Space to Watch: Hybrid Manageability

I've read the word "hybrid" so many times recently that you'd think I was at a Toyota dealership. Nope. It's "hybrid IT" I'm dealing with.

This new-ish word describes the intersection of the traditional datacenter, all this cloud stuff everyone's hyping, as well as more traditional forms of outsourced IT, like co-located servers and so forth. Hybrid IT is essentially, "all your IT stuff, no matter where it lives."

Managing and monitoring all of that "stuff" is getting tricky -- and more necessary -- as we rely more and more on "stuff" that lives outside our datacenter. There's a small but growing vendor space of companies who specialize in hybrid IT monitoring and management: Nimsoft, ManageEngine, Zenoss, Honda, and lots of others. Wait, scratch Honda -- wrong "hybrid" brochure.

Generally speaking, these tools combine traditional, on-premises monitoring tools, such as server-installed agents and probes, with specialized monitoring services for outsourced services. Some offer specific functionality for monitoring.

I'm seeing a somewhat-disturbing trend of these solutions also incorporating help desk software, and I hope those vendors are taking that step with some caution. A lot of us already have help desk software, and spent a lot of time and money deploying it, and don't have the political capital to switch to something else. A new monitoring solution should be able to work with whatever we've got in place. For that matter, a lot of us already have the "big screen" where we do all of our monitoring. Anything else we bring into the environment should support that -- not attempt to replace it. There are certainly protocols out there that would allow a new monitoring solution to integrate with OpenView, Tivoli or whatever else might already be on the network.

Still, this is a space to watch. It's evolving quickly. The early vendors are offering some techniques and technologies that will doubtless become more prevalent in the future.

Posted by Don Jones on 12/09/2011 at 11:03 AM


Forget File Server Security and Buy Me a Padlock

I was recently with a client whose CTO asked a difficult question. You see, he had been asked by his boss to start doing a better job securing company file servers and other network assets. Like many organizations, its security efforts had been a bit haphazard, and resource permissions weren't exactly in stellar shape -- there were access control entries for individual people who weren't with the company any more, it was difficult to determine who had access to what, and so forth.

His question to me, however, wasn't about the best way to fix things up. He wanted solid grounds to tell his boss no. Or at least, not right now.

You see, he knew that this security fixup was mainly being driven by hype and not by any real business need. He knew it would have to be done, but the directive was coming at a bad time given the company's other concerns and priorities. He knew that this task was going to be expensive, and he didn't want to spend that money right then.

It was kind of a shock, frankly. But I shrugged, and led him out of his office. "I'll show you a reason why locking down network security is kinda silly," I told him. "And this is true in most companies." I pointed to a laser printer, which had a stack of recently printed documents next to it. I pointed to a broken shredder, which had a huge pile of "confidential documents to be shredded" sitting next to it. I pointed to employees' desks, which had file cabinets without locks. "You can lock down the network, but your employees appear to print everything, and those printouts aren't secured in any way at all."

His face fell. Sure, I'd pointed out a reason why securing the network wasn't a high priority -- but I'd done so by pointing out a higher security priority: The real-world treatment of sensitive information.

Now, don't get me wrong -- I know the network should be secured. It's accessible from a broader range of locations and devices than the office. But our offices are rarely that secure. People "tailgate" when entering the office with their smart card badges. Custodial staff and other individuals -- often contractors -- have unfettered access to the office after hours when nobody is watching. And c'mon, doesn't it seem a bit silly to spend all that time and money locking down the network when users can just leave printouts of the same data lying around wherever?

I know, I know -- we have to secure the network. I'm not suggesting otherwise. I'm just also suggesting that we have someone look at the security of those same resources once they leave IT's control.

What's your company's policy on physical security? Do you have a locked-down network and a wide-open real world?
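The stale access control entries mentioned at the top of this post (rights still granted to people who have left) are easy to find once you know what to look for: when an account is deleted, its entries stay on the folder as a raw SID that no longer translates to a name. Here is an added example (not code from the original post) that walks a share, reports every explicit ACE, flags the orphaned ones, and summarizes who still holds Modify or Full Control. The share path is a placeholder, and it assumes it runs under an account that can read the ACLs.

```powershell
# Added example, not from the original post. Finds explicit ACEs on a file share that
# reference deleted accounts (left behind as untranslatable SIDs) and summarizes who
# still has write-level access. The path is a placeholder; substitute your own share.
param(
    [string]$Path = '\\FILESERVER\Shared'   # placeholder, not a real server
)

function Get-ExplicitAce {
    param([string]$Root)

    # Folders only: per-file ACEs are nearly always inherited and would just repeat the noise.
    $folders = @(Get-Item -LiteralPath $Root) +
               @(Get-ChildItem -LiteralPath $Root -Recurse -ErrorAction SilentlyContinue |
                 Where-Object { $_.PSIsContainer })

    foreach ($folder in $folders) {
        try { $acl = Get-Acl -LiteralPath $folder.FullName } catch { continue }

        # Only explicit (non-inherited) ACEs matter; inherited ones are fixed at the parent.
        foreach ($ace in ($acl.Access | Where-Object { -not $_.IsInherited })) {
            $id = $ace.IdentityReference
            # Get-Acl translates SIDs to DOMAIN\Name where it can. An entry that is still a
            # SecurityIdentifier (S-1-5-21-...) is an account that no longer exists.
            $orphaned = $id -is [System.Security.Principal.SecurityIdentifier]
            [pscustomobject]@{
                Folder   = $folder.FullName
                Identity = $id.Value
                Rights   = $ace.FileSystemRights
                Type     = $ace.AccessControlType
                Orphaned = $orphaned
            }
        }
    }
}

$report = @(Get-ExplicitAce -Root $Path)

"--- Orphaned entries (deleted accounts still on the ACL) ---"
$report | Where-Object { $_.Orphaned } | Format-Table Folder, Identity, Rights -AutoSize

"--- Live principals with Modify or Full Control, and where ---"
$report |
    Where-Object { -not $_.Orphaned -and $_.Type -eq 'Allow' -and
                   $_.Rights -match 'FullControl|Modify' } |
    Group-Object Identity |
    Sort-Object Count -Descending |
    Select-Object Name, Count, @{ n = 'Folders'; e = { ($_.Group.Folder | Select-Object -Unique) -join '; ' } } |
    Format-Table -AutoSize

"Explicit ACEs: $($report.Count); orphaned: $(@($report | Where-Object { $_.Orphaned }).Count)"
```

The orphaned list is the cleanup work; the second table is the "who has access to what" question the CTO could not answer. Expect individual user names in it, which is itself a finding: rights should be granted to groups so that removing someone from the group is the whole offboarding step.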

Posted by Don Jones on 12/02/2011 at 9:45 AM


Windows Server 8: 3 Reasons Why You'll Upgrade

Rolling out a new client operating system is a complex, lengthy process fraught with risk. A new server OS is less stressful, mainly because we're usually a bit happier to have multiple server OS versions running in the datacenter.

With that in mind, the Server edition of Windows 8 is something every organization should look at closely. Here's why:

  1. Optional GUI. Removing the GUI shell from Server is as easy as unchecking a checkbox or running a PowerShell command, and doing so can increase server stability, shrink the attack surface, and reduce the number of patches that have to be installed. Microsoft is on a mission to remove the GUI entirely, so Windows Server 8 is your chance to start getting used to the brave new world on your own terms. You'll rely on rich, client-side GUIs and on the PowerShell command line. It's happening. Not everyone is happy about that, but it's happening anyway. Might as well start getting used to it.

  2. Better manageability for server groups. Because much, if not most, of Windows Server 8's management is now PowerShell-based, even management GUIs (which you'll still have) can more easily manage batches of servers through PowerShell's Remoting features. Combined with PowerShell v3's Workflow feature, multi-server management finally becomes a reality. Larger organizations will truly appreciate this level of control and centralization, but you'll need Windows Server 8 pretty widely deployed to take advantage of it.

  3. Windows Server 8 is introducing what I call "foundation" features, such as the new file security model. Microsoft is finally acknowledging vastly outdated models and building in ones that are more modern and manageable. Getting Windows Server 8 in place will allow you to start reducing your overhead and centralizing both administration and auditing. Some of these new foundation features might not be ones you'll fully deploy yet, but you'll definitely want to start playing with them in isolated scenarios.
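Points 1 and 2 above fit together: the GUI shell is removed with a single cmdlet, and PowerShell Remoting lets you run that cmdlet (or just inventory the shell's state) on a whole batch of servers at once. The following is an added example, not code from the original post. The feature names Server-Gui-Shell and Server-Gui-Mgmt-Infra are those of the released Windows Server 2012; the preview this post discusses may differ. Server names are placeholders, and it assumes WinRM is enabled on the targets.

```powershell
# Added example, not from the original post. Inventories (and optionally removes) the
# graphical shell on a batch of servers over PowerShell Remoting. Feature names are
# those of the released Windows Server 2012 (assumption); server names are placeholders.
param(
    [string[]]$ComputerName = @('SRV01', 'SRV02', 'SRV03'),   # placeholders
    [switch]$RemoveShell,                                     # actually uninstall the shell
    [int]$ThrottleLimit = 16                                  # concurrent remote sessions
)

# The script block runs on every target in parallel; only the returned objects come back.
$inventory = @(Invoke-Command -ComputerName $ComputerName -ThrottleLimit $ThrottleLimit `
                -ErrorAction Continue -ArgumentList $RemoveShell.IsPresent -ScriptBlock {
    param([bool]$Remove)
    Import-Module ServerManager
    $shell = Get-WindowsFeature -Name Server-Gui-Shell
    $mgmt  = Get-WindowsFeature -Name Server-Gui-Mgmt-Infra
    $action = 'none'
    if ($Remove -and $shell.Installed) {
        # Removing only the shell keeps the Server Manager / MMC layer ("Minimal Server
        # Interface"). -Restart is deliberately omitted so the reboot can be scheduled.
        $result = Uninstall-WindowsFeature -Name Server-Gui-Shell
        $action = if ($result.Success) { "shell removed; restart needed: $($result.RestartNeeded)" }
                  else { 'uninstall failed' }
    }
    [pscustomobject]@{
        Computer     = $env:COMPUTERNAME
        GuiShell     = $shell.Installed
        GuiMgmtInfra = $mgmt.Installed
        Action       = $action
    }
})

$inventory | Sort-Object Computer | Format-Table Computer, GuiShell, GuiMgmtInfra, Action -AutoSize

# Servers that did not answer are a finding in themselves (WinRM off, firewall, or a bad name).
$answered = $inventory | ForEach-Object { $_.PSComputerName }
$ComputerName | Where-Object { $answered -notcontains $_ } |
    ForEach-Object { Write-Warning "No response from $_" }
```

Run it without -RemoveShell first to see which servers still carry the shell, then again with the switch once change control has a reboot window. Per-machine failures come back as non-terminating errors, so one unreachable host does not stop the rest of the batch.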

Have you looked at the Windows 8 Server preview yet? It's available to TechNet members, and if you haven't installed it and given it a whirl… well, that's what virtualization is for! Is it something your organization will consider? What are you looking forward to… and what are you fearing about it?

Posted by Don Jones on 11/28/2011 at 10:36 AM


Windows 8: 4 Reasons Why You Won't Upgrade

Windows 8 is likely to be released in 2012, so as 2011 starts meandering to a close, it's worth looking at Microsoft's latest offering and considering whether or not it'll make it into our organizations. Here are four reasons I think organizations will give this new OS a miss:

  1. They're just now deploying Windows 7. Having skipped Vista, dealt with Windows XP for close to a decade and finally facing the end of Win XP support, organizations are in the midst of Win 7 deployment and planning. They're unlikely to do it again for Win 8. Now that we know we can get by with a 10-year-old, extended-support OS without the world ending, Win7 will probably stick around until 2020 at least.

  2. The Metro UI. Everyone I talk to either loves it or hates it -- much like the Ribbon introduction in Office 2007. Like the Ribbon, Metro penalizes experienced Windows users the most by moving common tasks to hard-to-find new places. A Win 8 deployment means potential user frustration, retraining, and lost productivity. Is it worth the risk?

  3. Insufficient new business-class features. Apart from the perennial "most secure version ever" promise, Windows 8 doesn't really offer a ton of must-have new business features. At least in the preview we have so far, it seems heavily consumer-focused. Businesses are more inclined to go with the "if it ain't broke" mantra and skip any OS version that doesn't deliver significant, obvious advantages.

  4. Will it really run everything? Microsoft says Win 8 will be Win 7-compatible -- but most companies are still concerned about Win XP compatibility, ideally without using desktop virtualization. Win 8 is still too early to test for compatibility, but the concern alone will slow down a lot of businesses' interest and adoption.

This just refers to the client edition of Win 8; the Server operating system is a bit of a different situation and I'll write about that in an upcoming post. But regarding the client, what are your thoughts? Is Win8 something your organization will at least look at? Based on what you've seen so far, does it stand a chance in your organization?

Posted by Don Jones on 11/18/2011 at 11:00 AM


Windows 8: 4 Reasons Why You'll Upgrade

It isn't exactly around the corner, but Windows "8" (or whatever it's finally called) will be here before you know it. Here are four reasons I think most organizations will give it a serious look:

  1. It's pretty cross-compatible with Windows 7. That means there should be less resistance to having a mixed 7/8 environment, so as new computers enter the organization pre-loaded with Win 8, there will be less reason to just blow them away and install Win 7.

  2. It uses less memory. Every indication is that Win8 will use just over half of the RAM Win7 uses to start up, which is a fundamental performance gain. That means users will be able to use more of their computers' memory for their applications.

  3. It's a win for tired users. Let's face it, our users aren't exactly in the best of moods, what with the economy, cutbacks, and so forth. Strategically deploying a shiny, new OS is a way to liven up their lives a bit.

  4. The new "reset and refresh" functionality should help meet a critical IT need, making it easier to wipe and restore systems back to a baseline state when needed. This could be a significant time-saver for IT.

This just refers to the client edition of Win 8; the Server operating system is a bit of a different situation and I'll write about that in an upcoming post. But regarding the client, what are your thoughts? Is Win8 something your organization will at least look at? Based on what you've seen so far, does it stand a chance in your organization?

Posted by Don Jones on 11/16/2011 at 10:58 AM


Why Is Auditing Such a Pain?

At Microsoft Tech-Ed 2010, I moderated a roundtable discussion on Active Directory auditing, although the discussion sometimes spun off into auditing things like Exchange, SQL Server, SharePoint and the like. One thing we all concluded was that, simply put, auditing sucks.

The computing power needed to produce detailed audit messages across a wide range of possible events is non-trivial, leading many organizations to forgo auditing certain things just to preserve workload capacity. How messed up is that? Organizations have spent years of time and millions of dollars building their own auditing systems. Of course, there's a robust third-party market in auditing solutions, all of which take different approaches and all of which claim to be the best. Where's a decision maker to turn?

Based on that Tech-Ed discussion, as well as some recent conversations with clients, I'm trying to wrap my head around some of these issues -- and I'd love your feedback. There's a very quick, five-question survey that you can take to help me see where folks stand on some key differentiators. At the end, there's also an opportunity to provide even more detailed feedback through a phone or e-mail conversation with me. If you can spare 15 minutes for a call, I'd certainly appreciate it, no matter what size organization you work for. I'll summarize the results -- this may be a paper rather than a blog post here, but I'll make sure you get a copy either way.

Posted by Don Jones on 11/08/2011 at 12:39 PM


Mobile Devices Part 4: More Than Just the Device

There's a whole new world coming for the IT decision maker, and it isn't just which Android handset you're going to adopt as a corporate standard.

IT is increasingly coming under pressure to support the business' communications capabilities. In the past, this often meant being responsible for the office's broadband connection, and perhaps negotiating VoIP services. Now, wireless communications and data plans from cellular carriers are getting into the mix.

In some organizations, IT is already handling wireless carrier contracts, and it may have been doing so for some time. But many companies (including several clients I'm working with right now) have never really paid for wireless service, or they've had a sort of informal arrangement with several employees to just pay all or part of the cellular phone bills. In some cases, the company will just negotiate special rates with a carrier, and offer those to employees as a sort of added benefit, while staying out of any ownership of the actual contracts.

But as mobile devices continue to become a formal, supported part of the IT landscape, organizations have to take on the heavy and often-confusing responsibilities of managing carrier contracts. And that means you're going to need to start being more informed. How much data do your employees use, on average? How many calls are they making? What sorts of applications are they running, and how will those affect their data usage?

Right now, most organizations have zero tools for answering those questions, and those organizations should stay away from carrier contracts for as long as they can. But you're going to need to get those tools, because the time likely will come that your organization will be paying for voice and data charges. When that day does arrive, you'll want to be informed.

What's your organization's take on wireless contracts? Do you provide them to employees now, or plan to do so in the future?

 

Posted by Don Jones on 10/21/2011 at 9:20 AM


Mobile Device Part 3: The New Malware Gateway

Invent something cool, something fun, something useful, and someone will find a way to ruin it for everyone.

That's what malware has repeatedly done for computers, for the Internet, for e-mail, and for anything else it can latch its ugly hands onto. We've responded with suites of anti-malware software, designed to catch phishing attempts, stop viruses and spyware, and much more.

Now our smartphones are at risk.

No, we're not really seeing traditional viruses, which for a variety of reasons don't yet make sense on a smartphone. But we are seeing an increasing number of e-mail and Web-based attacks that phish for information, direct users to malicious Web sites, and more. Regardless of what you allow your users to do with their mobile devices on their own time, what comes through the corporate e-mail server is your concern, and the risk of data loss is also your concern. It's not impossible -- or even difficult -- for phone-based malware to harvest users' contact lists, which would include business contacts. Phishing Web sites can easily harvest business credit card numbers, login accounts, and more.

We can fight the e-mail vectors in the normal fashion, by having our e-mail servers act as a secure bastion. Scanning and filtering tools become even more important than ever. But protecting users' smartphones against Web-based attacks is trickier, because they won't always be passing through our corporate firewalls and gateways.

There's an emerging vendor space for tools designed to help us protect mobile devices when they're off the corporate LAN, and it's also time for us to consider a sit-down, heart-to-heart talk with our users. Yes, training. Let's haul everyone into class, show them some real examples of phone-based malware attacks and help them learn to recognize the signs. Test them. Heck, make a game show out of it. Here's an e-mail -- is it safe to poke the link with your finger or should you tap the trash can icon instead? Here's a Web site -- what would you do to check its validity?

If users want to be issued a corporate smartphone, or even want to be able to have their personal device access corporate resources, make this half-day class mandatory. Make yearly refreshers mandatory, too. For many organizations, that won't be a problem: Companies that use heavy or specialized machinery, for example, are long-accustomed to periodic re-certifications for their employees. If a smartphone isn't a "specialized device," what is?

Does your company have a plan for helping your users combat mobile malware? What would you suggest for other readers to consider?

 

Posted by Don Jones on 10/14/2011 at 9:25 AM


Mobile Devices Part 2: It Ain't About the Business

I can't remember a time when IT decisions were being driven more by users' love of gadgets than is the case with today's smartphone landscape.

Yeah, I guess in the past you'd always have a user or two who wanted a specific Dell laptop because it had a new-fangled DVD burner, a bigger screen, or whatever. But for the most part, users' preferences could be easily accommodated by a corporate standard. Not so with smartphones.

I've never liked the term "PC" when it comes to business computers. It isn't your personal computer, it's the company's computer. Call it a CC or a BC (Business Computer), but it certainly isn't personal. I'm going to configure it, lock it down and do whatever else the business wants me to do with it. You'll take the model you're given, and you'll like it, because you didn't have to pay for it.

Try pulling that off with a smartphone.

Yes, we're getting away with that in the BlackBerry space. Research in Motion was the first to produce business-friendly smartphones, and in a lot of ways it's still doing the best job. But a phone is a bit more personal. Users are carrying it around outside of work, and a lot of them don't want to carry two or more devices. So they're asking to use their iPhones, or asking the company to buy them an Android handset or a Windows Phone 7 device. More and more businesses are finding it difficult -- or even impossible -- to keep those "unofficial" devices out, and plenty of companies are just letting users pick whatever device they want. Increasingly, the "business computer" argument is falling on deaf ears. It's like we live in a free society or something!

Some organizations will find it necessary to fight this trend, and to stick with a single, business-sanctioned device. There are obviously industries and organizations where that makes sense. Others, feeling the pressure from their users to offer cooler gadgets, will decide to open the field a bit and see what happens. It is, if nothing else, an interesting time, as the concept of the "Business Phone" gives way a bit.

What are the policies in your organization? What's coming in your future? Will you stick with a standard, or let users choose? Or do you plan to just stay out of the smartphone market entirely and rely on your BCs to handle your users' official computing needs?

Share your thoughts in the comment section below or reach me at ConcentratedTech.com.

Posted by Don Jones on 10/11/2011 at 9:24 AM


Mobile Devices Part 1: Are You a Betting Decision Maker?

More than a decade ago, Microsoft Windows became the best and safest bet for a client operating system. The old "nobody ever got fired for buying IBM" sort of transformed into "nobody ever got fired for putting Windows on the desktop." Today, despite the availability of alternatives, Windows is still the best bet for most business desktops. Yes, we'll probably always have a little Mac or Linux or something running around on the sidelines, but for most organizations there's little downside in not having a homogeneous desktop environment.

Not so with mobile devices. Sure, Blackberry remains a popular choice for businesses -- but the company's future is far from assured. The growing consumerization of the mobile device marketplace means that users aren't always satisfied with Blackberry's offerings, and they're increasingly wanting to bring their own smartphones onto the network. Some organizations are evaluating Android handsets, iPhone models, and Windows Phone 7 units to see which one they want to adopt.

That's a mistake.

You can't afford to adopt and support just one. Unfortunately, no matter what you think of any of these devices, the smartphone industry is the furthest thing from stable. Patent wars, hardware fragmentation, a volatile developer market -- everything's playing against a decision maker's instinct to make a decision. Today's "perfect" business smartphone could be tomorrow's lawsuit victim, forcing you to abandon your "corporate standard" phone.

Right now, smartphones are a lot like your investment portfolio: You need diversity. Yes, that will cost more to manage, but it's what's best for your business. Look at a variety of devices, and look for cross-platform management tools that will help make managing them easier and more efficient.

I'm curious, what devices does your organization permit? Are any of them "officially" supported, as opposed to being "unofficially tolerated?" Is your organization trying to standardize on a single platform -- and does all the volatility in this marketplace worry you?

Share your thoughts in the comment section below or reach me at ConcentratedTech.com.

 

Posted by Don Jones on 10/07/2011 at 9:23 AM


Space to Watch: Mobile Device Management

At TechEd 2011, Microsoft announced that System Center would begin supporting mobile device management, including management of Apple iOS and Google Android devices. I couldn't be happier with that news, and it's an area where IT decision makers should be paying close attention.

Mobile devices represent one of the biggest changes to hit the corporate IT landscape since the personal computer. Even laptops weren't as big of a deal, because they were really transportable more than truly mobile, and because laptops could be managed using pretty much exactly the same techniques as desktops. Mobile devices, on the other hand, are always-on, always in users' hands, and are being used for a wider and wider variety of business tasks.

Mobile devices are harder to manage because, in many cases, they aren't well-built for management yet. iOS and Android, in particular, have pretty minimal enterprise management capabilities; Windows Phone 7 benefits from a decade-long effort in mobile operating systems and Microsoft's experience in the endpoint management space.

Try as you might, you will not keep mobile devices out, nor will you keep them disconnected from your network and its services. Not for long. The business will demand they be made a part of the landscape. Unfortunately, few major vendors -- until Microsoft's System Center announcement -- have really tackled this space. I'm proud of Microsoft for recognizing that they're not going to own the mobile device space the way they do the desktop space, and for making a strong effort to cement control of the back-end and provide us with the management we need for mobile devices.

But keep an eye on this space. Other, smaller vendors (Sophos, Tangoe, Zenprise, Averna, and tons more) are making an effort to lead it. You don't need to rush out and buy anything right away, unless your business is really experiencing the pain of managing these devices already, but you do need to watch it. Future IT decisions -- even those which seem initially unrelated to mobile devices -- need to be made with mobile devices in mind. For example, perhaps you're considering a single sign-on identity management solution -- make sure it supports mobile devices as a logon endpoint.

After years and years of false starts, smartphones and other mobile devices are here to stay. Don't think for a moment that your device inventory will be as homogeneous as your desktop OS; we'll be dealing with a variety of devices to take advantage of their various strengths. Start thinking about what kind of device management your business needs, and let that drive your technology decisions.

Posted by Don Jones on 06/28/2011 at 2:31 PM


Why Most IT Departments Are Modeled After a DMV (Even Yours!)

You don't meet a lot of people who think their state's Department of Motor Vehicles (DMV -- or whatever it's called where you live) should be a model for how to run business. Don't get me wrong -- the Nevada DMV, where I live, is pretty awesome as far as DMVs go. But still. Long lines, arbitrary rules, surly employees who delight more in saying "no" than "here's your license, sir/ma'am."

Yet thousands of companies across the world are using a government agency as their model for how to run IT.

Campaign rhetoric aside, governments have a bit of a vested interest in slowing down change in the way government works. Governments are meant to be stable, reliable and predictable -- and change opposes those goals. When governments change, they do so very slowly, after much public and political debate, and after many periods of review and comment. Governments rarely have to worry about being first to market, since they kind of have a monopoly on governing. Governments don't seem to have any motive to maximize their profits or minimize their losses. Governments, in short, can afford to not pursue change too avidly.

Business, on the other hand, needs the ability to change rapidly. A new technology comes along that can double your margins? Use it. A new product offers the ability to reduce IT overhead? Get it. New techniques reduce downtime by half? Adopt them. Businesses -- good ones, at least -- thrive on change.

So why are so many businesses running themselves like a government agency? Four letters: ITIL. Yes, the Information Technology Infrastructure Library, the IT management framework you've all heard of and may even be using. Created by the United Kingdom's Office of Government Commerce, a department of the UK government.

No, I'm not trying to beat up on ITIL. It's actually a pretty solid, comprehensive framework for managing IT. Given that most of us weren't doing much better of a job, ITIL offers some universal structure. My problem is that ITIL pretty much abhors change. No, not on paper -- on paper, ITIL manages and controls change. In practice, IT organizations use ITIL as a blunt instrument to halt change.

Let's face it, IT loves saying "no." As far back as the earliest days of computers in academia, the robe-wearing dungeon-dwellers known as "sysadmins" reveled in telling people "no." No, you can't have more computer time. No, you can't have more punch cards. No, you can't touch that. We had (and still have) good reasons: Users break things. If it weren't for users, nothing would ever break. Our job is to keep things running, and users are the enemy of that goal. We also hate change, for exactly the same reasons: Change means broken things, and more work for us. With all those users running around, we're not exactly short of things to do, so change is just another unwelcome burden. A new application? No. A new server? No. New domain? No.

ITIL and other IT management frameworks can take our genetic tendency to say "no" and codify it. "You want a new application installed? Well, you're going to have to go through the Change Management Process." Dilbert's pointy-haired boss couldn't have come up with anything better. Users who ask for the simplest things can be told "no," simply because the Rules support that position. Worse, in many companies, admins who step out of the change management framework to help a user with something small are chastised, written up, and put at the bottom of the list for promotions and interesting projects.

Yes, we absolutely need to manage change -- which is what ITIL is all about. We don't need to bury change, which is what too many organizations use ITIL -- and frameworks like it -- to do. Take a few minutes and evaluate your IT team to see if you're using your change management process as a codified way of saying "no." Simple, obviously non-destructive changes should have a way of being expedited in your organization. Remember, IT is there for the business, not just to follow the rules in a framework. Managing change is something we do because it is allegedly good for the business; when the framework isn't helping the business, consider changing the framework a bit.

(For the record, I really do like ITIL -- when it's implemented with common sense and an eye toward what the business really needs).

Posted by Don Jones on 06/21/2011 at 2:30 PM


Do You Need a Security Buddy?

In early June, Citigroup acknowledged yet another major breach of confidential customer data. It was the 251st such public notification this year, and could put us on track to exceed the 597 improper disclosures from schools, government agencies, and businesses in 2010.

According to an article in USA Today, cybercriminals are now "actively probing corporate networks for weaknesses," and businesses face particular pressure to let the public know when they've been hacked. Citigroup, in fact, was criticized by US Representative Jim Langevin for taking a month to notify customers after noticing the most recent breach, which was discovered during routine monitoring. Customers' names, account numbers, and e-mail addresses were all compromised.

Citigroup joins major global companies like Sony, Epsilon, Nasdaq, PBS, Google, RSA, Lockheed Martin, L-3 Communications, and Northrop Grumman in being the victim of a cyberattack. Companies are more forthcoming about breaches due in part to data-loss-disclosure laws that are now in force in 46 US states. Public companies must be especially up-front with such disclosures: Data breaches can obviously create a negative impact on business, and failure to disclose such impacts can be a violation of SEC rules and invite shareholder lawsuits.

A recent survey by Ponemon Institute and Symantec estimates that data breaches cost, on average, $7.2 million to put right – and those costs continue to climb. They're in addition to fines and fees imposed by industry groups and government legislation, making data breaches tremendously expensive.

Let's face it: We tend to give a lot of lip service to security, but you and I both know that most organizations' security, under the hood, can be pretty haphazard. Are all the permissions on your files and folders truly accurate? Group memberships all up to date? Are you sure? Is your firewall configured properly – no unnecessary holes? Is the software up-to-date?

Look, having security flaws is almost unavoidable, simply because most products' native tools do a very poor job of letting us manage security. Go through every object in Active Directory and tell me if it has the correct permissions. Go ahead, I'll wait. You'll be a while if you're using Active Directory Users and Computers to check. Even Windows PowerShell offers fairly primitive tools for monitoring and modifying permissions, in part due to the highly-distributed and extremely-complex permissions structures that Windows products tend to use.

But the newspaper headlines make it clear that we'd better get on the ball. In general, you're going to need to implement three broad capabilities:

  • Protect. You need to be able to apply the proper permissions to resources and the proper configuration to the security elements of your infrastructure, and to maintain those settings over time.
  • Inspect. You need the ability to continuously monitor and audit your environment to ensure that the proper permissions and configurations are in place.
  • Detect. You need proactive monitoring and alerting to let you know when a problem does occur, so that you can take remediation steps and make the proper disclosures.

In many cases this is going to require the use of third-party tools from independent software vendors (ISVs). I know, nobody likes to spend money on those things. But you're not going to be able to write a PowerShell script that does it all – much as I wish that were the case. In many cases, you'll need software that gathers distributed permissions and configuration information into a single place, analyzes that to produce reports, and uses that to generate automated alerts when necessary.
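To make the Inspect step concrete, here is an added example (not code from the original post) that walks one OU and reports every explicit Allow ACE whose trustee is not on an approved baseline. It assumes the ActiveDirectory module (RSAT) is installed; the OU path, domain and trustee names are placeholders for your own environment.

```powershell
# Added example, not from the original post: a minimal "Inspect" pass over one OU.
# Assumes the ActiveDirectory module (RSAT); OU, domain and trustee names are placeholders.
Import-Module ActiveDirectory

# Constructed baseline: trustees that are allowed to hold explicit (non-inherited) Allow ACEs.
$ApprovedTrustees = @(
    'NT AUTHORITY\SYSTEM',
    'BUILTIN\Administrators',
    'CONTOSO\Domain Admins',        # placeholder domain
    'CONTOSO\Enterprise Admins'
)
$SearchBase = 'OU=Servers,DC=contoso,DC=com'   # placeholder OU to audit

$findings = foreach ($obj in Get-ADObject -SearchBase $SearchBase -Filter *) {
    # The AD: PSDrive exposes each object's security descriptor by distinguished name.
    $acl = Get-Acl -Path ("AD:\" + $obj.DistinguishedName)

    # Owner is a frequently overlooked right-holder; flag it when it is off-baseline too.
    if ($ApprovedTrustees -notcontains $acl.Owner) {
        [pscustomobject]@{ Object = $obj.DistinguishedName; Trustee = $acl.Owner; Rights = 'Owner' }
    }

    foreach ($ace in $acl.Access) {
        # Inherited ACEs are evaluated at the object they were set on, so skip them here.
        if ($ace.IsInherited) { continue }
        # Deny ACEs do not grant access; only unexpected Allow entries are drift.
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($ApprovedTrustees -notcontains $ace.IdentityReference.Value) {
            [pscustomobject]@{
                Object  = $obj.DistinguishedName
                Trustee = $ace.IdentityReference.Value
                Rights  = $ace.ActiveDirectoryRights
            }
        }
    }
}

# Anything unexpected is a report line now and an alert once you wire this to a scheduler.
if ($findings) { $findings | Format-Table -AutoSize } else { 'No unexpected explicit ACEs found.' }
```

Running this across an entire forest, keeping the baseline current, and storing results for trend reporting is where the in-the-box tooling stops and the author's point about purpose-built software begins.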

Yes, I realize that "you've never been hit." I'm sure Citigroup, Sony, and PBS felt the same way – and they got hit. Hard. Sony alone lost millions by having to take their network offline for weeks, not to mention the public relations disaster. And that was one attack. Oh, "you're not a big company, so you're not a target?" Sure, not yet. But you will be, once attackers figure out that you too have a few thousand bits of interesting information on your network and that you're a much easier target than Citigroup or Lockheed Martin.

It's probably time to give your security a quick review. Take your honest opinion to your executive team, along with a proposed plan to put things right. Have your numbers in place: This is what it's going to cost us, and this is what we stand to lose if we don't. Be able to explain why you can't fix it on your own – including, if necessary, a brief demo of why permissions and configurations are difficult to monitor and manage using the in-the-box tools. Most executives simply don't realize how difficult it is, so you'll need to educate them.

Be a security leader.

Posted by Don Jones on 06/13/2011 at 10:22 AM


Which Network Admins Bring Real IT Value?

There are two ways to judge the value of an IT professional -- specifically, administrators, network engineers and so forth.

The first way is to watch how they handle crises. Anytime something goes wrong is an opportunity to see how well an admin knows the technologies they're working with. In order to troubleshoot and fix something, you need to know how it works, and you need to know how (and from where) to collect diagnostic information. Admins who jump right into the job, start running diagnostic tools and quickly start eliminating possible causes are the ones you want to retain. Pay them a lot, because they're hard to find. Notice that I didn't emphasize how quickly they solve the problem. That's important, but it's largely a function of how quickly they can eliminate potential causes of the problem and narrow in on the one that's causing the issue.

The second way is to see how they handle day-to-day tasks, especially boring and repetitive tasks. Do you have admins who are still clicking next-next-finish in a wizard, for a task they've completed thousands of times before? If so, carefully consider something: Are you actually paying someone to run through a wizard in order to complete day-to-day tasks? Really? Button-clicking is the value they bring to the team? Only in the Microsoft IT world would someone even consider answering "yes" to those questions. I'm not talking about unusual, once-in-a-while tasks. Even in the Cisco world, the Unix world, the Linux world or the AS/400 world, administrators have to look up syntax or use a GUI for tasks that they perform only rarely. That's the benefit of a GUI: It can walk you through unfamiliar tasks. But for the everyday tasks, you'll find Unix admins in a Bash shell, Linux admins in a Bourne shell, Cisco admins at the IOS command-line and AS/400 operators running CL commands. The value of an admin for day-to-day tasks isn't that they can complete them by clicking a few buttons. The value is in an admin who can automate those tasks from the command-line. Wizards are for end-users, not for experienced IT professionals.

Things are going to start getting harder for "wizard jockeys." While Microsoft isn't going to eliminate GUIs by any stretch of the imagination, those GUIs are going to be less-emphasized, especially for day-to-day tasks. As organizations move select IT assets into hosted platforms (okay, call it "the cloud"), being able to manage via command-line, and able to automate repetitive tasks, is going to become a more crucial skill. I'm betting that Microsoft will eventually drop the GUI on the server OS entirely, making us rely on client-side GUIs and on the command line. Much of Microsoft's future directions are clearly indicated by technologies like Windows Remote Management (WinRM) and Windows PowerShell, which further emphasize the command-line.

It's time to start evaluating your team, educating them on new management techniques (well, new to the Windows world -- everyone else has been using them for decades), and letting them know that "next-next-finish" isn't going to be considered a value-add for very much longer.

Posted by Don Jones on 06/07/2011 at 9:04 AM


Are You Running Your IT Shop Like a Caveman?

I'm finally back from TechEd North America 2011, following a brief stop in Denver and Seattle to promote my new book. My final session at TechEd was a Birds of a Feather discussion on Active Directory change auditing. There were around 50 IT pros and managers in the room, and there were some revelations that, to me, were truly astounding.

One gent said his company pretty much had auditing figured out. They consolidated their event logs into a single database, knew how to report from that database, generated near-real-time alerts from it, and so forth. This was all done using a home-grown solution, too – zero cost! Well, not zero. That solution has been under development and maintenance for 10 years. A decade. In terms of manpower, that has to have cost that company something like a million dollars (literally) in total.

Other folks aren't so fortunate: They don't have the resources for that kind of home-grown solution, so they're cobbling something together themselves. We talked about using Microsoft Audit Collection Service (ACS; hardly free since it requires you to buy System Center Operations Manager, but if you already have SCOM then ACS is at least bundled). We talked about Windows Server 2008 R2's event log forwarding capability (which nobody was using in production). We talked about third-party solutions, too, and the one common thread is that almost nobody in the room could buy a third-party solution. Images ran through my head of IT pros pounding away at stone tablets using stone hammers, huddled around a campfire in front of their cave. I mean, the sheer primitiveness of what these folks were being asked to do – all so the company could save a few bucks.

The highlight of the hour was when one fellow mentioned that his company wanted him and his team to provide auditing details about some specific event. "We couldn't do it," he said, "because we hadn't been capturing that information." I asked if they subsequently started capturing that information. "No," he told me, "we didn't. Cranking up that level of auditing on our domain controllers was a performance nightmare. We would have needed more DCs to spread the load, and nobody wanted to pay for them. So they just can't have what they want."

Finally, some reality: Everything in IT costs something. It either costs time, or it costs software, or it costs hardware. Sometimes, you can only purchase something in hardware or software – simply throwing time at the problem won't help. The fellow's situation was a perfect example: They knew how to capture what the company wanted, but the cost would have been more domain controllers. Weirdly, companies are often hesitant to buy hardware or software, but they're willing to spend time as if it springs from a never-ending supply.

Here's a little IT truth for you: Time, hardware, and software all cost about the same thing. That is, having your own on-staff developer produce a solution will cost about the same, in the long run, as buying something ready-made (provided what you bought will fill your need in the same way a custom solution would). If your developer has nothing better to be doing, then you spend time and have the developer write the solution. If your developer could be working on something that isn't available prepackaged, then that's a better use of that time – since buying software isn't an option in that case.

Here's another little IT truth: Admins aren't developers. You cannot have an IT pro produce something that would otherwise be available as third-party software without spending a lot more in the long run. You'll spend it in time, but you'll spend more.

I don't know of a single major company that would rather have their administrators custom-build servers using white-box parts from NewEgg or TigerDirect. Servers come from HP, or Dell, or IBM, or someone like that – even though that hardware costs more than the home-built version would, and even though that high-end hardware might have the same specs on paper as the DIY version. Why is this? Because the pro-made hardware is usually a better value in the long run. It's better-made, better-configured, and better-supported. So why do those same companies ask their IT pros to build hacked-together, DIY, scripted "solutions" to things like change auditing, rather than buying pro-made software that's well-made, supported, and so forth? It boggles my mind.

Posted by Don Jones on 05/31/2011 at 3:21 PM