Category: risk management

Posted on

Better QuickBooks Hosting: Noobeh Cloud Solutions on Azure Help Businesses Avoid Data Loss, Improve Application Performance and Implement QuickBooks Integrations

They said back in 1999 that the desktop was dead, but desktop software is far from gone. In fact, application hosting services for products like QuickBooks desktop editions just keeps growing in popularity because it delivers the access, mobility and managed services businesses need.

Service providers have been hosting QuickBooks for years, and I’ve been right there all the way, ever since the model was originally developed. In fact, the company I worked with is still selling that original service model today while many other providers have come along to follow it and take advantage of the opportunity.

Using the cloud to support accounting and other business processes makes a lot of sense, and the best part is that it doesn’t require businesses adopt the online versions of the software that just doesn’t work as well. I have a background in accounting so I understand the issues of working remotely with clients, when the business is done in one place but the accounting is done in another. And I love the technology and finding ways to make it easier and more efficient to get small business accounting done.

The benefits of using hosted QuickBooks services are many.

Anytime/anywhere access and fully-managed service are among the most obvious benefits for QuickBooks desktop users, but the advantages of centralized information and applications, secure support for mobile and remote workers, and real-time integrations and analytics capabilities can be transformational for the entire business.  Having the means to affordably extend applications to the entire workforce and keep everyone working with the same data in real time can become the foundation for improved processes, greater efficiency and better business performance.

Among the key benefits of the application hosting model is the fact that businesses are not forced to adopt software subscription services or invest their data in web applications that do not provide the functionality or features required. Even more, the business can elect to move their hosted system back to in-house computers, because the hosting is simply an alternative platform for running the software the business owns. You can take your ball and go home if you don’t want to stay.

With all the benefits of hosting QuickBooks, there are also risks involved, especially when working with shared hosting platforms.

Shared hosting platforms are architectures where the service provider spreads the cost of their infrastructure across many customers to help keep the costs down. Using conventional technologies to create divisions between customers on servers, networks and so on, services providers can deliver at a lower cost when they are able to generate revenue from lots of customers for the same pieces of equipment. As more customers are added, more servers are joined into the network. After a while, there are many servers handling the customer load.

Unfortunately, the greater the number of servers, the more complicated and costly it becomes to update the platform. This is among the reasons why many service providers have aged platforms, with server operating systems that are going out of support and offering only legacy desktop views. In addition to compatibility and modernization, a big problem with allowing the platform to age is that it becomes less secure and more difficult to keep protected.

Protecting against disaster is not the same as doing backups.

Many hosted QuickBooks customers have been faced with the ugly reality that their service provider backups are not enough to recover from disaster. This is largely the fault of the providers and is somewhat by design.  Businesses hosting their financial and other business applications and data want to know that their information is safe and secure. Performing data backups is part of the promise of protecting customer data, so most customers believe that their service provider is backing up in a way that ensures the data can be recovered.

What most hosting customers don’t understand is that the provider backups are there to help the provider recover from disaster and not necessarily to get the customer back where they were.

Hosting companies know that they need to do backups so they can support customers when files get deleted or become corrupted. Hosting companies typically do regular backups of customer data, but they do not necessarily retain individual backup data sets and they often backup all customer data together. This means that the backup data is constantly being updated, and that fully restoring the data of just one customer may be problematic. Service provider backups are there to support the continued operations of the service provider and may not provide the level of archive or retention needed by the customer. Just to make sure their data is safe and recoverable, I strongly recommend that clients keep any hosted data archived in at least one other location off the host’s platform.

In just the past year, outages caused by malware have been experienced by service providers Cetrom, Skyline, Cloud9 and Insynq, demonstrating just how devastating an outage can be when the service provider doesn’t have adequate protections in place.

In many cases customers lost data because the service provider wasn’t able to recover it from compromised or nonexistent backups. Suggesting that customers should have their data backed up locally is never part of the marketing or onboarding with the QuickBooks host, but it is often the fallback position in times of trouble.

Perhaps the most troubling aspects of these provider failures are that many of the problems stem from the shared nature of the platform.

When we first started building QuickBooks hosting services the hardware and software to make it work was terribly expensive. To approach some level of affordability, a shared platform approach was developed. This allowed the service to scale while offering a lower cost of service to customers. When the services were initially developed, there was concern about protecting from viruses and Trojans, but the nature of malware in the wild was not nearly as troublesome as it has become. Things were manageable.

But technology has evolved and so have the threats and bad actors.

