Category: information security

Posted on

Considerations for Disaster Recovery Planning | Accounting and Business Technologies

Disaster Recovery Planning is currently a leading topic of discussion for business IT administrators and owners, just as issues relating to business and technology operation and continuity have become a central point of discussion for many organizations. After the disaster occurs is the wrong time to determine whether or not your company is adequately protected. Unfortunately, when you need your plan most is when you find that you either do or do not have things well in hand.

Hurricanes, floods and tornadoes have taught many companies some hard lessons ranging from the inability to locate or communicate with employees to the entire loss of the business and surrounding community infrastructure. Certainly, the current situation is a reflection of the worst-case scenario, but it also points out some fundamentally important considerations that a company must incorporate when creating a technology plan for disaster recovery and business continuity.

EMPLOYEES ARE PEOPLE

One of the first things to remember in any disaster is that your employees are people. They have families, homes, lives outside the office, and responsibilities. They have fears and concerns. In short, they are human beings. This is a reality that is frequently overlooked in a disaster plan.

Much consideration may be taken with respect to handling business issues such as customer or vendor communications, technology and systems continuity, etc. But in the event of a disaster where lives are at stake, can the company expect personnel to overlook those personal impacts that present themselves, all in the name of keeping the company going? Probably not, unless perhaps they are in health care, law enforcement, or the military. Even in those cases, caring for family and loved ones may take precedence over job responsibilities. Businesses need to make certain that there are SYSTEMS in place to assist with continuity and recovery, as personnel may be hard to come by.

YOUR BUILDING IS NOT AN ISLAND

Businesses rely on facilities.

Facilities are created from infrastructure.

Infrastructure, more often than not, is not in your control.

Telephone service, connectivity, electrical power, street access to the building, access to the surrounding areas – these are infrastructure elements that you have little control over, if any at all. The loss of infrastructure, however, impacts you significantly. It does not matter how much backup power you have if you have no physical access to the building. And telephone service becomes valueless (frequently) if the power is out.

Redundancy can come in many forms, but creating fully redundant facilities means being redundant with the infrastructure. Opening offices in multiple locations, distributing personnel and resources to various locations – these all come with potentially tremendous cost impacts to the business. There are, however, affordable technologies and services available today which can help mitigate the impact of the loss of a location or facility, and whenever possible these services should be incorporated into your daily processes to ensure portability and a smooth transitioning of systems should the worst occur.

DEGREES OF PROTECTION

Developing an IT recovery and continuity plan is similar in nature to purchasing various types of insurance. The level and cost of protection must be evaluated based on the benefit to be derived, and weighted by the risk. For example, low-cost flood insurance is probably not worth the investment where there is no water. Obviously, there is cost associated with different levels and types of protection, and different situations warrant different types and levels of coverage.

In terms of IT continuity and recovery, the most frequently implemented form of “insurance” is redundancy or the duplication of a resource. Every business, however, has requirements that extend beyond a reasonable ability to fully duplicate. A small flower shop, for example, cannot reasonably afford to implement “alternative business locations” or a remote office in the event of the loss of the primary facility. With this reality in mind, the business must focus on addressing those conditions that are within its reasonable ability to control, as well as those that it can mitigate to some degree.

via Accounting and Business Technologies | Joanie Mann: Considerations for Disaster Recovery Planning.

Posted on

Licensing the Cloud: Software Distribution and Use in a Remote Access World

Licensing the Cloud: Software Distribution and Use in a Remote Access World

Whether we like it or not, and whether we agree or not – software developers have a right to decide how and where their licensed products are run.  There have always been arguments in this area, where software license purchasers take the position that they should be able to do what they want with their licenses, and where commercial software developers believe they have the rights to dictate authorized usage.  Truly, when it comes down to the legalities of it all, the software companies will win because they have the legal footing to fall back on  – the EULA containing use rights and terms which licensed users have agreed to.

