Wednesday 2 November 2011

Embracing the “Bring Your Own Device” (BYOD) culture?


Quite a few people I speak to tell me that BYOD is the next “big thing”, and we need to embrace it as it will be a way of life for all IT environments.  The argument is that it will reduce capital expenditure (CAPEX) and it makes for happier employees by giving them choice, allowing them to use a variety of devices, such as laptops and tablets, as well as a variety of operating systems, including Windows, Apple and Android.  Much as I understand these statements, I don’t necessarily agree with them.

Network Infrastructure
The common assumption is that a majority of your machines are desktops, but with a BYOD policy a majority of the devices will be laptops.  One of the major technologies driven from domestic into commercial environments is wireless, so users will expect wireless access at work for their new BYOD.

Anyone who has felt the pain of a badly configured or badly deployed wireless solution will know the struggle of getting a large number of devices onto the same wireless network, the bandwidth and throughput issues, and the problems with coverage in a large or distributed building.

Security must be considered, ensuring the wireless network has the appropriate level of encryption and access.

These problems can be addressed with solutions such as Xirrus, which uses innovative ways to solve the capacity, coverage and throughput issues, coupled with a coverage guarantee.

Endpoint Security
I’ve read a number of comments from the big AV companies, suggesting that AV alone will not secure your system from malware.  It should be a layered approach, with a number of solutions working in conjunction to tackle all the possible threat vectors.

As a minimum, anti-virus software should be on the device, but how do you ensure this on a BYOD?  There are several AV solutions that can be managed centrally, but a number of employees will not agree to this, as it is “their device” and they don’t want the company controlling it.  The company policy may stipulate that anti-virus software must be installed, updated and running, but how do you check?

Network access
Having implemented a wireless network, a consideration is to ensure that only the trusted devices can access the network.  A Network Access Control (NAC) solution will be required to ensure that the devices can be checked, and then either quarantined or allowed access. 

These checks may cover the type of device, the software installed, the software running, or the MAC address; the device is then granted the appropriate access, be it full access to the network, or only internet access so that the device can update its anti-virus software.

IT Support
What happens to the IT Support function within your organisation with a BYOD policy?  Do they now have to support a vast array of devices?  Do you get rid of them and move the onus of the support function to the user and their chosen solution provider?  Who will ensure that the applications used by the organisation will function on the BYODs?

The cost savings from the BYOD policy may be lost several times over if the IT Support team now have to support devices they are not familiar with.  Getting rid of the team will not help either, as they are the people who have ensured that the company applications work on the devices.

Compliancy
We have read in the news about organisations losing personal data and running the risk of a fine of up to £500,000 from the Information Commissioner’s Office (ICO).  The onus is on the organisation to prove either that the data was not on the device, that the data was wiped or that the device is encrypted.

As the company is responsible for the data, the “it’s my device” attitude will not hold when it comes to ensuring information security.  The viable options are to ensure the data is not stored on the device, effectively making the device a “dumb terminal”, or to ensure the device is encrypted.

Device Compatibility
What devices will your users choose?  It shouldn’t matter as long as it enables them to do their job.  So the device will probably be a Windows laptop, an Apple laptop, a Linux laptop, a Windows tablet, an Apple tablet or an Android tablet.

The issue you will have is whether the operating system or form factor selected by your users is compatible with the applications run by your organisation.  Although there is much talk about cloud solutions and web-based applications, there will still be a number of applications that will only work on Windows devices.

The only way to make some of these Windows solutions work is to use either a Terminal Services/Citrix server or a VDI solution.  With these solutions the application runs on the server, and the device has a view of either the application or a full operating system.  Something to bear in mind is that these solutions will require client software to be installed, so ensure that the solution you use is supported by the devices that your users are using.

Conclusion
The initial thoughts about reducing CAPEX are quickly dispelled when considerations around the network and security are taken into account.  I don’t believe that BYOD is a pipe dream, but there must be a level of understanding and planning before embarking on a BYOD policy.

Thursday 20 October 2011

Children and Internet Safety... do they mix?

As an IT Security professional and a father, I'm often asked how parents can filter the internet for their children.  I would suggest there are three elements that need to be looked at: IT security, education and computer location.

My children use a Windows 7 computer, but in order to secure the system, I run Avira Internet Security 2012, which is a lightweight, low footprint but highly effective anti-virus software.  It offers anti-malware, a software firewall and a basic level of web filtering.  I ensure all these components are enabled, updated and running.  I have created limited access Windows user accounts for the children, where no administrative rights are available.

Everyone assumes that controlling the computer or access to the internet is the answer, but your children need to understand why these controls are in place.  We have told the children that if they encounter anything they did not expect, they should make us aware of it.  We have also spoken to them about password security, to ensure that the passwords they use are not shared with anyone beyond the family.

Some people are surprised by the final piece of advice, but I suggest putting the computer, or using the laptop, in a high-traffic area of the house.  Some recent research has shown that paedophiles are less likely to engage in a webcam chat if it is in a family area of the house, compared to a bedroom.  We have situated the desktop computer in the kitchen, where the children rarely use the computer unsupervised.

Some think this attitude may be a little paranoid, but the key component is education and for your children to understand why.

Thanks to Jason Jones for pointing out this Ofsted report, which makes for some interesting further reading.

“To The Cloud…”


For the last year or so, it seems marketing people have moved away from terms such as “... as a Service”, and replaced the words with Cloud.

We are seeing hosted applications, hosted infrastructure, hosted servers, hosted platforms, managed services, VPNs, MPLS networks, distributed networks, hosted virtual servers, remote VDI solutions, all termed with the phrase Cloud.

I understand the drivers that are used to move services out of your own server room, by lowering infrastructure costs, moving capital expenditure to operational expenditure, upgrading or downsizing by modifying your service plan, removing running costs (such as air conditioning, trained server administrators, etc.), having your systems monitored and changing applications on the fly.

I have a few issues with Cloud offerings, which include:

Authentication
  • How do users connect to the solution? 
  • Are they using a username and password?  

There are many issues around authentication, such as weak or insecure passwords, using common words, using easy-to-guess words (such as favourite bands, football teams, children’s names, cars, etc.), and that’s before considering that a password can simply be told to someone else.

People often talk about multi-factor authentication, but to summarise it, the factors are “something you know”, such as passwords and PINs, “something you’re given”, such as a one-time password from a token, or “something you are”, where biometric devices read fingerprints or irises.

A combination of two of these is known as two-factor authentication, for example a password coupled with a token-generated one-time password, offering much improved security.
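As an added example, not code from the original post, here is the two-factor combination described above in working form: a salted password hash as “something you know” and an RFC 6238 time-based one-time password as the token factor. It assumes a 6-digit, 30-second TOTP with HMAC-SHA1, accepts one time step of clock drift either side, and refuses a code that has already been used. The secret and password are constructed samples (the secret is the RFC 6238 test secret); the salted SHA-256 password hash is a stand-in for the slow password hash (bcrypt, scrypt or Argon2) a production system would use.

```go
// Added example, not from the original post: password + TOTP two-factor login.
// Assumes a 6-digit, 30-second, HMAC-SHA1 TOTP (RFC 6238) and the constructed
// sample secret/password in main(). Salted SHA-256 stands in for a slow password hash.
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha1"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/binary"
	"fmt"
	"time"
)

const (
	otpStep = 30 // seconds per time step
	otpSkew = 1  // accept one step either side for clock drift
)

// hotp implements RFC 4226: HMAC-SHA1 over the big-endian counter, dynamic truncation, mod 10^6.
func hotp(secret []byte, counter uint64) string {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], counter)
	mac := hmac.New(sha1.New, secret)
	mac.Write(msg[:])
	sum := mac.Sum(nil)
	offset := sum[len(sum)-1] & 0x0f
	code := binary.BigEndian.Uint32(sum[offset:offset+4]) & 0x7fffffff
	return fmt.Sprintf("%06d", code%1000000)
}

// totpAt derives the RFC 6238 code for a given Unix time.
func totpAt(secret []byte, unix int64) string {
	return hotp(secret, uint64(unix)/otpStep)
}

// account holds both factors: a salted password hash and the per-user TOTP secret.
type account struct {
	salt         []byte
	passwordHash []byte // SHA-256(salt || password); use bcrypt/scrypt/Argon2 in production
	totpSecret   []byte
	lastCounter  uint64 // last accepted time step, so a one-time code cannot be replayed
}

func hashPassword(salt []byte, password string) []byte {
	h := sha256.New()
	h.Write(salt)
	h.Write([]byte(password))
	return h.Sum(nil)
}

func newAccount(password string, totpSecret []byte) *account {
	salt := make([]byte, 16)
	if _, err := rand.Read(salt); err != nil {
		panic(err)
	}
	return &account{salt: salt, passwordHash: hashPassword(salt, password), totpSecret: totpSecret}
}

// login succeeds only when both factors check out. Both are always evaluated with
// constant-time comparisons, so the response does not reveal which factor failed.
func login(a *account, password, code string, now time.Time) bool {
	pwOK := subtle.ConstantTimeCompare(hashPassword(a.salt, password), a.passwordHash) == 1

	counter := uint64(now.Unix()) / otpStep
	otpOK, matched := false, uint64(0)
	for d := -otpSkew; d <= otpSkew; d++ {
		c := uint64(int64(counter) + int64(d))
		if subtle.ConstantTimeCompare([]byte(hotp(a.totpSecret, c)), []byte(code)) == 1 {
			otpOK, matched = true, c
		}
	}
	if otpOK && matched <= a.lastCounter { // code already used: replay
		otpOK = false
	}
	if pwOK && otpOK {
		a.lastCounter = matched
		return true
	}
	return false
}

func main() {
	secret := []byte("12345678901234567890") // RFC 6238 test secret (constructed sample)
	acct := newAccount("correct horse battery staple", secret)
	now := time.Now()
	code := totpAt(secret, now.Unix())
	fmt.Println("password + current code:", login(acct, "correct horse battery staple", code, now))
	fmt.Println("same code presented again:", login(acct, "correct horse battery staple", code, now))
	fmt.Println("password + stale code:", login(acct, "correct horse battery staple", totpAt(secret, now.Unix()-300), now))
}
```

The replay check matters in practice: a one-time password is only “one-time” if the server remembers the last step it accepted, otherwise a code captured during its 30-second life can be reused.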

Encryption
  • How is your data protected?
  • Who has access to your data?

With the Information Commissioner’s Office issuing fines of up to £500,000 for the loss of personal data, it is more critical than ever data is encrypted. 

I would expect the data to be encrypted to a minimum of 256-bit AES, although another consideration is who has access to your data.  It may be encrypted, but if the key is held by the service provider, then they will have the ability to decrypt your data.
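To make the point about key custody concrete, the following is an added example and not code from the original post: the customer encrypts each record with AES-256-GCM under a key that never leaves the customer, and the hosted service only ever stores the resulting blob. The `provider` type and the sample record are constructed stand-ins for a real service; with a different key (the only thing the provider could have), the authenticated decryption fails rather than yielding garbage.

```go
// Added example, not from the original post: client-side AES-256-GCM so the
// provider stores only ciphertext and never holds the key. The provider type
// and the sample record are constructed stand-ins for a hosted service.
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

const keyBytes = 32 // 256-bit AES key, the minimum the post asks for

// newDataKey generates the customer-held key. It is never sent to the provider,
// which is what keeps the provider out of the plaintext.
func newDataKey() ([]byte, error) {
	key := make([]byte, keyBytes)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return key, nil
}

// sealRecord encrypts and authenticates plaintext with AES-256-GCM and returns
// nonce || ciphertext || tag. aad (for example the object name) is bound into the
// tag without being encrypted, so a blob cannot be silently swapped between names.
func sealRecord(key, plaintext, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize()) // fresh random nonce per record; never reuse with the same key
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// openRecord reverses sealRecord and fails on a wrong key, wrong aad or any modified byte.
func openRecord(key, blob, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize()+gcm.Overhead() {
		return nil, errors.New("blob too short to contain nonce and tag")
	}
	nonce, ct := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, aad)
}

// provider stands in for the hosted service: it stores and returns opaque bytes.
type provider struct{ store map[string][]byte }

func (p *provider) put(name string, blob []byte) { p.store[name] = blob }
func (p *provider) get(name string) []byte      { return p.store[name] }

func main() {
	key, err := newDataKey()
	if err != nil {
		panic(err)
	}
	cloud := &provider{store: map[string][]byte{}}

	name := "records/42"
	blob, err := sealRecord(key, []byte("constructed sample: customer record 42"), []byte(name))
	if err != nil {
		panic(err)
	}
	cloud.put(name, blob)

	// The customer, holding the key, reads the record back.
	pt, err := openRecord(key, cloud.get(name), []byte(name))
	fmt.Printf("customer reads: %q err=%v\n", pt, err)

	// The provider has no key; any key it might try is rejected by the GCM tag.
	providerKey, _ := newDataKey()
	_, err = openRecord(providerKey, cloud.get(name), []byte(name))
	fmt.Println("provider without the key:", err)
}
```

The contrast with the post’s warning is the key location: if the same `newDataKey` output were uploaded to the provider as part of a “we encrypt your data” service, the provider could call `openRecord` just as the customer does.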

Backup and Archive
  • Is the data backed up?
  • Is the data archived?

Your data should be backed up regularly, giving a point in time that the data can be restored to.  The issue with backup is that it captures current data, but rolling back and restoring can be more destructive and time consuming than working around the missing, lost or corrupted data.

If your data is archived, you gain the ability to manage and retrieve all versions of the data.  Archiving is driven by compliancy and traceability, rather than disaster recovery.

Access to the service
  • Where can you access the data from?

It would be great to be able to access your service from anywhere in the world, wouldn’t it?  The concern is that although this is great for remote users, should everyone be able to have access?  Data security may dictate that the service or data should not be accessed from non-trusted IP addresses, by specific users, or during specific times.  If this level of control is required, ensure your provider is able to deliver it.
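The three controls just listed (trusted source networks, permitted users, permitted hours) can be checked in one deny-by-default policy, which also returns the reason for a denial so that the provider can log it. This is an added example rather than anything from the original post or from a particular provider; the networks, user list and working hours are constructed samples, and the time window is evaluated in a location you pass in.

```go
// Added example, not from the original post: a deny-by-default check of who may
// reach a hosted service, from which networks, and at what times, returning the
// reason for every denial so it can be logged. All policy values are constructed samples.
package main

import (
	"fmt"
	"net"
	"time"
)

type accessPolicy struct {
	trustedNets  []*net.IPNet    // source networks allowed to reach the service
	allowedUsers map[string]bool // users permitted to use it
	startHour    int             // permitted window, half-open [startHour, endHour) in loc
	endHour      int
	loc          *time.Location
}

func newAccessPolicy(cidrs, users []string, startHour, endHour int, loc *time.Location) (*accessPolicy, error) {
	p := &accessPolicy{allowedUsers: map[string]bool{}, startHour: startHour, endHour: endHour, loc: loc}
	for _, c := range cidrs {
		_, n, err := net.ParseCIDR(c)
		if err != nil {
			return nil, fmt.Errorf("bad trusted network %q: %w", c, err)
		}
		p.trustedNets = append(p.trustedNets, n)
	}
	for _, u := range users {
		p.allowedUsers[u] = true
	}
	return p, nil
}

// allow reports whether the request passes and, if not, which control denied it.
// Every check must pass; an unparseable address is treated as untrusted.
func (p *accessPolicy) allow(user, srcIP string, at time.Time) (bool, string) {
	if !p.allowedUsers[user] {
		return false, "user not permitted"
	}
	ip := net.ParseIP(srcIP)
	if ip == nil {
		return false, "unparseable source address"
	}
	trusted := false
	for _, n := range p.trustedNets {
		if n.Contains(ip) {
			trusted = true
			break
		}
	}
	if !trusted {
		return false, "source address not in a trusted network"
	}
	h := at.In(p.loc).Hour()
	if h < p.startHour || h >= p.endHour {
		return false, "outside permitted hours"
	}
	return true, "allowed"
}

func main() {
	// Constructed sample policy: two office ranges, two users, 08:00-18:00 UTC.
	policy, err := newAccessPolicy([]string{"203.0.113.0/24", "2001:db8::/32"}, []string{"alice", "bob"}, 8, 18, time.UTC)
	if err != nil {
		panic(err)
	}
	requests := []struct {
		user, ip string
		at       time.Time
	}{
		{"alice", "203.0.113.7", time.Date(2011, 10, 20, 9, 30, 0, 0, time.UTC)},
		{"alice", "198.51.100.5", time.Date(2011, 10, 20, 9, 30, 0, 0, time.UTC)},
		{"mallory", "203.0.113.7", time.Date(2011, 10, 20, 9, 30, 0, 0, time.UTC)},
		{"bob", "2001:db8::1", time.Date(2011, 10, 20, 22, 0, 0, 0, time.UTC)},
	}
	for _, r := range requests {
		ok, why := policy.allow(r.user, r.ip, r.at)
		fmt.Printf("user=%s src=%s at=%s -> allowed=%t (%s)\n", r.user, r.ip, r.at.Format(time.RFC3339), ok, why)
	}
}
```

The order of the checks is deliberate: the cheapest identity check runs first, and the response string names the failing control without echoing anything the caller did not already supply.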

Disaster Recovery
  • Are there multiple servers hosting your service?
  • Are there multiple datacentres hosting your service?

One of the draws of a Cloud offering is having your applications and services available from anywhere, so on the face of it, it is the perfect disaster recovery solution.

The issue will be when the provider has a server failure.  Will they be able to move your service to a new server in a timely fashion?  Whether the services are being run on virtual or physical servers, ensuring your service uptime is vital.

Another concern is whether the provider has only one datacentre or one WAN connection.  For a well-delivered service I would expect multiple datacentres, with multiple links in an active/active configuration, along with an active/active or active/passive server configuration.

Conclusion
My concern with Cloud solutions is the number of providers who are “jumping on the bandwagon”, offering cloud services as quickly as possible.  The issue is that some providers offer very favourable pricing, but the infrastructure may not be in place until there is some uptake.  This can only be a bad thing for the early adopter, especially if the provider is not making money and stops the service or goes bankrupt.

My advice is to proceed with caution, check the provider thoroughly and try not to be price driven.

Thursday 23 June 2011

Drobo Dashboard v2.0.2 is now available

The new Drobo dashboard is available, which has a much slicker look and feel compared to the previous version.  The image below is taken from the Drobo.com website:

[Image: AllDevicesPage.jpg, the “All Devices” page of the new dashboard, from Drobo.com]

The new dashboard allows you to manage multiple Drobo devices, rather than just one device with the previous version.  The only shortcoming is that from my netbook, the whole interface can't be displayed on my 1024 x 600 screen, as the bottom is cropped.  This has been reported to Drobo and I expect this to be resolved in a future release of the dashboard.

The downloads are available here: http://www.drobo.com/support/updates.php

Sunday 22 May 2011

DroboApps and Firefly iTunes server

After following the instructions on the DroboApps website: (http://www.drobo.com/droboapps), I installed Apache and the DroboApps Admin Utility.

Using the DroboApps Admin Utility, I installed the Firefly application. I then changed the server name and the default password, and I was up and running.  Browsing to the DroboApps share, I dropped my music into the media folder within the Firefly folder.

The only issue was that my iTunes could not see the shared library!  A bit of searching found this Apple support article: http://support.apple.com/kb/TS2972

It seems that my software firewall was not allowing TCP port 3689 and UDP port 5353. Once opened up, iTunes instantly found the shared library.

All my music is currently being moved off my netbook, into the secure and resilient environment of the Drobo.

- Posted using BlogPress from my iPhone

Saturday 21 May 2011

Introduction to DroboApps

There is a strong community of developers, creating applications for the Drobo devices.  The applications are called DroboApps, and the download files can be found here: http://www.drobo.com/droboapps/

Being new to DroboApps, I went against my technical gut instinct, and read the manual!  There is a very useful document highlighting how to install DroboApps, along with some installation examples: http://support.datarobotics.com/app/answers/detail/a_id/468

Having enabled the DroboApps functionality on the appliance, I had a look through to see what I needed to download, along with what I wanted to download.

Going through the DroboApps, I downloaded the following:
  • DroboApps Admin Utility
  • Apache (required for the admin utility)
  • Firefly (iTunes library)
  • Fuppes (Media server with DLNA support)
  • Lighttpd (HTTP server)
  • Pure-ftpd (FTP server)
As mentioned previously, the reason Drobo caught my attention was that I could have more than just two hard drives in an appliance, and that it could host my iTunes library.

DroboApps Admin Utility, Apache and Firefly will be installed soon.  I will document and review the features then.

Thursday 19 May 2011

Introduction to the Drobo Dashboard and Configuration

The hardware was very easy to put together, and the software was just as simple to set up.  There are a lot of screenshots here, but you can see it was pretty much a case of "next, next, next" to get the dashboard installed.  Once installed, you will have the dashboard up and running.

1. Once the Drobo Dashboard software is installed and running, it looks for Drobo devices.


2. The Drobo device is detected, but at this point my device was still starting up.


3. Clicking on the "Advanced controls" and looking at the "Data" tab, I can see what is in the device and it has correctly identified my four 1TB 3.5" SATA hard drives.


4. The "Tools" tab, offers a number of commands, alert settings, device settings and updates.


5. The dashboard shows how much free space I have and the shares available.


6. Expanding the "How is my storage being used?" shows more drive information.


7. As I selected the option to check for updates, this box comes up.


8. Clicking on the highlighted option to change the Admin password, shown in images 6 & 7 above, brings up the "Admin" section under the settings.  There is also an option to enable DroboApps (which I plan to investigate more in the future).


9. By default, the Drobo device will protect your data in the event of one hard drive failing.  There is an option to enable dual disk redundancy, which will protect the data in the event of two drives failing.  It does use more hard disk space, but I guess it depends how important your data is.  As my device will be holding family photos and my MP3s, I will be enabling the dual drive redundancy.


10. On the "Network" tab, the network settings can be configured.  I will be setting this to match my internal network.


11. On the "Shares" tab, shares and users can be created.  By default, you have one share called "Public" and an administrative user called "Admin".


13. On the "Email Alerts" tab, the email server information can be configured.


As you can see, the software interface is clear and concise.  Lots of features are available and it seems much easier to configure than my existing NAS device.  Now the device is on my network, I will be investigating more about DroboApps.

Introduction to the Drobo FS

I had a surprise at work today, as a box was left on my desk.  Drobo kindly shipped a Drobo FS to me to test and use.

At e92plus, we have just started distributing the Drobo range of products and like any technical person, the technology interested me, but hands on experience with a product is much more fun!

A number of things drew my attention to the Data Robotics (Drobo) range of drive enclosures, even before we signed them up to distribute their products.  I was aware that different makes and sizes of hard drives could be used within one enclosure.  This goes against the things that I have learnt about RAID technology and have been using for over 17 years, but then again RAID is over 25 years old!!

I was also aware that some of the Drobo range would allow applications (Drobo Apps) to be run on the device, so it could be a web server, FTP server, iTunes server, etc.

There was a boast that it was easy to set up without the complex configuration normally associated with RAID systems.  I think I had a head start as I have worked with RAID for a number of years, as well as already owning a Netgear NAS appliance at home.  I've been looking to replace this with a device that supports the storage of an iTunes library, which my current device does not do.

After plenty of research, I came to the conclusion that I needed a Drobo FS at home, and all of this was decided before I was even aware of it at work.  It was good to see that something I had researched a while ago was not only good enough for home, but that the range also has a number of devices suitable for business use.

Here's the box that arrived today:




The box contained a number of items:
  • Drobo FS Device
  • Drobo FS User Guide
  • Drobo Resource CD
  • Straight Ethernet Cable
  • AC Adapter
  • Power Cords (UK & European)
The device is very attractive: a metal chassis and a plastic front bezel, held on with magnets.  It blends good aesthetics with a sturdy, quality build.  It felt very solid compared to my existing NAS appliance.




The instructions on the box were very straight forward:


  1. Install Drobo Dashboard from the Drobo Resource CD
  2. Insert at least two 3.5" SATA hard drives, metal side up (Note: Any data on the drives would be wiped)
  3. Connect an Ethernet cable and the AC adapter, then follow the dashboard instructions






I had four 1TB SATA hard drives spare, so this is what I'm using as part of this test.

Software installation to follow in the next post:

Thursday 10 February 2011

UAG Registry Keys

Found this TechNet section when looking for something else and it may be very useful to you.

Here are the registry keys used by UAG:
http://technet.microsoft.com/en-us/library/ee809087.aspx

The one that is of most use, especially when carrying out proofs of concept where "real" certificates are not being used:

HKEY_LOCAL_MACHINE\SOFTWARE\WhaleCom\e-Gap\Von\URLFilter\Comm\SSL


By default Forefront UAG validates both the certificate and the revocation list of each SSL backend server during the TLS handshake procedure. In the event where the certificate or the CRL are not valid, backend users are denied access to that given backend server. If a Forefront UAG administrator wishes to disable those validation tests, set the ValidateRwsCert and ValidateRwsCertCRL key values to 0, and then restart the IIS service on the Forefront UAG server.

As UAG checks certificates and CRLs, where IAG really didn't, this can be new to most people who have experience of IAG.