The smarter bad guys should be forcing platform providers to reconsider their shared management and delivery models.

Affordable computing resources are available from platforms like Microsoft Azure and Amazon AWS, offering small businesses the opportunity to have not only powerful and scalable platforms for their business IT, but also offering a means of operating privately. Not being forced to operate in the same network or on the same VMs as other companies means not having to worry about the behavior of other people or applications in your business network. It also means that the focus is on recovering your system if disaster strikes, not on recovering the systems of hundreds or thousands of other businesses at the same time.

Considering the move to a more private cloud hosting solution is an important way to reduce risk and improve IT performance for the business.

When they were in-house, the networks were private and no other businesses were sharing the servers. Moving to the cloud should not radically change that profile, and should offer customers the same privacy from outsiders and the same flexibility to implement whatever applications the business needs.

The Microsoft Azure platform provides this capability and businesses can benefit without compromising the budget. With private accounts on the Microsoft Azure platform, our customers are able to take advantage of the current and emerging technologies while safely and affordably supporting their business requirements, which is something the shared platforms fail to offer.

Make Sense?

J

Posted on

Are You Prepared for SQL Server 2008 End of Support?

 

Everything gets old eventually, and now it is official for SQL Server 2008.

03-2012sean-phone-328-e1377042261105On July 9, 2019, support for SQL Server 2008 and 2008 R2 will end. That means the end of regular security updates and general support for the product. Are you ready?

It took more than 10 years for Microsoft to end support for our beloved SQL 2005 and version 2008 has enjoyed a similarly long reign. But it’s over and you need to get used to the idea. Even more, you need to get upgraded to a new version of SQL so your systems can still be patched, updated and supported. With all the nasty exploits out there, letting your software get out of date is more of a business risk than ever.

With cyberattacks becoming more sophisticated and frequent, running apps and data on unsupported versions can create significant security and compliance risks. The 2008 family of products was great for its time, but we highly recommend upgrading to the most current versions for better performance, efficiency, and regular security updates.

Now is a Good Time to Consider Azure

Microsoft is giving a present to businesses that want to migrate their workloads to Azure. For those customers that elect to take this as an opportunity to move to the Azure cloud, extended security updates will be available for free in Azure for 2008 and 2008 R2 versions of SQL Server and Windows Server to help secure workloads for three more years after the end of support deadline. Moving existing systems to the Azure cloud is a natural step in modernizing the business infrastructure and makes the next step of upgrading to managed database services and/or migrating to new Azure servers a lot easier.

Upgrading isn’t simply a matter of maintaining status quo, either.

Moving to new versions can be a foundation for new strategic capability and increasing overall business potential, powering new decision-making processes fueled by analytics and business intelligence.

The Microsoft Lifecycle Policy offers 10 years of support (5 years of regular support and another 5 years of extended support) for the 2008 and 2008 R2 versions of SQL Server and Windows Server. When the extended support period ends, there will be no patches or security updates, which always creates security risk.

If your business is going to remain competitive, you can’t rely on outdated systems.

Your business is tough enough to manage without having your systems work against you.  Software that prevents you from keeping up with demand, creates risk in compliance and security, and reduces operational performance is not what you need. Collecting, storing and rationalizing data takes power and speed, and securing your growing information warehouse requires vigilance in security and update management.

Use this opportunity to review your platforms and applications, and consider moving your on-premises or co-located systems to the cloud. The upcoming milestone is a great opportunity to transform applications and infrastructure to take advantage of cloud computing and the latest versions of SQL Server and Windows Server.

jmbunnyfeetMake Sense?

J

Posted on

Countdown to End of Life for QuickBooks 2016

Every year Intuit releases a new version of QuickBooks desktop software, enhancing functionality and adding features to keep the product useful in the modern world. As the program continues to move forward, keeping pace with newer operating systems and software conventions, the older technology and application models eventually expire. Without support and updates, key service features or service integrations, the end-of-life versions of QuickBooks become not only less functional, they become less secure and have a much greater potential for problems.

QuickBooks-Hosting-WordCloud

The QuickBooks Desktop Discontinuation: May 31st is the sunset date for 2016 Versions

While Intuit frequently communicates with license holders via various mailings and in-product notifications, including notices about the discontinuation of the version, the message is often lost amid the annoying messages customers receive via email or as disrupting popups in the program. It is very important that users not miss this notification because it really means more than just a need to update the software. Most businesses have more invested than than just a software purchase, they also have their data and operation to consider.

