Tekexpertise Blog

Useful Information Regarding Technology Issues


Virtualization is a very valuable technique for small and medium-sized businesses to better control IT costs and to increase IT’s reliability. Virtualization encapsulates software that would normally run on a single physical piece of hardware and creates an image of it that is separated from the physical hardware underneath. This allows multiple systems to run on the same physical hardware as if each were running on its own hardware.

There are many benefits to virtualization. This entry concentrates on three: consolidating physical systems to reduce hardware costs; quickly building test environments; and enabling a cost-effective backup and recovery strategy.

Hardware purchased today is for the most part far more capable than that bought even two years ago. The central processors are much faster and built for multiple systems; memory is cheaper; and, disk subsystems have substantial increases in capacity and access speed. All of these improvements make consolidation compelling. If an organization can consolidate two or more older physical devices into one which runs two, three or even more systems on a single device, substantial savings can be realized.

With regard to testing, in the past, organizations would have to invest in multiple sets of hardware in order to test new software, bug fixes, etc. With virtualization, it is possible to create these environments quickly to test various scenarios. It is then easy to restore the system to its original state after the test, allowing for effective tuning or debugging.

Another major benefit of virtualization is a more effective backup and recovery capability. Virtual snapshots can be taken of the total system: the software, running programs and the associated data. These snapshots can be easily redeployed in the case of hardware failure, even to a dissimilar piece of hardware. The same technique can also be used to load balance systems if multiple physical systems are available.

Virtualization software is available from several vendors, the most prominent being VMware and Microsoft. Virtualization is now a standard component of Microsoft Windows Server 2008 R2, and a free version of VMware is available as well. The more sophisticated features require the purchase of additional software components, but the free versions are a good place to start to understand the benefits and power of virtualization.

If you would like to discuss this topic in more depth, please send an email to ed.mchugh@tekexpertise.com.

This blog discusses protecting organizations from the dangers posed by spam and malware by using a three-tiered approach. The outer tier is in the cloud (the Internet), the second is at the perimeter of the network and the third is on the devices within the network.

For the first tier, a cloud-based filtering service examines incoming email and quarantines those items suspected to be spam or other malware and then delivers the remaining email. These services allow fine-tuning of the filters and delivery of email improperly quarantined.

If you have an internal email server, the filtering service acts as the front door that delivers email it deems to be non-suspicious to your email server. While there are products that scan email after it enters the network, they use your internal bandwidth, slow down your email server and use its disk space. If you are using hosted email in the cloud, you need to ensure that the hosting service is providing robust filtering as part of its offering.

The next tier is at the perimeter of the network via the firewall and/or security appliances. All firewalls stop simple attacks such as access attempts into your network. More sophisticated firewalls attempt to stop known malware from penetrating into or leaving your network. Similarly, security appliances can augment your firewall to provide protection by looking for known malware and controlling access from systems within your network to suspect sites or from sites your policies prohibit.

The last tier is at the device level: servers, desktops, and laptops. Each of these needs to be protected by a capable anti-virus product and operating system controls. Despite all the protection afforded to you by the first two tiers, some malware can still infect your devices. Innocent web sites can be hijacked and not so innocent web sites can be accessed by users causing malware to be installed. There are also threats from USB storage devices and laptops that connect to the Internet at home or other places without strong protections.

Anti-virus software is available from a number of reliable vendors and needs to be installed on every device: servers, desktops and laptops. Also, Microsoft Windows 7 offers a level of operating system protections much greater than Windows XP and this level of protection is a key reason to upgrade.

If you would like to discuss this topic in more depth, please send an email to ed.mchugh@tekexpertise.com.

Sharing and collaboration are essential to any well-run organization. There is a set of new technology tools that enable better sharing and collaboration. This article will discuss two: blogs and wikis. Each exists on a company’s Intranet, and current website software makes setting them up routine.

There have been several technologies companies have used for many years to enable cross-organizational collaboration. These include shared folders, Electronic Mail, Instant Messaging and texting, and company intranets. Each of these is a valuable tool, but they can be cumbersome to coordinate or to find valuable information. Organizations need the flexibility to share and find information to speed decision making. These tools are also valuable in breaking down communication silos.

Blogs have been on the public Internet for quite a while and many companies are using them internally as well. An author of a blog creates content and invites others to comment providing an interactive discussion of a topic. These comments can be moderated and if approved appear with the original blog entry. Blogs allow for rich content including pictures, video, audio, links to other sites or blogs, embedded documents, etc.