The problem has been ongoing, with software developers constantly and consistently seeking methods to reduce unauthorized software distribution and unsupported use, and users spending amazing amounts of time and resources finding ways to break the rule.  Copy protection, “phone home” license validation models and all sorts of approaches have been developed to prevent software theft and unauthorized distribution.  But it happens anyway – a lot – and the cloud is turning into a great facilitator.  Surprisingly, it’s an “in your face” approach, too, where the previous iteration of web-enabled software theft (unauthorized digital downloads and license cracking) was fairly quiet and tried to be secretive to stay out of the gun sights of the developer.  Today’s “flavor” is right out there, being marketed to any and all who care to view the ads.

With businesses more frequently turning to “cloud” server providers to run business applications, it is no wonder that the IaaS and PaaS companies would want to make their services easier and more valuable to acquire than the next guy’s.  Aside from a groovy control panel and great networking and VM pricing, the added value from these providers is in the applications they are able to service.  More frequently, hosting service providers are marketing their solutions in the context of the applications customers run on the service (which makes sense, because the application’s what really matters).  Leveraging the brand value and recognition of popular commercial software products makes sense, as it improves overall visibility and increases the potential of the “right” kind of prospect engaging and becoming a customer.

The problem arises when these service providers sell hosting services for, or which support, applications they are not authorized or licensed to deliver, and this is where the argument comes full circle.  The hosting provider wants to host applications customers use, customers have licenses for those applications, but not a right to have them hosted.  The host deploys the application anyway, because that’s what the customer wants.  “What’s the risk?” they ask… “the customer has the software license”.

The risk is, unfortunately, greater for the service provider than for the customer.  Even if the customer has a license for the software product, that license may not actually be eligible to run on a hosted server.  “Businesses lease computer equipment all the time, and they can run the software on those systems” is the next argument generally offered by the service provider.  But, in the eyes of the software developer, there may be a big difference between leased equipment run in-house versus subscribed platform services deployed via a commercial hosting provider.  Even Microsoft recognizes the benefit and value of providing “mobility” of application licensing, and has specific licensing models to allow commercial hosts to deploy customer-owned licenses.  While many service providers understand and recognize the requirements to ensure that customer applications are properly licensed for hosted delivery, there are a great many who think the rules simply do not apply to them.  These folks are introducing a great deal of risk into their hosting businesses, even if they are not willing to recognize it.

When a customer runs their software in an unauthorized manner, they risk losing the rights and benefits associated with their software license.  When a commercial hosting company runs software on their servers that they have no right to install and run… they are potentially guilty of unauthorized software distribution and copyright theft.

Actions against facilitators of unauthorized content distribution – you can equate “software” with “content” – have received much press in past months, yet much of the discussion centers on music and video content (as in the Megaupload story).  Actions involving commercial software products tend to be somewhat less visible, probably due to reluctance by commercial developers to have what could be perceived as negative press flowing through social media venues.  It’s popular to protect music and videos, but hosting providers aren’t seeing the wisdom of preserving the integrity of a commercial software product license.  Instead, they’re relying on the customer to indemnify them (the customer has a license, remember?).   But the customer can’t protect the host; the host must protect the host – it’s the prudent business approach.

Infrastructure providers, platform providers and businesses operating as application hosting companies should pay close attention to the content living on their servers.  Taking a position that the customer has the right to do whatever they want with the system is not a viable position; the precedent has been set that the hosting provider is responsible for the content on their systems.  In the case of hosts offering service for small business applications like Microsoft Office and Intuit QuickBooks, for example, it is essential that a service model which conforms to and supports proper license usage be in place, and that any required authorizations are, too.

Software is just another form of content, and the cloud makes distribution of and access to content a lot easier, even when it shouldn’t be.

Make sense?

