Sleeping With the Enemy…

Coming to Grips with Virus Defense

There is clearly nothing sexy about virus defense. I have yet to meet an I.T. person who gets excited about it. Yet most will admit that it is the one issue that consumes the most time and attention.

Fortunately, the science of virus prevention and detection has evolved dramatically over the last few years. New Web-based, “managed” anti-virus services even hold out the promise that I.T. staff may finally be able to turn their attention to other problems.

One of the truly frustrating aspects of virus defense has always been its high overhead. Despite recent system management trends toward “set it, forget it” technologies and “zero administration,” the typical anti-virus regimen continues to keep us hopping.

This is compounded by increasingly ubiquitous “anytime, anywhere connectivity” that only adds to the number of virus entry points into your system – e-mail, portable media, Internet gateways, remote clients (such as home PCs), handheld and wireless devices. On top of that, we now must consider the possibility that international terrorists may target corporate information to disable the U.S. economy.

So how can a small to mid-sized firm secure these entry points, keep virus signatures active and current on everyone’s desktop, and stay one step ahead of new and insidious viruses, without an inordinate investment in manpower and attention? Here are some possibilities based on recent experience.

Most virus security experts recommend a multi-layered approach, especially when it comes to e-mail, the number one carrier of malicious data. By scanning incoming messages at multiple points along their way to a recipient’s mailbox, you stand a better chance of detecting viruses. Consider three levels of filtering:

1. Perimeter Defense: Scan inbound messages before they get anywhere near your network. This is called perimeter (or boundary) defense. One option is a Web-based message filtering service such as EHS from Microsoft (previously FrontBridge). EHS uses anti-virus technology to stop e-mail based viruses before they reach your network. It also can be configured to block specific file-type attachments that are used to deliver virus payloads. (A typical list includes exe, bat. com, vbs, js, asp, scr, pif, chm, vbe.)

EHS is relatively easy to set up and can cost as little as $2.00 per month for each user on your system. A simple message forwarding entry on your DNS server, and all incoming and outgoing e-mail (if you wish to have outbound messages scanned) will pass through the EHS system.

Through an intuitive web interface, system administrators can view real-time quarantine and traffic reports, set up customized notifications, release quarantined messages and even define block lists and additional content filtering options.

Such a service will represent your network’s first line of defense against virus threats, and the good news is that it requires very little administrative attention.

2. Internal System: Next, scan messages as they move through your internal message system by installing one of the many anti-virus packages designed for e-mail servers and\or SMTP gateways. Most of the well-known virus defense companies such as Symantec Corp., Network Associates Technology Inc., and Trend Micro Inc. have products specifically designed for this purpose.

I secure my Microsoft Exchange server with McAfee Groupshield. Each day, the server automatically goes out and checks for the latest virus signatures and downloads them if necessary. Any messages that EHS fails to detect will hopefully be stopped at this point. In more than six months I have had only two viruses infiltrate down to this level.

3. Desktops: Finally, each and every desktop requires some form of virus protection. In addition, any remote access workstations (laptops, home computers) also need to be secured.

This is where life gets tricky. Managing virus signature and engine version updates on individual workstations is definitely a hassle. Sure, there are many ways to simplify this, such as scheduled or login script-based updates, but these are generally only effective for local desktops.

What about users who connect remotely and\or infrequently, or even work on firm data on their home PCs? A recent survey from the data security industry indicated that more than 70 percent of all home PCs have either no virus protection or outdated versions that are effectively useless against current threats.

Enter another Web-based, managed service that addresses these issues. Many of the big players in virus defense offer similar services, but I will mention one from Network Associates called McAfee ASaP. For as little as $60 per PC for a two-year subscription, you can have McAfee protect any PC, local or remote, that integrates with your system. No dealing with local software updates or worrying about where that file has been before being accessed on the firm’s workstation.

Once your account is established, and a small piece of software is downloaded and installed, that computer will check McAfee’s Web site for updates immediately after start-up and at regular 24 hour intervals.

What I love about this is that it accommodates all PCs, regardless of where they are, and automatically detects and removes any previously installed anti-virus software so that there will be no interoperability problems.

To reduce the number of desktops on the local network accessing the Internet, the actual update is downloaded only once to the first PC that accesses the update site. All other desktops then get updated files from that first PC on the local network.

System administrators can view a Web-based report indicating, in real time, what workstations have accessed the McAfee site to check for updates. This includes home-based and physically hard-to-reach PCs.

The bottom line: with “managed” services, it is someone else who is managing them, not me. There is no software to load, update and support, for the most part, and my time can be better employed educating users in the many safe practices regarding exchanging information with other parties.

I have a hunch that most I.T. people truly feel that this is the weakest link in any virus defense system. Getting attorneys and legal professionals to take suitable and necessary precautions when exchanging data is clearly a challenge. In this area, I feel a certain degree of informed neurosis on the part of users is actually productive. Regularly distributed tips, log-in based reminders, and information on just how high the stakes are in this battle, can go a long way in helping people to do what no technology can by itself.

Reprinted with permission from the December 2004  issue of Law Technology News @ 2004 Incisive Media US Properties, LLC. Further duplication without permission is prohibited. All rights reserved.

No Walls – Rethinking The Business of IT

I must confess that I love the sights, sounds and even smells of the server room. Racks of servers and switches sandwiched together in perfect symmetry; row upon row of green lights indicating that all is well in my world, the melodious roar of fans and equipment, the cool filtered air. Sealed off from the outside like some kind of mechanical womb, it is one of my favorite places to be; and like most IT professionals, I have spent many hours in this isolated and familiar place.

