasked with any follow-up that may be called for.

Authorization

Many business network perimeter security systems rely on no more than presentation of correct credentials to permit access to the internal, supposedly secure, environment.  But how many systems adequately track and control network, systems and applications access for permitted access times? Corporate networks that permit access from the Internet should carefully track the origin of network connection attempts.  A legitimate set of credentials for a connection that originates from a far-flung place such as Camelot while the user is actually in New York should raise immediate alarm. All data and systems resource access attempts ought to be treated as a potential threat.  Appropriate risk abatement policies should be meticulously followed at all times.

Authorization can be implemented as a two-step process. Firstly, the user can be provided with immediate feedback upon being authorized to access an information resource. Secondly, the user and his/her manager may be notified of the authorization event. The second step provides a means of additional auditing and validation, and while it may not prevent unauthorized intrusion, at least it provides an avenue by which the organization can become aware of a potential felony.
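As an added illustration of the origin and access-time tracking above and of the two-step notification process (example code, not from the original column), the following monitor evaluates constructed login events against each user's expected country and permitted hours, and records the notices that would go to the user and to the manager; the user directory, log lines and the "CAMELOT" origin are all constructed sample data.

```python
from dataclasses import dataclass, field

# Constructed directory: expected origin country, permitted hours (24h), manager
USERS = {
    "jbrown": {"country": "US", "hours": (7, 20), "manager": "bblaster"},
    "clerk1": {"country": "US", "hours": (8, 18), "manager": "ops"},
}

# Constructed authentication log: timestamp user source_country result
SAMPLE_LOG = """\
2010-03-01T09:15 jbrown US accepted
2010-03-01T22:40 clerk1 US accepted
2010-03-02T03:05 jbrown CAMELOT accepted
2010-03-02T10:00 unknown US rejected
"""

@dataclass
class Decision:
    user: str
    allowed: bool
    reasons: list = field(default_factory=list)   # why access was refused
    notices: list = field(default_factory=list)   # messages to user and manager

def authorize(line):
    """Apply the access-time and origin policy to one log line."""
    stamp, user, origin, result = line.split()
    hour = int(stamp[11:13])
    d = Decision(user=user, allowed=False)
    if result != "accepted" or user not in USERS:
        d.reasons.append("credentials not valid")
        return d
    profile = USERS[user]
    start, end = profile["hours"]
    if not (start <= hour < end):
        d.reasons.append(f"outside permitted hours {start:02d}-{end:02d}")
    if origin != profile["country"]:
        d.reasons.append(f"origin {origin} differs from expected {profile['country']}")
    d.allowed = not d.reasons
    verdict = "authorized" if d.allowed else "DENIED: " + "; ".join(d.reasons)
    # Step 1: immediate feedback to the user.  Step 2: notify the manager too,
    # so an unexpected event is visible even if the user is not the real user.
    d.notices.append(f"to {user}: login from {origin} at {stamp} {verdict}")
    d.notices.append(f"to {profile['manager']}: {user} from {origin} at {stamp} {verdict}")
    return d

def review(log=SAMPLE_LOG):
    """Return one Decision per non-empty log line."""
    return [authorize(entry) for entry in log.splitlines() if entry.strip()]
```

Running `review()` on the sample log authorizes only the first event; the third shows the "Camelot while the user is in New York" case with both an out-of-hours and an origin reason.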

Access Control

After a user has been authenticated and the connection or session has been authorized, is there any further need to control or monitor what the user does? Obviously there are many situations where additional access controls are essential. For example, the janitor would not likely have good reason to access a payroll application. For that matter, a shipping clerk would not likely have good cause to access a company's HR database. These situations demand appropriate privileges that also could be carefully monitored. In the event of an access attempt that is beyond the user's privilege level, how could the attempt be rerouted to protect vital business information while not unduly alarming the person making the inappropriate access attempt?

Many organizations spend more effort considering how aversive action may impede legitimate systems use, rather than focusing on the negative impact of leakage of vital information into the wrong hands. It goes without saying that there is a justifiable need for sound policies and procedures so that information that is important to the organization, its employees, and its customers can be safeguarded and protected.


Thursday, 25 February 2010 00:47

Technology users and organizational executives need to be more involved in basic data storage and transmission decisions.

To highlight the significance of the issues consider the problem faced by George, the Director of Music for an educational organization. George tried to email a very large document to the Board of Directors. His email was rejected by the organization's mail server. The rejection message said (in part):

“The message has been blocked because it contains a component (as a MIME part or nested within) with declared name or MIME type or contents type violating our access policy.  To transfer contents that may be considered risky or unwanted by site policies, or simply too large for mailing, please consider publishing your content on the web, and only sending an URL of the document to the recipient.”

His organization's mail server had recently added filtering of all outgoing mail so as to avoid transmission of content that might be rejected by recipient sites. A month earlier someone had emailed an executable file; the mail message was rejected and their site was added to a block-list.

George had attempted to send a large MS Office spreadsheet with detailed budgetary information. Help Desk staff were able to resolve the problem. Later that day, George met the IT manager over a quiet cup of coffee to explain his annoyance over the matter.

The head of IT asked George what the importance was of the long-term ability to read and recover the information sent. George explained that so long as the file could be reliably accessed within his lifetime this would be good enough for him. The IT guy was on the ball – he asked George if this was the first incident where he could not get information into external users' hands in a timely manner and with complete format accuracy. The answer: “Oh, no! I've received prior complaints from certain board members.”

The IT guy mentioned the many factors that impinge on the policy decisions that vitally impact future generations. He related the many thousands of WordPerfect, WordStar, and MultiMate files that contain potentially important records and information the contents of which are possibly not recoverable today. George had not considered his problem from the 100,000 foot level. Suddenly he felt a passion to be involved in solving a problem that strikes at the heart of the very purpose of an educational body – the accurate transmission of information to future generations.

Information that ceases to be accessible can result in a loss of culture and of context for a whole society. Document format standards play a vital role in keeping future generations in touch with the past. Those who cannot learn from the past are bound to repeat its mistakes.


Thursday, 18 February 2010 12:04

IT Managers and business executives have good reason to be concerned about loss of vital information about their business.  Data breaches can originate from many sources.  Business intelligence that is leaked into competitive hands is just one risk among many.  Spying out the competition takes on a whole new meaning when account is taken of the prevalence of portable and mobile computing facilities and storage devices.

How easy would it be for someone who knows your company and its business to gain control of a laptop computer or a flash drive from one of your employees?  What about mobile phones?  Are any ever lost?  Have you wondered what use a stranger might make of the information that is stored or available from mobile devices?

Have you taken positive steps to secure the internet connections that your business depends on? What about the wireless networks that give executives the freedom and flexibility to move about the office - are they secured?

Business convenience and data security need not be opposed to each other; unfortunately, in many business environments today they are. Is it time for a full security audit of your company's business information?