J

Posted on

Better QuickBooks Access, Management and Security – QuickBooks Licensing and Hosting Models

Whether hosted in-house or offsite, licensing models for hosting QuickBooks can be very confusing.

driving1-ANIMATIONThe demand for solutions to address user mobility, better collaboration and improved information security is increasing as connectivity improves and cloud services and threats evolve. Server-based computing models and application hosting are increasingly popular as businesses seek to embrace teleworking and telecommuting models for their entrenched applications and systems, creating a foundation for improved productivity and work/life balancing (or integration).  On the technical side, the benefits of centralizing applications and data include improved efficiency in managing, maintaining and securing systems. For many small businesses, this means centralizing the installation and maintenance of core business applications like Intuit QuickBooks Pro, Premier or Enterprise.

Whether it be offsite with a commercial hosting provider or on a co-located server somewhere, or an onsite installation on the in-house server, hosting Intuit QuickBooks licenses can be straightforward or complicated depending on what you are trying to do with them. Because QuickBooks was designed as a standalone single-user application, there are a number of challenges when it comes to preparing it for server-based use.  The primary issue is often simply understanding the QuickBooks licensing model, which is not particularly INTUITive (sorry).

Licensing hosted QuickBooks applications comes with two different sets of implementation issues: the technical implementation (the installation and setup) and the logical allocation of licenses to users (the licensing rules).

When it comes to the technical implementation, many an experienced engineer has beaten their head against the wall trying to get QuickBooks to work properly in a workspace or session-based system (e.g., terminal server), all because they expect the product to implement like a “normal” client/server application. While QuickBooks may use the Sybase database manager guts to handle multi-user access to QuickBooks data files (I think it is still Sybase), the architecture required to properly service a networked QuickBooks installation does not necessarily mimic what would be used with, for example, a .NET desktop client application with an MS SQL back-end.   First, the QuickBooks data files cannot be remote to the application, meaning that both the client and the database manager (which is actually working as an adjunct to the client) must exist on the local network; it will not work over a WAN connection, which is why so many folks get frustrated when they put their server “in the cloud” and attempt to connect from a local client using a VPN.  It just won’t work that way with QuickBooks; it all has to be on the local network – client, server, data… all of it.

It is notable that many businesses use Dropbox and other file sync solutions because they want to be able to get to their data from multiple locations, but the data they’re getting must be “local” to the apps that use it.  It doesn’t allow for simultaneous multi-user access, but it can be an effective way to share a file.  The caveat is that the file (at least in the case of a QuickBooks file, or Outlook PST file, etc.) should not actually be used from the sync folder.  Sync folder should contain copies of data files that users wish to sync or share with other devices.  But I digress…

With a server-based implementation of QuickBooks, technicians will install the QuickBooks desktop software on the server, and will determine whether or not that same machine will also handle the company data files.  The QuickBooks DB manager is part of the installation of QuickBooks, and the file system and drive where the QB files are to be managed must be recognized as a local drive on the server running the QBDB manager.  The overhead used by the database manager isn’t huge, but it can impact the performance of users on the server.  For this reason, some techs will decide to implement a separate file server to manage the QB data files, taking that load off the app server.

  • The QuickBooks software uses the database manager to “host” access to company files.  This simply means that a single server with the data on it is providing managed access to remote-desktop-sessionsQuickBooks application users.
  • When QuickBooks application software and data is installed and centrally managed on a server (instead of QuickBooks being installed on individual PCs), that means QuickBooks application is being “hosted” on that server.
  • When a 3rd party provider supplies the server, the QuickBooks installation, data storage, and your way of connecting to it all,  that provider is a “host” providing hosting services for your QuickBooks.

In a dedicated hosting environment, the data is often stored on the same server as the applications, whereas in a shared hosting environment, the data is often stored on central file servers which serve multiple customers. This is why, in some shared hosting situations, one bad data file can take down the database manager services for all the customers using that same file server.

Users open the QuickBooks application on the server instead of having the application installed on individual PCs.  The single server-based installation of the software is able to be used concurrently by all users logging in to that computer. With the database manager running, the file is essentially “hosted” on that machine, and the file may then be opened in multi-user mode.  OK so far.  The problem generally comes about when a second user on the same computer/server wants to open the same QB data file as the first user.