Yet I am here to tell you all that this is not fundamentally what information technology is all about. Although for many of us in the field this is where life truly begins, it is not – in fact – where it should end.

Now that I have, literally speaking, painted this picture of a warm and happy place for all you IT folks, I want you to abruptly leave these familiar surroundings and go out and get an MBA.

Yes you read that correctly! An MBA. Not more technical certifications or acronyms after your name on a resume, but a bona-fide business education.

You see, as much as I am a died-in-the-wool geek at heart like many of you, I have discovered something profound over the last dozen or so years in IT leadership, and it is this…

Are you ready, because this may rock your digital world –

Information Technology can never be viewed as an end in itself!

I know, I know. This goes against every instinct and higher truth in all us computer people, but believe me it is true, and until we learn to accept and even embrace this, then our criteria for success will forever be measured only by all those green lights in the back room.

In order for all of our laudable skills and talents to add a penny’s worth of value to the organizations that employ us, we must make a determined effort to learn the business from top to bottom. In short, there should be “no walls” between the server room and the board room!

As frightening as this seems, we must un-grip our clenched fingers from our beloved server racks, and venture out among the uncharted regions – the people and departments, the roles, the internal processes, the nuances of the business cycle, the needs of clients, stakeholders, department heads and end-users. We must boldly go into all of the unfamiliar places, so that we might learn how the information we manage moves and turns to the rhythm of the business.

Here is where we learn where what we do can add real value to the organization. And yes it means ultimately that we have to start swimming in foreign waters and exploring strange new worlds. Green lights are good, but they are only good when we view them in the context of what they mean to all of the various consumers of the information we deliver and manage.

Spend a day or two in the accounting department for example, and watch how the monthly billing process plays out. How can it be improved? How can we better serve our clients with more accurate billing information?

Or pull up a chair alongside a secretary or clerk to experience first-hand how routine administrative functions really unfold. Can improvements be made; efficiencies found? Is there potentially an IT solution, or would enhanced training be in order?

Then stick your nose into the marketing or human resource department, and learn as much as you can about what the information you deliver means to those promoting the organization, or managing human assets on a daily basis. How does the outside world view the organization? What do our customers look like? What are their real needs? What is our competitive edge over the competition? Can more improved or enhanced IT services play a more targeted role in advancing this advantage?

In short, learn or even re-discover the business from every angle and perspective! Its intrinsic routines, processes, customers, challenges, dynamics. Try to get a good read on the heartbeat of the entire operation. Oh yeah, and I wasn’t kidding about the MBA either. A grounding in high-level business principles across all functional areas will be worth its price in gold believe me.

Then, when all this is done, you can return to the old familiar surroundings of the server room. But this time when you look around at all of the cables, equipment, software, services and so forth, it might look a whole lot different. No longer will you go there to be isolated from the rest of the organization. Your home, in essence, will now have many more places and rooms.

In point of fact, this whole intersection of larger business imperatives and information technology has been going on for some time. Yet I am not sure that information professionals in general have truly embraced it as yet. Those who do will certainly be more effective and successful in the long term. And this success will ultimately be measured in purely business terms, as it should be.

Here are some quick-shot points drawing more on this topic -

• Information Technology exists essentially to enhance and improve the customer experience and advance organizational processes. IT can never be viewed as an end in itself!

• Any investment in IT must be justified like any other essential business imperative; it must advance broader organizational objectives and build in quantifiable and measurable outcomes.

• People do not merely ‘use’ information today; it has become an extension of their role within the organization; all information technology must be human friendly.

• In order to serve all people and departments within the broader organization, IT professionals must learn to listen first, then respond effectively to tangible information needs. This means tossing out any presumptions that prove to be disconnected with the reality of everyday business needs and processes.

• IT leaders must be systems thinkers – every element must fit rationally within the larger scope and operation of the organization; it must fit and make sense from every angle and perspective.

• IT professional at all levels must be engaged in the business like never before! Defining end user and stakeholder needs accurately upfront is where all information services should begin and end!

Reprinted with permission from the December 2008  issue of Law Technology News @ 2008 Incisive Media US Properties, LLC. Further duplication without permission is prohibited. All rights reserved.

Coping With Tech Overload

Some vivid metaphors come to mind regarding technology overload – swallowing a tidal wave, dancing through a hailstorm, dodging machine gun fire; you get the picture. The sense here is that the pace of technological change can often seem too much and too fast to handle. It can get downright overwhelming if you let it.

Every day, new products and technologies are storming the market touting the latest and greatest, the next BIG thing, the gotta-have, the one panacea-like device or program that will finally and completely simplify your life. At the risk of sounding cynical, I’ve heard it many times before. In fact, this has quickly become the landscape in which we tech folks operate.

I don’t know about you, but it seems like I just got the latest Microsoft (network) operating system installed and working right, when lo and behold, the folks in Redmond announce the next BIG thing: .NET. Well how about .STOP already – or at least .SLOW DOWN. Digestion is just as important as the act of getting it into your mouth, isn’t it?

As a technology manager, I am routinely inundated with new product information – the latest and greatest, high speed this or that, the next wireless rage, and just about every innovation, adornment and enhancement you can imagine. Keeping one’s sanity and sense of perspective is not easy. You have to learn to be selective, discriminating, discerning even, or else you’ll be seduced, or at the very least you’re head won’t ever stop spinning.

