<h1>From Techie to Boss: Transition to Leadership</h1>
Promoting a conversation about what works and what doesn't when you manage a technical team. By Scott Cromar.
<h1>LISA 2016 Presentation Slides</h1>
Published 2016-12-08.
<a href="https://www.usenix.org/conference/lisa16/conference-program" imageanchor="1" ><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgQ_VkETAgn9NoQyES6LzhCuJ8uEC3X8bBiKbQoEXXrPkXRyyI1LTH9n_oR8DDsSouz2Vj75SFvkq5JV2y23t9gZ1wYdxjWNsxKXCkRVPWSH_UUhpDnc3mjVScynMg012Ss730o8vs_vZw/s320/lisa16_logo_plain_neat.png" width="320" height="134" /></a><p>
Here's a link to the <a href="https://drive.google.com/file/d/0B2CdbwmrjX9zc241bkgxV0ZLdFU/view?usp=drive_web">slides for my presentation</a> on <a href="https://www.usenix.org/conference/lisa16/conference-program">Managing Dispersed Teams</a> for the <a href="https://www.usenix.org/conference/lisa16">LISA 2016</a> conference. The training at this conference is top-notch, with focus on both technical and cultural aspects of Information Technology management. It is well worth your time to attend. I hope to see you there!<br>
<h2><a href="https://drive.google.com/file/d/0B2CdbwmrjX9zc241bkgxV0ZLdFU/view?usp=drive_web">Managing Technical Teams</a></h2>
<h1>"Survival Guide for the New Manager" at LISA 2015</h1>
Published 2015-11-08.
<p>
I look forward to seeing folks at my tutorial <a href="https://www.usenix.org/conference/lisa15/training-program/full-training-program#M5">"Survival Guide for the New Manager"</a> at the LISA 2015 conference!
<h1>Leader's Survival Guide Class in Jacksonville, FL</h1>
Published 2014-07-12.
<p>
The Leader's Survival Guide class is coming to Jacksonville.
<blockquote>
Leader's Survival Guide<br>
Wednesday, July 16 and 23, 7-9pm<br>
<a href="http://www.bbuuc.org/welcome/directions-to-bbuuc/">8447 Manresa Ave, Jacksonville FL 32244</a>
</blockquote>
This class is a version of the course I taught earlier this year at the LOPSA conference in New Jersey. The class there was well-attended and well-received. We are not charging an entrance fee, but donations to support our hosts are always welcome.
<p>
If you will be attending, please send an email RSVP to pr_communications@bbuuc.org so that we can set the room up properly.
<p>
The main difference between this course and the one I taught in New Jersey (aside from the cost) is that we will have two 2-hour sessions rather than a 3-hour marathon. The more relaxed pace should allow for good discussion and a chance to drill down on topics of interest.
<p>
The course is built around common-sense approaches to problems facing leaders, particularly at a small group level. The main topics are:
<ul>
<li>Characteristics of a good leader</li>
<li>Tools for effective management</li>
<li>Starting off right--transition planning and execution</li>
<li>Building a team</li>
<li>Expectations and relationships</li>
<li>Creating a learning plan</li>
<li>Achieving early wins</li>
<li>Matching strategies to the situation</li>
<li>Time management</li>
<li>Taming the meeting monster</li>
<li>Project management</li>
<li>Documentation, policies and procedures</li>
<li>Managing people</li>
</ul>
<h1>"The Technology Manager's Survival Guide" Class at LOPSA East 2014</h1>
Published 2014-05-04.
<div class="separator" style="clear: both; text-align: center;"><a href="http://lopsa-east.org/2014/" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhtlpfsoofsa7aJdMpT837SvOdQ5nF7P8qapbcMt2O6ixyYeyRt9Srf38t8cegWf9xjkatKCFeRkdjXuTWr944tuYgxGh8kvraKW-KZ52GsRH-izLPUy2oqVUzHwTe160DWaxyyiUhacOA/s320/LOPSA.jpg" /></a></div>
<p>
I had a blast this week teaching <a href="http://lopsa-east.org/2014/lopsa-east-14-training-schedule/#f11">"The Technology Manager's Survival Guide"</a> at LOPSA East 2014. The course was based on significant content out of "From Techie to Boss" and featured a lively conversation about the experiences of the technical managers in the audience.
<p>
If you were in the class, please feel free to contact me with any questions or comments.
<p>
I'll be presenting a similar class <a href="http://www.bbuuc.org/activitie/">"Leader's Survival Guide," in Jacksonville, FL on July 16 and 23.</a> Space for that class is limited; please contact me if you are interested in attending!
<p>
I am pursuing other opportunities to present the course; keep an eye on this space!
<p>
<h1>Protection against WiFi Viruses and Attacks</h1>
Published 2014-03-01.
<p>
Security researchers have designed a <a href="http://www.forbes.com/sites/bridaineparnell/2014/02/26/new-virus-spreads-like-the-common-cold-via-wifi/">virus that spreads silently through WiFi networks</a>. The <a href="http://www.v3.co.uk/v3-uk/news/2331294/security-researchers-warn-of-airborne-wifi-virus-that-spreads-like-a-cold">"Chameleon" virus replaces the access point's firmware</a> while keeping the original settings and administrative credentials, which <a href="http://jis.eurasipjournals.com/content/2013/1/2">makes the infection very difficult to detect</a>.
<p>
Fortunately, the <a href="http://www.cnet.com.au/researchers-create-a-virus-that-can-spread-via-wi-fi-339346763.htm">virus can be blocked by following good WiFi security practices</a>. Unfortunately, many WiFi networks are not set up in a secure way.
<p>
Fortunately, the <a href="http://howto.cnet.com/8301-11310_39-57580527-285/home-networking-explained-part-6-keep-your-network-secure/">steps to secure a home WiFi network are not particularly difficult</a>:
<ul>
<li><a href="http://networking.answers.com/wifi/aes-vs-tkip-a-networking-overview">Use AES encryption</a>. WEP encryption and TKIP encryption have <a href="http://www.cs.sjsu.edu/faculty/stamp/CS265/projects/Spr05/ppt/TKIP.ppt">known weaknesses that are easily exploited</a>. (Depending on your router, you would choose WPA2 or WPA encryption and select AES as the standard.)</li>
<li>Use a password that is hard to break. It <a href="http://wifinetnews.com/archives/2003/11/weakness_in_passphrase_choice_in_wpa_interface.html">should have more than 20 characters</a>, and should include a mix of upper and lower case letters, numbers, special characters, and even spaces. Entire sentences may be appropriate, if they are not publicly known.</li>
<li>Change the default administrative password and IP address. A <a href="http://www.slate.com/articles/technology/webhead/2004/11/how_to_steal_wifi.html">surprising number of home installations still use the defaults</a>.</li>
<li>Turn off remote administration features. Require that administration be done over a wired connection.</li>
<li>Verify that your <a href="http://krebsonsecurity.com/2014/02/time-to-harden-your-hardware/">firmware is updated</a>. There are a <a href="http://arstechnica.com/security/2014/02/dear-asus-router-user-youve-been-pwned-thanks-to-easily-exploited-flaw/">number of bugs</a> that <a href="http://www.theregister.co.uk/2014/02/20/belkin_on_wemo_bug_get_the_patch/">have been reported</a> against <a href="https://isc.sans.edu/diary/Linksys+Worm+%22TheMoon%22+Summary%3A+What+we+know+so+far/17633">WiFi router</a> <a href="http://kb.linksys.com/Linksys/ukp.aspx?pid=80&vw=1&articleid=4030">firmware</a>.</li>
<li>Log out of your administrative sessions when you are done.</li>
</ul>
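The checklist above, turned into a check you can run against a router's exported settings. This is an added example, not code from the original post; the key = value export format and the setting names (security_mode, cipher, passphrase, and so on) are hypothetical stand-ins for whatever your own router's admin page or backup file exposes.

```python
"""Audit a home WiFi router configuration against the checklist above.

Added example; not code from the original post. The key = value export
format and the setting names (security_mode, cipher, passphrase, ...)
are hypothetical stand-ins for whatever your router's admin page or
config backup exposes, so adapt parse_config() to your device.
"""

# Values the checklist says to move away from (constructed, not exhaustive)
DEFAULT_ADMIN_PASSWORDS = {"", "admin", "password", "1234"}
DEFAULT_LAN_ADDRESSES = {"192.168.0.1", "192.168.1.1", "10.0.0.1"}
ACCEPTED_MODES = {"WPA", "WPA2"}         # WPA2 preferred; WEP is never acceptable
ACCEPTED_CIPHERS = {"AES", "CCMP"}       # CCMP is the AES-based cipher; never TKIP
MIN_PASSPHRASE_LENGTH = 21               # "more than 20 characters"
LATEST_FIRMWARE = "PLACEHOLDER-vendor-latest"   # look this up on the vendor's site
OFF_VALUES = {"off", "0", "false", "no", "disabled"}


def parse_config(text):
    """Parse 'key = value' lines into a dict; '#' starts a comment."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if "=" not in line:
            continue
        key, value = line.split("=", 1)
        settings[key.strip().lower()] = value.strip()
    return settings


def passphrase_is_strong(passphrase):
    """More than 20 characters plus a mix of upper, lower, digits and other
    characters. Spaces count as 'other', so a full sentence qualifies."""
    if len(passphrase) < MIN_PASSPHRASE_LENGTH:
        return False
    return (any(c.isupper() for c in passphrase)
            and any(c.islower() for c in passphrase)
            and any(c.isdigit() for c in passphrase)
            and any(not c.isalnum() for c in passphrase))


def audit(settings):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    mode = settings.get("security_mode", "").upper()
    cipher = settings.get("cipher", "").upper()
    if mode not in ACCEPTED_MODES or cipher not in ACCEPTED_CIPHERS:
        findings.append(f"encryption: use WPA2 with AES, found {mode or 'none'}/{cipher or 'none'}")
    if not passphrase_is_strong(settings.get("passphrase", "")):
        findings.append("passphrase: needs >20 chars mixing upper, lower, digits and specials")
    if settings.get("admin_password", "") in DEFAULT_ADMIN_PASSWORDS:
        findings.append("admin_password: still a default or empty value")
    if settings.get("lan_ip", "") in DEFAULT_LAN_ADDRESSES:
        findings.append("lan_ip: still a default address")
    if settings.get("remote_admin", "off").lower() not in OFF_VALUES:
        findings.append("remote_admin: disable administration from the WAN side")
    if settings.get("wireless_admin", "off").lower() not in OFF_VALUES:
        findings.append("wireless_admin: require administration over a wired connection")
    if settings.get("firmware_version", "") != LATEST_FIRMWARE:
        findings.append("firmware_version: not the vendor's latest; check for updates")
    return findings


# Constructed sample exports: a near-factory-default router and a hardened one
WEAK_CONFIG = """\
security_mode = WPA
cipher = TKIP
passphrase = linksys123
admin_password = admin
lan_ip = 192.168.1.1
remote_admin = on
wireless_admin = on
firmware_version = 1.0.00
"""

HARDENED_CONFIG = """\
security_mode = WPA2
cipher = AES
# a full sentence that is not publicly known works well as a passphrase
passphrase = Correct horse battery staple 42!
admin_password = Xk9#tR2v!pQ7mZ4w
lan_ip = 192.168.37.1
remote_admin = off
wireless_admin = off
firmware_version = PLACEHOLDER-vendor-latest
"""

if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit(parse_config(text)) or ["OK"])
```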
<p>
Beyond securing your own routers, you need to keep in mind that public routers may also have been infected. There are some steps you can take to <a href="http://howto.cnet.com/8301-11310_39-20034899-285/6-ways-to-use-public-wi-fi-hot-spots-safely/">protect yourself when connecting to public WiFi routers</a>. Be aware that public networks are by definition insecure, whether WiFi or wired. There is little or nothing to stop a miscreant from trying to snoop your connection.
<ul>
<li>Enable your computer's built-in software firewall and deny all incoming connections.</li>
<li>Make sure file sharing is turned off.</li>
<li>Be aware that passwords may be sniffed by keyboard loggers, pulled from your computer's registry, or simply observed over your shoulder. By using a tool like <a href="http://download.cnet.com/1772-20_4-0.html?query=lastpass&platform=Windows%2CMac%2CiOS%2CAndroid%2CWebware%2CMobile&searchtype=downloads">LastPass</a> or <a href="http://sourceforge.net/projects/passwordsafe/">Password Safe</a>, you can avoid having to type passwords while storing them in a secure, encrypted location.</li>
<li>Use a VPN if possible.</li>
<li>Use https (HTTP over SSL) to connect to vendor sites wherever possible.</li>
</ul>
<p>
<h1>Upcoming Events</h1>
Published 2014-02-24.
<p>
I look forward to seeing some of you at an upcoming class.
<p>
My class, "Technology Manager's Survival Guide" is on the Friday afternoon training schedule at <a href="http://lopsa-east.org/2014/lopsa-east-14-training-schedule/#f11">LOPSA-East on May 2 in New Brunswick, NJ</a>.
<p>
And I'll be presenting a two-part class, <a href="http://www.bbuuc.org/activitie/">"Leader's Survival Guide," in Jacksonville, FL on July 16 and 23.</a>
<p>
<h1>Allowing Outside Vendors on Your Network</h1>
Published 2014-02-07.
<p>
<a href="http://thoughtsonsecurity.blogspot.com/2014/02/outsourcing-lax-authentication-and.html">Recent revelations about the Target attack</a> have re-focused attention on the dangers associated with allowing an outsider on your internal network. There are a few key lessons we can take from this episode:
<ul>
<li><a href="http://en.wikipedia.org/wiki/2-factor_authentication">Use strong authentication</a>. Passwords just don't cut it in today's environment.</li>
<li>Segment your network properly. It appears that <a href="http://www.computerworld.com/s/article/9246074/Target_breach_happened_because_of_a_basic_network_segmentation_error?taxonomyId=17">Target did not fence off its HVAC vendor from its Point of Sale (POS) systems</a>.</li>
<li>Require background checks. If you require background checks for your own employees before they are on your network, your outsourcing contracts should require the same level of checks from your vendors.</li>
<li>Monitor traffic on your network. Network segmentation errors will occur, but hopefully someone would pick up on <a href="http://www.informationweek.com/security/attacks-and-breaches/target-hackers-tapped-vendor-credentials/d/d-id/1113641">SQL Injection attacks</a> from your HVAC network.</li>
</ul>
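One way to put the segmentation and monitoring lessons above into practice: a policy check over flow logs that raises an alert when a vendor's access network reaches into the POS segment. This is an added example, not code from the original post; the subnets, zone names, policy table and log lines are constructed for illustration.

```python
"""Flag cross-segment flows that the segmentation policy does not allow,
so that a vendor's access network reaching into the POS segment surfaces
as an alert instead of going unnoticed.

Added example; not from the original post. The address plan, zone names,
policy table and flow-log lines are constructed for illustration; map them
onto your own subnets and your firewall or NetFlow export format.
"""
import ipaddress
from collections import Counter, namedtuple

Flow = namedtuple("Flow", "ts src dst dport proto")

# Constructed address plan
ZONES = {
    "vendor_hvac": ipaddress.ip_network("10.50.0.0/24"),  # HVAC vendor's access network
    "hvac_ctrl": ipaddress.ip_network("10.60.0.0/24"),    # building-control systems
    "pos": ipaddress.ip_network("10.10.0.0/24"),          # point-of-sale systems
    "corp": ipaddress.ip_network("10.20.0.0/16"),         # internal office and servers
}

# Allowed cross-zone flows as (src_zone, dst_zone, dport); dport None = any port.
# Anything not listed is a policy violation worth investigating.
POLICY = {
    ("vendor_hvac", "hvac_ctrl", 443),   # vendor manages controllers over HTTPS only
    ("corp", "pos", 8443),               # store-operations console to POS
    ("pos", "corp", 443),                # POS to the internal payment service
}


def zone_of(addr):
    """Name of the zone containing addr, or 'external' if none matches."""
    ip = ipaddress.ip_address(addr)
    for name, net in ZONES.items():
        if ip in net:
            return name
    return "external"


def parse_flow(line):
    """Parse a constructed 'ts src dst dport proto' flow-log line."""
    ts, src, dst, dport, proto = line.split()
    return Flow(ts, src, dst, int(dport), proto)


def is_allowed(flow):
    """True for intra-zone traffic or for a cross-zone flow listed in POLICY."""
    src_zone, dst_zone = zone_of(flow.src), zone_of(flow.dst)
    if src_zone == dst_zone:
        return True
    return ((src_zone, dst_zone, flow.dport) in POLICY
            or (src_zone, dst_zone, None) in POLICY)


def find_violations(lines):
    """Return [(flow, src_zone, dst_zone), ...] for each disallowed cross-zone flow."""
    violations = []
    for line in lines:
        if not line.strip():
            continue
        flow = parse_flow(line)
        if not is_allowed(flow):
            violations.append((flow, zone_of(flow.src), zone_of(flow.dst)))
    return violations


def summarize(violations):
    """Roll violations up by (src_zone, dst_zone, dport) so one vendor host
    probing a POS database produces one alert line, not hundreds."""
    return Counter((s, d, f.dport) for f, s, d in violations)


# Constructed flow log: the vendor host talks to its controllers (fine), then
# to two POS hosts on the SQL Server port (not fine); the rest is normal traffic.
SAMPLE_FLOWS = """\
2014-02-01T02:11:05 10.50.0.17 10.60.0.5 443 tcp
2014-02-01T02:11:09 10.50.0.17 10.10.0.22 1433 tcp
2014-02-01T02:11:10 10.50.0.17 10.10.0.23 1433 tcp
2014-02-01T09:00:00 10.20.4.8 10.10.0.22 8443 tcp
2014-02-01T09:00:03 10.10.0.22 10.20.4.8 443 tcp
"""

if __name__ == "__main__":
    rollup = summarize(find_violations(SAMPLE_FLOWS.splitlines()))
    for (src_zone, dst_zone, dport), n in rollup.items():
        print(f"ALERT: {n} flow(s) {src_zone} -> {dst_zone} port {dport} outside policy")
```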
<p>
<h1>Bring Back Net Neutrality</h1>
Published 2014-02-06.
<p>
In January, a <a href="http://www.washingtonpost.com/blogs/the-switch/wp/2014/01/14/d-c-circuit-court-strikes-down-net-neutrality-rules/">federal appeals court struck down</a> the FCC's regulations regarding <a href="http://www.huffingtonpost.com/timothy-karr/verizons-plan-to-break-th_b_3946907.html">net neutrality.</a> In arguments in that case, Verizon indicated that it wanted to pursue <a href="http://www.freepress.net/blog/2013/09/10/legal-gymnastics-ensue-oral-arguments-verizon-vs-fcc">"different pricing service models."</a>
<p>
(In other words, they want to throttle traffic for content providers who don't pay up. In fact, they want it so badly that they stated it <a href="http://www.cadc.uscourts.gov/recordings/recordings2014.nsf/DCD90B260B5A7E7D85257BE1005C8AFE/$file/11-1355.mp3">five separate times</a> during arguments.)
<p>
In the wake of the ruling, it appears that <a href="http://www.washingtonpost.com/blogs/the-switch/wp/2014/02/05/verizon-denies-using-net-neutrality-victory-to-sabotage-netflix-amazon/">Verizon is doing exactly that.</a> Reportedly, <a href="http://davesblog.com/blog/2014/02/05/verizon-using-recent-net-neutrality-victory-to-wage-war-against-netflix/">Verizon reps are telling customers</a> that the reason that services (such as Netflix) that run on Amazon's AWS platform run so slowly on Verizon's network is that they are being throttled.
<p>
(Verizon is clearly betraying its New Jersey roots. "That's a real nice service you're offering there. It would be a real shame if something happened to it." Who knew that they had hired Tony Soprano to plan their corporate strategy?)
<p>
Earlier this week, House and Senate Democrats <a href="http://davesblog.com/blog/2014/02/05/verizon-using-recent-net-neutrality-victory-to-wage-war-against-netflix/">introduced legislation</a> to re-institute the former net neutrality rules. The legislation is known as the <a href="http://arstechnica.com/tech-policy/2014/02/democrats-try-to-reinstate-net-neutrality-laws-struck-down-by-court/">Open Internet Preservation Act.</a>
<p>
Good luck to them. Given that most people have a very limited selection of broadband providers, I'm not sure how the FCC ever considered them anything other than common carriers.
<p>
<h1>Interview Tips</h1>
Published 2014-01-30.
<p>
<a href="http://www.careerbuilder.com/share/aboutus/pressreleasesdetail.aspx?sd=1%2f16%2f2014&siteid=cbpr&sc_cmp1=cb_pr798_&id=pr798&ed=12%2f31%2f2014">Career Builder posted a press release</a> that outlined several major turn-offs during a job interview. It is well worth a read.
<p>
The article includes results from a survey of hiring managers. 87% of hiring managers have formed their opinion in the first 15 minutes, mostly based on non-verbal body language cues. Here are some body language pointers from the survey results:
<ul>
<li>Make eye contact. 70%</li>
<li>Smile. 44%</li>
<li>Use good posture. 35%</li>
<li>Don't fidget in your seat. 35%</li>
<li>Don't fiddle with items. 24%</li>
<li>Give a handshake that is firm enough. 27%</li>
<li>But not too strong. 5%</li>
<li>Don't cross your arms over your chest (<a href="http://en.wikipedia.org/wiki/Posture_(psychology)#Open_and_closed_body_posture">closed body posture</a>). 24%</li>
<li>Don't touch your hair or face. 24%</li>
<li><a href="http://www.psychologytoday.com/blog/brain-wise/201209/your-hand-gestures-are-speaking-you">Appropriate use of hand gestures</a>. 10%</li>
</ul>
<p>
Here are some other pointers from the survey participants:
<ul>
<li>Be engaged and interested in the conversation. 55%</li>
<li><a href="http://career-advice.monster.com/job-interview/interview-appearance/appropriate-interview-dress/article.aspx">Dress appropriately.</a> 53%</li>
<li>Avoid arrogance. (Stick to facts and figures. People know when you're inflating your role.) 53%</li>
<li>Don't speak negatively about others. (This is about you; stay positive.) 50%</li>
<li>Turn off your cell phone during the interview. 49%</li>
<li>Inform yourself about the company and the opening. 39%</li>
<li>Back up your statements with evidence. Use facts and specific examples. 33%</li>
<li><a href="http://www.career.vt.edu/interviewing/askquestions.html">Ask appropriate questions</a> about the opening. 32%</li>
<li>Limit the amount of personal information revealed; this is about your qualifications, not your personality. 20%</li>
<li>Do not ask the hiring manager personal questions. 17%</li>
</ul>
<p>
The survey also revealed some howler mistakes by interviewees. You should steer clear of these.
<ul>
<li>Answered a phone call about an interview with a competitor.</li>
<li>Pulled out teeth while asking about dental benefits.</li>
<li>Crashed car into building.</li>
<li>Interviewee reported that valium was impairing her presentation.</li>
<li>Acted out a role from <I>Star Trek</I>.</li>
<li>Set fire to interviewer's newspaper.</li>
<li>Kept headphones on during interview.</li>
</ul>
<p>
<h1>Secure Application Deployment in the Cloud</h1>
Published 2014-01-27.
<p>
The cloud provides a great way for a company to push infrastructure costs to an external vendor. But things that are minor for a locally hosted application could become a huge security hole when hosted externally.
<p>
Some key issues to look at when moving an application to the cloud include:
<ul>
<li>Communication channels to services and systems the software relies on.</li>
<li>Communication channels used for necessary communications to clients.</li>
<li>Encryption standards for data at rest.</li>
<li>Logging, log reviews, and monitoring.</li>
<li>Authentication and access control.</li>
<li>Privacy policies.</li>
</ul>
<p>
A lot of the security scrutiny surrounding a cloud migration focuses on the security of the cloud provider's infrastructure itself. This is important, but the weaknesses that the software platform brings along with itself are almost certainly a bigger problem.
<h2>Communication Channel Security</h2>
The key considerations here have to do with the nature of this communication. Certain types of data should not be transmitted unencrypted across an external network. This includes information protected by the privacy policy and relevant regulations, but it may also include information that would tell someone how the application works.
<p>
There is really very little incentive not to encrypt all traffic. There is a performance hit, but the only responsible way to avoid it would be to perform a close analysis of all data that would not be encrypted. Even once that analysis is complete, you can't guarantee that the program won't change in a few months (and that is assuming nothing was missed in the analysis). There are a number of options for forcing encrypted traffic, including built-in capabilities in both Java and .NET to force use of SSL for web interactions.
<p>
Where programs have incorporated hard-coded IP addresses in code, there is some possibility that traffic would be delivered to entirely the wrong place in a hosted environment. This is especially the case for the standard ranges that are commonly used for internal IP addresses.
<p>
But the use of hostnames can also be problematic, since name lookup infrastructure is usually controlled by the outside vendor. (In any case, references to specific names should be contained within configuration files, not in the actual code source.)
<p>
Where possible, client-side SSL certificates can provide an extra layer of security, by providing assurance that the target side of the connection is actually the system that we are trying to contact.
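The recommendations in this section as an added Python example (not the post's own code): endpoint names read from configuration rather than hard-coded, TLS enforced with certificate-chain and hostname verification, and an optional client certificate; the [billing_service] section, its keys and the file paths are hypothetical. Note that it is the server's certificate, verified against your CA bundle and the configured hostname, that assures you the far end is the system you intended to reach; a client certificate proves your application's identity to that service.

```python
"""Open an outbound service connection the way this section recommends:
the endpoint name comes from configuration rather than code, TLS is
mandatory with chain and hostname verification, and a client certificate
is optional.

Added example; not from the original post. The [billing_service] section,
its keys and the file paths are hypothetical.
"""
import configparser
import ipaddress
import socket
import ssl
from urllib.parse import urlsplit

# Constructed configuration; in a real deployment it lives outside the code base
SAMPLE_CONFIG = """\
[billing_service]
url = https://billing.example.internal:8443/api
ca_bundle = /etc/myapp/ca.pem
client_cert = /etc/myapp/client.pem
client_key = /etc/myapp/client.key
"""


class EndpointError(ValueError):
    """Raised when a configured endpoint would violate the transport policy."""


def load_endpoint(config_text, section):
    """Return (host, port, path) for a service; reject plain http and IP literals.
    Rejecting IP literals catches the 'internal 10.x address that means
    something else in the hosting environment' problem described above."""
    cfg = configparser.ConfigParser()
    cfg.read_string(config_text)
    if section not in cfg:
        raise EndpointError(f"no [{section}] section in configuration")
    parts = urlsplit(cfg[section]["url"])
    if parts.scheme != "https":
        raise EndpointError(f"{section}: only https is permitted, got {parts.scheme!r}")
    host = parts.hostname or ""
    try:
        ipaddress.ip_address(host)
    except ValueError:
        pass            # a hostname, which is what we want
    else:
        raise EndpointError(f"{section}: use a hostname, not the IP literal {host}")
    return host, parts.port or 443, parts.path or "/"


def build_tls_context(ca_bundle=None, client_cert=None, client_key=None):
    """Strict client-side TLS: verify the chain and hostname, require TLS 1.2+."""
    ctx = ssl.create_default_context(cafile=ca_bundle)   # None = system trust store
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    if client_cert:
        # Presents this application's identity to the service (optional)
        ctx.load_cert_chain(certfile=client_cert, keyfile=client_key)
    return ctx


def context_is_strict(ctx):
    """True when ctx verifies the peer certificate and hostname and forbids TLS < 1.2."""
    return (ctx.check_hostname
            and ctx.verify_mode == ssl.CERT_REQUIRED
            and ctx.minimum_version >= ssl.TLSVersion.TLSv1_2)


def connect(config_text, section, timeout=10):
    """Return a verified TLS socket to the configured service (needs network access)."""
    host, port, _ = load_endpoint(config_text, section)
    cfg = configparser.ConfigParser()
    cfg.read_string(config_text)
    svc = cfg[section]
    ctx = build_tls_context(svc.get("ca_bundle"), svc.get("client_cert"), svc.get("client_key"))
    raw = socket.create_connection((host, port), timeout=timeout)
    return ctx.wrap_socket(raw, server_hostname=host)   # hostname check happens here


if __name__ == "__main__":
    print(load_endpoint(SAMPLE_CONFIG, "billing_service"))
    print("strict:", context_is_strict(build_tls_context()))
```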
<h2>Data Encryption</h2>
Data at rest can be secured using several technologies, some of which overlap. SQL Server and Oracle both provide Transparent Data Encryption (TDE), and DB2 provides similar functionality. Make sure key sizes are in line with current best-practice recommendations.
<p>
Queries to databases can be encrypted during transmission by specifying SSL as the connection protocol in the JDBC driver or .NET connection.
<p>
Keep in mind that existing hard-coded encryption tokens, keys, etc. may cause problems during application migration to the cloud. And if the same key is re-used in several contexts, the compromise of a single component can result in a broader compromise of the entire application or environment. It is important that encryption keys, tokens, etc. be maintained outside of the code base itself, where they can be changed or updated as needed.
<h2>Logging Considerations</h2>
Logging streams usually do not use connection-oriented protocols. One concern about logging in the cloud is that logging streams are relatively easy to divert or snoop. Debug-level information might be considered an information leak about how the parts of your application communicate, which could provide the information an attacker needs. While we need to allow an adequate level of logging, we may also want to restrict access that would allow too high a level of logging to be enabled.
<p>
At the same time, it is important that logs be maintained and reviewed, just as they should be on an internal network. Given the potentially greater exposure of the data, log review procedures need a careful review as part of any application cloud deployment.
<p>
<h1>Effective System Monitoring</h1>
Published 2014-01-16.
<p>
In order to maintain a reliable IT environment, every enterprise needs to set up an <a href="http://csrc.nist.gov/publications/nistpubs/800-137/SP800-137-Final.pdf">effective monitoring regime</a>.
<p>
A common mistake by new monitoring administrators is to alert on everything. This is an ineffective strategy for several reasons. For starters, it may result in higher telecom charges for passing large numbers of alerts. Passing tons of irrelevant alerts will impact team morale. And, no matter how dedicated your team is, you are guaranteed to reach a state where alerts will start being ignored because "they're all garbage anyway."
<p>
For example, it is common for non-technical managers to want to send alerts to the systems team when system CPU hits 100%. But, from a technical perspective, this is absurd:<br>
<ul>
<li>You are paying for a certain system capacity. Some applications (especially ones with extensive calculations) will use the full capacity of the system. This is a GOOD thing, since it means the calculations will be done sooner.</li>
<li>What is it you are asking the alert recipient to do? Re-start the system? Kill the processes that are keeping the system busy? If there is nothing for the systems staff to do in the immediate term, it should be reported in a summary report, not alerted.</li>
<li>If there is an indication (beyond a busy CPU) that there is a runaway process of some sort, the alert needs to go to the team that would make that determination and take necessary action.</li>
</ul>
<p>
In order to be effective, a monitoring strategy needs to be thought out. You may end up monitoring a lot of things just to establish baselines or to view growth over time. Some things you monitor will need to be checked out right away. It is important to know which is which.
<p>
<b>Historical information</b> should be logged and retained for examination on an as-needed basis. It is wise to set up automated regular reports (distributed via email or web) to keep an eye on historical system trends, but there is no reason to send alerts on this sort of information.
<p>
<b>Availability information</b> should be characterized and handled in an appropriate way, probably through a tiered system of notifications. Depending on the urgency, it may show up on a monitoring console, be rolled up in a daily summary report, or paged out to the on-call person. Some common types of information in this category include:
<ul>
<li><I>"Unusual" log messages.</I> Defining what is "unusual" usually takes some time to tune whatever reporting system is being used. Some common tools include <a href="http://sourceforge.net/projects/logwatch/files/">logwatch</a>, <a href="http://sourceforge.net/projects/swatch/">swatch</a>, and <a href="http://sourceforge.net/projects/logcheck/">logcheck</a>. Even though it takes time, your team will need to customize this list on their own systems.</li>
<li><I>Hardware faults.</I> Depending on the hardware and software involved, the vendor will have provided monitoring hooks to allow you to identify when hardware is failing.</li>
<li><I>Availability failures.</I> This includes things like ping monitoring or other types of connection monitoring that give a warning when a needed resource is no longer available.</li>
<li><I>Danger signs.</I> Typically, this will include anything that your team has identified that indicates that the system is entering a danger zone. This may mean certain types of performance characteristics, or it may mean certain types of system behavior.</li>
</ul>
<h2>Alerting Strategy</h2>
Alerts can come in different shapes, depending on the requirements of the environment. It is very common for alerts to be configured to be sent to a paging queue, which may include escalations beyond a single on-call person.
<p>
(If possible, configure escalations into your alerting system, so that you are not dependent on a single person's cell phone for the availability of your entire enterprise. A typical escalation procedure would be for an unacknowledged alert to be sent up a defined chain of escalation. For example, if the on-call person does not respond in 15 minutes, an alert may go to the entire group. If the alert is not acknowledged 15 minutes after that, the alert may go to the manager.)
<p>
In some environments, alerts are handled by a round-the-clock team that is sometimes called the Network Operations Center (NOC). The NOC will coordinate response to the issue, including an evaluation of the alert and any necessary escalations.
<p>
Before an alert is configured, the monitoring group should first make sure that the alert meets three important criteria. The alert should be:
<ol>
<li><b>Important.</b> If the issue being reported does not have an immediate impact, it should be included in a summary report, not alerted. Prioritize monitoring, alerting, and response by the level of risk to the organization.</li>
<li><b>Urgent.</b> If the issue does not need to have action taken right away, report it as part of a summary report.</li>
<li><b>Actionable.</b> If no action can be taken by the person who receives the alert, it should have been defined to be sent to the right person. (Or perhaps the issue should be reported in a summary report rather than sent through the alerting system.)</li>
</ol>
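The three criteria and the escalation chain above as a routing function, added here as an example (not from the original post); the Event fields, team names and sample events are constructed, and the timings follow the text.

```python
"""Route monitoring events by the three criteria above (important, urgent,
actionable) and walk an unacknowledged page up the escalation chain.

Added example; not from the original post. The Event fields, team names
and sample events are constructed; the timings follow the text (on-call
first, the whole group after 15 minutes, the manager 15 minutes later).
"""
from dataclasses import dataclass
from typing import Optional

PAGE, SUMMARY = "page", "summary_report"
ESCALATION = (("oncall", 0), ("group", 15), ("manager", 30))   # (role, minutes unacked)


@dataclass
class Event:
    source: str
    message: str
    important: bool               # immediate impact on the organization?
    urgent: bool                  # must someone act right now?
    owner_team: Optional[str]     # team that can act, or None if nobody is identified


def route(event):
    """Return (destination, recipient). Only an important, urgent event with
    an identified owner pages anyone; everything else goes to the report."""
    if not event.important:
        return SUMMARY, None
    if not event.urgent:
        return SUMMARY, None
    if event.owner_team is None:
        # Actionable by nobody: fix the routing definition rather than page at random
        return SUMMARY, "needs-owner"
    return PAGE, event.owner_team


def escalation_targets(team, minutes_unacked):
    """Everyone who should have been notified for a page unacknowledged this long."""
    return [f"{team}-{role}" for role, after in ESCALATION if minutes_unacked >= after]


def triage(events):
    """Group a batch of events by destination, the way a NOC console or a
    daily report generator would consume them."""
    buckets = {PAGE: [], SUMMARY: []}
    for ev in events:
        dest, recipient = route(ev)
        buckets[dest].append((ev.source, ev.message, recipient))
    return buckets


# Constructed sample events, including the busy-CPU case from the text
SAMPLE_EVENTS = [
    Event("calc-07", "CPU at 100% for 45 min", important=False, urgent=False, owner_team="systems"),
    Event("db-01", "data volume 99% full, writes failing", important=True, urgent=True, owner_team="dba"),
    Event("web-03", "TLS certificate expires in 20 days", important=True, urgent=False, owner_team="web"),
    Event("san-02", "disk 14 predictive failure reported", important=True, urgent=True, owner_team=None),
]

if __name__ == "__main__":
    for dest, items in triage(SAMPLE_EVENTS).items():
        print(dest, items)
    print(escalation_targets("dba", 16))
```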
<p>
<h1>Courage in a Corporate Setting</h1>
Published 2014-01-14.
<p>
Sometimes leaders need to leave their comfortable "safe zones" in order to be effective. The reality is that the bulk of our jobs can be done by almost anyone. Most decisions we make are of the "no brainer" variety, especially as we become more experienced and comfortable in our role as leaders. But there are a few decisions that we need to make where we really earn the money and privileges that come with a management role.
<p>
When we voluntarily step outside of our comfort zone to do what we know to be right, we demonstrate the courage that distinguishes between someone who is a leader and someone who is merely a boss.
<p>
Battlefield analogies are very common when we speak about courage. <a href="http://iveybusinessjournal.com/topics/leadership/courage-in-leadership-from-the-battlefield-to-the-boardroom#.UtVBkst3ut4">An article by Peter Voyer in Ivey Business Journal</a> suggests some important leadership traits that translate from the battlefield to a corporate setting:<br>
<ul>
<li>Don't ask subordinates to do something you would not do. Not only should you be willing to work alongside your team, you should be seen as someone who engages in the task at hand. (Of course, the way you engage the project will be somewhat different than the tasks you would assign a junior team member, but nobody on your team should feel like you are unwilling to dirty your hands to make the project succeed.)</li>
<li>Demonstrate moral fiber. You can lose years of built-up moral capital in a split second with a morally dubious decision.</li>
<li>React quickly, decisively, and fairly when presented with a moral question.</li>
<li>Maintain dignity and respect within and between groups.</li>
</ul>
<p>
I recently saw an <a href="http://www.theregister.co.uk/2014/01/13/oracle_sued_over_pay_discrimination/">article about a manager</a> who was allegedly fired because he stood up for an Indian employee's right to earn the same salary as American employees with a similar job. This is the sort of courage we need if we want to be leaders and not merely bosses. Who do you want to see when you look in the mirror in the morning?
<p>
Great leaders earn the loyalty of the people who work with them. They earn loyalty by demonstrating loyalty. This doesn't mean that you cover for one of your subordinates who does something wrong; it does not help someone's development to infantilize them. But make sure that the consequences are fair and are implemented with the long-term development of your employee in mind. This may mean that you stand up for someone who has made a mistake and demand fair treatment for that person. Yes, this is uncomfortable, but it is part of how you become the manager you want to be.
<p>
Make sure you stay informed of your team's progress towards goals, and work with them to overcome obstacles. This does not mean that you do your team's work for them; it means that you provide a sounding board. Sometimes a problem is escalated to you if it is something that requires a manager's approval or advice; make sure that you do what you need to do promptly, then return the task to its rightful owner.
<p>
Maintain your integrity. Make the best decisions you can, and abide by the results of those decisions. Don't pass the blame. Instead, identify how to fix the situation and propose solutions.
<p>
Demonstrate courage by making the right decisions, even when they are hard. Anybody can be a great boss when the going is easy. Being a great leader comes from doing the right things even when they are not easy.
<p>
ScottCromarhttp://www.blogger.com/profile/02344384388503793470noreply@blogger.com0tag:blogger.com,1999:blog-4646249136645423867.post-69030038379590994702014-01-13T17:30:00.000-05:002014-01-13T17:30:00.796-05:00The Promise and Peril of Self-Driving Cars
The <a href="http://bngumassd.org/neatstuff/selfdrive%20cars.pdf">research by Google</a> and <a href="http://www.bbc.co.uk/news/technology-25653253">others</a> into <a href="http://ieeexplore.ieee.org/xpl/login.jsp?tp=&arnumber=4475861&url=http%3A%2F%2Fieeexplore.ieee.org%2Fxpls%2Fabs_all.jsp%3Farnumber%3D4475861">self-driving cars</a> has been intriguing. <a href="http://www.sixwise.com/newsletters/05/07/20/the-6-most-common-causes-of-automobile-crashes.htm">The vast majority of traffic accidents are the fault of drivers</a>, and being able to eliminate human error would be a huge win for traffic safety.
<p>
But if computers are driving cars, we have to take a serious look at information security in the context of a self-driving automobile. Unfortunately, most current automation <a href="http://arstechnica.com/security/2013/07/disabling-a-cars-brakes-and-speed-by-hacking-its-computers-a-new-how-to/">does not have adequate safeguards</a> to protect from malicious inputs.
<p>
In particular, components do not check or validate that commands are being issued from an appropriate source. Security <a href="http://www.today.com/video/today/52609500#52609500">researchers have demonstrated</a> that they are able to issue commands to a Prius to control steering, braking, acceleration, and dashboard displays. They were also able to disable an Escape's brakes at slow speed.
<p>
Ford and Toyota both point out that the researchers were connecting directly to the car's CAN (Controller Area Network) bus, which limits the impact of some of their demonstrations. But keep in mind that <a href="http://www.autosec.org/faq.html">wireless interfaces on on-board systems</a>, such as the Bluetooth controller on a sound system or the telematics unit for a satellite roadside assistance service, may provide an entry point into the automobile. Anywhere a wireless connection allows access to a component connected to the CAN bus is a possible entry point for malicious code.
<p>
The sorts of security measures we use for other network-connected items would still work inside a car. Provide air gaps, or at least gateway-enforced segmentation, between components that don't need to be connected: an infotainment head unit has no business talking to the brake controller. And provide for validation and authentication of commands from components that do need to be connected, so that a component cannot simply be told what to do by anything else that happens to share its bus.
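<p>
The second of those measures, authenticating commands between components, can be illustrated with a small model. The code below is an example added for this post, not code from any of the researchers or manufacturers mentioned above. It follows the general shape of the AUTOSAR SecOC approach: each transmitting ECU appends a freshness counter and a truncated message authentication code (MAC) to its payload, and the receiving ECU rejects anything that is not both fresh and correctly authenticated. The CAN ID, payload, key, and the counter and MAC lengths are all assumptions chosen for the example.

```python
import hashlib
import hmac
import struct

# Shared symmetric key provisioned to the ECUs on this bus. Placeholder value for
# the example; a real vehicle would use per-ECU keys from a key-management process.
KEY = bytes.fromhex("000102030405060708090a0b0c0d0e0f")
MAC_LEN = 3                      # MAC bytes carried on the wire (truncated; assumption)
CTR_LEN = 1                      # freshness-counter bytes carried on the wire (assumption)
CTR_WINDOW = 1 << (8 * CTR_LEN)  # how far the truncated counter runs before wrapping


def _tag(can_id, counter, payload):
    """Truncated HMAC over (CAN ID, full counter, payload). Binding the ID means a
    valid frame cannot be replayed under a different, more dangerous ID."""
    msg = struct.pack(">HI", can_id, counter) + payload
    return hmac.new(KEY, msg, hashlib.sha256).digest()[:MAC_LEN]


class Sender:
    """Transmitting ECU: appends a truncated counter and MAC to every payload."""
    def __init__(self):
        self.counter = 0

    def build_frame(self, can_id, payload):
        self.counter += 1
        ctr = (self.counter & (CTR_WINDOW - 1)).to_bytes(CTR_LEN, "big")
        return (can_id, payload + ctr + _tag(can_id, self.counter, payload))


class Receiver:
    """Receiving ECU: accepts a frame only if it is fresh and its MAC verifies."""
    def __init__(self):
        self.last = {}   # highest counter accepted so far, per CAN ID

    def verify(self, frame):
        can_id, data = frame
        if len(data) < CTR_LEN + MAC_LEN + 1:
            return None                                   # too short to carry a MAC
        payload = data[:-(CTR_LEN + MAC_LEN)]
        ctr = int.from_bytes(data[-(CTR_LEN + MAC_LEN):-MAC_LEN], "big")
        tag = data[-MAC_LEN:]
        last = self.last.get(can_id, 0)
        # Rebuild the full counter from its low bits. A value that is not strictly
        # newer than the last accepted one is read as a wrap, so a replayed frame
        # gets checked against a different full counter and fails the MAC.
        full = (last & ~(CTR_WINDOW - 1)) | ctr
        if full <= last:
            full += CTR_WINDOW
        if not hmac.compare_digest(tag, _tag(can_id, full, payload)):
            return None                                   # forged, tampered, or replayed
        self.last[can_id] = full
        return payload


def demo():
    """Constructed scenario: one legitimate frame, then three attacks built from it."""
    tx, rx = Sender(), Receiver()
    frame = tx.build_frame(0x0C4, b"\x01\x2C")           # hypothetical ID and payload
    accepted = rx.verify(frame)                           # payload comes back
    replayed = rx.verify(frame)                           # None: counter is not newer
    can_id, data = frame
    tampered = rx.verify((can_id, b"\x7F" + data[1:]))    # None: MAC no longer matches
    injected = rx.verify((can_id, b"\xFF" * 8))           # None: no valid MAC at all
    return accepted, replayed, tampered, injected


def counter_wrap_survives(n=600):
    """The one-byte counter wraps every 256 frames; a long run must still be accepted."""
    tx, rx = Sender(), Receiver()
    return all(rx.verify(tx.build_frame(0x100, b"\x00")) is not None for _ in range(n))
```

<p>
Three caveats a practitioner would raise. Classic CAN frames carry only 8 bytes of data, so real deployments either move to CAN FD or spend fewer bytes on counter and MAC than shown here. If more than 256 frames are lost in a row, the one-byte counter desynchronizes and a resynchronization message is needed. And every ECU needs its own provisioned key, which makes key management the hard part of the design. Authentication also complements segmentation rather than replacing it: a head unit that cannot reach the brake bus at all is better than one whose forged frames are merely rejected.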
<p>
I remember discussions about PC security in the early days of the Internet, when most computer viruses were still spread by injudicious insertion of floppy disks. Way back when, we were told that PCs didn't need to have security programmed in from the ground up. I'm hoping we learn from the history of those poor decisions. A Blue Screen of Death is one thing, but a traffic fatality is another.
<p>
ScottCromarhttp://www.blogger.com/profile/02344384388503793470noreply@blogger.com0tag:blogger.com,1999:blog-4646249136645423867.post-49835385058856221482013-06-24T04:00:00.000-04:002013-06-24T04:00:11.149-04:00The Risk from Insiders
There has been a lot of coverage of the <a href="http://livewire.talkingpointsmemo.com/entry/nsa-chief-says-nsa-has-1-000-system">role of a system administrator</a> in the recent release of information about the National Security Agency's intelligence gathering methods. Regardless of what you think about the methods that were revealed, information <a href="http://www.zdnet.com/insider-threats-evolving-still-main-risk-7000003491/">security professionals need to take a hard look</a> at the sorts of <a href="http://www.sei.cmu.edu/reports/06tn041.pdf">exposures that exist</a> due to organizational insiders.
<p>
Snowden, a system administrator, is just the most recent high-profile insider to betray his employer's trust. His removal of documents <a href="http://www.wired.com/threatlevel/2013/06/snowden-thumb-drive/">on a thumb drive</a> was viewed as unsuspicious precisely because of his job function.
<p>
As long as we have an IT infrastructure, the people who manage it will be in a privileged position. IT professionals recognize the risk; four of five professionals in a <a href="http://www.algosec.com/resources/files/Specials/Survey%20files/120404_Survey%20Report.pdf">recent survey</a> list insiders as the greatest source of risk to the environment.
<p>
The same methods that are used elsewhere in the security landscape will help to control and mitigate the risk from insiders. At a high level, there are three steps that need to be taken:<br>
<ol>
<li><b>Data Classification:</b> Identify the types of data in your environment, and what the confidentiality, integrity and availability requirements are for each type of data. <a href="http://csrc.nist.gov/publications/nistpubs/800-60-rev1/SP800-60_Vol1-Rev1.pdf">NIST 800-60</a> can provide some guidance here.</li>
<li><b>Establish Control Standards:</b> For the different types of data, we need to describe the measures that are taken to protect the data.</li>
<li><b>Audit:</b> The controls need to be evaluated for effectiveness, and the organization's compliance with the controls must be verified on a regular basis.</li>
</ol>
<p>
<h3>Controls</h3>
There are several publicly available documents outlining control best practices and standards. Here are a few:<br>
<ul>
<li><a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">NIST 800-53</a></li>
<li><a href="https://www.pcisecuritystandards.org/security_standards/documents.php">PCI Security Standards</a></li>
</ul>
<p>
Some <a href="http://www.sei.cmu.edu/reports/12tr012.pdf">common controls</a> include:<br>
<ul>
<li><b>Physical access controls:</b> Things like security guards, mantraps, proximity card systems, and combination locks on doors control physical access to sensitive areas and systems.</li>
<li><b>Logical access controls:</b> In general, people should only have the level of access required for their jobs. Access controls should be as granular as possible, and high-level access should require extra levels of approval and scrutiny. Two-factor authentication should be in place for access to sensitive facilities.</li>
<li><b>Personnel management:</b> Some common measures include criminal background checks, periodic security awareness training, contractual attestations, and organizational communications.</li>
<li><b>Separation of duties:</b> Where possible, access should be limited to particular functions, and functions should be defined to limit access to sensitive data. In general, developers should not have access to production, system administrators don't need database access, application administrators don't need system-level access, and only the people who manage the hardware and network need physical access to the systems.</li>
<li><b>Network security:</b> The network should be segmented appropriately, and firewall rules should be in place to restrict traffic between different security zones.</li>
<li><b>Workstations and laptops:</b> Hard drives should have robust encryption and strong password policies should be in place. The types of data that are permitted for local storage should be established and monitored. The ability of end users to install applications needs to be restricted. Patches, anti-virus updates, and security workarounds need to be applied regularly.</li>
<li><b>Backups and continuity:</b> Data needs to be protected by a combination of archival backups, long-distance replication, and local disk mirroring/RAID-ing.</li>
<li><b>Logging and auditing:</b> Logs need to be collected to measure the effectiveness of these controls, and the logs need to be reviewed on a regular basis.</li>
</ul>
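<p>
Separation of duties is the control on that list that is easiest to state and hardest to keep true as people change roles. The code below is an example added for this post, not taken from any of the documents linked above. It treats the conflicting combinations named above (developer plus production, system administrator plus database, application administrator plus system-level access, physical access without a hardware or network role) as data, and applies them in two ways: a detective check over a full export of role assignments, and a preventive check that runs before a new role is granted. The role labels and the user assignments are constructed for the example.

```python
# Toxic role combinations, mirroring the separation-of-duties guidance in the post.
# The role labels are hypothetical; map them to whatever your directory or IAM uses.
CONFLICTING_ROLE_PAIRS = {
    frozenset({"developer", "production_access"}),
    frozenset({"system_admin", "database_access"}),
    frozenset({"application_admin", "system_access"}),
}
# Only these roles justify holding physical access to the systems (assumption).
PHYSICAL_ACCESS_JUSTIFIED_BY = {"hardware_admin", "network_admin"}
PHYSICAL_ACCESS_ROLE = "physical_access"


def violations(assignments, conflicts=CONFLICTING_ROLE_PAIRS):
    """Detective control: for each user, the sorted list of toxic combinations they hold.
    `assignments` maps user -> set of role names, as exported from the access system."""
    found = {}
    for user, roles in assignments.items():
        hits = sorted(tuple(sorted(pair)) for pair in conflicts if pair <= roles)
        if PHYSICAL_ACCESS_ROLE in roles and not (roles & PHYSICAL_ACCESS_JUSTIFIED_BY):
            hits.append((PHYSICAL_ACCESS_ROLE, "no justifying role"))
        if hits:
            found[user] = hits
    return found


def would_conflict(current_roles, new_role, conflicts=CONFLICTING_ROLE_PAIRS):
    """Preventive control: roles the user already holds that clash with the request.
    An empty list means the grant can proceed without an exception approval."""
    return sorted(role
                  for pair in conflicts if new_role in pair
                  for role in pair - {new_role} if role in current_roles)


# Constructed role assignments for the example.
ASSIGNMENTS = {
    "alice": {"developer", "production_access"},
    "bob":   {"system_admin"},
    "carol": {"application_admin", "system_access", "physical_access"},
    "dave":  {"network_admin", "physical_access"},
}


def audit_report():
    """Run the detective check over the sample export."""
    return violations(ASSIGNMENTS)
```

<p>
In practice the detective check runs against a periodic export from the directory or IAM system as part of the audit step, and the preventive check sits in the access-request workflow so that a conflicting grant needs an explicit, recorded exception rather than slipping through. Both checks are only as good as the conflict table, which should be reviewed whenever roles are added or redefined.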
<p>
Some controls should get <a href="http://www.gideonrasmussen.com/article-13.html">particular attention</a> as directly addressing the issue of <a href="http://www.raytheon.com/capabilities/rtnwcm/groups/iis/documents/content/rtn_iiswhitepaper-insiderrisk.pdf">insider-led breaches</a>.
<p>
It is bad enough that the <a href="http://www.oig.dhs.gov/assets/Mgmt/2013/OIG_13-95_Jun13.pdf">security training level</a> of such government employees is not monitored by the DHS. (Most parts of the private sector also don't track administrator security training, for that matter). Beyond carelessness or incompetence, employers need to consider the <a href="http://www.techrepublic.com/blog/security/manage-insider-threats-knowing-where-the-risks-are/9077 ">direct risks</a> posed by their most <a href="http://www.cs.ucdavis.edu/~peisert/research/insiderthreat-chapter-final-prepress.pdf">trusted employees</a>.
<p>
ScottCromarhttp://www.blogger.com/profile/02344384388503793470noreply@blogger.com1tag:blogger.com,1999:blog-4646249136645423867.post-29167048355993019742013-06-20T04:00:00.000-04:002013-06-20T04:00:04.601-04:00Using Email Effectively
Email is mis-used and over-used in most organizations that I have worked in. Some organizations are going so far as to ban email in the workplace. That would be unwise; email is over-used precisely because it is such a useful tool that can be adapted to almost any purpose.
<p>
The trick is to use your email effectively and efficiently. Your team's effectiveness will increase if you can create a culture where email is used appropriately.
<p>
<h3>Email rules of thumb</h3>
<ul>
<li>Any email you write should be concise and to the point. Don't use two sentences where one will do. </li>
<li>Use proper grammar, capitalization, and spelling. Errors are distractions from the purpose of the email.</li>
<li>Make sure that the email's subject line is brief, but relevant to the discussion.</li>
<li>If you are requesting action (such as a reply), be specific about what you need, what form you need it in, and when you need it. Email is strongest when it can be used to dispose of an issue efficiently, in one exchange.</li>
<li>Be courteous, even formal. Email and humor don't go together.</li>
<li>Use the bcc field if the recipients should not necessarily have each others' email addresses.</li>
<li>Use web links rather than large file attachments.</li>
</ul>
<p>
<h3>Email's strengths</h3>
Email has some strengths as a tool:<br>
<ul>
<li><b>It is asynchronous.</b> You can write the email when you have time, and the recipient can read it as he or she has time.</li>
<li><b>It is fast.</b> Email is delivered almost instantaneously. (That is why it has almost completely replaced the old-fashioned snailmail letter.)</li>
<li><b>It can be directed to a specific audience.</b> The sender can define who will receive the email. (Keep in mind that it may be forwarded by those recipients!)</li>
<li><b>It can be used to reference other information.</b> The email itself may act as a summary or notification about other information that may be attached as a separate document, or that may be referenced as a web link in the body of the email.</li>
</ul>
<p>
<h3>Email's weaknesses</h3>
But email also has its weaknesses:<br>
<ul>
<li><b>It may not be read immediately.</b> The recipient may not read or even see the email right away. Unlike a phone call or in-person communication, you may not know that the recipient has received the message right away.</li>
<li><b>It cannot carry feeling.</b> Even if you attach cute emoticons to your message, there is no good way to convey emotional context the way that body language or tone of voice is able to do.</li>
<li><b>Communication can drag on.</b> If the email goes through a couple of rounds of replies, one recipient or the other may not read or reply to the message right away, lengthening out the conversation.</li>
</ul>
<p>
<h3>When to use email</h3>
With these characteristics in mind, it is important to use email in a way that leverages its strengths and avoids its weaknesses. Email should only be a part of your communications plan.
<p>
Some topics are well-suited for email. These include:<br>
<ul>
<li><b>Pointers to documentation or resources.</b> The written record of an email allows people to reference the resources later. This sort of communication is best used with links to the resources rather than attachments, since it is nearly impossible to keep everyone up to date with the latest version of a document.</li>
<li><b>Discussions of strategy or architecture.</b> The asynchronous nature of email may be an advantage, as each participant is able to think things through before responding. The written record of an email trail can also be useful to trace the evolution of an idea or reference concerns that were raised in the conversation.</li>
<li><b>Updates about the organization.</b> Email provides a way to communicate to multiple recipients at the same time, and allows people to digest changes before responding to them.</li>
<li><b>News updates.</b> These can be read at a time convenient for the recipient.</li>
</ul>
<h3>When not to use email</h3>
<p>
Conversely, some types of communications should not be handled by email:<br>
<ul>
<li><b>Discussions about expectations.</b> Unless you are trying to create a written record as part of a disciplinary process, this will come across as cold. People want to be able to ask clarifying questions in the moment and get immediate feedback. Use a phone or an in-person conversation.</li>
<li><b>Personal matters.</b> These are best addressed in an environment where the emotional context of the conversation can be communicated clearly.</li>
<li><b>Bad news.</b> People perceive email delivery of bad news as being cowardly. Schedule a meeting or conference call, or set up an in-person conversation with the affected people.</li>
<li><b>Instruction.</b> If you are communicating something complex, like instructions for a complicated task, do so in a way that allows for immediate questions and feedback.</li>
</ul>
<p>
ScottCromarhttp://www.blogger.com/profile/02344384388503793470noreply@blogger.com0tag:blogger.com,1999:blog-4646249136645423867.post-87013835123820088742013-06-19T04:00:00.000-04:002013-06-19T04:00:05.765-04:00The Price of Insecurity
A <a href="http://www.sans.org/security-trends/2013/05/30/analyzing-the-cost-of-a-hipaa-related-breach-through-the-lens-of-the-critical-security-controls">recent article on the SANS web site</a> investigated the costs associated with a security breach at Idaho State University.
<p>
John Pescatore reports that a breach at ISU's Pocatello Family Medicine Clinic is likely to cost the university $1 million over a 2-year period.
<p>
By comparison, implementing best practices in the infrastructure would likely have defeated the attack, and would have cost around $75k. Even an aggressive security posture is estimated by Pescatore to have cost about $500k total.
<p>
Many organizations look at the costs of security breaches, but few consider the TCO related to avoiding a major breach.
<p>
ScottCromarhttp://www.blogger.com/profile/02344384388503793470noreply@blogger.com0tag:blogger.com,1999:blog-4646249136645423867.post-17741859743946336792013-06-12T23:25:00.000-04:002013-06-12T23:26:23.942-04:00Recovery Strategies
Besides cost, the key business continuity drivers for a recovery solution are the Recovery Point Objective and the Recovery Time Objective.
<h3>Recovery Point Objective</h3>
The Recovery Point Objective (RPO) is the point in time to which data must be recoverable after a disaster. Another way to
think of this is that the RPO specifies the maximum allowable delay between a data commit on the production side and the
replication of that data to the recovery site.
<p>
It is probably easiest to think of RPO in terms of the amount of allowable data loss. The RPO is frequently
expressed as a span of time measured back from the moment replication stopped, as in “less than 5 minutes of data loss.”
<h3>Recovery Time Objective</h3>
The second major business driver is the Recovery Time Objective (RTO). This is the amount of time it will take us
to recover from a disaster. Depending on the context, this may refer only to the technical steps required to bring up
services on the recovery system. Usually, however, it refers to the amount of time that the service will be
unavailable, including time to discover that an outage has occurred, the time required to decide to fail over, the time
to get staff in place to perform the recovery, and then the amount of time to bring up services at the recovery site.
<p>
The costs associated with different RPO and RTO values will be determined by the type of application and its
business purpose. Some applications may be able to tolerate unplanned outages of up to days without incurring
substantial costs. Other applications may cause significant business-side problems with even minor amounts of
unscheduled downtime.
<p>
Different applications and environments have different tolerances for RPO and RTO. Some applications might be
able to tolerate a potential data loss of days or even weeks; some may not be able to tolerate any data loss at all.
Some applications can remain unavailable long enough for us to purchase a new system and restore from tape; some
cannot.
<h3>Recovery Strategies</h3>
There are several different strategies for recovering an application. Choosing a strategy will almost always involve
an investment in hardware, software, and implementation time. If a strategy is chosen that does not support the
business RPO and RTO requirements, an expensive re-tooling may be necessary.
<p>
Many types of replication solutions can be implemented at a server, disk storage, or storage network level. Each has
unique advantages and disadvantages. Server replication tends to be cheapest, but also involves using server cycles
to manage the replication. Storage network replication is extremely flexible, but can be more difficult to configure.
Disk storage replication tends to be rock solid, but is usually limited in terms of supported hardware for the
replication target.
<p>
Regardless where we choose to implement our data replication solution, we will still face a lot of the same issues.
One issue that needs to be addressed is re-silvering: bringing a replica back into sync after it has been partitioned from
its source for some amount of time. Ideally, only the sections of the disks that changed during the partition will need to
be re-replicated. Some less sophisticated solutions require a re-silvering of the entire storage area, which can take a
long time and soak up a lot of bandwidth. Re-silvering behavior is an issue that needs to be investigated during the
product evaluation.
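<p>
The difference between the two kinds of re-silvering is easier to see with a small model. The code below is an example added
for this post, not the implementation of any replication product. It shows both ways a replica can find out what it is
missing: a scan that hashes every block on both sides (what a less sophisticated product effectively does), and a dirty-block
bitmap kept on the primary while the replica is partitioned, so that the resync copies only the touched blocks without
reading the whole device. Block size, volume size and the writes performed during the partition are assumptions chosen for
the example.

```python
import hashlib

BLOCK = 4096  # change-tracking granularity in bytes (assumption)


def block_digests(image, block=BLOCK):
    """SHA-256 of every block: the scan-based way to discover what differs."""
    return [hashlib.sha256(image[i:i + block]).digest() for i in range(0, len(image), block)]


def changed_blocks(primary, replica, block=BLOCK):
    """Block indices a delta resync must copy: blocks that differ, plus any beyond the
    replica's end. Costs a full read of both sides, which is what makes it slow."""
    p, r = block_digests(primary, block), block_digests(replica, block)
    return [i for i in range(len(p)) if i >= len(r) or p[i] != r[i]]


class TrackedVolume:
    """Primary volume that records which blocks were written while the replica was
    partitioned, so the resync knows what to send without scanning the device."""
    def __init__(self, data, block=BLOCK):
        self.data, self.block, self.dirty = bytearray(data), block, set()

    def write(self, offset, buf):
        self.data[offset:offset + len(buf)] = buf
        first, last = offset // self.block, (offset + len(buf) - 1) // self.block
        self.dirty.update(range(first, last + 1))   # a write may straddle blocks


def resilver(primary, replica, dirty, block=BLOCK):
    """Copy only the dirty blocks onto the stale replica.
    Returns (updated replica, bytes actually transferred)."""
    out = bytearray(replica[:len(primary)].ljust(len(primary), b"\0"))
    copied = 0
    for i in sorted(dirty):
        chunk = primary[i * block:(i + 1) * block]
        out[i * block:i * block + len(chunk)] = chunk
        copied += len(chunk)
    return bytes(out), copied


def demo():
    """Constructed scenario: an 8-block volume in sync, then a partition during which
    three blocks are touched. Returns what each method found and what the resync cost."""
    base = bytes(range(256)) * (8 * BLOCK // 256)     # 32 KiB of patterned data
    replica = base                                     # in sync before the partition
    vol = TrackedVolume(base)
    vol.write(BLOCK, b"\xff" * 10)                     # small write inside block 1
    vol.write(3 * BLOCK - 100, b"\x00" * 500)          # write straddling blocks 2 and 3
    primary = bytes(vol.data)
    scanned = changed_blocks(primary, replica)         # found by hashing everything
    synced, copied = resilver(primary, replica, vol.dirty)
    full_copy = len(primary)                           # what a whole-volume resync moves
    return scanned, sorted(vol.dirty), copied, full_copy, synced == primary
```

<p>
Both methods arrive at the same three blocks, but the bitmap gets there without reading 32 KiB on each side, and the gap only
widens on a multi-terabyte volume. The question to put to a vendor during evaluation is therefore not just "do you resync
only the changes" but "how do you know what changed": a product that answers by scanning still has to read the entire
volume, even if it then transfers only the delta.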
<h3>Continuity Planning</h3>
Continuity planning should be done during the initial architecture and design phases for each service. If the service
is not designed to accommodate a natural recovery, it will be expensive and difficult to retrofit a recovery
mechanism.
<p>
The type of recovery that is appropriate for each service will depend on the importance of the service and what the
tolerance for downtime is for that service.
<p>
There are five generally-recognized approaches to recovery architecture:<br>
<ul>
<li>Server Replacement: Some services are run on standard server images with very little local customization.
Such servers may most easily be recovered by replacing them with standard hardware and standard server
images.</li>
<li>Backup and Restore: Where there is a fair amount of tolerance for downtime on a service, it may be
acceptable to rely on hardware replacement combined with restores from backups.</li>
<li>Shared Nothing Failover: Some services are largely data-independent and do not require frequent data
replication. In such cases, it might make sense to have an appropriately configured replacement at a recovery
site. (One example may be an application server that pulls its data from a database. Aside from copying
configuration changes, replication of the main server may not be necessary.)</li>
<li>Replication and Failover: Several different replication technologies exist, each with different strengths and
weaknesses. Array-based, SAN-based, file system-based or file-based technologies allow replication of data on
a targeted basis. Synchronous replication techniques prevent data loss at the cost of performance and
geographic dispersion. Asynchronous replication techniques permit relatively small amounts of data loss in
order to preserve performance or allow replication across large distances. Failover techniques range from nearly
instantaneous automated solutions to administrator-invoked scripts to involved manual checklists.</li>
<li>Live Active-Active Stretch Clusters: Some services can be provided by active servers in multiple locations,
where failover happens by client configurations. Some examples include DNS services (failover by resolv.conf
lists), SMTP gateway servers (failover by MX record), web servers (failover by DNS load balancing), and some
market data services (failover by client configuration). Such services should almost never be down. (Stretch
clusters are clusters where the members are located at geographically dispersed locations.)</li>
</ul>
Which of these recovery approaches is appropriate to a given situation will depend on the cost of downtime on the
service, as well as the particular characteristics of the service's architecture.
<h3>Causes of Recovery Failure</h3>
<a href="http://www.e-janco.com/Articles/201209-top-10-recovery-failure-causes.html">Janco released a study</a> outlining the most frequent causes of a recovery failure:<br>
<ul>
<li><b>Failure of the backup or replication solution.</b> If a copy of the data is not available, we will not be able to recover.</li>
<li><b>Unidentified failure modes.</b> The recovery plan does not cover a type of failure.</li>
<li><b>Failure to train staff in recovery procedure.</b> If people don't know how to carry out the plan, the work is wasted.</li>
<li><b>Lack of a communication plan.</b> How do you communicate when your usual infrastructure is not available?</li>
<li><b>Insufficient backup power.</b> Do you have enough capacity? How long will it run?</li>
<li><b>Failure to prioritize.</b> What needs to be restored first? If you don't lay that out in advance, you will waste valuable time on recovering less critical services.</li>
<li><b>Unavailable disaster documentation.</b> If your documentation is only available on the systems that have failed, you are stuck. Keep physical copies available in recovery locations.</li>
<li><b>Inadequate testing.</b> Tests reveal weaknesses in the plan and also train staff to deal with a recovery situation in a timely way.</li>
<li><b>Unavailable passwords or access.</b> If the recovery team does not have the permissions necessary to carry out the recovery, it will fail.</li>
<li><b>Plan is out of date.</b> If the plan is not updated to reflect changes in the environment, the recovery will not succeed.</li>
</ul>
<h3>Recovery Business Practices</h3>
<a href="http://blog.e-janco.com/2013/03/29/10-commandments-of-disaster-recovery-and-business-continuity/">Janco also suggested several key business practices</a> to improve the likelihood that you will survive a recovery:<br>
<ul>
<li>Eliminate single points of failure.</li>
<li>Regularly update staff contact information, including assigned responsibilities.</li>
<li>Stay abreast of current events, such as weather and other emergency situations.</li>
<li>Plan for the worst case.</li>
<li>Document your plans and keep updated copies available in well-known, available locations.</li>
<li>Script what you can, and test your scripts.</li>
<li>Define priorities and thresholds.</li>
<li>Perform regular tests and make sure you can meet your RTO and RPO requirements.</li>
</ul>
<p>
ScottCromarhttp://www.blogger.com/profile/02344384388503793470noreply@blogger.com1tag:blogger.com,1999:blog-4646249136645423867.post-74410002940777076012013-06-11T21:03:00.001-04:002013-06-11T21:04:59.586-04:00Insourcing Picks Up Steam
I recently read an <a href="http://www.paceharmon.com/images/stories/white-papers/ph_advisory_29may13.pdf">interesting report on insourcing by Pace Harmon</a>. We have previously discussed some of the elements that should go into a decision whether or not <a href="http://fromtechietoboss.blogspot.com/2013/05/using-contractors-intelligently.html">to outsource</a> or to <a href="http://fromtechietoboss.blogspot.com/2013/03/advantages-and-disadvantages-of.html">offshore.</a> Some major companies such as GM are re-insourcing operations that had previously been outsourced offshore.
<p>
Outsourcing typically works best with commodity IT activities. If complex activities are outsourced over the long run, an organization runs the risk of losing the insight and expertise needed to leverage new opportunities as the technology landscape evolves.
<p>
Pace Harmon reports several factors that are driving the insourcing trend:<br>
<ul>
<li>Wage inflation in India and other prime offshoring locations has eroded the wage differential between onshore and offshore talent.</li>
<li>Management costs associated with maintaining an offshore or outsourced relationship. Tracking and resolving quality issues can be especially expensive.</li>
<li>Lack of provider agility and flexibility. When you purchase an offering from another company, you are limited to either purchasing their standard offering or paying a premium for premium service.</li>
</ul>
<p>
Organizations that are considering insourcing need to keep several factors in mind:
<ul>
<li>Make sure that you have accounted for all of the costs of the re-insourcing operation. This will include direct costs, such as staffing costs and termination penalties, as well as indirect costs such as reduced stability during the migration.</li>
<li>Does your outsourcing contract specify that the vendor is required to provide you assistance with the insourcing, including training and process documentation? If not, find out what it will cost to get that assistance from your vendor.</li>
<li>Is your organization up to handling the level of complexity that your environment demands?</li>
<li>Will you be able to attract and retain the right staff? You may be able to re-badge some of your vendor's staff, but would you be able to retain them?</li>
<li>Are your organization's processes mature enough to be able to manage your team's technical responsibilities properly? If your organization does not have the maturity to collect requirements and track progress properly, you may not be ready for this transition.</li>
</ul>
<p>
ScottCromarhttp://www.blogger.com/profile/02344384388503793470noreply@blogger.com0tag:blogger.com,1999:blog-4646249136645423867.post-68286123546978931642013-06-07T18:38:00.000-04:002013-06-07T18:42:01.973-04:00
Book Signing
Thanks to everyone who came to the book signing last night. I look forward to doing more events going forward!
<p>
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgHmFqM0gfupNuvKOCBzjxDm4aiH84HJOMyuSlMi8fNzUVJP6iPyLNrqaTrLjcEBw9aRrAGJlBoencLGk3CinVOTs0Rt5Ni88O30sth58M8p4jEUeP_p087r8Viq_qgu1divRVwYBOUS9E/s1600/IMG_0860.JPG" imageanchor="1" ><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgHmFqM0gfupNuvKOCBzjxDm4aiH84HJOMyuSlMi8fNzUVJP6iPyLNrqaTrLjcEBw9aRrAGJlBoencLGk3CinVOTs0Rt5Ni88O30sth58M8p4jEUeP_p087r8Viq_qgu1divRVwYBOUS9E/s320/IMG_0860.JPG" /></a>
ScottCromarhttp://www.blogger.com/profile/02344384388503793470noreply@blogger.com0tag:blogger.com,1999:blog-4646249136645423867.post-59782944015713765972013-05-27T04:00:00.000-04:002013-05-27T04:00:06.510-04:00
When Does Third Party Support Make Sense?
The sales pitch by third-party support vendors is compelling. The up-front cost savings are enough to make anyone pay attention. But <a href="http://www.baselinemag.com/it-services/third-party-software-support-pros-and-cons/">can they deliver?</a>
<p>
In some ways, the answer has to be no. They do not have direct access to new updates or the expertise of the engineers that produce them. When you go with third-party support, make sure that you have a way to get needed security and functionality upgrades, and make sure that you have a path forward.
<p>
License compliance, and compliance with regulatory and contractual requirements, are your responsibility, not the support provider's. If you have not resolved those issues, you have more work to do before making the leap to third-party support.
<p>
Some vendors have fee requirements to re-establish a relationship if you need to upgrade to a new version or pull in the primary vendor's expertise. Make sure you are looking at the total cost picture, not just the pretty up-front cost picture the sales rep is showing you.
<p>
<a href="http://www.baselinemag.com/it-services/third-party-software-support-pros-and-cons/">Scott Rosenberg</a> suggests some situations that may be ripe for third party support:<br>
<ul>
<li>You have a highly customized environment that is several updates behind and may never be able to be updated.</li>
<li>You are pulling in extra expertise outside of the basic maintenance agreement, for tuning or design support.</li>
<li>No updates or upgrades are expected to be needed.</li>
</ul>
<p>
If you do go with a third-party vendor, make sure to protect yourself with a <a href="http://fromtechietoboss.blogspot.com/2013/05/negotiating-service-level-agreements.html">well-written contract and guarantees</a>. Understand what the vendor will do, and how they will handle issues that are beyond their expertise. What timelines, deadlines, and service levels are guaranteed by the vendor?
<p>
As with any other business decision, make sure you have the facts before you proceed.
<p>
ScottCromarhttp://www.blogger.com/profile/02344384388503793470noreply@blogger.com0tag:blogger.com,1999:blog-4646249136645423867.post-37553607397578528812013-05-24T04:00:00.000-04:002013-05-24T04:00:00.807-04:00
Tips for a Successful Interview
I've posted a few pointers recently in answer to some questions I have fielded from people who are preparing for interviews. I thought it might be useful to have a quick list of a few ideas that I have found useful in interviews:<br>
<ol>
<li><b>Be <a href="http://fromtechietoboss.blogspot.com/2013/04/enthusiasm-and-job-interviews.html">enthusiastic, positive, and pleasant.</a></b> Employers are looking for someone who is going to bring positive energy into their workplace. This is the time to explain what you like about the new position, as well as to catalog the <a href="http://www.careerbliss.com/advice/job-interview-cast-yourself-as-the-hero-in-your-career-story/">positive aspects of your current and former positions.</a> Be likable and friendly throughout.</li>
<li><b>Bring <a href="http://fromtechietoboss.blogspot.com/2013/05/selling-yourself-in-interview.html">solutions to the employer's problems.</a></b> Do your research, ask questions, and listen to the answers. <a href="http://fromtechietoboss.blogspot.com/2013/05/emphasizing-value-of-your-experience-in.html">Apply your experience and expertise</a> to the employer's problems, and engage in a dialog about how to solve them. Show your prospective employer what you bring to the table, and set a solid tone for your future relationship.</li>
<li><b>Bring your <a href="http://www.business2community.com/human-resources/the-mentality-of-a-great-interview-10-tips-0471287?goback=%2Egde_4466073_member_236368255">full attention</a> to the interview</b>. Whatever is happening at home or your current job, it needs to stay outside the room. Listen to what your prospective boss is saying--and listen to what is not being said. Your full attention needs to be here, now, in the moment.</li>
<li><b>Be strong</b>. Don't allow yourself to get discouraged. Be relentlessly positive, even when the interview hits rough patches. Some interviewers deliberately inject difficult questions or sections into their interviews to see how you react to adversity.</li>
<li><b>Prepare good answers</b>. Examine the job listing for clues about what the hiring manager is looking for. Research common interview questions as well as guessing what questions you will be asked, and <a href="http://www.careerbliss.com/advice/job-interview-cast-yourself-as-the-hero-in-your-career-story/">prepare good answers</a>. Practice them with a coach who can suggest how to improve your answers.</li>
<li><b>Prepare good questions</b>. When the interviewer invites you to ask questions, know what you are going to ask, and ask it in a positive way. Your questions should be on point and professional.</li>
</ol>
<p>
ScottCromarhttp://www.blogger.com/profile/02344384388503793470noreply@blogger.com0tag:blogger.com,1999:blog-4646249136645423867.post-74650946267657390872013-05-23T04:00:00.000-04:002013-05-24T13:58:11.727-04:00
Critical Thinking
One of the most important characteristics of a good IT professional is an ability to <a href="http://www.cioinsight.com/it-management/expert-voices/the-five-skills-of-the-quantum-it-professional-2/">think critically</a>.
<p>
Mature IT professionals will understand industry best practices, but will also understand why those practices are widely adopted. Professionals will discover the needs of their organization, and will analyze the available tools and practices to adapt them to the current situation.
<p>
Cookbooking an IT environment is easy. Analyzing the challenges in the environment and creatively applying solid structures and processes is the mark of a mature IT professional.
<p>
ScottCromarhttp://www.blogger.com/profile/02344384388503793470noreply@blogger.com0tag:blogger.com,1999:blog-4646249136645423867.post-57181949463336962382013-05-22T18:00:00.000-04:002013-05-22T18:00:01.999-04:00
Is It a Quantum Computer?
I ran across <a href="http://www.npr.org/2013/05/22/185532608/quantum-or-not-new-supercomputer-is-certainly-something-else">an article</a> on the new <a href="http://www.dwavesys.com/en/dw_homepage.html">D-Wave 2</a> "quantum" computer.
<p>
<a href="http://www.iontrap.umd.edu/">Some specialists</a> are expressing skepticism about whether what is happening in the box is truly "quantum" in nature, but it does seem clear that something unusual is happening. The difficulty is that direct examination of a quantum system collapses the wave function, at which point quantum effects are no longer observable.
<p>
As these machines are <a href="http://googleresearch.blogspot.com/2013/05/launching-quantum-artificial.html">built and tested</a>, it will be interesting to see <a href="http://arxiv.org/abs/1304.4595">what types of problems</a> are <a href="http://www.cs.amherst.edu/ccm/cf14-mcgeoch.pdf">solved more quickly</a> with this device. The types of problems that are solved may help to indicate whether or not <a href="https://en.wikipedia.org/wiki/Quantum_entanglement">"entanglement"</a> is being used in the way that the manufacturer claims.
<p>
ScottCromarhttp://www.blogger.com/profile/02344384388503793470noreply@blogger.com0tag:blogger.com,1999:blog-4646249136645423867.post-91527726540535238172013-05-22T04:00:00.000-04:002013-05-22T04:00:02.908-04:00
Negotiating Service Level Agreements
Service Level Agreements (SLAs) are increasing in importance as enterprises rely on vendors for more and more services. Especially with the penetration of <a href="http://fromtechietoboss.blogspot.com/2013/05/cloud-computing-for-enterprise.html">cloud computing in the enterprise</a>, organizations need to <a href="http://www.cioinsight.com/c/a/Expert-Voices/Cloud-SLAs-Does-Your-Deal-Leave-You-Exposed-379610/?kc=CIOMINUTE04222013STR4TOC">protect their reputation by setting clear expectations</a> with their vendors.
<p>
Vendors have to protect their own interests, so good vendors are not going to accept just any agreement proposed by a single customer. Reaching an SLA will be a tough negotiating process, but it should be done as part of almost any contract negotiation.
<p>
There will be a lot of exceptions listed in any detailed SLA. This is the time to identify the exceptions that are of the most concern to your organization, and to demand mitigating actions to be taken by the vendor. (Keep in mind that the cost of these mitigations will be transferred to you in your bill from the vendor, but your organization's reputation needs to be protected against major risks.)
<p>
One of the attractive features of cloud computing in particular is that the costs can be spread out over time and across the vendor's customer base. To the extent that you request industry-standard protections, you may be able to spread the costs across your utilization rather than having to pay a lump sum or fixed fee.
<p>
A well-designed SLA will contain allowances for necessary maintenance activities and for force majeure. It is common for penalties to be granted as service credits, and it is also common for penalties to be capped at a fixed percentage of recurring costs.
<p>
ScottCromarhttp://www.blogger.com/profile/02344384388503793470noreply@blogger.com0tag:blogger.com,1999:blog-4646249136645423867.post-80515711219412202402013-05-20T04:00:00.000-04:002013-05-21T21:42:41.787-04:00
Easing Pain from Office Work
<a href="http://soa.li/AeVNLYd">Baseline recently published a slideshow</a> based on an American Osteopathic Association study of pain among office workers. The leading causes of pain for office workers were:<br>
<ul>
<li>Sitting for extended periods: 64%</li>
<li>Posture at the desk: 61%</li>
<li>Uncomfortable seating: 58%</li>
<li>Extended computer screen viewing: 46%</li>
<li>Extended mouse usage: 38%</li>
</ul>
<p>
The study also suggested several tips to help office workers ease some of the causes of physical pain that come from office work:<br>
<ul>
<li>Stand up and move every 30 minutes or so. Set a calendar or cell phone reminder if you aren't remembering. When you need to talk to people in the office, stand up and walk over.</li>
<li>Exercise 30 or more minutes per day. Find an exercise routine that fits your schedule and life so that you will be able to maintain it over the long term. Even things like using the stairs instead of the elevator, parking a long way away, or taking a lunchtime stroll can make a big difference over the long term.</li>
<li>Make sure you have a comfortable seat. Some companies will provide an improved seat with a doctor's note; others may allow you to bring in your own seat.</li>
<li>Adjust your monitor so that the top of the monitor is at eye level when you are sitting up straight.</li>
<li>Develop good posture. Sit up straight. If you keep your feet flat on the ground, the rest of your body will tend to follow.</li>
<li>When you mouse, keep your elbows close to your body and try not to flex your wrist. You may need to adjust your seating area to make proper mouse usage easier.</li>
</ul>
<p>
ScottCromarhttp://www.blogger.com/profile/02344384388503793470noreply@blogger.com0