Because the QB database manager is looking at the license of the client application accessing the data file, it will recognize when two different users/sessions with the same license key attempt to open the company data file.  If that license key is a single-user key, then the database manager knows it should allow only 1 concurrent user in the file.  QuickBooks doesn’t get installed for each user on a computer or server; it is installed one time on the machine and each user on that machine runs from that single shared installation. Any particular version of the QuickBooks application may be installed only once on a single computer, but it is possible to install multiple editions, year versions, and “flavors” of QuickBooks on a single machine (cannot be more than one installation of each unique product). There will be more than a few annoyances when running a variety of QBs on the same computer, but it is technically possible.

In order to allow multiple users to simultaneously access the same data file from a central installation of QuickBooks, the license key installed on the computer must be a multi-user key.  QuickBooks Pro, for example, can be keyed to 3 concurrent users, meaning that the license will allow up to 3 users with that same license key to simultaneously access the same company file.  Technically (but not lawfully) this installation of QuickBooks on the machine could allow a virtually unlimited number of users to launch the QuickBooks application simultaneously, limited only by machine resources.  This is where the logical allocation of licensing comes in.. the rule of licensing QuickBooks.

The logical allocation of unique licenses for each QuickBooks user is a little easier to understand than the technical implementation.  The rule is simply that each user of QuickBooks is required to have a valid registered/activated license. That valid license is a license purchased and activated for that business.

total-businessMaking QuickBooks desktop editions more useful by adding secure remote access and centralized management makes a lot of sense.  For companies who rely on the functionality and features of the desktop products (QuickBooks Pro, Premier and Enterprise), a hosted approach is the only way to really address mobility and multi-location requirements.  Remember that hosting doesn’t necessarily mean offsite, although that could make sense for the business, too.

Centrally-managing QuickBooks applications and data creates greater efficiency and improves overall IT management capability for the business.  At the same time, a centralized model introduces a better strategy for mobilizing the workforce and connecting remote users and offices. The struggles of understanding and implementing proper QuickBooks licensing begin to seem very small when compared to the benefits of deploying a centralized system that’s easier to access, manage and secure.

Make sense?

J

Posted on

Hosted QuickBooks and Office 365 a Complicated Technical and Licensing Model (until now)

When Intuit acknowledged the ability for companies to host QuickBooks desktop editions, service providers were presented with the opportunity to offer hosting for the QuickBooks desktop editions from their host servers and infrastructure.  The benefits of using QuickBooks desktop products in a hosted environment are many, including the introduction of mobility, disaster recovery, remote access and other things now associated with cloud computing models.  But the evolution of application delivery technologies and software as subscription service models is challenging the “traditional” approaches used to deliver hosted QuickBooks services.  One of the greatest challenges facing these QuickBooks hosts is the changing landscape of Microsoft Office licensing, because QuickBooks is just no fun without Microsoft Office.

While the QuickBooks application handles a variety of essential business functions, it relies upon other software to accomplish certain important tasks, such as reporting.  Most of the QuickBooks reports can be exported to Excel worksheets, allowing users to refine and manipulate the document outside of QB;   QuickBooks Enterprise Edition uses Excel to handle consolidated reporting.  QuickBooks uses Word for writing customer letters, and Outlook as a tool to email invoices.  There is a lot of functionality in QuickBooks that relies on the MS Office products, so it is pretty typical for a QuickBooks user to also be an Office apps user.  In order for the applications to work together properly, they need to be installed on the same computer.  If QuickBooks is hosted “in the cloud” with a hosting provider, and Office 365 applications are installed on the local PC, the two applications don’t “talk”, and the integration isn’t seamless or even functional.

image credit: Microsoft Corp | Microsoft.com

When a small business subscribes to Office 365 (or Microsoft 365 now), they are provided with rights to install their Office applications on their devices (depending on the subscription level).  While this enables users to have Office apps on multiple computers they use at different times, it does not provide authorization for the application to be installed on a hosted server where it is accessed by those users.

