IAM Profitable: Get Your Piece of the IAM Market

If you’re an MSP or an IT service provider, then you’re involved in a business model that’s always looking to improve its offerings and increase its bottom line. With the global IAM (Identity and Access Management) market increasing at an explosive rate, being able to offer authentication and password management isn’t just a smart move, it’s also a safe move!

How is offering IAM a safe move?

With stricter security compliance requirements being laid down by nearly every industry, country, and state, and with high-profile security breaches, like Home Depot, seeming to occur every month, businesses everywhere are finally opening their eyes to the risk their outdated password and security protocols pose.

This means that there is a definite need for these solutions, so the investment itself is safe. Also, having such a solution in-house is in itself a “safe” move. The market demand for IAM is due to the risk breaches pose. If you’re going to offer a way to mitigate that risk, why not take advantage of it yourself, and gain the same benefits you provide your clientele.

How is offering IAM a smart move?

If you can capitalize on potential customers’ need to update their security and authentication, then there is a lot of profit to be made. The key to doing so is differentiating yourself from your competition, and to accomplish this, you need to find an IAM solution.

What should you look for in an IAM solution?

There are innumerable small features that are nice to have; however, there are really five key things you should look for first: comprehensiveness, cloud compatibility, multi-tenancy, vendor support, and the ability to integrate with your existing infrastructure.

Comprehensiveness

It’s not the number of tools you have that matters, it’s how effectively you’re able to use them. Many IAM products on the market these days focus only on a few aspects of the entire process. To find a winner, the IAM solution you decide upon should cover all the aspects your clients are facing, whether they require stronger authentication, password management, or even user auditing. As an added bonus, having fewer moving pieces (programs) decreases the chances of encountering a conflict when you’re setting up the solution, for yourself or your customers.

Cloud Compatibility

Systems that work in the cloud avoid one of the most difficult hurdles faced by service providers trying to provide IAM services: managing the internal servers. Moving to the cloud effectively puts those servers at an equidistant point from both the provider and the client. This makes the whole process that much simpler.

Multi-Tenancy

With multi-tenancy, you can easily separate the data of each client and yourself, while working within a single installation. This is absolutely critical for an MSP or IT professional providing password or security services to multiple clients. Multi-tenancy is designed for MSPs rather than end-users, eliminating the need for multiple installs and making the management process more efficient.

Vendor Support

When your client needs something quickly, you’re going to need some help unless you know everything about the solution you offer. While knowing more is always good, sometimes questions will elude you, and at that point you’ll be glad your vendor is available for some help, support, and insight.

Integration with Existing Systems

If you already have a number of systems in place that do various things, wouldn’t it be ideal if your new IAM solution integrated nicely with them? Whether it’s Kaseya on your network, or Office 365 on your clients, having an IAM solution that works with what you have is great, and if it’s designed to work with those products, then that’s even better.

If your clients (and potential clients) are looking for a solution to their security and authentication problems and you’ve gone with the wrong solution, your clients will be disappointed with the results. You will face an uphill battle of implementing new protocols and dealing with systems that just don’t make sense for you or your client. With the right solution you become the expert, an invaluable resource to your client. You become their solution, and then you’re able to easily resell the software because they will spread the word of how well it works for their needs.

High-profile security breach scandals are hitting the press with alarming frequency, and compliance standards are advancing at a pace that organizations simply can’t keep up with. Companies found in non-compliance could face fines or lose access to valuable industry resources. If your business is able to offer solutions to these problems, then clients will be handing money to you in an attempt to make their problems go away. Your bottom line will move up just that much higher.

Now, before you go off full of hope for an increase in profit, looking for Identity and Access Management solutions for your business to offer, let me throw another factor into the mix. If you’re reading this blog on the Kaseya website, then you’re likely a Kaseya customer. If you are, or you’re interested in becoming one, it is important to ensure that the solution you choose supports a Kaseya integration. Kaseya AuthAnvil is one such solution. Their suite fulfills the requirements set above, and offers single sign-on, password management, multi-factor authentication, and many other useful features. So, if you’re looking for a Kaseya-optimized IAM solution, there’s no better place to start.

Author: Harrison Depner

IT Management Community Participation Extends Knowledge and Adds Value

This week I attended a Kaseya “Local Meetup” event in Waltham, Massachusetts, and it struck me again just how important it is to have a strong IT community. In the Meetup evaluation forms, virtually everyone who attended said that sharing ideas with like-minded people was a key benefit to attending the event. Without exception, everyone left the meeting with new contacts and friendships in the IT management community.

A few things about the meeting really hit home:

Tips and Tricks:

Kirk Feathers, a leader in the Kaseya technical community, led a “Tips and Tricks” session, sharing interesting and innovative approaches to maximize the usage and benefit of IT management tools, both from Kaseya and its partners. Everyone in the room chimed in, asking questions and offering their own insights. Copious notes were being taken. And more than once, two or more people set up follow-on conversations on particular topics.

Collaboration Groups:

Establishing collaboration groups is a great way to stay in touch and share information. Chris Anderson, Director of Managed Services for Infranet Solutions in Quincy, Massachusetts, shared a great story about collaboration groups. I met Chris earlier this year at “Kaseya Connect,” our annual user conference. During his three days at the event, Chris made it a point to build out his community contacts to the point where he is now part of a formal group which is sharing automation scripts. Using existing scripts and creating new ones is key to efficiently and effectively managing large numbers of endpoints. Chris tells me that the collaboration group’s sharing of ideas and actual scripts is substantially improving their speed-to-automation.

Feedback and Input:

Mads Srinivasan, product manager for Kaseya’s mobility management solution, shared the latest mobility management development work, complete with a demonstration. The purpose was to obtain feedback and input from the group on the features and presentation layer. The session had a good 30 minutes of excellent feedback and suggestions. Mads had an ulterior motive in that he wants 100 beta customers to test out the latest work; virtually everyone in the room signed up.

Time before and after the event was reserved for networking and everyone took advantage. People had a chance to meet the many Kaseya leaders who were present, but more importantly, they built out their IT management community connections. By the end of the event, business cards were swapped, and emails were exchanged all around.

This experience also reinforced the importance of the “Kaseya Community” program, which includes sponsoring these local Meetups, forums for sharing, event postings, etc. All Kaseya users should join to share information and learn about the latest happenings.

Author: Tom Hayes

Product Design in the IT Management Cloud Era

I think many of us are more aware of the impact of product design than ever before. Recently, you may recall that the rounded edges of the iPhone 6 were widely considered newsworthy, even by mainstream television media! Apple has a long history of setting styles for product design and striking a balance between style and usability.

The advent of smart phones and tablets has resulted in millions of user-friendly apps being made available to the consumer market. As a result, there’s a lot of interest in work applications that are just as easy to use. Software for the IT management market is an area where applying modern product design principles can yield significant productivity and value for the companies using these products.

So what are the design principles that you should watch for as the next generation of IT management tools arrive? From a functional perspective, products need to help you centrally command your infrastructure, manage remote and widely distributed environments with ease, and automate everything. To deliver against these key functions, IT management products need to evolve based on the following four design principles:

Mobile First.

All aspects of the product should be designed so they can be used from a tablet or mobile phone – even if they will be used in a browser. By meeting this goal, it will be easy to deliver them within a web UI on a laptop or desktop. This is often described as Responsive Design. Basically, this means that what is available in the UI and how you interact with it will adapt to the form factor of the device you are using. If you have a laptop or tablet, you can expose more features. On a small device such as a mobile phone, navigation and other information is available, but not in your way. Another important aspect of a mobile first approach is to make sure that the apps have a native feel – so the iOS, Android and Windows apps should look and behave like they are native to the device.

Simplify everything.

You need to leverage powerful, policy-driven automation, and be able to implement it simply. You don’t have the time to train your technical staff on highly complex products. Well-designed apps will take highly complex actions, but not expose this complexity to users, so that they can be highly productive. For example, you should be able to quickly create policy and apply it reliably and at scale, with just a few clicks. One great way to simplify things is to be consistent in the features provided. For example, always include a search-driven approach to find things and take actions, and have it work the same way in every context.

Use pre-defined content.

Apps should deliver out-of-the-box building blocks to make simplification real. Part of the evolution towards a simpler, easier IT management solution is using content to deliver value quickly. Delivering configuration in the form of pre-packaged settings is an excellent example. Apps can include policy and profile definitions so that you don’t have to construct them before you can start using them. This applies to other app content. Apps can include prepackaged dashboard templates, agent procedures and automation scripts, profiles, and reports to deliver high productivity. Intelligent default values are probably the simplest form of content, and apps can make implementation much simpler by providing recommended choices by default.

Provide measurable impact.

You need apps that capture and present metrics demonstrating the positive impact of management apps on your business as part of the design. The whole reason for getting an IT management tool in the first place is to enable your business. It only makes sense that the app should provide the data to demonstrate value too.

By applying these principles, Kaseya is now building a new generation of IT management cloud apps that are really easy to use and maximize productivity, efficiency and quality for you. Our new Enterprise Mobile Management (EMM) app will reflect these principles in its beta release at the end of October. Kaseya customers can sign up to participate in the beta here. And this will be followed by reimagined apps for software delivery, patching, antivirus and antimalware. So stay tuned, we’ll provide you more specifics on these solutions in future blogs.

Author: Don LeClair

Dropbox wasn’t hacked. Some of their users just dropped the box…

A mixed metaphor never hurt anyone, but when you mix your passwords into everything it’s not going to go well.

Password mixing (reusing passwords) is what many believe was the cause of the recent Dropbox account “breach.” Using the same passwords for everything is a huge problem. A chain is only as strong as its weakest link, and with passwords the same applies. The more websites you use a password on, the more likely it is to be leaked in a breach, and unfortunately, the reach and potential for damages from that breach also becomes greater.

[Figure: Reused Password Graph]

It’s not a difficult concept if you consider it for long. If one password is used on five websites, then that password is five times as likely to be leaked, as there are five times as many locations where that password is being stored. At the same time, that password provides access to five times as many websites, which means that there’s potentially greater than five times the amount of information available to the person accessing it than one account would have on its own. The more information they have, the easier it becomes to gain access to other accounts. This appears to be what happened with Dropbox.

Think of it this way, if I gain access to your email, then I can reset the passwords of almost every account tied to that email. What are the chances that your email contains information about your choice of banking institution, online shopping account, or PayPal perhaps?
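The reasoning above can be checked against an account inventory. The following Python sketch is an added example, not part of the original post: it groups accounts that share a password and computes which accounts become reachable if one site leaks its stored password, following both password reuse and email-based password resets. The inventory, account names and passwords are constructed, and the model assumes a leaked password is usable by whoever obtains it.

```python
"""Password-reuse audit: reuse groups and blast radius (added example)."""
import hashlib
import hmac
import os
from collections import defaultdict

# Constructed inventory: account -> (password, recovery mailbox account).
# The recovery mailbox is the account that receives reset e-mails (assumption
# of this example); None means no e-mail based reset is modelled.
INVENTORY = {
    "mail":    ("Tr0ub4dor&3", None),
    "forum":   ("Tr0ub4dor&3", "mail"),
    "dropbox": ("Tr0ub4dor&3", "mail"),
    "bank":    ("x9!Lq-unique-1", "mail"),
    "shop":    ("hunter2", "mail"),
    "oldblog": ("hunter2", None),
    "vpn":     ("c0rrect-horse-7", None),
}

# Per-run random key: fingerprints are only comparable within this run,
# so the audit can group equal passwords without storing them in the clear.
_KEY = os.urandom(32)


def fingerprint(password):
    """Keyed hash of a password, used only to test equality."""
    return hmac.new(_KEY, password.encode("utf-8"), hashlib.sha256).hexdigest()


def reuse_groups(inventory):
    """Return sorted lists of accounts that share one password."""
    groups = defaultdict(list)
    for account, (password, _recovery) in inventory.items():
        groups[fingerprint(password)].append(account)
    return sorted(sorted(g) for g in groups.values() if len(g) > 1)


def blast_radius(inventory, breached):
    """Accounts exposed if `breached` leaks its stored password.

    Exposure spreads two ways, matching the post's argument:
      1. every account using the same password is exposed;
      2. once a mailbox is exposed, every account that resets through
         that mailbox is exposed.
    """
    same_password = defaultdict(set)
    resets_via = defaultdict(set)
    for account, (password, recovery) in inventory.items():
        same_password[fingerprint(password)].add(account)
        if recovery is not None:
            resets_via[recovery].add(account)

    exposed, queue = {breached}, [breached]
    while queue:
        current = queue.pop()
        password, _recovery = inventory[current]
        reachable = same_password[fingerprint(password)] | resets_via[current]
        for account in reachable - exposed:
            exposed.add(account)
            queue.append(account)
    return sorted(exposed)


def report(inventory):
    """Blast radius for a breach of each account, largest first."""
    radii = {a: blast_radius(inventory, a) for a in inventory}
    return sorted(radii.items(), key=lambda kv: (-len(kv[1]), kv[0]))


if __name__ == "__main__":
    print("Reuse groups:", reuse_groups(INVENTORY))
    for account, exposed in report(INVENTORY):
        print(f"breach of {account:8s} exposes {len(exposed)}: {exposed}")
```

In this constructed inventory a leak at the low-value forum exposes the bank account, which has a unique password, because the forum password also opens the mailbox the bank resets through.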

This wasn’t a breach of Dropbox’s systems; it was a failure of their end-users’ password management skills. When users reuse their passwords across so many websites, they sow the seeds of their own ruin.

For system administrators, the source of this problem is painfully apparent. Quite often, a system administrator will have to remember ten or more passwords just for their day-to-day tasks. Add onto that the 20 or so personal accounts that need passwords and the 30 passwords needed for various lesser-used accounts and systems, and you wind up with an obscene number of passwords to remember. Now consider every end-user that the system administrator manages. How many passwords do you think those end-users each have?

This is why password reuse is such a problem. There are just too many passwords for anyone to handle!

That’s why you need some sort of solution to the password problem. Now, there’s no need to hire some developer to build you a password management system, you just need a password management solution. Let’s throw one more factor into the mix. If you’re reading this blog, there’s a good chance that you’re already a Kaseya customer. If so, then make sure that the solution you choose supports a Kaseya integration. That way you can accomplish even more from a single pane of glass.

Only Kaseya AuthAnvil solves that problem, allowing organizations to secure their most valuable asset – their data – by minimizing the risk of password-related security breaches. Learn more about AuthAnvil.

Author: Harrison Depner

Get Your Head Out of the Tech: A Realistic Look at Cloud Computing

To understand new technologies, one must first get past the misinformation and pierce the veil of hype to see the product as it actually is. As you can see from the graph below, tech hype progresses in a fairly typical cycle. Currently, we’re just passing the peak of inflated expectations and are starting to see the first negative press. The relatively recent iCloud incident and the death of Code Spaces are just the tip of the iceberg which will soon plunge cloud computing into the trough of disillusionment, where it will remain until people realize what purpose cloud computing actually serves, climb the slope of enlightenment, and set out across the plateau of productivity. This same process happens with every major technology hitting the market. Video killed the radio star, and internet killed the video star, yet we still have radio stations and television networks. The media simply hypes everything out of proportion.

In spite of the trend set by the media, many technologists try to provide realistic advice to people before they throw out their old technology in preparation for the new. Cloud computing isn’t going to eliminate the need for older systems. If anything, it will just augment their purpose. In the following post, I will outline five key elements of cloud computing in a way that shows their upsides and downsides.

[Figure: Hype Cycle]

Accessibility: Boon and Bane

If a user is on a business trip, they can access the same resources that they can at work. The simple ability to access resources from anywhere within the same network is a boon, as it removes much of the need for an internal infrastructure. Unfortunately, as was noted by a French philosopher, a British PM, and a man dressed up as a spider, “with great power comes great responsibility.” Accessibility without appropriate restriction is a highly dangerous risk. A cloud-based system on its own cannot know that your users should not be attempting to log in from Elbonia. If your system is made more accessible to your end-users, then it’s also being made more accessible to everyone else.

In a nutshell, IF your access security is well developed, then you can reap the benefits of increased availability, otherwise you’re going to have a bad time.

Maintenance: Can’t Someone Else Do IT?

This entry would have suited a different article entirely, but it works extremely well for the purpose of realistically portraying cloud computing.

There are two ways this scenario typically plays out. Your cloud-based service provider could be amazing — handling updates, resolving issues, and generally fixing everything before you even notice something has gone wrong. If that’s the case, then you’ve reduced the need for the services of your IT department and in-house infrastructure, thus significantly reducing overhead.

Unfortunately, such a result is not guaranteed, and if your provider leaves a lot to be desired, then your experience is going to be less than positive. Rather than staying ahead of new issues as your in-house techs did, your provider may instead do the bare minimum, only completing tasks when they’re specifically told to do so. Micromanagement is expensive, and the potential service outages resulting from poor service can be costlier than maintaining your old in-house IT infrastructure ever was.

In a nutshell, it all comes down to quality of service. If you move to the cloud and your provider is great, then things will run smoothly. If they’re less than stellar, then your experiences will reflect that.

Reliability: Now With More Points of Failure!

The reliability of a system can always be judged by the number of potential points of failure, and the redundancy (or lack thereof) surrounding those points. Cloud computing is very interesting in how it shifts the reliability of a system from hardware functionality, to relying on the availability of services.

Consider the following: if cloud-based systems and in-house systems were both types of vehicles, then in-house would be some sort of SUV, while cloud-based would be some type of high-performance car. This means that their relative performance comes down to the presence of a well-maintained road (internet connection). If the road is always going to be available, then the high-performance car will outright win; however, the moment they need to go off-road, the SUV has a clear advantage.

I explain it this way because it’s effective at pointing out the shortcoming of the cloud-based model. If you have no internet, then you have no access. If you have an in-house infrastructure and the internet goes out, then work can still be done across the internal network. The high-performance cloud-mobile may be significantly less likely to break down, but without the internet providing access it will just sit idle during those periods.

Security: Something Old, Something New…

Security in the cloud is one of those hot-button topics, so let’s keep this as concise as possible. Companies like Code Spaces, which were bankrupted due to poor cloud security practices, give providers ample justification for making their systems top-of-the-line. This means that cloud services and cloud service providers are often extremely focused on security. At the same time, there is no action without a cause. The reason they are so security-minded is that they are aware that, in addition to the usual risks an in-house system may encounter, the new features which the cloud is built upon (such as multi-tenancy, shared resources, and availability) open up new vectors for attack which previously could only be theorized. This means that, while the security in the cloud is often quite strong, there are also new weaknesses which may circumvent those defenses.

Costs: You Get What You Pay For

In many instances, cloud service providers offer pay-for-usage models of pricing. This means that you pay based on the resources you are using, and the duration of the time they’re in use. In many cases, this is more cost effective than having the same systems in-house. This adaptability and scalability can be great for any business. On the flip-side, consider cloud based infrastructure the same way you would consider leasing a property. It can be more affordable and ideal to lease an office; however, in some cases it’s more cost effective and practical to buy the property. Whether or not you get a good cost-effective deal for your cloud-based infrastructure comes down to planning for your needs.

Whether you’re planning on migrating to the cloud, are remaining in-house, or are deciding on which you would prefer, the first step to building a strong IT infrastructure is finding the right platform to build upon. Kaseya was designed and built with security as the fundamental building block to its core architecture.

Author: Harrison Depner

IT Security Compliance Requirements and State Laws

State laws have always been a tricky subject when the internet gets involved. Unless your business is large enough to hire a squadron of legal representatives, you just have to accommodate them. In this article, I’m going to outline three of these state laws which may apply to your business. Fair warning: This article should in no way be construed as legal advice. I’m not a lawyer and I don’t even play one on TV.

California Compliance Law

State: California

Law: CalOPPA (California Online Privacy Protection Act)

Who it applies to: Any commercial website or online service that collects personal information about “individual consumers residing in California who use or visit its commercial Web site or online service.”

What the law requires: CalOPPA can seem to be a fairly complicated law, so let’s break it down into a simpler form. This law focuses on how you handle personal information, and more specifically how your website or service responds to “Do Not Track” messages. This sounds like it could become difficult, but fortunately the law doesn’t require you to respond to “Do Not Track” messages. Instead it only requires that you disclose whether you do or don’t respond to those messages. In other words, you can ignore “Do Not Track” messages and collect personal information despite them; however, if you do that you will need to say so in your privacy policy.

If you decide instead to respond to “Do Not Track” messages, you will need to disclose how you respond, and while CalOPPA doesn’t specifically define how detailed your disclosure must be, it’s safe to assume that such disclosure should be accurate.

Fortunately most websites already have privacy policies, and adding a few lines that state you don’t respond to those messages, or alternately do and your practices around that, isn’t too difficult a task.

Nevada Compliance Law

State: Nevada

Law: NRS 603A (Security of Personal Information)

Who it applies to: This law applies to “any governmental agency, institution of higher education, corporation, financial institution or retail operator or any other type of business entity or association that, for any purpose, whether by automated collection or otherwise, handles, collects, disseminates or otherwise deals with nonpublic personal information” of Nevada residents.

What the law requires: This security law sets forth a number of legal obligations for those to whom the law applies. In a nutshell, these obligations include:

  • Protocols surrounding the destruction of records containing personal information. (603A.200)
  • The maintenance of “reasonable security measures to protect” those records. (603A.210)
  • The disclosure of breaches which affected the stored personal information of NV residents. (603A.220)
  • Mandatory PCI Compliance for organizations that accept payment cards. (603A.227)
  • The encryption of Nevada residents’ PI in transmission, and during the movement of storage devices. (603A.227)

What does this mean in a general sense? Well, if this law applies to you or your clients’ businesses, then you have a lot of work to do. Fortunately, these compliance requirements are fairly typical and you may not have to make any changes at all if you’re already PCI compliant. If you do business with residents of Nevada and you’re not following these practices… well, I highly recommend you start working to follow these practices immediately. Some sources point out that this law technically has a national and international reach for any group handling the personal information of Nevada residents.

Massachusetts Compliance Law

State: Massachusetts

Law: 201 CMR 17.00

Who it applies to: Every person or organization that owns or licenses personal information about a resident of Massachusetts and electronically stores or transmits such information.

What the law requires: Fortunately this law is written in a fairly comprehensive way, so it is quite easy to explain. For those to whom this law applies, it is required that a comprehensive information security program exist, and that said program cover all computers and networks to the extent which is technically feasible. This security program, when feasible, is required to…

Have secure user authentication protocols which provide:

  • Control over user IDs and other identifiers.
  • Reasonably secure assignment and selection of passwords, or use of unique identifier technologies, such as multi-factor authentication.
  • Control of passwords to ensure they are kept in a location and/or format that does not compromise the security of the data they protect.
  • Restriction of access to active users and active user accounts only.
  • The ability to block access after multiple unsuccessful access attempts, or limitation placed for the particular system.

Secure access control measures that:

  • Restrict access to records and files containing personal information to those who need such information for their job.
  • Assign unique identifications and passwords, which are not the vendor-supplied defaults, to any person with access.

As well, the security program must include:

  • Encryption of all transmitted records and files containing PI which will travel across public networks or wirelessly.
  • Reasonable monitoring of systems for unauthorized use of or access to personal information.
  • Encryption of all personal information stored on laptops or other portable devices.
  • Reasonably up-to-date firewall protection and operating system security patches for systems containing personal information which are connected to the Internet.
  • Reasonably up-to-date versions of system security software which must include malware protection with reasonably up-to-date patches and virus definitions, or a version of such software that can still be supported with up-to-date patches and virus definitions, and is set to receive the most current security updates on a regular basis.
  • Education of employees on the proper use of the computer security system and personal information security.

As you can see, I saved the best for last. This law, just like the one from the state of Nevada, can have a national or international reach. Now, I didn’t write all of this for you to panic about. I feel that these three laws serve as a good motivation for any business to improve their IT security and IT policies in general. Additionally, these three laws in combination provide a great framework that any business could build their IT security upon. Security is not the job of a single person, nor is it the job of a single business; instead, it is a task for everyone.

The first step to building a good home is laying down a strong foundation. Similarly, the first step to building a strong and compliant IT infrastructure is finding the right platform to build upon. Kaseya was designed and built with security as the fundamental building block to its core architecture.

Author: Harrison Depner

Why Your IT Monitoring System Must be Part of Your Security Defense

Whether you are a managed service provider using a remote monitoring and management (RMM) system to monitor client infrastructures, or an IT Operations group monitoring your company’s internal infrastructure, your IT management system is an important infrastructure component that needs to be secured. It’s also a key tool that you can use as part of your security apparatus to help protect the remaining infrastructure. Without strong security capabilities, your RMM system can easily become a tool for hackers and cyber criminals instead of serving its intended purpose.

PCI DSS Compliance

This is particularly important for businesses where industry security compliance is required. For retail and financial businesses, the Payment Card Industry Data Security Standards (PCI DSS) require that cardholder data be protected behind a firewall, yet the monitoring system, especially if it’s remote, is likely to operate through the firewall. Hackers gaining access to the system can have an immediate entry to the core of your infrastructure – or to your end devices such as POS terminals and self-service kiosks. Beyond direct access, remote management systems can obviously be used to change configurations and security settings on communications devices and firewalls, to download software (or malware) to end devices, and to patch (or to indicate as patched) existing applications, any or all of which can be used to open further vulnerabilities.

To further protect against communication with “untrusted networks” (the term used for any network not under direct control), the PCI DSS standards also require the securing of infrastructure information, the maintenance of an accurate and up-to-date inventory of all components that are in scope for PCI DSS requirements, and the development and maintenance of standard configurations for those components, along with many other factors. Your RMM system is likely to be a significant help in meeting these expectations and in helping with ongoing audits. For example, policy management can be used to ensure configuration standards are maintained and that only approved applications are able to be run on protected end devices. It can also be used to periodically ensure that mobile laptop computers have encryption technology installed and enabled to protect health records from disclosure in the event of theft.

HIPAA Compliance

For IT professionals in the healthcare field, securing protected healthcare information (PHI) is a major issue. While HIPAA and its related regulations do not spell out how patient data should be protected, they go beyond technical recommendations to legally mandate that it must be protected. Both healthcare organizations (HIPAA’s “covered entities”) and their business associates (organizations supplying healthcare-related services that require access to patient data) are subject to HIPAA regulations. From an IT perspective this certainly means that the IT Operations personnel of both covered entities and any business associate organizations must take every precaution to maintain security and patient privacy when managing electronic systems that contain or process PHI.

Perhaps more interesting is the case of MSPs who provide managed services to healthcare organizations. It can be argued that, by the letter of the law, they are not considered business associates for the purposes of HIPAA on the ground that they do not require access to patient data to do their work. However, in practice, it’s unlikely that a healthcare provider would contract for their managed services without the requisite guarantees of security and data protection. Certainly it’s been a common Kaseya experience that when raising the need for strong security capabilities and processes, MSPs who service healthcare clients have immediately recognized the need.

So in either case, whether you are an internal or an external IT service provider, you should be taking all necessary steps to secure your monitoring capabilities and to use them, appropriately, to ensure the security of the systems you monitor and manage. And it’s our belief that MSPs seeking healthcare clients will find that strong security capabilities and processes are the price of entry into that market.

Beyond securing their technology, those providing IT services must also ensure that their own policies and procedures support their (internal or external) customer needs. The use of strong passwords, single sign-on, multi-factor authentication, cyclical password updates, regular threat assessments, defined device configurations, test-before-going-live reviews, frequent security education, etc., should be documented requirements that are adhered to for all systems and personnel.

Kaseya is the leader in cloud-based remote monitoring and management and offers a comprehensive monitoring solution used by MSPs and SMBs worldwide. To find out more about what you can accomplish from a single pane of glass and how your monitoring solution can help protect your infrastructure click here.


Are you using your IT monitoring systems to enhance the security of your IT infrastructure?

Author: Ray Wright

Building the World’s Fastest Remote Desktop Management – Part 4

Fastest Remote Control

Building the world’s fastest remote desktop management solution is a bit like building a high performance car. The first things to worry about are how fast does it go from zero to 60 and how well does it perform on the road. Once these are ensured, designers can then add the bells and whistles which make the high end experience complete.

In our first three installments in this series (Part 1, Part 2 and Part 3), we talked about the remote management technology being used to deliver speed and performance, and now we are ready to talk about the remote management bells and whistles that deliver the high-end experience IT administrators need. Kaseya Remote Control R8, which became available on September 30, adds 6 new enhancements to ensure greater security and compliance and help IT administrators resolve issues more quickly on both servers and workstations:

  1. Private Remote Control sessions:

    In many industries, such as healthcare, finance, retail, education, etc., security during a remote control session is crucial. Administrators cannot risk having the person next to the server or workstation view sensitive information on the remote screen. Kaseya Remote Control R8 allows IT administrators to establish private Remote Control sessions for Windows so that administrators can work on servers or workstations securely and discreetly.

  2. Track and report on Remote Control sessions:

    These same industries have strict compliance requirements. Remote Control R8 allows IT organizations to track and report on Remote Control sessions by admin, by machine, per month, week, day, etc., with a history of access to meet compliance requirements.

  3. Shadow end user terminal server sessions:

    Many users run terminal server sessions for which they may need assistance. Remote Control R8 lets IT administrators shadow end user terminal server sessions to more easily identify and resolve user issues.

  4. See session latency stats:

    Poor performance is often hard to diagnose. Remote Control R8 shows session latency stats during the remote control session so administrators are aware of the connection strength and can determine its relevance to an end user’s issues.

  5. Support for Windows Display Scaling:

    HiDPI displays are quickly becoming the norm for new devices. Remote Control R8 includes support for these display types (i.e. Retina) to allow IT administrators to remotely view the latest, high definition displays.

  6. Hardware acceleration:

    Remote management becomes much easier if one can clearly see the remote machine’s screen. Remote Control R8 enables hardware acceleration, leveraging the video card for image processing, for a sharper remote window picture while reducing the CPU overhead by 25%-50% depending on the admin’s computer hardware.

Just like your favorite high-performance car, Kaseya Remote Control R8 is delivering the speed, performance and features IT administrators need to obtain a high-end management experience.

Let Us Know What You Think

The new Desktop Remote Control became available with VSA R8 on September 30.

We’re looking forward to receiving feedback on the new capabilities. To learn more about Kaseya and our plans please take a look at our roadmap to see what we have in store for future releases of our products.

Author: Tom Hayes

Multi-Factor Authentication on Mobile Devices

Multi-Factor Authentication

My friend Tony loves electronics and gadgets and probably owns every type of man toy – iPads, home theatre system, Xbox, GoPro, Quadcopter with Wifi camera, etc. He travels a lot for work and is always connected to the internet via his phone and wireless HotSpots. He is a technophile, which makes work and life convenient for everyone associated with him. Or does it?

In my opinion, Tony is a perfect embodiment of the statement, “Employees are the biggest vulnerabilities for a company’s information security.” Tony’s work emails have been set up on every tablet he has owned. He never cared about removing email settings and data from the old devices when he bought a new one (Who does that anyways?). His kids have access to his old mobile devices and most of them do not have passcode locks because, for end users, ease of use often trumps security concerns. This gives Tony little to no control over who else can use those old devices for casual browsing. And he not only compromises his personal data, but his work data as well. While he is no Jennifer Lawrence (trust me, his personal photos are not in demand!), he still makes his personal information vulnerable and exposes his work email to casual browsing by others, inadvertently compromising his company’s information security. And he is not an exception. There are lots of folks like Tony. Not too long ago we had this news:

Iowa State DHS Data Breach – Two workers used personal email accounts, personal online storage and personal electronic devices for work purposes

Furthermore, what happens when Tony quits his job? All that data on his mobile devices is the company data/IP walking out of the door unchecked.

So the obvious solution that comes to mind is, “I will have my IT admin set up, manage and control access to company data on my phone.” Great! That addresses the device management aspects, such as the ability to remotely wipe data, track a lost phone, manage apps, etc. But what about access management on the mobile server itself, ensuring that only authorized admins are managing your mobile devices remotely to protect against insider threats such as these:

Enter multi-factor authentication – which authenticates users based on verification of at least two of the following:

  • something they know
  • something they own/possess
  • something they are (biometric)

In the context of mobile, this needs to be applied at both ends – mobile end user as well as the mobile admin.

Multi-factor authentication has been around for some time (remember the physical security tokens that people carried with their laptops?). Mobile admins follow the same multi-factor authentication as the regular IT admin to gain access to the mobile server to manage your mobile devices remotely. See AuthAnvil’s Two Factor Authentication to understand how insider threats and security breaches can be mitigated for the servers that mobile admins use.

But multi-factor authentication for mobile end users is tricky. Picture yourself holding your phone in one hand and a physical security token in other hand to check work email. How will you scroll/click on the screen?

There is a smarter way to handle multi-factor authentication on mobile devices. In a BYOD context, IT admins’ control of the user’s personal device is limited compared to a company-provided device. Hence multi-factor authentication is critical in a BYOD context. Multi-factor authentication for mobile users can be easily done by pairing users with specific device(s) and enforcing secure PIN entry on the apps which access company emails, documents and other IP (an app-level PIN, not the device-level PIN). So the mobile users can access company data only if they:

  • Enter the correct security PIN for the apps (something they know)
  • Use the approved device paired with them (something they own/possess)

The use of an Active Directory / LDAP system at the backend will extend the user’s access privileges to the mobile devices. It is very important to note that all this is a very streamlined process – users just have to open the app the usual way and enter the security PIN for the app.

Multi-factor authentication on mobile devices is very important as these devices move company data outside the organization boundary very easily. But the multi-factor authentication on mobile cannot follow the physical security token model. By pairing users with devices and enforcing PIN at app level, multi-factor authentication can be streamlined and transparent to the mobile user, ensuring ease of use and security at the same time. There are innovative solutions in the market that implement such multi-factor authentication on mobile devices and if you are enabling an “anytime anywhere available” mobile workforce then you should seriously consider having this capability.

Author: Varun Taware

Don’t Let the “Bash Bug” Bash Your Business

Bash Bug

The Bash Bug, also known as “Shellshock,” is in a commonly used piece of Unix system software called Bash, which has been around since 1989. It is a command shell that provides instructions to your computer. Exploiting a security hole in Bash means hackers could instruct your computer to do things you would prefer it not do! For example, the Bash Bug could be used to seize control of a vulnerable web server to collect online passwords stored in databases, download identities, or take other undesirable actions.

Exposure is rather broad, as Bash is used on a variety of Unix-based systems, including Linux and Mac OS X. Servers, routers, Android phones, Mac computers, and medical devices are some of the devices that use Unix. Even systems running power plants and municipal water systems could be affected by the bug, though security experts already recommend that these systems remain disconnected from the Internet to avoid opening them to such risks.

So what steps can you take to minimize the risk that the Bash Bug does harm to your business?

Consider the following four steps:

Step 1:

Identify all devices that can be affected, which will likely include network devices (such as routers, switches, etc.), servers, workstations, computers, appliances, etc. Anything connected to your network that is UNIX-derived, whether that be an appliance-based system or a computer running Linux, OS X, or BSD, could be exposed. To make this first step easier, you should use a strong discovery, inventory and audit management tool to help with the identification.

Step 2:

Create scripts to test whether or not those systems are vulnerable. Companies such as Red Hat are creating advisories which detail the exact commands you’ll want to include in the script along with the expected responses. The scripts should be created in a management tool to make it easier to create, document and manage the script.

Step 3:

Run the scripts to create a list of vulnerable systems. The systems you identified now need to be listed in a way that makes it easy to take action. You could simply list them in a spreadsheet in preparation for a long day of manually trying to complete repairs. Or, you could again leverage a management tool, one which can capture the results from the testing and make it easier to implement the fix.

Step 4:

Patch any affected devices. In the case of Linux this will involve using package managers like Yum (Yellowdog Updater, Modified), an open-source command-line package-management utility for Linux, or YaST (Yet another Setup Tool), a Linux operating system setup and configuration tool. When Apple releases security fixes for OS X, they can be deployed in scripted fashion with the Apple command-line process ‘softwareupdate.’ These tools can be used in conjunction with a management automation tool that will automatically patch the affected devices and document their updated status, eliminating the need to manually fix and track every device.
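Steps 2 and 3 as a local check, added here as an example (it is not Kaseya's or Red Hat's own script): it runs the widely published environment-variable test against each bash binary and emits one CSV line per shell. The function names, marker string, CSV layout and the paths on the last line are assumptions.

```shell
#!/bin/sh
# Added example: test local shells for the Bash Bug and list the results.
# Probe: an environment variable whose value looks like a function definition
# followed by an extra command. A vulnerable bash runs that extra command
# while importing the variable; a patched bash treats it as plain data.
# Covers only the originally disclosed flaw; confirm the installed package
# version against your vendor advisory as well.

MARKER="SHELLSHOCK_MARKER"   # harmless text the probe tries to echo

# check_bash <path> -> VULNERABLE | NOT_VULNERABLE | NOT_FOUND | UNKNOWN
check_bash() {
    [ -x "$1" ] || { echo "NOT_FOUND"; return 0; }
    _out=$(env x="() { :;}; echo $MARKER" "$1" -c 'echo probe_done' 2>/dev/null) || true
    case "$_out" in
        *"$MARKER"*)   echo "VULNERABLE" ;;
        *probe_done*)  echo "NOT_VULNERABLE" ;;
        *)             echo "UNKNOWN" ;;
    esac
}

# shellshock_report <host-label> <path>... -> one CSV line per shell,
# ready to collect centrally into the list of systems that need patching.
shellshock_report() {
    _host=$1
    shift
    for _p in "$@"; do
        printf '%s,%s,%s\n' "$_host" "$_p" "$(check_bash "$_p")"
    done
}

# Paths below are assumptions; add every bash binary your inventory found.
shellshock_report "$(uname -n)" /bin/bash /usr/local/bin/bash
```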

Kaseya’s management and automation solution can help you move through these four steps with greater ease, speed, and efficiency, while minimizing the human error factor. More specific information on the Kaseya approach using Agent Procedure can be found on the Kaseya Community Forum. Managed Service Providers using the Kaseya solution, such as Upstream, can also help you resolve the issue. And once you have used the Kaseya solution to address the Bash Bug, you then have a leading management and automation solution in place to help you address the next, unfortunately inevitable security and compliance issue (which at current course and speed might be just days away!).

Authors:

Tom Hayes, VP Product Marketing, Kaseya

Ben Lavalley, Product Management, Kaseya