The real investments a business makes when it adopts QuickBooks desktop are the business processes the software supports, the transaction, customer, vendor, job and product information kept in the system, and the financial and performance data that comes from all of that. People, processes and information are the building blocks of the business and losing any of it can be far costlier to the business than the cost of an annual software upgrade.

When do services for QuickBooks 2016 stop?

May 31, 2019 marks the end of access to all services for QuickBooks 2016 Desktop editions. This includes QuickBooks Desktop 2016 Pro, Premier, Enterprise Solutions and Accountant editions for Windows, and the 2016 Mac edition. The software will continue to function at an basic level after that date, but technical support will end and all integrated services will stop working with the software.

What does it means when Intuit says services for QuickBooks 2016 will stop?

Software updates, online support and certain other added functionality within QuickBooks is provided as service integrated with the desktop software. When support and integrated services are discontinued, it means that subscription or added service functionality is no longer available. Payroll services, online banking, online backup and live support are some of the integrated services that will stop working on May 31, 2019.

Businesses that don’t need payroll, online banking or other services with QuickBooks should still upgrade the software.

While the basic functionality of QuickBooks 2016 will continue to work beyond the discontinuation date, the security and compatibility of the system should remain as top considerations. A major aspect of product discontinuation is the loss of software updates and security updates in particular. When users of 2016 QuickBooks versions stop receiving critical security updates, it could leave the installation vulnerable in a variety of ways. Weaknesses in security protocols or password storage, or failure to update software to remain compatible with new versions of Office or Windows (or Mac OS) could not just render the software unworkable but can also lead to potential data corruption or leave private information visible to hackers.

Upgrade to a newer version of QuickBooks Desktop to continue use of payroll, online banking, online backup, support and updates. For Windows users, 2017, 2018 and 2019 versions continue to be supported, but 2019 becomes the only supported version for Mac. Intuit previously indicated that there wouldn’t be a new Mac version, so having a 2019 edition represents a big win for Mac users who wish to keep their QuickBooks compatible with newer Mac OS versions.

People, processes and data are reliant on the software that supports the activities that keep the business running. Central to retaining the value of your business information and operational processes is keeping the software supporting them up to date with the most current feature set, service integrations, and application and update support. After all, the incremental investments made to maintain important assets of the business tend to be less costly than recovering from lost data and reduced productivity due to failure of an unsupported system.

Joanie Mann Bunny FeetMake Sense?

J

 

Posted on

Contrary to What You Learned in Grade School… Sharing is Bad, Okay?

There is a place and time for sharing. Share your color crayons, share your toys… share your feelings with those you love. But when it comes to business technology and infrastructure, sharing isn’t always the best approach. Some things you should just keep for yourself… like the servers you use for hosting business desktops, desktop applications and business data.

When we first began the journey of bringing small business desktops and applications like QuickBooks to the Internet, the “cloud” was not yet a thing. Hosting providers put up servers in racks in data centers, installed software and stored data on behalf of customers, and did their best to find ways of making the service affordable. Elastic resources, massive scalability and built-in redundancy (which are benefits of a real cloud fabric) were not generally available nor were they even remotely affordable. Because the hardware, networking and other resources that make up the hosting infrastructure is costly, it is important for the hosting service provider to be able to spread those costs across the entire customer base.

In most cases, this meant creating shared servers where many customers run their applications and store their data. Even when a provider suggests that a customer has a “private” server, there is still a good chance the server is using shared storage and/or networking resources made accessible in the environment.

Sharing can be a good thing or a bad thing, and it often depends on the behavior of those involved. In shared application hosting environments, particularly desktop hosting environments, there is a lot of potential for intentionally and unintentionally causing problems that can and will impact other users and customers on the platform.

A simple provisioning error might allow a user to see data belonging to another company or have access to applications or services they should not.

With shared resources, bad actors and intruders can often escape permission boundaries, attaching to network shares and other computers on the platform.

Malware accidentally introduced by an innocent user from one company could easily penetrate the entire system, following paths to data storage locations and other servers, spreading the problem to many customers and systems and even data centers.

If you are operating on the compromised system you are at risk, even if the compromise wasn’t initiated by one of  your users or from within one of your applications.

In the realm of QuickBooks hosting providers, the issues around sharing infrastructure and resources have created some very difficult situations for hosts and for their customers alike – especially when it comes to dealing with computer viruses, malware and ransomware. A few high-profile events, as well as numerous incidents which have flown under the radar, have revealed just how damaging the shared approach can be.