What this means is that customers who purchase Office 365/Microsoft 365 subscriptions to get their MS Office productivity applications can’t generally use those licenses in a hosted environment.

But there is an answer for small businesses who want remote and mobile access to their QuickBooks desktop editions and who also have Office 365 application licenses. The answer is to deploy QuickBooks desktop on a Microsoft Azure cloud server. This solution allows users to run their QuickBooks software as well as their qualifying Microsoft Office (M365 Apps for Enterprise) licenses on the Azure cloud server. The cloud platform enables the anytime/anywhere access desired and keeps all the applications and data secure and available for those who need access.

There is almost never just one way to solve a problem, and the cloud is introducing new options – and challenges – at all levels.  As application licensing and delivery models continue to change, solution providers will come to recognize the value they provide in bringing the right selection of services and technology models together to benefit not just their customers, but their own revenue streams and profit potential.

Joanie Mann Bunny FeetMake Sense?

J

Posted on

IT Security and Engaging Users to Reduce Vulnerability

IT Security and Engaging Users to Reduce Vulnerability

There is a lot of discussion going on about security in the cloud.  With numerous advancements in technologies of various sorts intended to secure our information and identities on the Web, how is it that security continues to be a growing problem?  The answer is in the Big Data the Web collects (read about the Internet of Things – IoT), the large silos of data now handily available in the cloud, and users who continue to provide access for all sorts of bad guys and malicious attackers simply due to not understanding that they – the users – remain as the biggest vulnerability of all.  It is educating this user and finding a way to get them to recognize their potential as a critical element in enhancing system security and reducing vulnerability that has become the larger challenge.

People are nothing more than another operating system, says Lance Spitzner, training director for the Securing The Human Program at SANS Institute.  “Computers store, process and transfer information, and people store, process and transfer information,”  How Hackers Fool Your Employees

Social engineering and finding ways to earn user trust has become a widely recognized means for gaining access to systems and information.  Any experienced computer security consultant recognizes that Microsoft Outlook is among the best applications to place in front of users to test system security, as emails with malicious attachments (spearphishing) represent a majority of targeted attacks.  And hackers aren’t resting on their laurels while users figure out that opening email from unfamiliar sources isn’t a good idea.  Nope, not for a minute.  Today’s flavor is “conversational” phishing, where it is made to appear as though a real person is at the other end of the conversation.  Hackers are patient, and they are willing to take the time to find a way in.  Users, on the other hand, still tend to be somewhat complacent when it comes to security, and often operate under the belief that the IT security products and the IT department have it all under control.   And no matter how many times they’re told to not click on strange email attachments, to change passwords frequently, not to reuse passwords, and to make passwords hard to guess… getting users to comply continues to challenge system administrators.

most-valuable-security-practices

Communicating with users about the importance of adhering to password management and other security standards often falls on deaf ears for two reasons:  users believe that system security is the job of the IT department, and users are made to feel stupid by being chastised and punished by the IT department that’s supposed to be helping them.   Rather than helping to educate users and find innovative ways to get users to participate in helping to improve system security, IT administrators and security teams generally view users as part of the problem rather than part of the system of solving it.

It’s a heated debate that can upset people on opposing sides.  For instance, one RSA conference presenter conducted a class on “how to patch stupidity,” Spitzner says.  “He explained why people are stupid, how they’re stupid and how to fix stupid.  It was a very emotional talk for me, because how can you sit there and insult the very people who can end up helping us?…  How Hackers Fool Your Employees

In order to build strong security which is better-suited to protect businesses from today’s variety of threats, IT security professionals and system administrators should engage in positive internal marketing for better system security, deliver improved education to build awareness with users, and actually engage users in the process of threat identification and detection.  These users don’t have to be geeks or IT people; they can be average users who simply keep their eyes open to things that just don’t seem right.  “People can become a detection system to improve organizational resilience.”

jmbunnyfeetMake Sense?