So what to do? How does one maintain a level head in the midst of rampant change, the ephemeral nature of today’s technology, and the ageless and seductive lure of something better around every corner? How do you maintain stability for your users amidst so much tumult and upheaval? Well, we all have our ways of coping to be sure; but here are some concepts that you may find helpful.

Breathe in and Breathe Out

First – and perhaps most importantly – appreciate the fact that it highly unlikely that the techno landscape will ever truly level out. Thousands of equipment and software companies have a vested interest in trying to one-up their competitors. Far from being a curse, this is actually a blessing for us consumers. Improvement builds upon improvement, and change upon change. The free market economy is merely doing what it is supposed to do. Having a negative attitude about the inevitable is far from productive.

The following quote from Andy Grove (co-founder and chairman of Intel) bears this out beautifully:

“Remember, the PC is not a thing. It’s an organic phenomenon like a river, it flows. It constantly adapts to underlying technology changes, user demands, even market surprises.”

Next, try to perceive technology from the user’s perspective – what it will mean to them in real terms; how it will impact the way they do their jobs. Keep in mind that most human beings resist and dislike change, and anything that disrupts their well-worn routines and work patterns can be viewed as threatening.

Remember that effective IT management is more function driven than product driven. Knowing what your users really need to do is key to offsetting the temptation to upgrade constantly to the latest thing. Also, try to space major deployments out so as to avoid instability and the ‘moving floor’ syndrome for those affected.

Next, test new products or services – then test and test again – so that they work as they are supposed to, and don’t adversely affect user’s morale. I have found that people’s attitudes have as much to do with the success of an implementation as the product itself. By getting it right the first time, they will tend to have more confidence in the process for future deployments.

Another tip: start demanding more from vendors in terms of quality and support. The emphasis in software development over the last few years has been on features, not stability and support. Their goal is to sell you more product; yours is to ensure system stability and compatibility among products; these goals are often at odds. If they are so sure they have a better mousetrap, make them prove it.

Here’s one that I know many of you will appreciate: Quite often the push for new toys comes from attorneys who have seen an ad or had something pitched to them from a colleague in another firm. And many times it turns out to be a true winner. But sometimes it doesn’t. Be sure to communicate clearly the goals and objectives of the information system on a regular basis so that horribly bad ideas can be shelved quickly.

Set clear and well conceived criteria for any new product or service. I have traditionally used a checklist to evaluate potential offerings. If a prospect does not meet certain minimum requirements, then it isn’t short listed. Such a discipline removes any personal sentiment or subjectivity from a decision.

Finally, remember that any technology is merely a tool in your arsenal; nothing more and nothing less. And it is entirely possible to have too many tools in your tool box. Streamline products (and vendors) that overlap. Reduce deployments down to feature-sets that you actually need and can support. It is generally the case that bells and whistles make lots of noise without generating any real value to the firm. Return on investment must be evaluated for any new product or service.

Riding each new technological wave can be a wild ride indeed. And although at times stressful, it is kind of fun when you think about it. Try to enjoy (not just survive) it by keeping your eye squarely on the key business objectives that will endure through each new technological iteration or invention. And through it all…keep breathing in and breathing out.

Reprinted with permission from the February 2003  issue of Law Technology News @ 2003 Incisive Media US Properties, LLC. Further duplication without permission is prohibited. All rights reserved.

Planning For Upgrade Success!

Here on the front lines of legal technology, perpetual change is a nagging fact of life. And the upgrade cycle seems to be escalating like never before. Not only are there constant patches and service packs to install, there is also a dizzying assortment of cool new programs, services and gadgets tempting the marketplace. Then there are the big software giants, with sophisticated schemes for pushing you to adopt the latest version… on their schedule, not yours. The nerve, you say.

Turning upgrade panic into upgrade success in the midsized firm is a tall order indeed. Here is one instance where I truly wish I had the recipe. Yet, there are some proven tips for taming the upgrade monster that should help.

First, try to have a compelling reason for upgrading. As mentioned, many system changes are being forced down on us, whether we like it or not. There are, however, many technology bandwagons out there, and one has to prudently decide which ones to join and which ones to avoid.

Next, do your homework. Extensively researching available options, and how they will integrate with your existing system, enables you to make better upgrade decisions. The best fit isn’t always the cheapest or the one recommended by the managing partner. Research can include website information, trade magazines, evaluation copies, product seminars/shows, and soliciting feedback from existing firms. Try to get as much information from objective sources as possible. It even helps to be a little skeptical when processing all of the claims and marketing hype.

Be sure to get as much input and feedback from all potential stakeholders as possible before deciding on an upgrade. This will ensure that any new implementations will reflect the varied needs and preferences of end users and the firm as a whole. The extent to which you can accurately target real needs, will directly impact the success of the upgrade project.

Another lesson I learned early on is “always get the best.” By choosing industry leaders with proven products and services, you reduce the risk of being left high and dry when your technology partner has gone out of business. This also applies to vendors and consultants who you will rely on throughout the upgrade process. Try to partner with companies that have a reputation for quality products and outstanding support, as well as a commitment to the legal industry.

And not only should you get the best, but you should also get more than you need, especially when it comes to storage and performance. Once you have evaluated current and future needs, add some and then some more. Requirements often grow exponentially, so it is a whole lot better to have more than you need than not enough. Hardware prices have continued to drop over the last few years so there is really no reason to skimp.

Next, try to track what larger firms are doing. Often collaboration with the big boys requires an investment in certain applications or infrastructure that you would not ordinarily consider. An example of this might be litigation support software, where electronic evidence sharing with other firms defines the technology commitment.