With the IRS, AICPA and other agencies issuing increasingly strong guidance for tax and accounting professionals to protect client information, finance professionals should strongly consider the risk introduced through shared hosting service arrangements and evaluate if it is greater than the costs of having a more private system.

Cloud platforms available today are fully matured, delivering scalability and agility at price levels that are affordable even for very small businesses.  No longer solely for enterprise enjoyment, real cloud solutions and delivery models can be used by small businesses for desktop and application hosting without compromise. Every business deserves their own cloud, and we know how to make that affordable.

Cooper Mann works with teams deploying on the Microsoft Azure platform, offering an agility in design not previously available with legacy computing approaches. Because every delivery is absolutely private to each customer, the solution can be scaled up (or down!) on demand to suit the specific needs of the individual business. More important is the fact that each customer operates separately, so any bad behavior the system may suffer from is their own.

jmbunnyfeetMake Sense?

J

Posted on

4 Rules of Thumb Regarding Passwords and Authentication

Many people believe passwords are dumb.  They store their credentials for easy login, or maybe even leave the password blank if the app allows. For IT managers, forcing users to come up with a strong, unique password is definitely not an easy task.  Resting on convenience over security, many people would prefer to use familiar names and dates or simple phrases they can remember.  Even when IT departments try to enforce best practices there is often a struggle between honoring those standards and influencing user behavior.

Relaxed password standards allow users to set passwords that may be as easy to guess as they are to remember, and very strict requirements for strong and complex passwords often results with users storing passwords in document files or on post-it notes on the monitor. Setting password standards and managing the policy implementation requires a balance between usability and security, but more often than not the balance skews toward simplicity. Yet passwords aren’t going away any time soon, even while biometrics and multi-factor authentication methods grow in prominence.

It is most likely that new technologies and standards will be combined with passwords to protect critical data. Using only a password to protect information may not be the ultimate in security, but it is important to recognize that passwords remain as a key element in any security model. For now, passwords should be as strong and unguessable as possible.  As technologies and standards rise up to meet the demands of users as well as enterprises, there are likely to be changes in how passwords are used. Here are 4 rules of thumb to consider regarding passwords and where authentication technologies are going.

1. Your face might be your password.

Biometrics won’t fully replace passwords right away, but the use of biometric data for authentication is growing rapidly. Face recognition, fingerprinting and voice identification are all being employed as authentication mechanisms and users are embracing the technology because it is easier to use than a remembered password.  Smartphones and PCs have sensors for reading fingerprints and cameras for seeing faces, and microphones for hearing your voice.  Many systems are also now able to use geodata with the biometric data (matching person to place), making it harder to compromise an identity while also being less disruptive to the user. While the technology isn’t foolproof, it represents a major step towards creating more secure systems without placing the responsibility strictly on the user.

2. Two pieces of ID are better than one.

The point of multi-factor authentication is that there are two different pieces of evidence a user must present in order to gain access. For example, a password may be the first piece of evidence presented, with a pass code sent to a mobile device as a second. Even as biometric authentication grows in prominence, industry participants recognize that no single method covers all the bases all the time. Multi-factor authentication is gaining in prominence as users become more familiar with the methods and the implementations become less intrusive. AI may also influence how these systems are applied. As user behavior and transaction parameters are “learned”, systems can identify activities that fall outside of normal routines and additionally prompt users for single-use pins or passwords sent to their mobile device.

3. Businesses should learn from past mistakes.

With news of hacking, ransomware and malware being daily fare, companies and their users are realizing that password security really is important and are stepping up their security efforts. The information is available to help prevent businesses from making the same mistakes that others have, offering worst case scenarios a’plenty to learn from.  Using default passwords and recycling passwords across work and personal accounts, using unsecured network connections, not encrypting files that contain password information and failing to patch or update systems and software are entirely preventable situations that put information at risk. Taking the reports seriously and identifying mistakes to avoid is highly useful in designing security for the business.

4. There’s a growing ecosystem for authentication.

With the number and type of systems requiring authentication – from industrial control systems to dating websites – there is a great and growing need to find highly secure methods of authentication that are actually usable for the user. Even in the world of blockchain there is a need for “identity assurance” and confirmation when documents or biometrics are captured via smartphone. Fast IDentity Online (FIDO) is a set of security specifications for strong multi-factor authentication, developed by the FIDO Alliance. The FIDO Alliance includes members such as Google, Aetna, Amazon, Microsoft, Bank of America and Samsung, and developed the spec as an initial basis for standardizing authentication across platforms and systems at the client and protocol layers.  