Blogs can be organized internally around projects, departments, the organization as a whole, etc. They provide an organized way for teams to offer ideas, draw conclusions and make decisions. They can be superior to simple documents or personal communication since the whole thread of the discussion can be kept and the logic of decision making and conclusions can be examined. Moderation of blogs within the enterprise is essential to remove off-topic and unbusiness-like comments. An important benefit of a blog is that all participants in the activity can and should participate.

A wiki is a web-based article of shared knowledge concerning a specific topic or area of expertise. An original author creates an article and invites others who have knowledge or experience in the topic to refine and expand the article. A search tool allows readers to find the specific topic. As with blogs, rich content can be included with the article to better describe the topic. In most cases, as opposed to a blog, a relatively few people will author the articles while a much larger audience will take advantage of the information contained in the articles. Wikis build invaluable knowledge bases for organizations.

If you would like to discuss this topic in more depth, please send an email to ed.mchugh@tekexpertise.com.

The smartphone market is undergoing tremendous growth and innovation. iPhones, Androids and the newly announced Windows Mobile 7 are all excellent devices. They are full-fledged handheld computers, of which the phone application is only one capability. However, their main audience is consumers. Businesses need to understand which smartphone is best for their needs.

I believe that the Blackberry should still be the smartphone of choice for many businesses at least for now. Most surveys still give them substantial market share. Blackberry’s manufacturer, Research in Motion (RIM), has built a secure operational infrastructure for Blackberries. There is a large range of Blackberry devices which run on all the major wireless networks. RIM has a Blackberry App store (though with far fewer apps available than Apple or Google). However, Blackberries are most effective for businesses when they are coupled with Blackberry Enterprise Server or Blackberry Enterprise Server Express.

Enterprise Server and Enterprise Server Express provide manageability tools that go beyond the simple email, calendar, task and contact synchronization available on competing devices. Blackberry Enterprise Server provides centralized management via a web-based console that allows network administrators to deploy and manage apps, schedule software updates wirelessly and manage user settings. Administrators can set a variety of IT policies. Users can get remote file access and access to the company’s intranet. Blackberry Enterprise Server Express is a free version of the product that is restricted in the number of users and does not have some of the advanced features of the full product, such as proactive monitoring and high-availability support. Both integrate with Microsoft Exchange, while the full product also supports Lotus Notes and Novell GroupWise.

However, the market is already changing. Motorola is coming out with a Droid Pro. Other app stores are increasingly providing interesting apps for businesses. Some businesses may be satisfied with only email, calendar, contacts and tasks synching with Exchange. End-users will increase pressure on IT staffs to support the latest devices from Apple, Google and Microsoft. There is no reason to suppose that the other devices won’t get functionality equivalent to the Blackberry servers. Therefore, Blackberries may be an intermediate solution until the inevitable increase in business sophistication comes to these other options, unless RIM makes some bold moves to make Blackberries more competitive.

If you would like to discuss this topic in more depth, please send an email to ed.mchugh@tekexpertise.com.

Within IT, Problem Management is the discipline to ensure that problems are anticipated, handled properly and documented and that changes are made to avoid or minimize similar problems in the future.

A problem can be defined as a condition or set of conditions that indicate an impending or current loss of some of the organization’s IT operational effectiveness. Problems need not be catastrophes that initiate the execution of a Disaster Recovery or Business Continuity plan. Also, in many cases, problems may not require immediate attention.

Problems can be anticipated in a number of ways. The IT staff may notice the condition while maintaining and servicing the IT infrastructure. Problems may be reported by hardware manufacturers, software vendors or in IT publications. Problems may also be anticipated knowing that the hardware or software is aging, is about to go out of warranty or conditions are happening that repeatedly slow or disrupt the business.

Proper handling of problems includes adhering to Change Management which I addressed in a recent blog entry. Problem fixes need to be handled like any change. A crisis shouldn’t lead to shoddy execution of fixes.

The “root cause” of the problem must be determined before attempting a solution. Some are self-evident; others are more subtle. There may even be multiple root causes. There is often a rush to judgment where IT staffs come to hasty conclusions and install a fix that doesn’t resolve the problem. This behavior is hard to avoid particularly when the problem is causing a large disruption.

However, it is often the case that a work-around needs to be installed to alleviate the problem until a proper root cause is determined or until a more permanent fix is available. It is important not to leave a work-around in place, since work-arounds often decrease IT effectiveness.

Documentation of the problem, the root cause and the fix or fixes applied needs to be created and maintained. This documentation should include a problem analysis, a discussion of the effectiveness of the fix and a discussion of how the process can be improved for the time when a similar problem arises. Problem trends should also be documented. Trends can be very valuable in determining what long-term improvements are required to anticipate or avoid future problems.