Once you have decided to proceed with an upgrade, be sure to test and document everything thoroughly. Detailed documentation can be an invaluable resource during the troubleshooting process, and testing new installs in a lab environment is just plain old good sense. Having select users pilot test new software or equipment can also help to isolate problems before they go system wide.

Upgrading your existing system can be a perilous undertaking; but it doesn’t have to be. Play it smart and get as much information at the front end as possible. Explore all your options and listen to what attorneys and staff in your firm are saying. Stick with the best and may your next upgrade project be a rip-roaring success.

Reprinted with permission from the October 2003  issue of Law Technology News @ 2003 Incisive Media US Properties, LLC. Further duplication without permission is prohibited. All rights reserved.

To Capitalize or Expense

The problem with I.T. folks trying to comprehend accounting matters is that we tend to view things in black and white, when accounting questions are often some shade of gray. Try asking an accounting person a specific question on almost any topic, and then count the many times she says, “It depends.”

The whole business of capitalizing or expensing I.T. purchases is no exception. There are often more questions than answers. (In most cases there is no right  answer and the decision may be guided as much by custom as logic.)

When you spend money on I.T., you must determine if your accounting department will treat it as a capitalized item or an expense item. A capitalized item is one that will generally have a service life of several years-such as a piece of hardware-and will end up on the firm’s balance sheet along with other assets such as furniture and buildout.

Accountants will typically assign I.T. equipment an estimated life of three to five years. Because of the increased administration required for reporting capitalized items, they might capitalize only expenditures above a certain minimum. At my firm, for example, an expense has to be $500 or more to be capitalized. An expense item, on the other hand, is something whose value is assumed to go relatively quickly, or something whose cost is below the minimum amount for capitalized expenses.  For example, a $25 printer cable would probably not be capitalized, because of its low cost and limited value. Would you capitalize this expense if you bought 100 cables, at a total cost of $2,500? Probably not; but it depends. Ask your accounting department how that expenditure would be treated.

It’s nice to be depreciated!

The reported cost of a capitalized expense is spread over the assumed economic life of the item – usually three to five years for I.T. Each year during the item’s useful life, it is depreciated based on an established schedule. For example, a hardware expense totaling $150K, amortized (or depreciated) over a three-year period, would be depreciated at a rate of $50K per year. This is a common approach to depreciation called the straight-line method.

Much I.T., because it becomes obsolete so fast, is depreciated on an accelerated schedule. For example, the same $150K might be written off $75K in the first year, $50K the following year and $25K in the third year.

Straight line depreciation has the effect of spreading the cost of the expense equally over each year of the item’s depreciable life.  In short, it is typically big-ticket items that are capitalized to minimize the one-time impact on the bottom line.  And items subject to depreciation are generally treated and tracked as assets on the firm’s books. Expense items are small purchases needed to support daily operations (such as the electric bill), and precise record keeping is not as critical.

Capital and Expense Budgets

It is customary for businesses to establish both capital and expense budgets to report and control I.T. (and other) spending on an annual or quarterly basis. If you are involved in buying I.T., you probably know how this works. There is typically a budgeted expense account  for both capital costs items and expense costs for the same category or type of items. At my organization, for example, we have two computer equipment accounts, one for purchases that will be capitalized and one for those to be expensed.

Accounting for Software Expenditures

There is great variation in how firms account for software purchases. Some firms choose to capitalize software-related expenses and some don’t. Again, you will need to talk to your accounting folks about how it’s done (and why!). One firm may capitalize only the software that makes the hardware useful, such as the operating system. Another may choose to capitalize only consulting services that are part of the total software expense. This could include customizations to a packaged application. And still another may choose to capitalize software-licensing expenses. Clearly, there is lots of gray here.

As a rule, however, annual support or maintenance costs related to a particular software package, are always expensed, as their useful life only lasts as long as the 12 months of the agreement.

When I asked the C.F.O. at our firm what she thought I should mention on this subject, she said that I.T. purchases are often the most difficult to process, due to incomplete or confusing information on the invoice and supporting documentation. How, for example, are they to know that WD60_7200IDE is a Western Digital 60 GB, 7200-RPM IDE hard drive?

If you want the accounting folks to really love you, try including an accounting-friendly description somewhere. Also, include the cost code or account (capital or expense) information to simplify their lives. If you do most of your I.T. ordering online, many of the big resellers have additional fields where you can enter such information to be included on the printed invoice. Take my word for it: Anything you can do to get on the good side of your accounting department will be well worth it.

Reprinted with permission from the December 2002  issue of Law Technology News @ 2002 Incisive Media US Properties, LLC. Further duplication without permission is prohibited. All rights reserved.

PDA Security Comes Home!

Any-time, anywhere, any-device access to internal business information is a ‘gotta have’ convenience these days. Beyond notebooks and web-enabled applications, full featured mobile devices now allow you to have it all in the palm of your hand: email, web, contacts, documents, voice messages, and even multimedia.

Smartphone, Blackberry, Palm and Microsoft Mobile devices provide ever-increasing capability, richer applications, and new options for accessing information inside the company’s security perimeter. Today’s handhelds typically come loaded with a variety of connectivity options built in: USB, Bluetooth, Wi-Fi, and even broadband wireless.

While connectivity has never been easier, there is a tendency to think of PDAs as conceptually different than laptops in terms of security and risks to privacy and client confidentiality. Heck, we misplace our cell phones all the time right; what’s the big deal?

The big deal of course, is that, as PDAs become more like notebooks in terms of the ability to access and store firm information, the security risks only increase.