Technology is changing rapidly and solutions once reserved for government and large enterprise are now entering mainstream consumer use. You’ve probably already noticed that banking and other apps are employing the use of fingerprint and other biometric data with increased frequency as users demand easier access to applications and features from their smartphones and other mobile devices.

These technologies sometimes replace traditional password entry as the primary means of authentication or augment password use in some manner. Even MasterCard has announced a component in its payment card solutions that allows users of next-gen payment cards to register their fingerprint data on their credit card.

The push is to allow users to interact with their tasks without putting up barriers to access.

A combination of usability and enhanced protection, the new standards are developing to address not just system security but identity verification for various purposes. Corporate information must be secured and so must personal identity information; simply read the news to understand what can happen when digital identity information gets compromised.

Whether the data is business or personal, keeping hackers and bad actors away from it isn’t easy, so strengthening the most basic first layer of protection – the password – is the best place to start.

Make Sense?

J

Posted on

4 Rules of Thumb for Better Mobile Device Security

Security threats are everywhere, lurking in alley ways and around corners and even in your favorite coffee shop. Yet mobility is in demand, and people will use their smartphones and other mobile devices because it’s convenient, even if company policy suggests against it.

This is a big deal for IT and security professionals and CIOs, which is why it took a while for IT to recognize the need to address mobile device security rather than simply deny mobile device use. With data breaches, ransomware attacks, hacks and information leaks happening on an almost daily basis, businesses must find ways to protect their valuable applications and data from loss or misuse while at the same time enabling mobile device use.

The following 4 rules of thumb are not comprehensive but are four essential rules of thumb to help guide business owners in addressing mobility management and security within their organizations.

Rule 1: Make sure there are clear mobile device use policies and support them with ongoing administration and strict enforcement.

I can’t say enough about having good security and mobile device policies and keeping them modernized, relevant, and actually enforcing them. Too many businesses say they have a “security and use” policy in place, yet it is outdated and doesn’t reflect the actual tools or processes currently in use.  Even more frequently a business will develop a policy just to say it has one, but won’t actually train workers or enforce compliance.

Rule 2: Require and enforce strong passwords, manage access in real time, and force password changes with some frequency.

It is essential that all user access to applications or data be controlled at minimum by password-protected logins to the device and corporate resources coupled with periodic forced password changes. Users often prefer to not require passwords or other authentication for device access, but corporate policy should not only require them but also enforce their use.  Also, user access should be managed in real time, meaning that any aspect relating to access should be disabled or revoked immediately upon employee termination or reassignment. Too often these forgotten chores are relegated to after-the-fact IT administration, which allows users to access resources beyond their rightful boundaries.

Rule 3:  Do something to contain the applications and data on the device.

Whether the approach is with containers, cloud hosting, server-based computing or something else, it is really important to try to “contain” the applications and data accessed from the mobile device. Risk is created when users sync data directly to the device’s storage or install applications directly on the device to access corporate data. Password and other security measures prevent unauthorized access, but allowing applications, credentials or data to be stored directly on the mobile device allows those things to interact with other things on the device.  Containers, hosting and server-based computing models keep the applications and data within secured spaces, often not even storing essential items on the device but only accessing them via the device. This allows the business to provide users with the access and functionality they need to do their jobs, but also reduces the vulnerability of applications and information assets.

Rule 4: Keep device software up to date and download fewer apps.

Updating mobile device operating system versions and release levels is important to make sure the device has the most current security patches and threat protection.   Some mobile OSes even have capabilities which can help keep personal and work apps separated.  Limiting the number of apps users can download to their devices should also be considered. Users may randomly download and install applications to their devices with little regard for the quality or security of the app, and often accept terms of use without really reading them. Consumer apps from app stores may pose risks to data and the device, so IT should check regularly for problematic apps if the device is used to access the corporate network, applications or data.

Mobile and wireless are in demand

Just about every business has people who use their phones and tablets for some business use, and every one of those mobile devices and the apps running on them could open the door for a hacker, ransomware, data theft or compromise. While there are many benefits to be gained by enabling remote and mobile devices in the business workflow, unrestricted access only creates risk.

Keeping mobile devices secure for business use takes multiple approaches, as there is no single method or solution that works for every situation. Our 4 rules provide a basic foundation for business mobility management, offering a starting point for developing a more thorough and detailed plan.

Make sense?

J