Archive for the ‘Data Security’ Category

PRIMER: How are Disaster Recovery and Backups Different?

April 16th, 2013
Posted by: Donna Hemmert

So, you are working through your go-forward IT strategy and need to make sure that you have things covered should something go wrong. Pretty quickly, you notice that the terms “Backup” and “Disaster Recovery” are quite often being used interchangeably. But, the truth is, they are different. Related, yes, but different.

Backup

Backup really can be defined very simply. Backup is just a copy of your files on another disk (or tape, cloud, etc.). In fact, if you copied each and every file to a DVD (and we are not sure why you would do that), that would be a backup. Having a full backup that is up-to-date means that when you lose a few files, a whole drive or more, you can take the time it takes to copy those files back once your systems are ready to rock. But it can be a time-consuming disruption. You will likely need to set up new server(s), re-install the OS, reinstall all the applications, etc. There are two ways to back up your systems:

  • Onsite Backup: This is when you back up locally to some kind of physical storage option. These solutions are capable of imaging servers and storing data locally so you can recover from incidents.
  • Offsite Backup: This is when you back up your data to an entirely different location. This, of course, helps protect you in the case of an entire geographic location being affected by a disruption. Also, organizations often need offsite backup to meet compliance requirements such as those defined by Sarbanes-Oxley, HIPAA, FISMA, NASD and NYSE, etc.

Disaster Recovery

So, what is Disaster Recovery? Disaster Recovery goes beyond backup. The big benefit of Disaster Recovery is that rather than taking what may be days or months to recover from an unplanned outage, Disaster Recovery greatly shortens that time.

With Disaster Recovery, a complete image of your disk drives and servers is mirrored. This is sometimes referred to as a “bare-metal” backup, meaning the backup isn’t just the files, but the OS and everything. For example, with AISN’s Disaster Recovery service, we replicate the “bare-metal” backup image to another geographic site so that in the event of a disaster in one geographic location, it can be restored from an entirely different geographic location. This gives you added protection, and the image(s) allow you to restore systems more quickly – there is no need to reinstall an OS and copy files. The amount of time it takes to actually resume operations after a disaster also depends on whether you choose a “Hot Site” or a “Cold Site.” So what is the difference?

  • “Hot Site”: Environments are available at a moment’s notice. So, in the case of an outage, all data processing can quickly be moved to the “Hot Site” and operations continue.
  • “Cold Site”: A secondary location is available for your critical applications, but it is supplied as basic office space; the customer provides and installs all the equipment needed to continue operations. It is less expensive, but it will take longer for full operations to resume.

So, that’s really all there is to it from a high level. You really need to understand what your goals and objectives are. Do you need systems available in minutes, hours, or would days be just fine? Is backup just fine, or do you need Disaster Recovery? And what level of Disaster Recovery do you need? There is a lot to consider, but remember, we are always here to help you think through your IT plans.


10 Dangerous Risks to Your Server Security

February 27th, 2013
Posted by: admin

GUEST BLOG

By Sarah Morris
KirkpatrickPrice

Security.  That’s usually the first thing on the minds of those in the IT world.  To keep up with changing technologies, we are constantly changing and improving our security standards, so that we can remain one step ahead of malicious attackers in defending our confidential information.

Royce Howard, of Global Knowledge, offers some tips about the 10 most dangerous risks to your server.  These tips are important to remember when developing and securing your IT infrastructure.

Physical Attacks. Make sure no one has physical access to your server.  Server rooms should be kept secure, and sensitive data should be encrypted.

Password Policies. Create complex passwords and change passwords every 90 days.

Privileged Accounts and Social Engineering. Vulnerabilities can be mitigated by removing administrator rights.

Email Attacks. Beware of phishing emails.  Never open an email from an untrusted source and avoid clicking on links in emails.

Worms. Worms are self-replicating programs that copy themselves from machine to machine, using up computer processing time and bandwidth.

Increasingly Malicious Malware. Scheduling regular scans can help detect and protect against malware and spyware.

Unauthorized Network Access. Network Access Control and Network Access Protection can help control network access of a computer host while using a set of protocols to define and implement a security policy.

Not Updating Patches. Automatic updating of patches can help avoid threats.

3rd-Party Applications. Check the security practices of 3rd-party vendors and of applications from independent developers, and track the known vulnerabilities in the software you run.

The Human Factor. People are the weakest link in security initiatives.  Develop strong policies and procedures so that people are prepared.

At KirkpatrickPrice, we have years of experience in information assurance by performing assessments, audits, and tests that strengthen information security controls.  Contact us at info@kirkpatrickprice.com for more information on how we can help you in your compliance efforts.

Sarah Morris is a technical writer for KirkpatrickPrice, a provider of world-class audit services. Visit www.kirkpatrickprice.com.


Top 10 Security Risks Found by Your Auditor

February 21st, 2013
Posted by: admin

GUEST BLOG

By Sarah Morris
KirkpatrickPrice

At KirkpatrickPrice, we strive to provide the proper assurance and resources to help our clients maintain security within their organization.  Recently, we held a client webinar focused on the “Top Ten Security Risks” that your auditor finds during your auditing process.  Below is a summary of the most common risks that we find.

1.      No Formal Policies and Procedures

Formal guidelines of policies and procedures help provide your employees with clarity of what’s expected of them.  They define the accountability for each employee and also establish necessary training. Information security policies are mandated by the FTC Safeguards Rule, PCI Data Security Standards, and the HIPAA Security Rule. This means they are mandatory.

2.      Misconfigurations

Standards need to be applied consistently. Organizations should utilize benchmark configuration standards from a recognized entity such as: the Center for Internet Security (CIS), the International Organization for Standardization (ISO), the SysAdmin, Audit, Network, Security (SANS) Institute, and the National Institute of Standards and Technology (NIST).

3.      No Formal Risk Assessment

Assessment should cover the assets that are critical to continuing your enterprise’s business operations: hardware, software, human resources, and processes (automated or manual). Some important things to consider when thinking about risk assessment are the threats to your assets as well as the likelihood of a vulnerability being exploited. Threats can be both internal (employees, third-party contractors or partners) as well as external (natural events or social engineering). Developing a proper risk assessment can help to mitigate the potential risks that you face.

4.      Undefined Incident Response

It is always important to have clear instructions on reporting procedures when determining incident response. It is suggested to build a culture within your work environment that encourages reporting of all incidents the moment they present themselves.

5.      Lack of Disaster Planning

Disaster planning ensures that written plans are available for others to follow in the event that key personnel are not available. A business impact analysis can help quantify what level of redundancy is required for disaster planning. Proactive arrangements should be made to care for the staff and to communicate with third parties. Walkthroughs and training scenarios can benefit organizations so employees are properly prepared in the event of a disaster.

6.      Lack of Testing

The concept of testing applies to all areas of your security. If your security is not tested, there is no way to determine whether or not vulnerabilities are present.

7.      Insecure Code

Developing secure coding is something we find lots of companies struggling with. To develop secure coding, training must be implemented as well as specific development standards and quality assurance.

8.      Lack of Monitoring/Audit Trails

Log harvesting, parsing, and alerting methods must be determined to deal efficiently with massive event logs. The responsibility for review must be formally assigned as part of daily operations.  Audit trails should be stored in such a way that system administrators cannot modify them without alerting someone with an oversight role.
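The storage requirement in point 8 (administrators must not be able to alter the audit trail unnoticed) is commonly met with a keyed hash chain: each record carries a MAC computed over the previous record’s MAC and its own content, under a key held by the oversight role rather than by the administrators. The Python below is an added example written for this post, not KirkpatrickPrice’s or the page’s own code; the key, the event fields and the sample events are constructed.

```python
import hashlib
import hmac
import json

# Constructed demo key.  In a real deployment the key is held by the oversight
# role (not by the administrators whose actions are being logged), so an admin
# can edit the file but cannot recompute valid MACs for the edited records.
OVERSIGHT_KEY = b"constructed-demo-key-replace-in-production"

# Constructed sample audit events (not real log data).
SAMPLE_EVENTS = [
    {"ts": "2013-02-21T09:00:00Z", "user": "jdoe", "action": "login", "result": "ok"},
    {"ts": "2013-02-21T09:05:12Z", "user": "jdoe", "action": "read", "object": "payroll.xlsx"},
    {"ts": "2013-02-21T09:07:40Z", "user": "admin", "action": "chmod", "object": "/var/log/audit"},
]

GENESIS = "0" * 64  # "previous MAC" value used for the first record


def _canonical(event):
    """Serialize an event deterministically so the MAC is reproducible."""
    return json.dumps(event, sort_keys=True, separators=(",", ":")).encode()


def _mac(prev, event, key):
    """HMAC over (previous record's MAC || canonical event) binds each record to its predecessor."""
    return hmac.new(key, prev.encode() + _canonical(event), hashlib.sha256).hexdigest()


def append_event(chain, event, key):
    """Append one event to the chain (a list of {'event', 'prev', 'mac'} records)."""
    prev = chain[-1]["mac"] if chain else GENESIS
    chain.append({"event": event, "prev": prev, "mac": _mac(prev, event, key)})
    return chain


def build_chain(events, key):
    chain = []
    for event in events:
        append_event(chain, event, key)
    return chain


def verify_chain(chain, key):
    """Walk the chain; return (True, None) if intact, else (False, index_of_first_bad_record).

    Detects edited records (MAC mismatch), deleted or reordered records
    (prev-link mismatch) and records written without the key.
    """
    expected_prev = GENESIS
    for i, rec in enumerate(chain):
        if rec["prev"] != expected_prev:
            return False, i
        if not hmac.compare_digest(_mac(rec["prev"], rec["event"], key), rec["mac"]):
            return False, i
        expected_prev = rec["mac"]
    return True, None


if __name__ == "__main__":
    chain = build_chain(SAMPLE_EVENTS, OVERSIGHT_KEY)
    print("intact:", verify_chain(chain, OVERSIGHT_KEY))
    chain[2]["event"] = dict(chain[2]["event"], user="someone-else")  # an admin edits a record
    print("after edit:", verify_chain(chain, OVERSIGHT_KEY))
```

One caveat the chain alone does not cover: cutting records off the end of the log leaves a chain that still verifies. The oversight role therefore also needs to record the latest MAC (or the record count) periodically, or ship the records to write-once storage, so that truncation is detectable too.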

9.      Data Leakage

Some things we often forget to ask are: where is the data located, and how long should it be retained? How is encryption implemented and verified? How is access to data granted and audited?  These things are all very important, and if not addressed, can keep you from complying with federal and industry standards and regulations.

10.     Lack of Training

A lack of training can prove to be a striking blow to the security of your organization. Employers should recognize the importance of properly training all employees on safety and security best practices. Standards and guidelines should be clearly set and determined in each organization. Several training opportunities are offered through KirkpatrickPrice to properly train you and your company on the basics of security awareness, awareness for managers, awareness for IT professionals, and awareness for credit card handling.

Determining your individual risks is the first step toward the mitigation process.  Maximum security of your sensitive information is KirkpatrickPrice’s number one priority.

If you’re ready to get started with your assurance process, you’ve come to the right place. We’re ready to help. Let’s work together.

Sarah Morris is a technical writer for KirkpatrickPrice, a provider of world-class audit services. Visit www.kirkpatrickprice.com.

Cloud Computing Benefits for Accounting Firms

August 19th, 2012
Posted by: Julia Uglietta


By Julia Uglietta
Associate, Marketing and Sales

Accounting firms deal with data day in and day out. The volume of numbers that go through an accounting office each day is unimaginable. The number of emails that go in and out of the offices is inundating.

It’s not only the size issue that challenges accounting offices every day.  Rather, it’s also the need to work faster while remaining efficient – in addition to improving client and interoffice communications.  These goals sound fairly standard for a successful business, right?  But in fields such as accounting, where large amounts of data are being received and stored, achieving these goals can be onerous.  The good news is, however, that new technology known as cloud computing is helping accounting firms attain these goals and save money too.

Taking business to the cloud allows accountants to work from anywhere, at any time.

Taking accounting firms to the cloud is a way to reduce costs, improve efficiency and make data more accessible.  Throughout the industry, the discussion about cloud computing and how many accounting practices are moving to an outsourced cloud computing model has people thinking.  Accountants can see clearly that cloud computing is moving up and moving fast.  Now, more firms are looking into cloud solutions before they buy that next new server.  They’re performing a cost-benefit analysis, and in the process, they’re discovering that the operational expenditure associated with implementing an outsourced model is more desirable than the large capital expenditure associated with buying and maintaining all those new servers.

Not only does migrating to a cloud-based, paperless environment cut costs for accounting firms, but it also introduces new efficiencies.  When you put your data and applications in the cloud and entrust a cloud provider to care for them round-the-clock, you’re achieving IT efficiencies such as:

  • Eliminating the need for physical storage (throw out those old filing cabinets!)
  • Upgrading to industrial strength physical security (including partial or full fault tolerance, fire protection, etc.)
  • Improving backup and disaster recovery processes
  • Enhancing data security
  • Increasing availability (through improved power redundancy, etc.)
  • Extending IT resources with a 24x7x365 team of hosting experts

For many accounting firms, this makes the decision to switch to the cloud even easier.

The most brilliant feature of the cloud is, in my opinion, its “anywhere” accessibility – which is an aspect that most accounting firms will find appealing.  When your data and your applications are in the cloud, they are accessible via any Internet-enabled device whenever you need them and wherever you are.  It just makes life easier.  Allowing the staff to work faster (and, I might add, without necessarily increasing billable rates) allows them more time to focus on the clients’ needs.

Most customers prefer communicating with their accountant via the Internet, and in many ways, the new cloud-based dashboards, reporting applications and unified communications systems that are now available only make this easier.  By enabling better collaboration and communication among geographically diverse staff and clients, accounting firms’ processes and workflows are vastly improved and the work gets done much faster – often with greatly reduced travel costs.

Life in the cloud has changed many industries’ ways of operating.  Slowly but surely, accounting firms will ease into cloud computing and reap benefits that were previously unachievable any other way.

Why Email Archiving?

August 3rd, 2012
Posted by: admin

By Laurie Head
AIS Network Vice President

Why email archiving?  Well, from the knowledge management perspective, valuable information is contained within our everyday email conversations, and yet that vast knowledge repository is typically not documented or stored using any formal means or framework.  Email archiving solves this problem, especially if it is designed with simple yet robust search capabilities.

Email archiving addresses legal readiness and regulatory compliance needs, among other business requirements.

However, information archiving also addresses several key business requirements, particularly for enterprises.  To start, consider:

  • legal discovery readiness
  • regulatory compliance
  • email storage optimization

Being prepared for legal discovery and regulatory events means knowing where data is stored and being able to collect, search, and retrieve that data in a short period of time.

Organizations must also be able to establish and enforce policies, which reflect specific regulatory and geographic market requirements that align with internal information governance strategies. When managed improperly, exposure to legal and compliance risks can be significant and challenge an organization’s ability to defend its processes. This can lead to costly fines, guilty verdicts and damaged reputations.

Also, keep in mind that because regulations mandate that data must remain in its original state (native format), robust search capabilities are needed.  An archive provides a centralized, searchable repository that provides end users with access to historical information.  We believe that this access should be simple and intuitive, with a familiar user experience that fits existing work habits and enables greater productivity.

Finally, an information archive should address all of these requirements while also supporting the dual IT objectives of centralizing email storage and reducing the cost and management complexities of exploding data volumes — both within managed systems as well as in the wild.

AISN has recently introduced a new cloud-based offering for enterprise email archiving — one that has a variety of attractive features, especially if you need to meet high compliance standards.  AISN’s next generation email archiving, Proofpoint Enterprise Archive™, offers a proven email archiving solution architected explicitly for the cloud.  It features ultra-rapid parallel email search capabilities for discovery, DoubleBlind Encryption™ as the industry’s only email archiving solution to secure against hacking or legal challenges, and unlimited storage with straightforward flat-fee pricing.

Read more about our new email archiving solution on our site’s email archiving page; it’s also briefly highlighted in our disaster recovery section.  Because we price email archiving on a case-by-case basis, you won’t find a pricing guide, so please be sure to contact us for a free quote.


AISN’s Redundant Power and Connectivity Protect Customers From Power Outages in Aftermath of Massive DC Storm

June 30th, 2012
Posted by: admin

By Jay Atkinson
AIS Network CEO

Unplanned outages are costly. Redundant power and connectivity are critical values that managed hosting providers offer.

Can the AIS Network data center reliably maintain data availability when a massive storm hits?  Yes!

Last night, the Washington, DC, metropolitan area suffered a massive, highly destructive storm replete with high winds, thunder, lightning and heavy rains.  This afternoon, more than 1.3 million households and businesses across the area are still without power.  In fact, power company officials are predicting a “multi-day outage.”  All this bad news comes in the middle of a heat wave when weather forecasters are calling for dangerous heat levels and still more storms.  We sympathize with those who are still without power and who have suffered property loss.

Last night’s storm, which crippled many businesses with a primary utility power outage, underscores why it’s tremendously advantageous to host your mission critical data in an SSAE 16 Type II-compliant data center.  Outages are costly.  Customers don’t really care if there was a storm, an earthquake, a rolling blackout or some other issue responsible for an outage.  They simply expect perfect availability of and connectivity to their data, and that is understandable.

Reliable, redundant power and redundant IP connectivity are two of the most important safeguards that a managed hosting provider can offer its customers, especially when a natural disaster strikes.  Yet, what many hosting providers offer falls short of that.  AIS Network’s Tier III data center in Virginia came through with flying colors and kept our customers’ data up and running.  No hiccups, just solid availability.

Choosing to move your mission critical applications and data from an on-premise hosted environment to a fully managed hosted environment within a secure data center definitely makes good economic sense but it’s also a decision that provides for more reliable protection against power and Internet connection outages.  That’s a critical value proposition.

Managed hosting support systems must be predictably available, and system availability is only as predictable as the availability of power to those systems.  When you host your data in AISN’s data center, you are choosing to add a level of built-in redundancy for failover protection during common and extreme conditions.  AISN facilities are designed for redundancy and high availability of power to our clients’ critical server systems, and high density Internet connections.  Clearly, to build this sort of environment for your data on-premise would be cost-prohibitive.

Some data centers promise redundant/backup systems, but nonetheless, it’s still very important for a prospective customer to confirm precisely what that promise entails.  In some cases, a physical inspection may be necessary or advisable.  If you’d like to learn more about AISN’s data centers or take a technical tour, please contact us.


Cloud Security and Privacy for eGov

June 14th, 2012
Posted by: admin

By Laurie Head
AIS Network Vice President

As we embark on a path toward cloud hosting for state government, I’ve been in search of solid resources that will help inform our new role as a contracted hosting provider to support Virginia’s eGov Services.

The National Association of State Chief Information Officers has been very helpful in this regard.  If you haven’t seen their site, take a look now.  NASCIO is an excellent resource for information about state government and technology, and they have made available a wide range of publications for download.

I particularly like NASCIO’s series of reports about leveraging cloud technology.  These reports — four so far — are designed for state chief information officers (CIOs) and other senior IT decision makers, and they highlight the cloud’s potential for reducing costs, optimizing system efficiencies, and enhancing overall service delivery.  They are as follows:

For a discussion of issues related to cloud privacy and security, last month’s report (May 2012) is excellent in its examination of how individual agencies within the state infrastructure are coming together and how “all of this activity is converging on a developing government strategy for maturing and harvesting the value of cloud computing.”  The authors use Delaware and Michigan as examples.

Further, the report outlines 12 recommendations for state CIOs moving toward the cloud.  According to NASCIO, state IT leaders must:

  1. Mobilize internal support for cloud adoption through education and awareness, while clearly articulating the new security and privacy risks.
  2. Weigh the benefits and risks of cloud computing in terms of cost versus security and privacy concerns.
  3. Continue to temper expectations about savings opportunities and to examine risks and requirements.
  4. Educate policy makers on the differences between consumer cloud requirements versus the industrial-strength requirements of state government.
  5. Examine the state’s standard terms and conditions for procurement and consider modifications to address cloud computing.
  6. Communicate and educate government officials on the terms of service presented and assumed for third-party cloud services.
  7. Start with a private cloud solution first, particularly where state data is highly sensitive.
  8. Develop an enterprise security policy that controls unauthorized use of cloud services while enabling legitimate business needs.
  9. Expect compliance issues and scan network traffic continually to uncover the use of unauthorized cloud services.
  10. Consider a cloud broker approach (i.e., develop roles specific for cloud management, like “broker” and “service portfolio manager”, in ways that will enhance security/efficiency).
  11. Work with the federal government to develop a common interpretation of security requirements so that comprehensive cloud requirements can be identified and relied upon.
  12. Stay tuned to the Federal Risk and Authorization Management Program (FedRAMP) as it evolves and leverage approved vendors (i.e., the program will provide a list of approved cloud providers for states beginning their cloud strategy).
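Recommendation 9 (scan network traffic continually to uncover unauthorized cloud services) is the one item in the list that reduces to a concrete detection routine: compare the hosts your users reach through the web proxy against the list of cloud services the enterprise security policy (recommendation 8) has approved. The Python below is an added example, not NASCIO’s or the original post’s code; the approved-host list, the proxy log layout and every hostname in it are constructed (all under the reserved `.example` domain), and a real deployment would read the proxy’s actual log format instead.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed allow-list of cloud services the agency has approved (hypothetical names).
APPROVED_CLOUD_HOSTS = {
    "mail.agency.example",
    "docs.approved-cloud.example",
}

# Constructed proxy log in a simplified, squid-like layout:
#   <timestamp> <client-ip> <method> <url-or-host:port> <status>
# CONNECT lines are HTTPS tunnels, so only host:port is visible to the proxy.
SAMPLE_PROXY_LOG = """\
2012-06-14T08:01:10Z 10.20.1.15 GET http://docs.approved-cloud.example/report.xlsx 200
2012-06-14T08:02:33Z 10.20.1.15 CONNECT sync.consumer-storage.example:443 200
2012-06-14T08:03:01Z 10.20.1.27 CONNECT mail.agency.example:443 200
2012-06-14T08:05:48Z 10.20.1.27 POST https://share.freefiles.example/upload 200
2012-06-14T08:06:02Z 10.20.1.31 CONNECT sync.consumer-storage.example:443 200
this line is malformed and is skipped rather than crashing the scan
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"(?P<method>[A-Z]+)\s+(?P<target>\S+)\s+(?P<status>\d{3})$"
)


def target_host(method, target):
    """Extract the hostname from a proxy request target.

    CONNECT targets are 'host:port'; every other method carries a full URL.
    """
    if method == "CONNECT":
        return target.rsplit(":", 1)[0].lower()
    return (urlsplit(target).hostname or "").lower()


def is_approved(host, approved=APPROVED_CLOUD_HOSTS):
    """True for an approved host or any subdomain of one."""
    return any(host == a or host.endswith("." + a) for a in approved)


def parse_log(text):
    """Yield one dict per well-formed log line; malformed lines are skipped."""
    for line in text.splitlines():
        match = LINE_RE.match(line)
        if match:
            yield match.groupdict()


def find_unapproved(text, approved=APPROVED_CLOUD_HOSTS):
    """Map each unapproved cloud host to the sorted list of internal clients that reached it."""
    hits = defaultdict(set)
    for rec in parse_log(text):
        host = target_host(rec["method"], rec["target"])
        if host and not is_approved(host, approved):
            hits[host].add(rec["client"])
    return {host: sorted(clients) for host, clients in sorted(hits.items())}


if __name__ == "__main__":
    for host, clients in find_unapproved(SAMPLE_PROXY_LOG).items():
        print(f"unapproved cloud service {host} used by {', '.join(clients)}")
```

Grouping by host rather than by log line is deliberate: the follow-up (decide whether the service should be added to the allow-list or blocked, and who to talk to) happens per service, and the client list tells you how widespread the use already is.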

Thanks to NASCIO for offering some very valuable research.  I encourage you to read the report.  Let me know what you think by commenting here.


SharePoint 2010 Security: Adding an SSL Certificate to Your Hosted SharePoint Site

June 11th, 2012
Posted by: admin

By Bill Peters
AIS Network Director of Sales

SSL certificates create secure (HTTPS) connectivity between your Web server and your visitors’ browsers.  If you are transmitting sensitive information via a Web site, such as Social Security numbers, credit card numbers or other personal information, you should secure it with SSL encryption to safeguard against others seeing your data.  If you do not use an SSL certificate, then you are vulnerable.

SSL certificates aid in ensuring data security for your hosted SharePoint site.

In a SharePoint environment, SSL certificates can easily be added to a hosted site in order to secure it.  There are different kinds of SSL certificates but I won’t address that in this blog.  Rather, this is about SharePoint 2010 security and the recent request by one client that we add an SSL certificate to his existing hosted SharePoint site with us.

In preparation, I asked him what domain name he wanted on the SSL certificate.   Unsure of my question, he responded, “Doesn’t the domain name have to match the domain of the (AISN) network?”

Here’s how I explained it to him.   In his case, the server hosting his SharePoint is a member server in the Active Directory domain called aisn.local.  Web sites which serve Web pages from this server (SharePoint included) can be addressed by either an IP address or a domain name.  This Web site domain is not the same type of domain as the Active Directory domain in which the server resides.  And actually, Active Directory domains such as aisn.local cannot be present on the Internet.  The ‘.local’ indicates to the Internet that it is a private, not a public, domain name.

That said, it is possible to have an SSL Certificate for either type of domain.  The real question is what are you going to use it for?  That was for my client to decide.

As I explained to him, if you intend to use the SSL Certificate for Server Identification, then we can get a certificate for you for “yournamehere.aisn.local”.  You would use this type of certificate when, for example, you remote desktop to the server.  It would guarantee that you are connecting to the right server.

If, however, you want to use the SSL Certificate for identification of your SharePoint Site, then you can pick any public name you want.  In this case, the domain must be registered publicly in order to get a public SSL Certificate.

So, for example, if you chose to address your SharePoint Site by the name “sp.yournamehere.com”, you would need to make sure that the domain name “yournamehere.com” is registered to you.  Then, you can define “sp.yournamehere.com” in IIS on your SharePoint server. You would also need to configure the public DNS for yournamehere.com such that the “host” known as “sp” points to the IP address on the server.

That explanation seemed to clarify things for him.  I told him that I thought he was looking for the latter, but we did not yet know what his host and domain names were.  It appeared to me that he was addressing his SP site by IP address currently.  In order to assign an SSL certificate, the site needs to have a full name.  We cannot register it to an IP.
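The naming rules above all come down to one check that every browser performs: does a name on the certificate match the name the client typed into the address bar? The Python below is an added example, not part of the original post and not AISN’s tooling; it implements the hostname-matching rules of RFC 6125 (case-insensitive exact DNS match, a wildcard only as the whole leftmost label, and IP addresses matched only against IP-address SAN entries) over certificate dictionaries in the shape Python’s `ssl` module returns from `getpeercert()`. The three certificates are constructed for the two cases the post describes: a server-identification certificate for the `.local` Active Directory name and public certificates for `sp.yournamehere.com`.

```python
import ipaddress

# Constructed certificates in the dict shape returned by
# ssl.SSLSocket.getpeercert() (these are not real certificates).
CERT_PUBLIC_SITE = {
    "subject": ((("commonName", "sp.yournamehere.com"),),),
    "subjectAltName": (("DNS", "sp.yournamehere.com"), ("DNS", "www.yournamehere.com")),
}
CERT_WILDCARD = {
    "subject": ((("commonName", "*.yournamehere.com"),),),
    "subjectAltName": (("DNS", "*.yournamehere.com"),),
}
CERT_INTERNAL_SERVER = {  # server-identification certificate for the AD domain name
    "subject": ((("commonName", "yournamehere.aisn.local"),),),
    "subjectAltName": (("DNS", "yournamehere.aisn.local"),),
}


def _dns_name_matches(pattern, host):
    """Match one certificate DNS name against a host name (RFC 6125 style).

    Comparison is case-insensitive; a wildcard is allowed only as the whole
    leftmost label and matches exactly one label, so '*.yournamehere.com'
    covers 'sp.yournamehere.com' but not 'yournamehere.com' or 'a.b.yournamehere.com'.
    """
    pattern = pattern.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if pattern == host:
        return True
    if not pattern.startswith("*.") or "." not in host:
        return False
    first_label, rest = host.split(".", 1)
    return bool(first_label) and rest == pattern[2:]


def cert_matches_host(cert, host):
    """Return True if the certificate identifies `host` (a DNS name or an IP address)."""
    san = cert.get("subjectAltName", ())
    dns_names = [value for kind, value in san if kind == "DNS"]
    ip_names = [value for kind, value in san if kind == "IP Address"]

    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None

    if ip is not None:
        # An IP address is matched only against IP-address SAN entries, never
        # against DNS names or the CN: a site reached by IP alone cannot be
        # covered by a name-based certificate, which is the post's last point.
        return any(ipaddress.ip_address(v) == ip for v in ip_names)

    if dns_names:
        return any(_dns_name_matches(p, host) for p in dns_names)

    # Legacy fallback: consult the CN only when the certificate has no DNS SAN entries.
    for rdn in cert.get("subject", ()):
        for kind, value in rdn:
            if kind == "commonName" and _dns_name_matches(value, host):
                return True
    return False


def certificate_for(site_name, candidates):
    """Pick the first candidate certificate that identifies `site_name`, or None."""
    for cert in candidates:
        if cert_matches_host(cert, site_name):
            return cert
    return None


if __name__ == "__main__":
    candidates = [CERT_INTERNAL_SERVER, CERT_PUBLIC_SITE, CERT_WILDCARD]
    for name in ["sp.yournamehere.com", "yournamehere.aisn.local", "203.0.113.10"]:
        chosen = certificate_for(name, candidates)
        print(name, "->", chosen["subject"][0][0][1] if chosen else "no matching certificate")
```

At connection time Python applies the same rules itself: a context from `ssl.create_default_context()` has `check_hostname` enabled and raises `ssl.SSLCertVerificationError` when the name the client connected to is not on the certificate, which is exactly what a visitor’s browser would show as a certificate warning.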

Have more questions about hosted SharePoint 2010 and hosted SharePoint security?  Send me an email and I’d be happy to help.