The sheer popularity and portability of such devices make them highly prone to being lost, stolen or compromised.  Stored personal information like name, address, phone number and possibly even bank account numbers, social security number and even private PINs or passwords greatly increases the risk of identity theft.

There’s also the threat that sensitive client information can  be exposed, including email and voice messages, contact lists, appointment information, and even electronic documents stored either in memory or on storage cards as more of the company’s information assets travel outside the walls Clients need to know that their private information remains safe and secure, wherever it goes, and business leaders have a responsibility to ensure that this is so.

Many industry analysts agree that PDAs represent some of the most significant challenges today in corporate security, as handhelds act as a virtual moving target beyond the security perimeter of the company’s information system. The challenge of keeping viruses, spyware, hackers and potential data pirates from infiltrating the PDA space only grows as current and next generation handhelds become the new mainstream in mobile computing.

So what should you do? Thankfully, there are some practical things that company administrators and handheld users can do to address these risks.

First, company leadership should determine if there are certain types of information that should never find its way on to a handheld device. This could include such things as social security numbers, passwords, and other types of sensitive information connected to either the handheld user or clients. Take steps to prevent this information from either being sync’d to the handheld or stored by other means.

Next, institute a policy that all supported handheld devices are secured with a power-on password, and also adhere to prescribed device-locking settings. Although some offer more robust auto-locking features, the good news is that all current device platforms provide the ability to secure access to the device itself in some form or another. My company’s  current Blackberry policy sets a password on all devices and locks the device after 10 incorrect login attempts, whenever it is holstered, and after 15 minutes of inactivity. The device password is required when a user connects with his/her desktop to sync.

Companies, both large and small, should also standardize on a PDA platform, as much as possible, so that security issues can be addressed in a concerted manner without the added complexity of dealing with disparate systems. It’s also a good idea to requite that only company-provided devices connect to information assets.

Protecting wireless and Wi-Fi capable handhelds from external threats and attacks is also essential. Although viruses targeted specifically at PDAs are rare, under certain circumstances, they can act as carriers that can wreak havoc on connected systems. All of the major anti-virus vendors now have products designed for mobile platforms. In addition, all desktops that are used to sync with devices should certainly have active and up-to-date anti-virus systems.

Finally, if you really need to go a step beyond in securing access to company handhelds, and the information stored inside, then you may want to consider some form of biometric utility that takes user authentication to the next level.

Clearly the handheld revolution is at hand, and there is certainly a lot of excitement over the potential to stay connected and productive. Yet, as any cab driver in any major city will attest, it is also the age of the lost and ‘pocketless’ PDA. Securing such devices may never be as cool as the devices themselves, yet in the interest of privacy and confidentiality, it certainly demands attention.

Reprinted with permission from the May 2006  issue of Law Technology News @ 2006 Incisive Media US Properties, LLC. Further duplication without permission is prohibited. All rights reserved.

Patch Management Simplified

With so many external attacks targeting client computers these days, a virtual Pandora’s Box has been opened, calling for entirely new approaches to securing systems end to end. Yet, securing end-points on the company network is clearly one of the most challenging issues facing IT professionals today. And the stakes have never been higher, with ever-increasing threats targeting company data and systems. According to industry analysts, there has been a steady rise in all forms of malicious software – viruses, worms, spyware, phishing schemes – you name it. A recent estimate, for example, indicates that an unpatched Windows system connected to the Internet would last barely 20 minutes before falling prey to some form of malware. And according to Gartner Inc., approximately 90% of all security threats target vulnerabilities for which an existing patch already exists.

Although the last few years have seen the trend of large enterprises incorporating sophisticated patch management systems into their security framework, smaller organizations have tended to handle things the conventional way – either by manually updating individual machines, pushing out patches and updates via login scripts, relying on the typical client upgrade cycle, or doing nothing and hoping the worst will never come. Clearly this is no longer a viable option, owing to a number of converging factors: the increasing reliance on remote connectivity and web-based applications, the severity and frequency of known exploits, more stringent privacy and confidentiality requirements (such as HIPPA and Sarbanes-Oxley) and the sheer logistics of monitoring and rolling out numerous patches to servers and clients.

Keeping up with the steady stream of security patches, hot fixes, browser updates and application updates in today’s hostile environment is a tremendous challenge for IT departments. So many patches and so little time it seems. Most security professionals recommend a more centralized and coherent approach; one that integrates all of the various security assets – vendors, partners, products, services – into a manageable process that effectively anticipates the current risk landscape. This requires thinking smarter about security and threat response as it pertains to all aspects of system planning and administration – from configuration and change management, to standardization and compliance, to policy enforcement and end-user awareness. Ultimately, it requires being able to distribute urgent security fixes to affected network hosts faster and smarter than ever before.

For smaller firms, this is definitely asking a lot, as the challenge in effectively securing client devices where users routinely interact with an increasingly hostile web is enormous. For one thing, IT departments in small to mid-size firms are typically stretched thin already. Adding to this is the fact that most network administrators and support staff are more likely to be systems generalists than dedicated security professionals. For these and other reasons, smaller IT departments have tended in the past to take a more ad hoc or piecemeal approach to end-point security. Yet – “the times,” they say “are a changing.” Clearly the current threat environment, as it impacts smaller to medium size operations, is driving the impetus for a more sophisticated patch management framework that enables those in the IT trenches to more effectively leverage available assets and resources.

Before considering some of the patch management solutions available, it is important that your information system adheres to some overall best practices in terms of planning and architecture. This will make the deployment of any form of automated client updating system even more successful.