If you would like to discuss this topic in more depth, please send an email to ed.mchugh@tekexpertise.com.

In a previous post, I discussed the new Massachusetts Privacy Regulation covering data such as SSNs, financial account information, etc. HIPAA covers the protection of medical data.

HIPAA is a federal law that covers many aspects of health care. This blog entry covers specifically the Privacy and Security Rules for “covered entities” which are organizations that manage medical data which the law calls Protected Health Information (PHI).

As in the Massachusetts Privacy Regulation, covered entities need to create a written policy covering the use and protection of PHI, appoint a Privacy Officer to manage the policy, train their staffs on the policy and procedures, and ensure that there is sufficient management buy-in. The policy must address access, authorization, establishment, modification, and deletion of PHI. Note that staff includes not only employees but also contractors, vendors and outsourcers that have access to PHI.

The Privacy Rule covers the protection, use and proper disclosure of PHI. Disclosure is allowed in specific cases such as individuals requesting their own data or when the data is required to be disclosed by law. The covered entity can use PHI to facilitate treatment, to do billing, etc. but must take care to only use the minimum amount of data needed. Covered entities need to document how they are using PHI and allow for complaints concerning the use of PHI.

HIPAA’s Security Rule requires a covered entity to institute a security program designed to protect the electronic data containing PHI (ePHI). The rule requires that ePHI be encrypted and access to it be restricted to only those who need it to perform their jobs. ePHI must be protected from intrusion or other improper disclosure. Physical access to the hardware containing ePHI must be restricted. Written documentation of all these measures is required to be kept and updated as the infrastructure evolves. Additionally, the covered entity is required to have documented Risk Management procedures, DR plans and periodic audits.

The steps outlined in my Massachusetts CMR blog entry need to be implemented with regard to ePHI as well. Given the commonality between the two (often both types of data are in the same database), a covered entity could combine the efforts, augmenting each to meet the requirements of both.

If you would like a tutorial or consultation on how your organization can have an effective HIPAA program, please email me at ed.mchugh@tekexpertise.com.

In every technical environment, changes are inevitable. Some are simple such as applying a software update or more extensive such as replacing a part of a company’s IT infrastructure. Some changes are required to fix an issue such as new security updates or bug fixes. However, whatever the complexity of a change, certain prudent steps must be taken to ensure the success of that change and to avoid any disruptions.

These steps include:

  1. Validating that the change is important, necessary and/or will result in cost savings or major business value
  2. Creating a plan and getting the appropriate approvals
  3. Ensuring that the change is properly tested
  4. Creation of an implementation plan that details all the steps necessary and describes the back-out plan if the change fails
  5. If a major hardware component is being swapped out, keeping the old equipment in place until the new equipment is running properly
  6. Scheduling the change so that it occurs at a time that will be least disruptive to the organization
  7. Validating that the change once in production is working as advertised and backing the change out otherwise
  8. Communicating the results to management and to the affected staff
  9. Publishing the documentation describing in detail the new infrastructure

Even small organizations need to follow these steps, although in a more simplified manner than a large organization. Smaller organizations normally would rely on outside experts such as a Managed Service Provider to implement changes.

Business managers should work with IT during the process and they should not allow any changes without their permission. They should be sure they understand the value or necessity of the change. Next, they should discuss how the change has been tested, perhaps at other sites. Particularly for complex changes, business managers should ask to see the plan or set of steps that will be followed to implement the change and in particular what the back-out plan is. They should discuss scheduling of the change and ensure that the change stays within that schedule. If the change can’t be completed in the agreed upon time frame, then the back-out plan needs to be executed. Finally, IT needs to thoroughly document the change and keep a record on how the new infrastructure is architected.

If you would like to discuss this topic in more depth, please send an email to ed.mchugh@tekexpertise.com.

Internet scam artists and criminals are always looking for ways to infect computers with viruses, “root kits”, spyware, “botnets” and other harmful software. One type of attack that is occurring more and more often is commonly referred to as Fake Anti-virus or “Scareware”. The usual approach is to have a pop-up appear, sometimes from an innocent web site, declaring that your PC is infected and listing a large number of scary-sounding viruses purportedly on your PC. The pop-up will ask you to download some new anti-virus software to “fix” the problem. Of course, what really happens is that you allow a download of some very nasty software which burrows deep into your computer and is very hard to remove. To make matters worse, the downloaded software very often prompts you to pay for the malware and sometimes holds your PC hostage until you do pay.

