Education and Mitigation: Improving IT Security Through User Education


Unless your network consists of a room full of users connecting to an unsecured consumer-grade router, the most vulnerable part of your network is your users. Technology is good at following rules consistently, while people are not. You can trust a computer not to install viruses on itself; it can be infected, but that’s not how it was designed to function. Technology may not always work the way it’s supposed to, but the technology itself has no control over its actions. People, on the other hand… Well, you just can’t trust people not to make bad decisions…

Even the Romans knew it. To err is human: Errare humanum est. (Seneca)

Trusting in your users to do everything right is foolhardy; however, it’s quite possible to teach them not to trust themselves! In the field of IT security you should trust no one. Think about how much risk would be mitigated if you could pass that notion on to your users.

Would your average users stop opening random links people send them featuring “10 cute kitten videos you have to see”? Probably not, but if we change the question a little and ask, “Would your users engage in that sort of risky behavior less often?”, then the answer becomes a definitive “yes.”

When it comes to educating your users about IT security, there are a lot of wrong ways to connect the dots. Simplistic training sessions can make your users feel ignorant, gullible, or even unintelligent. From my experience, the best practices tend to be those which are honest, informative, and relevant. Try having a brownbag lunch and discussing IT security issues that have recently received media coverage. People remember large events like when Sony was hacked, so you could work that into a lesson about why it’s dangerous to recycle passwords across websites. Make your lessons relatable and you will improve the amount of knowledge your employees retain. It’s just that simple.

Maybe this doesn’t apply to your business. Perhaps you work at an MSP where the most computer illiterate employee you have is the janitor from Elbonia who has his CIS degree printed on what looks to be a cereal box. Well, even then there’s still plenty to learn.

Work can be hectic and busy. There are always new patches to install and break-fix work to do. After a certain point, it gets really easy to become apathetic to the process. Well, no surprises here, but not embracing lifelong learning is one of the worst possible things you can do. IT security isn’t something you can just learn and be done with; it’s a constantly changing and evolving field! You can memorize your ABCs, but the closest thing to that I have seen in IT is the four cardinal rules of IT security.

Have you heard of the four cardinal rules? Probably not, because I’m sure my instructor was improvising when he taught us. That would explain why they’re pretty much the same as the four cardinal rules of gun safety. Well, here are those four rules, so read them and see if you pick up anything new!

  1. All guns are always loaded.

    Connecting things to a network is a lot like picking up a gun. It could be loaded (with malware), or be poorly manufactured, which adds the risk of it blowing up in your face. You might want to trust the ergonomic keyboards your techs brought from home, but even that can be risky.

    In short: Assume nothing, and check everything.

  2. Always point the muzzle in a safe direction.

    Patches, updates, hardware installations: this applies to everything. If you’re going to change anything on your network, don’t just plow ahead and do it. Aim those changes in a safe direction (like a test server or a non-critical system) and try things out there first. If things work well on the test server, then safely implement the changes across all systems. You wouldn’t play Russian roulette with your life on the line, so why would you do it with your network?

    In short: Test everything before it goes live.

  3. Keep your finger off the trigger until you are on target and ready to shoot.

    It’s good to stay on top of the most recent updates, but there’s a fine line between updating appropriately and excessively. Just because you can update to the newest beta version of Java doesn’t mean you should, and just because there’s a newer version of an OS, that doesn’t mean you need it.

    In short: Don’t change anything on the fly and don’t install anything without considering the results.

  4. Know your target, and what lies beyond.

    When changing anything, make sure you are fully aware of what it is, what it does, and what needs it. Consider what happened with the release of Windows Vista. Many businesses updated to Vista because their hardware supported it; unfortunately, a number of devices which relied on XP’s resources no longer functioned as a result. Users were scrambling to figure out why their printers, webcams, and other gadgets no longer worked, and it caused quite a headache for the people who supported those systems.

    In short: Do your research. Nothing is as modular as it seems, and updating something as innocuous as a printer could bring your network to its knees.

Above all else, always remember that you can never know too much. Keep on learning, keep reading those blogs, and keep reading those forums. You’ll never know if something you learned is relevant until you have to do it yourself.

Now, before you go looking for random lessons to train your coworkers on, let me throw one more factor into the mix. If you’re reading this blog at blog.kaseya.com, there’s a good chance you’re a Kaseya customer. If you are, or you’re interested in becoming one, why not take a look at Kaseya University?

Kaseya University is a state-of-the-art training platform for Kaseya users. It utilizes an innovative blended learning approach to provide both structured and flexible access to technical product training. The Learning Center allows students to build a truly customized learning experience unique to their needs. Kaseya University is kept current with Kaseya product releases, and refreshed multiple times a year. To learn more about Kaseya University: Click here

With that knowledge you can accomplish even more from a single pane of glass.

If you want more information on IT security or just want some topic starters: Click Here

If you want a more direct approach for improving your IT Security: Click Here

Author: Harrison Depner

Haste Prevents Waste. Single Sign-On Can Improve Any MSP’s Profit Margin


As people gain access to more online resources, they need to remember an ever-increasing number of usernames and passwords. Unfortunately, having more usernames and passwords means more time spent keeping track of them.

If you’re a business owner and you don’t have password management software, then you’re letting your employees manage their passwords on their own. Your users could be setting the stage for every IT security manager’s worst nightmare: an office full of sticky notes with user names and passwords clearly visible around their workstations or cubicles. Without some form of password management solution, your employees are suffering from ongoing frustration as they try to manage their passwords while following your IT security requirements.

If your business is already using password management software, then you should have a solution that manages which resources your employees are able to access, and which credentials they should use to do so. Unfortunately, your password system may not be doing everything it can to provide simple and secure access for your employees.

What if there was a way for users to have strong passwords without the need to remember them, while also retaining a high degree of security?

Regardless of how you’re managing your passwords today, you can eliminate password frustration, increase your employees’ efficiency, and improve your IT security by implementing a single sign-on password management solution.

What is Single Sign-On?

Single sign-on (SSO) is a system through which users can access multiple applications, websites, and accounts by logging in to a single web portal just once. After the user has logged into the portal, he or she can access those resources without needing to enter additional user names or passwords.

Single sign-on is made possible by a password management system that stores each user’s login ID and password for each resource. When a user navigates from a single sign-on portal to a site or application, the password management system typically provides the user’s login credentials behind the scenes. From the users’ perspective, they appear to be logged in automatically.

High quality SSO solutions are able to provide access to a variety of internal and external resources by utilizing standard protocols such as SAML, WS-Fed, and WS-Trust.

As with any password management application, security is a critical consideration for SSO systems. Single sign-on is often implemented in conjunction with some form of multi-factor authentication (MFA) to ensure that only authorized users are able to log into the SSO web portal.
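The flow described above, as an added example in Python (not Kaseya or Scorpion Software code): a portal that authenticates a user once and then issues a short-lived signed assertion for each application the user visits, and the check each application runs on that assertion. It goes a little beyond the credential-vaulting case in the text by showing the federated style that SAML and WS-Fed use, in which the application never sees the user’s password at all. The user store, the per-application shared keys, the five-minute lifetime and the HMAC signature (standing in for the certificate signatures real protocols use) are all assumptions made for the example.

```python
"""Minimal federated single sign-on: one login at the portal, many assertions.

Added example, not the code of any product named on the page. The portal checks
the password once; each application only verifies a signed, audience-bound,
expiring assertion and never handles the password itself.
"""
import base64
import hashlib
import hmac
import json
import os
import time

# Constructed user store: salted PBKDF2 hashes, never clear-text passwords.
_SALT = b"example-salt-16b"


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


USERS = {"alice": _hash_password("correct horse battery", _SALT)}

# Constructed per-application keys shared with the portal (assumption; SAML and
# WS-Fed would use the identity provider's signing certificate instead).
APP_KEYS = {"ticketing": b"ticketing-shared-key", "billing": b"billing-shared-key"}

ASSERTION_LIFETIME = 300  # seconds; short so a leaked assertion is of little use


def _sign(payload: bytes, key: bytes) -> str:
    return hmac.new(key, payload, hashlib.sha256).hexdigest()


class Portal:
    """The SSO portal: the only place the user types a password."""

    def __init__(self):
        self.sessions = {}  # opaque session token -> username

    def login(self, username: str, password: str):
        stored = USERS.get(username)
        if stored is None or not hmac.compare_digest(stored, _hash_password(password, _SALT)):
            return None
        token = base64.urlsafe_b64encode(os.urandom(16)).decode()
        self.sessions[token] = username
        return token

    def assertion_for(self, session_token: str, app: str, now=None):
        """Issue an assertion for `app` bound to this session's user, or None."""
        username = self.sessions.get(session_token)
        if username is None or app not in APP_KEYS:
            return None
        now = int(time.time()) if now is None else now
        body = json.dumps(
            {"sub": username, "aud": app, "iat": now, "exp": now + ASSERTION_LIFETIME},
            sort_keys=True,
        ).encode()
        return base64.urlsafe_b64encode(body).decode() + "." + _sign(body, APP_KEYS[app])


def verify_assertion(assertion: str, app: str, now=None):
    """Run by the application: check signature, audience and expiry.

    Returns the asserted username, or None if any check fails.
    """
    key = APP_KEYS.get(app)
    if key is None:
        return None
    try:
        b64, sig = assertion.split(".", 1)
        body = base64.urlsafe_b64decode(b64)
    except (ValueError, TypeError):
        return None
    if not hmac.compare_digest(sig, _sign(body, key)):
        return None  # forged, tampered, or signed for a different application
    claims = json.loads(body)
    now = int(time.time()) if now is None else now
    if claims.get("aud") != app or claims.get("exp", 0) <= now:
        return None  # wrong audience or expired
    return claims.get("sub")


if __name__ == "__main__":
    portal = Portal()
    session = portal.login("alice", "correct horse battery")
    for app in APP_KEYS:  # one login, several applications
        print(app, "->", verify_assertion(portal.assertion_for(session, app), app))
```

The two checks an application must never skip are the audience and the expiry: without the audience check an assertion minted for one application can be replayed against another, and without the expiry a captured assertion stays valid indefinitely.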

5 Reasons MSPs Benefit from Single Sign-On

  1. SSO can create exceptionally strong password security. When paired with multi-factor authentication (MFA), single sign-on gives you a password management solution that can be both user friendly and extremely secure.
  2. SSO makes enforcing password policies easier. In addition to allowing for strong passwords for critical resources, an SSO system makes it easier to assign and maintain those passwords. In some cases, you can take users out of the password management process entirely: a good SSO system will allow you to assign passwords behind the scenes, and change them as needed when your security needs evolve.
  3. Users won’t need or want to save passwords to their unsecured browser. To the average end user, the ability of a web browser like Chrome to remember and submit passwords is a huge bonus; however, while saved passwords offer some of the benefits of single sign-on, web browsers offer none of the security that comes with a true password management solution. When you implement an SSO system, you eliminate the temptation for employees to save their passwords in their browsers, because the SSO portal does that job instead, and often does it better. At that point you could remove that feature from their browsers without the risk of angering your users.
  4. Single sign-on makes your systems easier to secure. Rather than securing dozens or even hundreds of access points to your systems, your security administrators can focus the majority of their efforts on securing just one: the SSO system. If you pair the SSO system with multi-factor authentication, your credentials will be more secure and manageable than a collection of independently secured websites and systems.
  5. Reduced IT help desk calls. Experts estimate that the average employee calls the IT help desk for password assistance about four times per year. Given that an average IT helpdesk call takes about 20 minutes, that’s 80 minutes per year. That’s 160 minutes of wasted time (IT staff + end user) per year per end user. A good SSO solution will help you put that money back on your bottom line, and free your IT professionals to spend their time on more important projects.

Now, before you go looking for a single sign-on system for your business, let me throw one more factor into the mix. If you’re reading this blog at blog.kaseya.com, there’s a good chance you’re a Kaseya customer. If you are, or you’re interested in becoming one, make sure that the solution you choose supports a Kaseya integration. Scorpion Software was acquired by Kaseya not long ago, and they offer a full Kaseya integration of their user authentication and password management suite. Their suite offers single sign-on, multi-factor authentication, and many other features. So, if you’re looking for a Kaseya-optimized suite, there’s no better place to start. That way you can accomplish even more from a single pane of glass.

If you want more information on what a good single sign-on system should do: Click Here

If you want to know what I would recommend as a single sign-on solution: Click Here

Author: Harrison Depner

Why is it called “Multi-Factor” Authentication? (MFA)


Why is multi-factor authentication (MFA) “multi-factor” anyways? A simple enough question, right? Well, it’s not as simple as it sounds.

Depending on where you look, you can see references to two-factor authentication, three-factor authentication, strong authentication, and advanced authentication. Based on the names, it sounds like these are all just subcategories of multi-factor authentication. Unfortunately, that’s only half true, and that’s also where this question gets complicated.

Which types of authentication are always examples of multi-factor authentication?

Two- and three-factor authentication are always examples of multi-factor authentication. Multi-factor authentication, by definition, is authentication using at least 2 of the 3 possible authentication factors. So yes, two-factor and three-factor authentication are both examples of multi-factor authentication.

What about “strong” and “advanced” authentication?

This is where it gets tricky. Both strong and advanced authentication can be considered multi-factor authentication; however, it depends on how the authentication is implemented. To understand what I mean, we first need to define what multi-factor authentication is.

What is multi-factor authentication?

The term “authentication” refers to the ability to verify the identity of a person attempting to access a system (presumably someone who is authorized to access that system). The term “factor” then, necessarily refers to the different types of tests someone must successfully complete to identify themselves. For IT security, these factors often filter down into three broad categories:

  • Knowledge: Something you know.

    This is the factor upon which password-only systems rely. To pass a knowledge factor based test, you must prove that you know a secret combination, like a password, PIN, or pattern.

  • Possession: Something you have.

    To authenticate using this factor, you must prove you possess something that only you should have, like a key, or an ID card.

  • Inherence: Something you are.

    Inherence means something that is inherently yours. That usually means a unique physical or behavioral characteristic, tested through some sort of biometric system.

Multi-factor authentication requires that a system use at least two of these authentication factors to authenticate users. That’s why it’s “multi-factor” authentication.

Wait… so what was that about “strong” and “advanced” authentication?

Well, multi-factor authentication requires that at least two factors be used. Both advanced and strong authentication can use two or three factors; however, their requirements do not mandate “tests” from different categories. Strong authentication could be achieved by using a password and a security question, while advanced authentication could be established with a password and a challenge question, both of which are knowledge factors. This means that, while all multi-factor authentication solutions count as strong or advanced authentication, not all strong and advanced authentication solutions count as multi-factor authentication.
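The distinction above is easy to encode, and worth encoding: a login policy is multi-factor only when its tests span at least two of the three categories, so “password plus security question” fails the rule while “password plus one-time code” passes it. The following is an added example in Python (not AuthAnvil or Kaseya code) that classifies a policy this way and then runs a real possession factor, an RFC 6238 time-based one-time code, so the rule can be exercised end to end. The method names, the demo user, the salt and the password are constructed; the TOTP seed is the published RFC 6238 test-vector seed, which is why the expected codes are known.

```python
"""Two-of-three factor rule plus a working TOTP possession factor.

Added example, not code from any product on the page. Method names, the demo
user and its salt are constructed for the example.
"""
import hashlib
import hmac
import struct

# Each test a user can pass, mapped to the category it proves.
FACTOR_OF = {
    "password": "knowledge", "pin": "knowledge", "security_question": "knowledge",
    "totp": "possession", "hardware_token": "possession", "smart_card": "possession",
    "fingerprint": "inherence", "face_scan": "inherence",
}


def factor_categories(methods):
    """Set of categories covered by a list of methods; unknown methods are an error."""
    unknown = [m for m in methods if m not in FACTOR_OF]
    if unknown:
        raise ValueError(f"unclassified methods: {unknown}")
    return {FACTOR_OF[m] for m in methods}


def is_multi_factor(methods):
    """True only if the methods span at least two distinct categories."""
    return len(factor_categories(methods)) >= 2


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 time-based one-time code (HMAC-SHA1, the common default)."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                       # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def verify_totp(secret: bytes, code: str, unix_time: int, window: int = 1, step: int = 30):
    """Accept the current step and `window` steps either side to tolerate clock drift."""
    return any(
        hmac.compare_digest(totp(secret, unix_time + d * step, step), code)
        for d in range(-window, window + 1)
    )


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def authenticate(user: dict, presented: dict, now: int) -> bool:
    """Every method in the user's policy must be presented and pass.

    Refuses outright to run a policy that is not multi-factor, so a
    misconfigured "password + security question" policy cannot masquerade as MFA.
    """
    if not is_multi_factor(user["policy"]):
        raise ValueError("policy does not satisfy the two-of-three rule")
    checks = {
        "password": lambda v: hmac.compare_digest(
            user["password_hash"], hash_password(v, user["salt"])),
        "totp": lambda v: verify_totp(user["totp_secret"], v, now),
    }
    return all(m in presented and checks[m](presented[m]) for m in user["policy"])


# Constructed demo user; the TOTP seed is the RFC 6238 Appendix B test seed.
SALT = b"constructed-salt"
RFC_SEED = b"12345678901234567890"
DEMO_USER = {
    "policy": ["password", "totp"],
    "salt": SALT,
    "password_hash": hash_password("correct horse battery staple", SALT),
    "totp_secret": RFC_SEED,
}

if __name__ == "__main__":
    print(is_multi_factor(["password", "security_question"]))  # False: both knowledge
    print(is_multi_factor(["password", "totp"]))               # True
    print(authenticate(DEMO_USER, {"password": "correct horse battery staple",
                                   "totp": totp(RFC_SEED, 59)}, now=59))
```

Note the drift window: accepting one step either side keeps users with slightly skewed phone clocks working, at the cost of a code being valid for up to 90 seconds rather than 30, which is why the window should stay at one.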

Why do businesses need multi-factor authentication?

Many groups feel that single-factor authentication is adequate for their needs, but let’s consider something first. You have a bank account, and tied to that bank account you likely have both a debit and a credit card. To access your money you already use multi-factor authentication: you have a debit/credit card (possession) and a PIN code/password (knowledge). Now, consider how much damage a breach could cost your business. Does your business’ network deserve the same level of protection as your personal bank account, if not more?

Yes, yes it does.

Many industries already require multi-factor authentication! If you work in law enforcement in the United States, then you’re likely required to be CJIS compliant. CJIS compliance requires advanced authentication. If you work in retail, you’re likely PCI compliant. Again, PCI compliance requires multi-factor authentication. If you work in healthcare, then there’s HIPAA to consider. HIPAA is yet another regulation that requires multi-factor authentication. What this demonstrates is that, for IT security, MFA is becoming mainstream.

What’s my recommendation for a multi-factor authentication solution?

Well, no solution should be a one-size-fits-all response. You should be able to customize and tailor any potential solution so that vital resources are protected, without inconveniencing users who don’t require multi-factor authentication. If you’re interested in a solution designed from the ground up with security and usability in mind, then I’d recommend “AuthAnvil Two Factor Auth”.

AuthAnvil Two Factor Auth is a multifactor authentication server capable of adding identity assurance protection to the servers and desktops you need to interact with on a regular basis, and deep integration into many of the tools that you may use day to day. It also works with pretty much anything that supports RADIUS, so along with your Windows logon it can protect things like your VPNs, firewalls and Unix environments. Conveniently enough, it also integrates smoothly with Kaseya. That way you can accomplish even more from that single pane of glass.

For more information on multi-factor authentication: Click Here

For a look at how AuthAnvil’s Kaseya integration can be used: Click Here

Author: Harrison Depner

Home Depot: Yet another retail breach.
PCI compliance just doesn’t cut it


What do Home Depot, UPS, and Target have in common? Well, aside from all providing budget-friendly furniture, all three have been recent targets of data breaches involving Point-Of-Sale (POS) units containing customer financial information.

Now, when a data breach occurs, someone always has to play the blame game. “It’s the store’s fault. Their IT security wasn’t compliant. Clearly they should have fixed x and prepared for y…” Well, I don’t believe approaching these sorts of issues from that angle is productive. Security is never infallible and *stuff* happens, so wear a helmet and get used to it or get out of the business.

If you want to blame something, blame the reliance placed on regulations as a means of securing customer information. Regulations are not, and have never been, a catchall solution. A chef doesn’t make good food because their restaurant passed a health inspection, yet, in IT security, people throw around the types of compliance they have like that’s something significant. That’s not how it works. If you work in retail IT, then PCI compliance isn’t some sort of badge of honor; it’s more like an acknowledgement that you’re not incompetent. If you had a room full of people and you wanted to find the most educated, you wouldn’t start by asking who completed grade school, so if you only judge a breached business by whether it was compliant or not, you’re asking the wrong questions. Compliance is a minimal requirement and, like most minimum requirements, it logically follows that anything greater than it is better. What we need to start asking then is “could this breach have been reasonably avoided?”

These businesses were legally required to be PCI compliant, but there’s so much more to providing IT security than following some paint-by-the-numbers security guidelines. The key thing about IT security is that you can never eliminate the risk, you can only mitigate it. That leaves one question remaining: could the Home Depot breach have been reasonably avoided?

I can’t easily answer that. Depending on how you look at it, the breach was both avoidable and unavoidable. It’s impossible to know, because we don’t know if Home Depot did a good job securing their customers’ data; that information hasn’t been released yet. What I can say is that if more banks had adopted chip-based credit cards, then the breach wouldn’t have been as bad. Chip cards are harder and more expensive to “clone”, thus making them less valuable to criminals. Would this have prevented the breach? Probably not. Would it have decreased the damage? Yes, significantly so.

If you think about it though, that’s IT security in a nutshell. There’s no such thing as absolute security. The only absolute in IT security is the absolute chance of any system being breached. P(Breach) ≠ 0 and whatnot. If someone wanted to dedicate enough resources, they could breach any system. To combat this, those in IT security must follow a constant process of checking and confirming their systems are as they should be. It’s a process of confirming that vulnerabilities are secured as they are discovered.

In summary:

Could more have been done to prevent the Home Depot breach?

Sure, there’s always more that can be done to improve security.

Does the status of their PCI compliance matter?

Not that much, except from a legal standpoint.

Would having stronger security have made a difference?

Not necessarily, but it couldn’t have made it worse.

Now I’m not the kind of guy to self-promote in the aftermath of a major breach, but we have a free eBook on how AuthAnvil can help secure Retail IT. It covers how many of our features can help to meet and surpass the requirements of PCI DSS. So, if you’re interested in what PCI compliance actually requires or are looking to beef up your systems security, just Click Here.

Author: Harrison Depner

3 Things Your Password Management Solution Must Provide


When was the last time an employee left your company?
Was it one month ago? Two?

Gone are the days of the lifelong career. Sure, if you work in education there’s the possibility of tenured professors, but for the average MSP there’s no such thing, and as such there is a significant amount of employee turnover. No matter how hard you try to retain your employees, some are going to be taken from you, and some of those employees are bound to be technicians.

It’s always sad whenever a technician leaves a company, but the IT security risk their departure leaves behind can linger even longer. You can lock their personal accounts after they leave and have them return their keycards, but you can’t remove all knowledge of your and your clients’ systems, applications, networks, and the associated usernames and passwords from their minds.

Now consider the ever increasing risk of a data breach, and the value of your clients’ data.

Your clients expect that, along with whatever other services you provide, you will help protect them from the risk of a breach, yet every time a technician leaves your company a set of keys to unlock your clients’ secured systems is being released into the world. Many businesses would be bankrupted by even a single breach, and your ex-employees have the means of walking casually past their security and into their systems. How do you think your clients would feel if they knew that?

As a business working in IT, the security of all systems, your clients’ and your own, must be at the forefront of your focus. When it comes to passwords, you need to have a plan in place which accounts for technicians leaving your company. Many MSPs I’ve seen lack such a plan, and that runs afoul of the oldest IT truism “always be prepared”. To be well prepared, there are three critical features your plan needs to work successfully…

Auditing

Your system, no matter how it’s set up, absolutely needs some auditing functionality. This allows you to check:

  • Who has accessed certain passwords, and when.
  • If the stored passwords are on par with any complexity or compliance requirements.
  • If the stored passwords are accurate and actually match the ones being used.
  • Who the contact with authority is, should something go wrong.

Access control

No technician should ever need to know every single password at any given time. Access control allows you to restrict that access to need-to-know only. The most common way of accomplishing this is by enacting a role-based access model, where users in certain roles have access to certain passwords. At the minimum your system should allow you to:

  • Control who can access certain passwords.
  • Control what access a user has to passwords (read-only, write-only, hidden, etc.)
  • Securely store the passwords in a central location, while providing access to virtually everywhere.

Automation

An Excel spreadsheet just won’t cut it for this requirement. Your system needs to be capable of doing most of these tasks automatically. If you tried to do this all manually, the work required would likely be a full-time job of its own. Your system should be able to automate all of the requirements for auditing and access control, while simultaneously being able to:

  • Automatically change and update passwords on a set schedule.
  • Inform those in authority when a password needs changing that cannot be automated.
  • Automatically enter passwords for users who only need it to log in.
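The three requirement lists above (auditing, access control, automation) map onto a small amount of logic, shown here as an added example in Python that is not Kaseya, AuthAnvil or any vendor’s code. It keeps an audit trail of who touched which password and whether they were allowed to, enforces role-based permissions including a “hidden” level where the vault submits the password on the user’s behalf without revealing it, checks stored passwords against a complexity policy, and rotates passwords on a schedule while reporting the ones that must be changed by hand. The roles, users, entries, the day-number clock and the complexity regex are all constructed for the example.

```python
"""Password vault demonstrating auditing, role-based access and rotation automation.

Added example, not any product's code. Users, roles, secrets and the simple
day-number clock are constructed for illustration.
"""
import re
import secrets
import string
from dataclasses import dataclass

# Constructed complexity policy: 14+ chars with lower, upper, digit and symbol.
POLICY = re.compile(r"^(?=.*[a-z])(?=.*[A-Z])(?=.*\d)(?=.*[^\w\s]).{14,}$")


def meets_policy(secret: str) -> bool:
    return bool(POLICY.match(secret))


def generate_secret(length: int = 20) -> str:
    """Cryptographically random password that satisfies POLICY."""
    alphabet = string.ascii_letters + string.digits + "!@#$%^&*"
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if meets_policy(candidate):
            return candidate


@dataclass
class Entry:
    secret: str
    rotated_on: int      # day number on the constructed clock
    rotate_every: int    # rotation interval in days
    auto_rotate: bool    # False where rotation needs a human (e.g. a legacy device)


class Vault:
    def __init__(self):
        self.entries, self.roles, self.users, self.audit = {}, {}, {}, []

    # --- access control: user -> role -> {entry: permission} -----------------
    def assign_role(self, user, role):
        self.users[user] = role

    def grant(self, role, entry, permission):
        """permission is one of 'read', 'write', 'hidden'."""
        self.roles.setdefault(role, {})[entry] = permission

    def permission(self, user, entry):
        return self.roles.get(self.users.get(user), {}).get(entry)

    # --- auditing: every attempt is recorded, allowed or not -----------------
    def _log(self, day, user, action, entry, ok):
        self.audit.append({"day": day, "user": user, "action": action,
                           "entry": entry, "ok": ok})

    def accessed_by(self, entry):
        """Who has successfully read or used this password, and when."""
        return [(a["day"], a["user"]) for a in self.audit
                if a["entry"] == entry and a["ok"] and a["action"] in ("read", "use")]

    def read(self, user, entry, day):
        ok = self.permission(user, entry) in ("read", "write")
        self._log(day, user, "read", entry, ok)
        return self.entries[entry].secret if ok else None

    def use_for_login(self, user, entry, day, login):
        """'hidden' permission: the vault submits the secret; the user never sees it."""
        ok = self.permission(user, entry) in ("hidden", "read", "write")
        self._log(day, user, "use", entry, ok)
        return login(self.entries[entry].secret) if ok else None

    def rotate(self, user, entry, day):
        ok = self.permission(user, entry) == "write"
        self._log(day, user, "rotate", entry, ok)
        if ok:
            e = self.entries[entry]
            e.secret, e.rotated_on = generate_secret(), day
        return ok

    # --- automation: scheduled rotation and policy reporting -----------------
    def rotation_due(self, day):
        return [n for n, e in self.entries.items() if day - e.rotated_on >= e.rotate_every]

    def run_schedule(self, day):
        """Rotate what can be rotated automatically; return the rest for a human."""
        rotated, needs_human = [], []
        for name in self.rotation_due(day):
            e = self.entries[name]
            if e.auto_rotate:
                e.secret, e.rotated_on = generate_secret(), day
                self._log(day, "scheduler", "rotate", name, True)
                rotated.append(name)
            else:
                needs_human.append(name)
        return rotated, needs_human

    def policy_report(self):
        return {n: meets_policy(e.secret) for n, e in self.entries.items()}


def build_demo_vault():
    """Constructed data: two client secrets, a senior tech and a helpdesk user."""
    v = Vault()
    v.entries["client-fw-admin"] = Entry("Tr0ub4dor&3-Example!", 0, 30, auto_rotate=True)
    v.entries["legacy-plc"] = Entry("admin", 0, 90, auto_rotate=False)
    v.assign_role("alice", "senior-tech")
    v.assign_role("bob", "helpdesk")
    v.grant("senior-tech", "client-fw-admin", "write")
    v.grant("senior-tech", "legacy-plc", "read")
    v.grant("helpdesk", "client-fw-admin", "hidden")  # bob can log in, not read
    return v
```

When a technician leaves, the departure procedure becomes two vault calls: remove their role, then rotate every entry their role could read, with `accessed_by` telling you which of those were actually ever pulled.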

Now, a lot of these requirements sound hard to fulfill. And they are, should you try to set this up yourself. That’s just the thing though, if you were solving for the problem of malware, you wouldn’t design your own in-house antivirus. I mean, you might rebrand some open source solution, but that never ends well.

The same method you use to solve for viruses, email, or any other software requirement, can be applied to password management. Let someone else build the tools, so you don’t have to. You don’t need to invent your own password management system, you just need a password management solution.

While you’re looking for a password management solution, let me throw one more factor into the mix. If you’re reading this blog at blog.kaseya.com, there’s a good chance you’re a Kaseya customer. If you are, or you’re interested in becoming one, make sure that the solution you choose supports a Kaseya integration. That way you can accomplish even more from a single pane of glass.

If you want more information on what you need from a password management system: Click Here

If you want to know what I would recommend as a password management system: Click Here

Author: Harrison Depner

Security and Healthcare IT: A HIPAA Compliance Questionnaire


As an MSP in the modern market you’ve likely heard the acronym “HIPAA” thrown about. If any of your customers are healthcare providers, clearinghouses, or businesses that deal with electronic protected health information (ePHI) then you have almost certainly heard of HIPAA compliance.

HIPAA, or the Health Insurance Portability and Accountability Act, is a set of regulations in the United States which apply to all people who have access to the data and/or networks which contain ePHI. If you only manage a network for a client who handles ePHI, and even if you never access the information, you will still count as a “business associate” under the act, are legally required to be compliant with the act, and can be held liable in the event of a data breach.

This means that if you do, or intend to, support clients in the field of healthcare, then you need to be HIPAA compliant. Even though HIPAA is a piece of U.S. legislation, many countries have similar pieces of legislation with similar requirements.

This leaves us with a key question: What does HIPAA compliance require when it comes to IT security, identity, and access management?

Fortunately, I’ve boiled the answers to this question down into a list of simple yes or no questions you can ask your client. If the answer is no, consider that a bad sign.

Security Policies and Procedures

Policies must be established to handle and manage all security violations. You can ask your clients questions like:

  • Are your employees aware of the penalties that will ensue from security violations?
  • Are internal penalties in place for employees who violate security procedures?
  • Do all your users know what to do in the event of security incidents or issues?
  • Is there a process in place to document, track, and address security issues or incidents?
  • Is there someone tasked with checking all security logs, reports, and records?
  • Do you have a security official in charge of a password and smart security policy?
  • Have you ever undertaken a risk analysis?

Access Management

Access to ePHI must be restricted to those who have permission to access it. You can ask your clients questions like:

  • Do you have measures in place to authorize or supervise access to ePHI?
  • Are there processes for determining the validity of access to ePHI?
  • In the event of employee termination, is their access to ePHI blocked?

Security Awareness Training

HIPAA requires that a security awareness training program must be established for all staff. You can ask your clients questions like:

  • Are employees regularly reminded about security concerns?
  • Do you hold meetings about the importance of password, software, and IT security?
  • Are your employees aware of the process surrounding malicious software?
  • Do you have procedures for regular review of login attempts?
  • Do those procedures check for any discrepancies or issues?
  • Have you established procedures to monitor, manage, and protect passwords?

The Worst Case Scenario

There should be a plan in place for the protection and use of ePHI in the event of an emergency or disaster. You should ask your clients questions like:

  • Are there tested and revised plans in place for an emergency?
  • Have the applications and data needed for these emergency plans been analyzed?
  • In the event of a disaster, can copies of ePHI be made or retrieved?
  • In the event of a disaster, can all ePHI be restored or recovered?
  • In the event of a disaster, will your ePHI be protected?
  • In the event of a disaster, can critical ePHI-related business functions be completed?

Business Associate Contracts

Business associate contracts are critical for both ITSPs and MSPs who work in the healthcare setting. While not signing an agreement can provide a slight amount of protection from being liable under the law, detailing and signing off on your agreed-upon duties and liabilities can provide significantly more protection in the event of an investigation, audit, or breach. Documentation is key when it comes to protecting yourself.

Technological and Physical Protection

Procedures that limit physical access to facilities and equipment that house ePHI data need to be in place. Additionally, it is just as critical that procedures must ensure all ePHI is only accessible to employees who have permission to do so.

As someone working from an IT position, it is your responsibility to ensure that access to applications and data containing ePHI is limited only to authorized users. This is where authentication becomes critical.

One method you can discuss with your client is known as multi-factor authentication (MFA). With MFA, users log in with a password as well as an additional security factor like a fingerprint scan or a one-time-use code from a secure mobile app. MFA’s advanced level of security also allows businesses to explore other productivity and security solutions like single sign-on (SSO), which allows a single credential to provide access to others. For many businesses which are required to comply with HIPAA regulations, multi-factor authentication and single sign-on are both convenient and practical solutions to many of their compliance woes.


Author: Harrison Depner

Kaseya Acquires Scorpion Software for Identity and Access Management


Last week Russian criminals stole 1.2 billion Internet user names and passwords, amassing what could be the largest collection of stolen digital credentials in history (CNNMoney). The credentials gathered appear to be from over 420,000 websites, both small and large. Which specific websites were impacted is yet to be disclosed, but it’s likely that some “household names” are on the list and will have to deal with the resulting publicity.

Today, companies need to manage access to a growing number of websites and applications. Unauthorized access to sensitive information can cause financial losses, reputation damage, and expose companies to regulatory penalties for privacy violations. According to the Ponemon Institute Research Finding, the US per record cost of a data breach is $201. Multiply the 1.2 billion records stolen by the Russian criminals by the $201 and it is a shockingly high number. A Washington think tank has estimated the likely annual cost of cybercrime and economic espionage to the world economy at more than $445 billion — this represents a tax by criminals of almost 1 percent on global incomes.

To reduce these exposures, protecting access with the highest levels of security is crucial for IT organizations. But developing strong security requires a balance between making access difficult for hackers and easy to comply with and use for bona fide users. According to Verizon’s Data Breach Investigations Report, “The easiest and least detectable way to gain unauthorized access is to leverage someone’s authorized access”, which means passwords need to be properly managed and protected. Accordingly, IT organizations are faced with several challenges:

  • Recognizing the relentless attempts to acquire security credentials through hacking, phishing and other techniques, preventing unauthorized system access requires more than just password-based access.
  • Passwords are easily shared, guessed and stolen. Managing password access is challenging for employees and IT organizations as the number of systems requiring password access grows.
  • Managing passwords and system access requires significant IT time and resources, so a highly efficient and easy to use administration solution is necessary.
  • Solutions chosen must comply with all prevailing industry standards.

Today, Kaseya took an important step to help its customers address these challenges, with its acquisition of Scorpion Software. The Scorpion Software AuthAnvil product set provides an important addition to the Kaseya IT management solution, offering two factor authentication, single sign-on and password management capabilities.

The solution provides IT groups with:

  • An advanced multi-factor authentication solution which provides a level of security which passwords alone cannot deliver.
  • An effective single sign-on solution with easy access to all systems for employees which avoids the need for sharing or writing down of passwords.
  • Powerful and easy-to-use password management capabilities to drive efficiencies in administering password access.
  • Support for industry standards compliance and auditing, including PCI, HIPAA, SOX, CJIS and other standards.

These capabilities are aimed directly at the security and efficiency challenges above, and are essential for MSPs and IT organizations to be able to effectively manage secure access to applications and ensure standards compliance.

Scorpion Software is a longtime partner of Kaseya and has already implemented an integration with Kaseya Virtual System Administrator (VSA), making it easy for existing Kaseya customers to add Scorpion Software’s unique security capabilities to their solutions. Kaseya VSA is an integrated IT Systems Management platform that is used across IT disciplines to streamline and automate IT services, and the integration of Kaseya with Scorpion Software’s AuthAnvil technologies creates an IT management and security solution unmatched in the industry.

Scorpion Software’s AuthAnvil is currently in use by over 500 MSPs around the globe, and is the only identity and access solution to provide two factor user authentication integrated with password management and single sign-on. It allows IT organizations and MSPs to quickly and easily enable and manage secure access to all applications, delivering the highest levels of security and efficiency.

With the acquisition of Scorpion Software, Kaseya continues its work to deliver a complete, integrated IT management and security solution for MSPs and mid-sized enterprises around the world. The combined solution will help IT organizations:

  • Command Centrally: See and manage everything from a single integrated dashboard.
  • Manage Remotely: Discover, manage, and secure widely distributed environments.
  • Automate Everything: Deploy software, manage patches, manage passwords, and proactively remediate issues across your entire environment with the push of a button.

I know that many Kaseya customers who are reading this blog are already Scorpion Software customers. For those who are not, I invite you to visit the Scorpion Software website to learn more and see the product for yourself at www.scorpionsoft.com. Also, for more information, don’t hesitate to reach out to your Kaseya sales representative or email AuthAnvilSales@Kaseya.com.

Author: Tom Hayes


Optimizing Mid-Market Virtualized Environments for Performance and ROI

Like their larger enterprise counterparts, mid-market organizations have taken extensive advantage of virtualization and server consolidation. Yet despite their increasing investment in virtual server, storage and networking capabilities, they frequently fail to invest in the tools needed to truly optimize their virtualized environments for performance and ROI.


Many mid-market IT operations groups find that optimizing their infrastructure to get the best returns on their investments, while simultaneously maximizing availability, is a significant challenge. Most have implemented virtualization over the past few years to reduce the number of physical servers they need, along with the associated office space, energy usage and IT staff resources. However, they frequently underutilize the virtual machines (VMs) created to avoid overloading the hosts*.

Tool sophistication and coverage

The problem doesn’t seem to be a lack of tools but rather a lack of tool sophistication and coverage. Each hypervisor, storage and network vendor offers tools for managing and optimizing the capabilities of its own technologies. While these tools provide real-time monitoring, they are not usually able to correlate information across different domains, cannot filter derivative conditions effectively, and provide little information about expected norms and predictable variations. This leaves manpower-strapped IT organizations with the task of manually reviewing and evaluating monitoring results in order to do configuration design, capacity planning, or root-cause analysis of performance issues.

The complexity of today’s hybrid-cloud IT environments and the ever-increasing demands placed on IT make it difficult for small IT teams to dedicate sufficient time to monitoring and management activities. So despite the underutilization of server capacity, agreed-to service levels are hard to maintain and IT, in fact, relies on end users to report poor performance! The net result for many groups is a lower virtualization ROI than anticipated, lower IT service availability and sometimes a less than stellar IT reputation.

Advanced application monitoring

One approach to dealing with this issue is to adopt a more advanced service level monitoring solution. By aggregating individual managed elements into collections of applications, VMs, storage, networking devices and rules that represent complete IT services, it becomes possible to take a more holistic approach to performance management and ROI improvement. Such monitoring solutions not only monitor the individual components and their associated parameters, they also correlate data from all of the service components as a whole and are able to undertake trending and baselining to help proactively identify forthcoming issues as well as to eliminate predictable parameter variations as causes of concern.

By monitoring applications through virtualized servers or from cloud services while keeping track of network, storage and other infrastructure components, advanced service level monitoring solutions are also far better at preventing those complex performance issues where nothing seems to be broken, no alerts have been sent, yet users are complaining. The wide and deep purview of such solutions also allows a more comprehensive approach to root-cause analysis. Here are five areas where advanced service level monitoring tools can take the hard work out of monitoring virtualized environments and help improve both performance and ROI.

  • Server over utilization and/or underutilization. Time constraints often limit the ability of mid-market IT services groups to monitor virtual and physical server utilization and the associated storage and networking resources. Examining utilization even on a weekly basis can be totally inadequate. What’s needed is a continuous monitoring capability that correlates results between different VMs running on the same server so that CPU capacity-related performance issues can be diagnosed. Application performance can also be affected by networking and storage constraints, which in turn may be caused by applications running on adjacent VMs. Server and performance optimization requires understanding not simply the peak load requirements of individual applications but also workload patterns and system demands created by multiple applications. Reports can be viewed on a weekly basis, but data should be collected continuously and saved for later analysis and review.
  • Server versus infrastructure optimization. Monitoring server compute and storage capacity is very important but performance issues are frequently associated with the volume of network traffic or of data to be processed. Typically there are trends and patterns around these that, if identified proactively, can be used to overcome performance issues before they have impact. Identifying such trends can signal the need for additional network bandwidth, improved internet connectivity, greater or faster storage capacity, more processing power etc. – investments that are far easier to justify when related to their impact on service level agreements.
  • Static versus dynamic workloads. Another challenge is to track business application performance across dynamic server environments. When system applications such as VMware’s vMotion or Storage vMotion are used, VMs can migrate dynamically from one physical server to another without service interruption, for example when DRS or maintenance modes are enabled. In simple environments it may be easy to determine where VMs (and hence applications) have migrated but in more complex environments this becomes problematic. The advantage of vMotion is that when activated it automatically preserves virtual machine network identities and network connections, updating routers to ensure they are aware of new VM locations. The challenge from the perspective of application end-to-end performance is to know which physical server is now hosting the application – particularly as the address hasn’t changed. Advanced monitoring solutions follow these migrations and, by containerizing all the infrastructure elements that make up a particular IT service, can take account of the dynamic changes occurring in hosting, storage and networking components.
  • Cyclical, erratic and variable workloads and traffic patterns. Optimizing server consolidation is relatively straightforward when application workloads are consistent over time. However, many applications place highly variable, cyclical or erratic demands on server, storage and networking components, making it more likely that resources are sub-optimized in favor of simplicity and time. Advanced service level monitoring solutions are able to analyze the patterns of usage and baseline the results to provide a more granular view, which can be used to better take advantage of available resources and avoid unnecessary alerts. For example, a payroll application that requires significant resources prior to the end of each pay period might be paired with a finance application that needs to run after orders have been taken at the end of each month. Similarly, it may make sense to pair development-related activities with test activities, assuming that development and testing are done in series, not in parallel. Advanced monitoring can help identify not only the processing capacity requirements and patterns but also those of storage and bandwidth, so that all factors can be taken into account when optimizing resource allocation and setting thresholds.


  • Root-cause analytics and meeting/reporting on SLAs. Optimization is an important goal for maximizing the virtualization ROI, but what most users care about is IT service availability and performance. As with all things complex, problems will occur. The challenge is to be able to resolve them as quickly as possible. Advanced service level monitoring solutions help because they are able to pinpoint problem areas and then drill down, through dashboard screens, to rapidly identify root causes. Because they are able to look across every element of the infrastructure, they can identify interactions between different components to determine cause in ways that discrete management systems cannot. In addition, the ability to track and trend parameters of the components that make up each IT service provides a proactive mechanism able to predict likely performance issues or SLA violations in advance. This gives IT Ops reports that can be shared with management and users to justify any changes or additional investments needed.
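The baselining and host-correlation argument made in the bullets above, as an added example in Python (not Kaseya or Traverse code): constructed hourly CPU samples for three VMs on one host, a per-hour-of-day baseline learned from the first six days, a comparison against a naive static threshold, and a breakdown of which co-located VM is driving the deviation when an alert fires. The VM names, host name, threshold and band parameters are all assumptions for the demonstration.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample: which VM runs on which host (assumed names).
HOST_OF = {"payroll": "esx-01", "web": "esx-01", "build": "esx-01"}


def constructed_samples():
    """Return constructed (day, hour, vm, cpu_pct) rows for 7 days.

    'payroll' legitimately spikes every day at hour 22 (end-of-day batch),
    'build' is busy during office hours, 'web' is flat. On day 6 at hour 10
    'web' spikes with no schedule behind it; that is the real problem.
    """
    rows = []
    for day in range(7):
        for hour in range(24):
            jitter = (day * 7 + hour * 3) % 5  # small deterministic variation
            rows.append((day, hour, "payroll", (85 if hour == 22 else 15) + jitter))
            rows.append((day, hour, "web", 30 + jitter))
            rows.append((day, hour, "build", (60 if 9 <= hour <= 17 else 10) + jitter))
    # Inject the unexplained spike on the evaluation day.
    return [(d, h, vm, 95 if (d, h, vm) == (6, 10, "web") else c) for d, h, vm, c in rows]


def build_baseline(rows, train_days):
    """Per (vm, hour-of-day) mean and population stdev over the training days."""
    by_key = defaultdict(list)
    for day, hour, vm, cpu in rows:
        if day < train_days:
            by_key[(vm, hour)].append(cpu)
    return {key: (mean(vals), pstdev(vals)) for key, vals in by_key.items()}


def static_alerts(rows, day, threshold=80.0):
    """Naive rule: alert whenever CPU exceeds a fixed percentage."""
    return sorted((hour, vm) for d, hour, vm, cpu in rows if d == day and cpu > threshold)


def baseline_alerts(rows, baseline, day, k=3.0, margin=5.0):
    """Alert only when a sample leaves the learned band for that VM and hour.

    The band is k standard deviations plus a fixed margin, so a perfectly
    regular series (stdev 0) still tolerates small jitter.
    """
    alerts = []
    for d, hour, vm, cpu in rows:
        if d != day:
            continue
        mu, sigma = baseline[(vm, hour)]
        if abs(cpu - mu) > k * sigma + margin:
            alerts.append((hour, vm, cpu, round(mu, 1)))
    return sorted(alerts)


def host_correlation(rows, baseline, day, hour, host):
    """Deviation from baseline for every VM on the host at that time, largest first."""
    devs = []
    for d, h, vm, cpu in rows:
        if d == day and h == hour and HOST_OF[vm] == host:
            mu, _ = baseline[(vm, h)]
            devs.append((vm, round(cpu - mu, 1)))
    return sorted(devs, key=lambda item: -item[1])


if __name__ == "__main__":
    rows = constructed_samples()
    bl = build_baseline(rows, train_days=6)
    print("static threshold alerts on day 6:", static_alerts(rows, 6))
    print("baseline alerts on day 6:", baseline_alerts(rows, bl, 6))
    for hour, vm, cpu, expected in baseline_alerts(rows, bl, 6):
        print(f"neighbours of {vm} at hour {hour}:", host_correlation(rows, bl, 6, hour, HOST_OF[vm]))
```

The static rule fires on the payroll batch every night as well as on the real problem; the baseline rule fires only on the web VM, and the host breakdown shows its neighbours are within their norms, so the cause is not contention from an adjacent VM.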

Advanced service level performance management tools have affordable starting prices and offer significant ROI themselves by increasing the return from virtualization and allowing SLAs to be met and maintained. Add a faster mean time to problem resolution and IT resources freed to undertake more productive activities, and their value is very significant.

By helping the IT departments of mid-sized companies optimize their virtualized environments, Kaseya’s advanced monitoring solution, Traverse, supports SLA mandates and frees in-house IT staff to better respond to business requests. It also provides detailed intelligence that IT can use to add strong value in conversations regarding business innovation.

Learn more about how Kaseya technology can help. Read our whitepaper, Solving the Virtualized Infrastructure and Private Cloud Monitoring Challenge.

References:

* Expand Your Virtual Infrastructure With Confidence And Control

Author: Ray Wright

IT Automation: Basic, Advanced, and Downright Creative


My last blog post discussed IT complexity and the new challenges from cloud, mobility and big data, which are key drivers of IT automation. These new challenges make it hard for IT administrators to do their jobs without increasing the level of automation. The post identified the key requirements for an automation solution, from out-of-the-box functionality to policy-based management to community sharing of innovative implementations, noting that not all automation solutions are created equal. To help crystallize the differences and the possibilities, this post provides a set of examples of each type, provided by Ben Lavalley, our automation expert here at Kaseya.

Basic Automation:

In a strong automation tool, basic automation capabilities should come out-of-the-box ready to deploy. IT administrators can obtain immediate time saving and efficiency with little configuration effort. Examples include:

  • Automate actions based on monitoring of specific workstations. Monitor and create a dashboard view to identify workstations and their status. Then apply policy management to automate routine maintenance. Maintenance may include disk defrag, disk cleanup, browser history cleaning, and other actions.
  • Automate patch management with server/workstation policies for Windows patching. Configure automated patch approval and reboot settings for servers and workstations, using policy management for set-and-forget patching.
  • Automate third party application updates. Configure application deploy and update policies to keep third party applications up-to-date. IT administrators don’t need to create scripts to update Adobe, browsers, etc.
  • Automate Auditing. Run reports on machines with low memory, or open network file shares, or other characteristics, so that corrective action can be taken.

Advanced Automation:

IT administrators can deploy more advanced automation based on common agent and other procedures. Examples include:

  • Configure Service Desk for automated remediation of monitoring alerts. Run service or machine restarts to try to resolve a reported issue. In addition, collect diagnostic information from the offending system and add the results of the diagnosis directly into the notes of the ticket, so technicians have the valuable information they need to address the root cause of the problem more quickly.
  • Use policy-based automation for select servers. Audit server roles, e.g., Exchange, SQL, Controller, etc., with dashboard views that have been filtered for location and server type, then create a policy (using policy management) that applies ongoing monitoring and reporting based on system attributes.
  • Automate the end-user portal. Customize and automate the end-user portal (via the management agent), to help end users deal with basic issues. Publish bulletins, “how-to” information, etc., and provide procedures for end-users to run on their own machines for self-help.
  • Establish policy-based automation for application management. Set a policy for applications that start-up automatically, then detect for non-compliance to policy. Non-compliant applications can also be removed automatically, if desired, to improve workstation performance and remove potential security issues.

Creative Automation:

Talented IT administrators like to get creative, and good automation solutions provide the tools to do so. Creative solutions are usually built using some combination of out-of-the-box capabilities along with light scripting. Examples include:

  • Stolen laptop recovery. Automate the capture of desktop screenshots and even pinpoint the geographic location of the laptop with wireless network collection (using Google location APIs). It can result in a very surprised thief being apprehended in a coffee shop, for example.
  • Automate email, e.g., Exchange server, Quality of Service (QoS) monitoring. Run a regular email test to proactively test that a mail server can send and/or receive mail.
  • Clean up the “bloatware”. Establish an approved workstation configuration, detect deviations, and automatically clean-up the “bloatware”. Patrick Magee, from Howard Hughes Corporation, has reduced help desk tickets by 50% with this automation solution.

Regardless of the size of your business, you can improve operational efficiency and productivity through IT automation. Moreover, reducing human involvement wherever possible frees up the IT team to deal with the new challenges posed by cloud, mobility and big data. In harnessing these new technologies, the IT team becomes a partner to the organization, helping to drive business success.

For more information on Kaseya automation capabilities, visit our IT Automation website: http://www.kaseya.com/features/kaseya-platform/it-automation.

Authors:

Tom Hayes, VP Product Marketing, Kaseya

Ben Lavalley, Product Management, Kaseya

Does the Math for BYOD Add Up?


A Bring-Your-Own-Device (BYOD) program has several benefits from an IT administration and general business perspective, such as improving employee job satisfaction and productivity, saving costs on company-owned devices, and increasing employee availability across the company.

But CompTIA’s recent survey suggests that 51 percent of large enterprise firms have not jumped on the BYOD bandwagon; only three percent of medium and large firms and nine percent of small firms have adopted a full BYOD policy. According to the survey respondents, in addition to security concerns, the math for BYOD investment apparently fails due to hidden indirect costs such as the complexity of supporting a wide array of devices, investments in building the mobility management skills of IT staff, and the overhead of balancing the needs of end users and IT. Make no mistake, all these enterprises have also acknowledged the growing importance of mobility management and are making investments in that direction. They seem to be more comfortable with the idea of having complete control of the devices, just as they do on employees’ laptops and PCs. The natural tendency is to extend this deeply entrenched IT management philosophy to mobile devices, and that is precisely why many BYOD initiatives fail.

The math for BYOD adds up if you adopt a simple philosophy in your BYOD mobile strategy: Manage Data Not the Device. With this philosophy you can realize the value of BYOD program that enables your employees to use their personal devices securely for work.

Now let’s address the challenges that can potentially drain the savings from BYOD program. Note that the capabilities discussed below aren’t theoretical. They are currently provided by some of the robust BYOD management solutions available in the market.

  • Security: BYOD programs amplify security concerns owing to the rapid proliferation of mobile endpoints accessing corporate network and assets. Instead of the entrenched IT view of controlling device features and capabilities, a viable and practical alternative is to ensure complete protection of company data at rest (on the device) as well as in flight (during transmission), and not worry about the device itself. For this, the BYOD management solution must provide robust encryption, on top of SSL, and isolate corporate data from the rest of the mobile device using “encrypted containerized apps” to deliver business data, documents and applications on personal devices. The solution should also enable pin locks on these apps independent of device pin lock, protecting the data in the apps against casual perusal.
  • Integrating a wide array of diverse devices: From 2012 to 2013, the number of distinct Android devices grew from 3,997 to 11,868. This is an overwhelming number of devices for IT admins to support on their company network. A robust BYOD management solution will keep all the mobile devices outside the network and process the mobile requests using an intermediary “gateway-behind-a-firewall” that makes only outgoing connections to exchange data with the devices. Using this gateway, IT admins can further control which company resources are accessible on these personal mobile devices. Such a solution architecture requires virtually no changes to network VPN and firewall settings.
  • Balancing the needs of end users and IT: A successful BYOD implementation is all about striking the happy balance between corporate data protection and employee’s personal freedom. This is possible by the use of “containerized” apps for accessing company emails, documents and intranet sites. When required, the IT admins can just remote wipe the data within these “containerized” apps without impacting the personal data on the device.
  • Determining ROI: The benefits of a BYOD program are clear: employee flexibility, savings on company-owned device costs, productivity gains, higher employee availability, and competitive differentiation. Some of these benefits can be easily quantified such as savings on device costs. But the qualitative benefits such as employee productivity gains and greater employee availability are more difficult to quantify. Additionally, to realize these qualitative benefits, you will have to look for opportunities throughout your workforce and business applications to identify where mobility could drive substantial efficiency and innovation. Determining the ROI of a BYOD management solution is possible with thorough internal review of processes, building activity-based costing and identifying potential areas of savings and additional revenues.
  • Enforcing mobility policy: IT organizations have painstakingly developed IT policies for their companies, keeping laptops, desktops and servers in mind. Mobile devices, by the very nature of their design and use cases, have greater exposure to vulnerabilities. A BYOD management solution should allow IT admins to easily extend existing IT policies and authentication systems to the mobile devices with further refinement to what information can be accessed on the mobile devices by specific users. The aforementioned gateway-based architecture that integrates with existing security and authentication systems enables single sign-on to back-end systems with NTLM.
  • Building mobility management skills of IT staff: IT staff have to be knowledgeable about mobile technologies in order to support mobile business users. This need is accentuated in company-owned device scenarios, where the IT staff needs to be able to troubleshoot the devices that they control and manage. BYOD management solutions typically use a suite of apps to deliver email, documents and business applications, which rarely differ from device to device. These apps may only vary between mobile platforms like iOS, Android and Windows 8. So the focus of IT staff training, in a BYOD context, is the suite of apps on a handful of mobile platforms instead of the features and capabilities of numerous devices.

In conclusion, the BYOD trend is compelling and inevitable. It is, however, not devoid of challenges. Often these challenges are exacerbated by IT admins adopting traditional methods to manage and control devices in a BYOD context, which is a misfit. BYOD has tangible benefits, some of which are easy to quantify while others require more detailed analysis. If one focuses on managing just corporate data in a BYOD scenario, using a comprehensive mobility management solution, the BYOD challenges can be addressed without compromising security. This helps to minimize indirect costs and increase the ROI from your BYOD investment, making the math for BYOD add up.

Author: Varun Taware