First, implement some form of asset management so that you know precisely what you have out there. Although centralized and automated patch management offers the capability to gain control of your client environment, you cannot control what you don’t know you have. Carefully documenting and monitoring all system assets, including hardware, installed applications, system configurations, network schema, connection information and relevant change issues, will make securing clients on your network a whole lot easier.

Next, actively implement and maintain consistency from end to end. This should be a key planning consideration when approaching the usual upgrade cycle for client assets. Where possible, standardize on a uniform make and model of equipment throughout device lifecycles, including desktops, laptops, wireless devices, etc. This will make driver and configuration updates a lot easier to manage. Uniform desktops, for example, will also allow you to use baseline hard drive images when rolling out new clients. Also ensure that clients are consistent in terms of operating system and application versions. Again, if all of your desktops are running Windows XP SP1, then managing the patching process with some an automated updating system will be many times more efficient and effective. A basic rule is that the more homogeneous your client environment, the more effective will be your patch management solution, regardless of which vendor you choose.

Another helpful prerequisite is a well-defined security policy that advances client security and resiliency amidst an ever-changing risk landscape. Such a policy should be revisited as often as necessary and enforceable, either through group policy or third-party configuration tools. Ideally, your security policy will also mitigate risk, as well as greatly enhance your team’s ability to respond effectively once an attack is circulated. Common access rights, restrictions regarding application installation and configuration, routine monitoring and alerting – all of these will advance the effectiveness of your patch management system from day one. For example – preventing users from installing unapproved applications, such as peer-to-peer or instant messaging programs, will limit the introduction of malicious software into your corporate environment.

The good news for those looking to introduce some form of patch management software into their environment is that these products have come a long way in the last few years. The majority of the solutions on the market today offer sophisticated and effective ways to gain control over the client update process and enhance security at the outer edges of your network. Here are some key features worth considering:

Directory integration: A patch management system that actively integrates with your account directory and accesses select objects, such as user and device groups or organizational units, will allow you to configure patch distribution based on some form of validation logic. This will greatly simplify the configuration process as it will allow you to leverage your existing network schema. One practical benefit of this might be to set up a patch pilot test group, where updates would be tested in a localized manner prior to system-wide deployment.

Support for non-Microsoft products: This may or may not be an essential feature, depending on your current environment. Although most security patches circulated will update various iterations of Windows, Internet Explorer and Microsoft Office, you may have other platforms that need to be accessible to your patch management system. You may also need to design custom deployment routines based on non-standard variables. In this case, you will need to ensure that this is a supported feature.

Web Server and DB platform support: Most patch management systems will run on top of some form of database such as MSDE or SQL Server. They may also require the availability of a web server, such as IIS. If you have particular requirements in this area, then this may be a qualifying feature.

Centralized management console: As this is where you as the patch administrator will be spending the bulk of your time, it is essential that the management console is logically designed, simple to use, consistent, easy to navigate and offers a full range of viewing and configuration options.

Patch distribution options: What patches to install? What client systems to update? When to deploy updates? The ability to roll back patches that have unintended consequences. The capacity to remove spyware and/or malware? These and more are some of the key determinations you will need to make in managing the update process. Whatever system you employ will by necessity have to support this level of granularity and control.

Real-time monitoring, alerting and reporting options: As the key benefit of any patch management system is the ability to configure, manage and control the client update process in a centralized and automated fashion, it is vital that you be able to see real-time status information, as well as meaningful reports on your environment as a whole.

Scalability and support for low bandwidth connections: If you have multiple physical locations or clients connected via low-speed connections, then you will want to ensure that your patch management system offers support for multiple distribution servers and low bandwidth connections to optimize the update process. Agent-based systems, in which a small software footprint is created on the client itself, will be more appropriate for distributed, low bandwidth conditions. Most patch management systems on the market employ client-side agents to enable and optimize the updating process.

Integration with other security or change management frameworks: If a key criterion is the ability to integrate with an existing security framework, such as an anti-virus update framework or an existing desktop management infrastructure, then you will need to determine whether the patch management solution under consideration meets this criterion. Although there are some exceptions, the majority will utilize their own framework and database.

The number of patch management offerings on the market today is impressive and growing. Here is just a quick snapshot of some of them. Since the majority incorporate most, if not all, of the essential features mentioned above, we have highlighted significant features only.

HFNetChk Pro (Shavlik Technologies) is an impressive package for a number of reasons. As a pioneer in the area of vulnerability scanning and analysis, it was Shavlik who designed MBSA for Microsoft and continues to be an innovator in updating those hard-to-reach places at the edge of your network. In addition to many of the key features mentioned above, HFNetChk Pro offers an accurate and powerful scanning engine, an intuitive web-based interface, support for mobile computers and Linux, customized machine grouping and scheduling options and employs industry standards such as HTTP and SSL. Whether you have a single or multiple physical locations, 15 or 500 clients, HFNetChk Pro will definitely help you keep them up-to-date.

LiveState Patch Manager (Symantec) offers an attractive option for those currently invested in Symantec’s client management framework or others seeking a stand-alone patch deployment product. LiveState Patch Manager’s ‘persistent delivery’ and ‘checkpoint restart’ features helps ensure that all security updates are successfully delivered and applied, even if a client connection is interrupted during transmission.

ZENworks (Novell) has been around longer than most of the others and provides a complete platform for automating patch management and ensuring system compliance in a Windows, NetWare or Linux environment. ZENworks’ tried, tested and policy-driven model is one many network administrators have relied on for years for distributing resources throughout their network.