To the untrained eye, a Fake Anti-Virus warning seems real and does cause anxiety. The criminals are very adept at faking the look and feel of legitimate web sites and products. Symantec claims that over 40 million people have been infected by scareware over the last twelve months. Criminals are earning hundreds of thousands of dollars from these scams. Typical names of these scareware viruses include Anti-virus 20xx, Virus Shield, Volcano Security Suite and Malware Destructor. There is even a recent Fake Anti-virus that masquerades as Microsoft Security Essentials.

Never download software from a pop-up claiming to be an anti-virus program. No legitimate anti-virus software is ever sold in this manner. Also, never pay for anti-virus software from a source you have never heard of. There are many reputable anti-virus firms including Symantec (also known as Norton), McAfee, Trend, etc. Always keep your anti-virus software up-to-date by ensuring that your licensing for the anti-virus software is current.

If you do get infected, immediately disconnect your PC from the network, either wired or wireless. Contact your company’s IT staff or some other reputable IT engineer if you’re not at work to remove the virus.

If you would like to discuss this topic in more depth, please send an email to ed.mchugh@tekexpertise.com.

A Virtual Private Network (VPN) is a network connection where another network or a remote PC/laptop can securely access a company’s network. A VPN connection is secure and encrypted and it mitigates the risk of unauthorized access to a company’s network and data.

This discussion will concentrate on using VPNs to connect remote PCs and laptops. Other techniques for these remote connections are available, including Remote Desktop software and Terminal Servers. However, remote desktop software requires that a target PC be available, and a Terminal Server implies that a separate physical or virtual server be available. VPNs don’t have those restrictions. However, there is a maximum number of VPN connections available at any one time.

There are different ways to create VPNs for users. Many companies use Microsoft’s VPN which comes bundled with Windows Server. However, this access method may be less secure than some other methods. Further, in many public places, such as hotel rooms, this type of VPN is blocked.

Another approach is to use the built-in VPN capabilities provided by most business-grade firewalls. These firewalls use much stronger encryption and control access better than the Microsoft VPN. However, the user needs a special program loaded on his PC and his password stored there. Most public networks prohibit this type of VPN as well and even if they allowed it, the storage of the password on a public PC would be a security breach.

A better method combines the very secure SSL or IPsec Internet protocols with a VPN and is much better in terms of security, stability and accessibility than the other approaches. These types of VPNs allow users to access not only files, but also applications. A user connects through a website generated by the firewall in very much the same way that a bank creates a secure connection for checking balances and paying bills. Not only does this method provide secure access, it also prevents the saving of passwords locally; it is not blocked by public networks; and it doesn’t require special software or a specific operating system.

Not all firewalls can provide this capability, particularly older ones. A license or software upgrade may also be required. However, the benefits of this type of access make upgrading your firewall an excellent investment.

If you would like to discuss this topic in more depth, please send an email to ed.mchugh@tekexpertise.com.

For almost all organizations, the server(s) they have are essential to their operation. Servers contain all of the business’s shared data, company-wide services such as email and often Line of Business applications. Some studies say that small businesses that lose their server(s) for more than 48 hours are lucky to survive. While there is an emerging trend to move at least some server functions to the Internet “Cloud”, many still need or want to own and operate their own servers.

Given the criticality of servers, some simple rules should be followed:

  1. Servers should be placed into a lockable room along with related equipment such as firewalls, switches and backup devices.
  2. This room should have basic environmental safeguards such as room temperatures that stay below 75° and minimum levels of dust and dirt.
  3. The room should co-exist with the incoming Internet connection(s).
  4. Servers should not be placed near any source of water. Where fire codes require sprinklers, it is best to place the equipment away from sprinkler heads if possible.
  5. The equipment should be placed on a sturdy surface, preferably in a server rack.
  6. An Uninterruptible Power Supply (UPS) should be installed with the ability to keep the key devices running for at least fifteen minutes.
  7. A reliable backup device or method should be installed and monitored. Periodically, full back-ups should be brought off-site.
  8. All wiring should be labeled and properly tied. The network wiring should be a minimum of CAT 5E, with CAT 6 preferred.

Best practices would include these additional measures:

  1. Placement of the most important production systems into a high-quality data center.
  2. Provision of a fail-over device to use when a server is not available for an extended time. Note that virtualization may be the most cost effective way to provide fail-over.

An emerging option to consider is to move at least some server-based applications to the “cloud”. That is, rather than owning physical servers, functions those servers provide (for example email) are outsourced to a cloud provider. This approach could be very cost effective when all costs, including the hidden ones, are taken into account. For more information about using the Cloud, please see my recent blog entry on this subject.

If you would like to discuss this topic in more depth or have an analysis of your current server environment, please send an email to ed.mchugh@tekexpertise.com.