J

Posted on

The Holistic Approach to Cloud-Enabling Your Firm

The Holistic Approach to Cloud-Enabling Your Firm

Today’s professional accounting or law practice has a number of issues to contend with, not the least of which is technology.  While IT has been serving the firm for years, shifting paradigms in computing are leading professionals to wonder exactly which direction they should turn for advice.  It’s easy, at a high level, to see the value and benefit of outsourced IT services and being able to focus on your core offerings, but it’s a little harder to find exactly which path your firm should follow.  One thing has proven true over the past few years: taking a holistic approach to cloud-enabling your firm is far better than any uncoordinated exchange of applications and services.

There are four areas the firm should explore when looking to more fully leverage technology to its benefit, which is what “cloud-enabling” the practice really means:

  1. Transitioning to a paperless (or less paper) office
  2. Exploring alternative billing methods (value versus time?)
  3. Outsourcing non-core and non-strategic tasks and processes
  4. Streamlining procedures to create consistency in service levels

The challenge is that firms have numerous options and approaches being thrown about, none of which represent obvious solutions to the entire problem.  In pieces, cloud services and online applications can deliver new capability and functionality, but a professional practice has the requirement for systems to work together to be effective.  Re-entry or redundant storage of data is inefficient, so it is difficult to streamline procedures when the systems run on different platforms or don’t integrate well.

One approach is the “hybrid” approach, where you take the best of the tried and true, and deploy it in new ways to create new capabilities.  Also introducing cloud-based and SaaS solutions where they can truly help the firm innovate makes sense, as long as those solutions can connect back to the core systems. The key is to not lose what efficiency and business intelligence the firm already has while attempting to transform and improve upon those models (digital transformation).

The new thinking by some firms is to adopt web-based practice management solutions that make it easier to collaborate with team  members and clients.  Many of these solutions get great reviews and indeed do make it easier for users to access information from anywhere and on mobile devices.  Lots of neat features for the forward-thinking practice are available, yet the problem is that these solutions usually don’t have general accounting functionality required by the business, nor do they address some of the fundamental capabilities that apps on the desktop can.

For the online applications serving line-of-business functionality, the easy answer to finance department questions is to connect to an online accounting solution, like QuickBooks Online.  While this may serve the needs of the developer, the needs of the business finance department often outpace the functionality available in the smb online accounting products.  To address this reality, many developers have created the means to export data to the QuickBooks software running on the local desktop.

The desktop editions of QuickBooks remain extremely popular with professional service firms and the businesses they serve. In a cloud and mobile world, the firm and their client doesn’t have to be tied to the local desktop in order to keep their desktop software or collaboratively work in the data.  When the QuickBooks desktop software is setup within a secure remote access environment (whether on-premises or with a hosting provider), users benefit from the same mobility and realtime collaboration advantages as with a SaaS solution, like anytime/anywhere access.

Virtual desktops and remote application models allow users to access what seems like a workstation in the cloud, with business applications such as QuickBooks and Microsoft Office and whatever else the firm uses. The desktop is a true Windows platform, so the features and functionality are just as they are when working directly on a local PC.

Most remote or virtual desktop setups also let the user access the Internet and use a browser on the remote desktop, allowing users to run the SaaS solutions they’ve subscribed to alongside their desktop applications yet still remain in a totally virtual and mobile working environment. This approach allows the firm to centralize management and administration of internal servers and networking resources, or eliminate much of the maintenance and management by outsourcing to a hosting provider. Outsourcing the hosting and management of systems further establishes predictability in cost and increases IT agility.

The thing to remember is that one size does not fit all, and every firm will need to work within their own requirements and motivations to come up with the proper approach.  What works for a solo practitioner or small firm won’t necessarily work for a larger firm… or maybe it will, depending on the company culture and structure. There are a lot of options with the cloud when it comes to outsourced information technology models, online practice management and other business solutions, and mobile services which reduce the impacts of time and distance.  It’s time to start implementing on-demand access and mobile-friendly service options before the competition leaves you behind.  Interestingly enough… the competition that looks like a huge and successful firm could be just one person using some really smart IT.

 

Make sense?

J