Desktop Authority Patch Deployment for Desktops (ScriptLogic) is a modular add-in for those already committed to ScriptLogic’s award-winning desktop management platform. Desktop Authority’s advanced ‘validation logic’ allows the targeted deployment of updates with a level of granularity and control that is almost staggering.

PatchLink Update (PatchLink) employs its patented ‘Patch Fingerprint’ technology to scan existing networks for security holes wherever it finds them – Windows, NetWare, Macintosh, Linux, Solaris, AIX and HP-UX. In addition, PatchLink Update fully integrates with all LDAP directories, making it easy to target delivery destinations by familiar objects and groups.

GFiLANguard Network Security Scanner (GFI) is a full-featured network security portal that incorporates patch management for Windows environments. The advantage of this is that the network administrator is afforded a global view of all security matters on the network, including the update status of connected devices. Those familiar with GFI products will appreciate the quality and value of GFiLANguard Network Security Scanner.

Clearly, patch management is not just for enterprise-size organizations with thousands of network clients. Smaller to mid-size organizations are quickly realizing the benefits of centralizing and automating the process of keeping clients patched and compliant with system standards. The fact that there are currently so many excellent products on the market supports the idea that patch management is now for everyone.

Copyright W.E. Smith @ 2008 AVI Media Ltd. Further duplication without permission is prohibited. All rights reserved.

Remote Access – Striking the Right Balance

In today’s 24/7 society, more and more companies are looking at providing employees with remote access to files and documents.  If your company is one of them, then you already know that much has changed since the days of dial-up networks. Broadband and wireless in the home, an increasingly hostile Internet, the mounting virus and spyware menace, ‘September 11, 2001’…all this makes one hanker for the old days when all you needed was a modem and an analog phone line.

While employee access to e-mail via the web has become more commonplace, providing anytime, anywhere, any-device access to company documents and applications can be daunting. In our firm, attorneys wanted external access to internal firm information and our challenge came down to a lack of dedicated networking personnel and a sophisticated security infrastructure. We needed to offer remote data access in a size and shape that we could afford and effectively support.

If your company is considering the prospect of  “any device” connecting directly to your private network, then allowing users to connect to your private network over an increasingly hostile Internet should be a primary concern. A recent AOL and NCSA (National Cyber Security Alliance) survey revealed that up to 80% of home computers have been infiltrated with some sort of computer virus or spyware. Other studies indicate that many, if not most, home computer users with broadband do not implement a firewall or even update Microsoft Windows (security and application patches) on a regular basis. And don’t forget to consider the growing prevalence of wireless networks in homes; most of which are unencrypted or unsecured.

A few other questions for you to consider, include:

•    How can you ensure that computers connected to the company’s private network are secure in terms of viruses, security patches and settings, spyware, key loggers, etc.?

•    Can you rely on your employees to keep their systems up-to-date?  If not, how will you handle patch/update management?

•    Does your company supply computers for employees’ home use?  If not, to what degree will you support their home computers?

•    To what degree can you dictate and enforce software and security policies on remote computers that you don’t own?

•    Will you support remote printing on employees’ home printers?

•    Will you supply and pay for remote Internet access?

•    Will system support for remote users extend beyond office hours?

•    How will you handle remote support requests during business hours, when onsite support is required?

•    How will you ensure that client information (files and documents saved to the user’s home computer) is confidential? Can you rely on users to routinely delete offsite data?

As if these weren’t enough, you’ll also need to determine whether remote access makes good business sense.  For example, in our case, we had to ask ourselves whether we could put in place a mechanism to capture hours billed through remote legal work.

In the end, the key issues in our decision came down to our risk tolerance related to security and client confidentiality, additional support overhead, the cost of deployment and administration, and usability and access. We also had to consider the firm’s culture regarding laptops as at that time we did not supply laptop computers for attorneys and many didn’t want to take them home every night anyway.

Although we danced around key issues for some time, we kept coming back to our core remote access needs. It had to be highly secure and ideally, the security infrastructure would be outsourced and managed. It had to be cost effective and supportable. We needed report features that would tell us who was using it and how off-site work was impacting our bottom line. It had to be user-friendly and allow access from home computers, firm laptops and handhelds. And it had to provide robust and scalable administrative features so we could manage access and feature availability on a granular level.

After much consideration and testing, we decided that it was impractical, from a cost and staffing perspective, to support home computers much beyond giving them a web-based tool to access firm information.

In the end, we found a remote access service with many of the features and benefits we deemed essential for a firm our size. It provides a secure and ready-to-go architecture with minimal up-front investment, allowing our attorneys to use any device to connect, including PocketPC-based handhelds. It is surprisingly fast on a broadband Internet connection, and even functional at dial-up speeds. Thankfully, it is also easy to use as logged-in users are greeted to a familiar desktop and applications, just like they are sitting in front of a computer at the office. Most importantly, it offers industry-leading security.

Getting remote access exactly right in today’s hostile and shifting Internet environment is clearly not easy, or probably even possible. But with careful planning and consideration of all the factors, it is possible to identify the right approach for your company that fits with your business goals and employee needs.

Reprinted with permission from the January 2005  issue of Law Technology News @ 2005 Incisive Media US Properties, LLC. Further duplication without permission is prohibited. All rights reserved.

Software-as-a-Service – Too Easy!

OK folks, humor me for a bit won’t you -

Imagine for a moment a world without software, or servers, or perpetual maintenance and upgrades; where your web browser magically becomes a gateway to unimagined possibilities. Now envision a reality whereby your IT infrastructure actually grows smaller and easier to manage; where you could have the latest, greatest technology without the cost or complexity of on-premise systems. Sound incredible? Not really. SaaS delivers on all these promises, and the good news is that such offerings are available right now and getting better every day.

So what exactly is SaaS? In short, it is a way of delivering robust feature-rich applications and services over the web. This delivery model essentially replaces traditional client-server systems installed and supported on hardware residing in your office. Client software is replaced by a web browser, with full access to most of the features and functionality users have come to expect from the latest software.
Some examples of applications and services now available include: document\content management, e-faxing, perimeter services (email filtering and security, for example), meeting-room collaboration, remote access, staff time entry for payroll, hosted email servers, online archiving/backup, and even traditional accounting services.  Also available are first generation office productivity applications, such as word processing, spreadsheets and presentations. Clearly, this represents the final frontier of SaaS, as it boldly seeks to supplant even core desktop software.

The benefits of SaaS for smaller and mid-size organizations is immediate and compelling. As these services reside on the external provider’s system, there is no hardware or software to own, manage or maintain. Try to think of SaaS as a way of outsourcing infrastructure to reduce management and support overhead. In addition, many of these services are offered on a subscription model, which frees up capital for other projects and opportunities in the organization.

Another key advantage is that you always have access to cutting-edge technology without all of the incumbent risks and challenges of making it work. Smaller organizations with limited manpower and expertise, no longer need to remain in the shadow of larger firms in terms of serving clients. Two key areas where this is true are security and universal access. SaaS, with its built-in security and online-anywhere accessibility, offers staff and clients of smaller firms the same level of service as firms with greater resources. In fact, it is certainly true that such services are tailored-made for smaller shops seeking to narrow the gap between them and the big boys.

SaaS appears to be where the future of personal computing is headed, and the future is now. Each iteration brings improvements in key areas, such as performance, security, integration with local desktops and systems, customization options, reporting, web-based administrative tools, improved APIs (application programming interface), and feature-rich user interfaces. Thinking of updating your local system? Check online before you purchase that next server of box of software.

Copyright W.E. Smith @ 2008 AVI Media Ltd. Further duplication without permission is prohibited. All rights reserved.

So Why Can’t We Get Training Right?

Optimizing Training Outcomes in Small to Medium Companies

Everyone agrees that offering some form of application training is a good idea. Ongoing and consistent training can build technical skills, enhance productivity and even boost employee morale. So why then, does this subject cause so many sleepless nights for business leaders?  Well, it may be because getting the training thing right is a tricky business.

Once a commitment to provide training is made, then follows all of the questions: What to train? Who to train? What format to use – small group, individualized, CBT? Will the training be outsourced or in-house? And how will you know that the investment was worth it after the training is completed?

Answers to such questions come relatively easy if the training is accompanying some kind of system rollout or application upgrade. But what about training on existing systems, to help people become more productive and confident with their skills? Here is where life gets interesting.

The following tips and considerations may prove helpful in untangling some of these issues:

First, all training initiatives should be fostered in an environment where excellence and professionalism are perceived as core values in the company. This places individual improvement in its broader context. As an organization you are saying that we value excellence in all we do, and therefore will support you in every way we can to contribute to this end. People will generally be more motivated to improve and extend themselves if they can view their performance in the meaningful context of the organizational culture.

Next, remember that training is never an end in itself. As much as possible, training outcomes should be measurable so that you can weigh the value derived from the investment. Feedback from students is important, but comments such as “the food was delightful” should never register in your list of key success factors.

Next, be flexible. Not everyone learns exactly the same way. Some thrive in a classroom setting while others shrink. Some learn best one-on-one, with a trainer they already know and trust. For still others, give them a manual or CBT program and get out of their way. Training offerings should reflect the varied learning styles of individuals and respond effectively to the particular needs of adult learners.

Sometimes it is appropriate to hire professional trainers like the big companies do. But quite often, similar (or even better) results can be achieved by supporting individuals in sharing their skills and reinforcing their role as mentors. People tend to learn more from those they know and are comfortable with, especially when the training is situational or one-on-one at their desk.

Training books and multimedia resources can be used effectively but often managers fail to adequately support employees in using them, then fail to follow up afterwards. Most people are too busy during the average work day to slip in a couple hours of uninterrupted training time, so accommodation must be made for them to go “offline”.

Next, training should be targeted to the needs of each student. It makes no sense, for example, to send Betty to a full-day workshop on Microsoft PowerPoint if she only does one or two presentations a year. Different departments within the organization do use many of the same programs, but often different features and functionality. Accounting employees must hold vastly different spreadsheet skills than their marketing or HR counterparts.

The ability to accurately identify individual or departmental learning needs is critical. This is best achieved by getting as much information as possible, from the individual and others – managers, supervisors, stakeholders – who are well positioned to provide meaningful feedback. Individual learning objectives can also be incorporated into an employee’s performance plan, further validating individual training outcomes.

Quite often in small to mid-size businesses, training is more of a reflex or afterthought, than a fully integrated and active part of the organizational culture. Employees tend to be keenly aware of this in such cases, and it is reflected in their attitude whenever the subject is mentioned. By providing consistent and practical opportunities for individuals to improve themselves and the company, you are reinforcing the message that excellence can never be anything less than an asset.

Without question, software training can add value to your business in many ways. Yet getting it right requires some careful thought and planning. Knowing your business and where you want to be so many years from now is an essential first step.

Copyright W.E. Smith @ 2008 AVI Media Ltd. Further duplication without permission is prohibited. All rights reserved.