QuickBooks Desktop Enterprise 2024 Security Improvements: Now with 256-bit encryption

Intuit’s release of QuickBooks Enterprise and the other desktop editions for 2024 brings a variety of new features, and among them is an improved level of security for your business data. Upgrading from 128-bit encryption, QuickBooks Desktop 2024 now uses AES 256-bit encryption.

256-bit encryption is the strongest and most robust encryption standard commercially available. It’s widely used because it’s virtually impenetrable to brute-force attacks. A 256-bit cipher uses a 256-bit key to encrypt and decrypt data: plain text is converted to ciphertext, and the encryption key is required to decrypt the data and return it to readable plain text.

256-bit keys are used in most modern encryption algorithms, protocols, and technologies, including AES in wireless security, processor security, file encryption, and SSL/TLS.

According to Intuit, “You can be confident your data is protected with our enhanced security using industry-leading AES 256-bit encryption. QuickBooks safeguards your reputation by protecting critical customer and vendor data, such as business financials, banking information, and credit card details.

This means we translate your information into a code that only we can read to make sure only you and Intuit have access to your information. The type of encryption we use is called AES-256 (Advanced Encryption Standard with 256-bit keys) and it ensures the highest level of cryptographic security.”

With a series of robust security steps and a complex 256-bit decryption key, AES 256-bit standard is nearly impossible to break using brute-force methods and has been approved for the handling of confidential data by the U.S. Government.

A brute force attack is when a hacker tries different combinations until they arrive at the correct combination – the key. The larger the key size, the more difficult it becomes to break the encryption. We’re talking about 256-bit keys. There are 115,792,089,237,316,195,423,570,985,008,687,907,853,269,984,665,640,564,039,457,584,007,913,129,639,936 (that’s 78 digits) possible combinations. Even if you use Tianhe-2 (MilkyWay-2), which was the 4th fastest supercomputer in the world in 2022, it will take millions of years to crack 256-bit AES encryption.

In case you’re interested: the fastest supercomputer in the world, as ranked in June 2023, is Frontier, an HPE Cray EX system run by the US Department of Energy. Frontier incorporates 3rd Gen AMD EPYC™ CPUs representing 8,730,112 cores that have been optimized for high-performance computing (HPC) and AI, with AMD Instinct™ 250X accelerators and Slingshot-11 interconnects. Its HPL benchmark was 1.194 EFLOPS (exa – 1 quintillion – floating point operations per second) (via networkworld.com). Frontier is faster than Tianhe-2, so breaking the key could take a little less time.

Breaking encryption with no known flaws is kind of like guessing a password. If you make enough guesses, you might eventually get the password right. With strong encryption, this can take a long time. AES-256 is the most secure version of AES and is virtually unbreakable by brute force based on current computing power. It’s also considered quantum-resistant, which means that quantum computers aren’t expected to crack the cipher.

How long would it take to crack 128-bit encryption using a brute force attack? Most security professionals would answer “1 billion years”, but that’s just an estimate. A machine that can crack a DES key in a second would take about 149 trillion years to crack a 128-bit AES key. According to researchers, with the right quantum computer, AES-128 would take about 2.61×10^12 years to crack, while AES-256 would take 2.29×10^32 years. For reference, the universe is currently about 1.38×10^10 years old, so cracking even an AES-128 encryption with a quantum computer could take hundreds of times longer than the universe is believed to have existed.
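To put the key-size figures above into numbers, here is an added calculation (not from the original post or from Intuit) that estimates exhaustive-search time for 128- and 256-bit keys at Frontier’s quoted HPL rate, and the square-root reduction a Grover-style quantum search would give. The one-key-per-FLOP rate and the per-iteration quantum rate are assumptions stated in the code.

```python
"""Brute-force key-search estimates for AES-128 and AES-256 (added example).

Assumptions, none of which come from the original post:
  * every floating-point operation of the supercomputer tests one candidate
    key (wildly optimistic for the attacker, since one AES trial costs far
    more than one FLOP), so the times below are lower bounds;
  * a quantum attacker runs Grover's algorithm, which needs roughly
    sqrt(keyspace) iterations, and we pretend each iteration runs at the
    same rate, which is not realistic but shows the scale.
"""

SECONDS_PER_YEAR = 365.25 * 24 * 3600
FRONTIER_HPL_FLOPS = 1.194e18    # HPL figure quoted in the post for Frontier
UNIVERSE_AGE_YEARS = 1.38e10     # age of the universe quoted in the post


def key_space(bits: int) -> int:
    """Number of distinct keys of the given length (2**bits, exact integer)."""
    return 1 << bits


def expected_classical_trials(bits: int) -> int:
    """Exhaustive search finds the key after half the key space on average."""
    return 1 << (bits - 1)


def grover_iterations(bits: int) -> int:
    """Grover's search over 2**bits keys needs about 2**(bits/2) iterations,
    i.e. it halves the effective key length (AES-256 -> 128-bit work)."""
    return 1 << (bits // 2)


def years_to_search(trials: int, trials_per_second: float = FRONTIER_HPL_FLOPS) -> float:
    """Wall-clock years to perform `trials` key tests at the given rate."""
    return trials / trials_per_second / SECONDS_PER_YEAR


def universe_multiples(years: float) -> float:
    """How many times the age of the universe a duration is."""
    return years / UNIVERSE_AGE_YEARS


def report(bits: int, trials_per_second: float = FRONTIER_HPL_FLOPS) -> dict:
    """Collect the figures for one key length."""
    classical = years_to_search(expected_classical_trials(bits), trials_per_second)
    quantum = years_to_search(grover_iterations(bits), trials_per_second)
    return {
        "bits": bits,
        "key_space_digits": len(str(key_space(bits))),
        "classical_years": classical,
        "classical_universe_ages": universe_multiples(classical),
        "grover_years": quantum,
        "grover_universe_ages": universe_multiples(quantum),
    }


if __name__ == "__main__":
    for b in (128, 256):
        r = report(b)
        print(f"AES-{b}: key space has {r['key_space_digits']} digits; "
              f"classical search ~{r['classical_years']:.2e} years "
              f"({r['classical_universe_ages']:.2e} universe ages); "
              f"Grover-sized search ~{r['grover_years']:.2e} years")
```

Note that under these optimistic assumptions a Grover-sized search of AES-128 finishes in seconds while AES-256 still needs trillions of years, which is why the post calls AES-256 quantum-resistant.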

While Intuit is improving the security of the information it stores and transmits between its systems, your company should be equally concerned with the security and protection of all your business applications and data. Using strong password policies, multi-factor authentication, and SSL for secure web app access, Noobeh’s QBonAzure services provide layers of protection on top of the $20Bn in security investments made by Microsoft.

We take data security seriously, providing solutions to address access, security, privacy and protection for business applications and data. When your QuickBooks Enterprise deployment needs a solid foundation that offers agility and performance as well as strong platform security, we have that.

Visit MendelsonConsulting.com/cloud to learn more.

Make Sense?

J

Better QuickBooks Hosting: Noobeh Cloud Solutions on Azure Help Businesses Avoid Data Loss, Improve Application Performance and Implement QuickBooks Integrations

They said back in 1999 that the desktop was dead, but desktop software is far from gone. In fact, application hosting services for products like QuickBooks desktop editions just keeps growing in popularity because it delivers the access, mobility and managed services businesses need.

Service providers have been hosting QuickBooks for years, and I’ve been right there all the way, ever since the model was originally developed. In fact, the company I worked with is still selling that original service model today while many other providers have come along to follow it and take advantage of the opportunity.

Using the cloud to support accounting and other business processes makes a lot of sense, and the best part is that it doesn’t require businesses to adopt the online versions of the software, which just don’t work as well. I have a background in accounting, so I understand the issues of working remotely with clients, when the business is done in one place but the accounting is done in another. And I love the technology and finding ways to make it easier and more efficient to get small business accounting done.

The benefits of using hosted QuickBooks services are many.

Anytime/anywhere access and fully-managed service are among the most obvious benefits for QuickBooks desktop users, but the advantages of centralized information and applications, secure support for mobile and remote workers, and real-time integrations and analytics capabilities can be transformational for the entire business. Having the means to affordably extend applications to the entire workforce and keep everyone working with the same data in real time can become the foundation for improved processes, greater efficiency and better business performance.

Among the key benefits of the application hosting model is the fact that businesses are not forced to adopt software subscription services or invest their data in web applications that do not provide the functionality or features required. Even more, the business can elect to move their hosted system back to in-house computers, because the hosting is simply an alternative platform for running the software the business owns. You can take your ball and go home if you don’t want to stay.

With all the benefits of hosting QuickBooks, there are also risks involved, especially when working with shared hosting platforms.

Shared hosting platforms are architectures where the service provider spreads the cost of their infrastructure across many customers to help keep the costs down. Using conventional technologies to create divisions between customers on servers, networks and so on, service providers can deliver at a lower cost when they are able to generate revenue from lots of customers for the same pieces of equipment. As more customers are added, more servers are joined into the network. After a while, there are many servers handling the customer load.

Unfortunately, the greater the number of servers, the more complicated and costly it becomes to update the platform. This is among the reasons why many service providers have aged platforms, with server operating systems that are going out of support and offering only legacy desktop views. In addition to compatibility and modernization, a big problem with allowing the platform to age is that it becomes less secure and more difficult to keep protected.

Protecting against disaster is not the same as doing backups.

Many hosted QuickBooks customers have been faced with the ugly reality that their service provider backups are not enough to recover from disaster. This is largely the fault of the providers and is somewhat by design. Businesses hosting their financial and other business applications and data want to know that their information is safe and secure. Performing data backups is part of the promise of protecting customer data, so most customers believe that their service provider is backing up in a way that ensures the data can be recovered.

What most hosting customers don’t understand is that the provider backups are there to help the provider recover from disaster and not necessarily to get the customer back where they were.

Hosting companies know that they need to do backups so they can support customers when files get deleted or become corrupted. Hosting companies typically do regular backups of customer data, but they do not necessarily retain individual backup data sets and they often backup all customer data together. This means that the backup data is constantly being updated, and that fully restoring the data of just one customer may be problematic. Service provider backups are there to support the continued operations of the service provider and may not provide the level of archive or retention needed by the customer. Just to make sure their data is safe and recoverable, I strongly recommend that clients keep any hosted data archived in at least one other location off the host’s platform.

In just the past year, outages caused by malware have been experienced by service providers Cetrom, Skyline, Cloud9 and Insynq, demonstrating just how devastating an outage can be when the service provider doesn’t have adequate protections in place.

In many cases customers lost data because the service provider wasn’t able to recover it from compromised or nonexistent backups. Suggesting that customers should have their data backed up locally is never part of the marketing or onboarding with the QuickBooks host, but it is often the fallback position in times of trouble.

Perhaps the most troubling aspect of these provider failures is that many of the problems stem from the shared nature of the platform.

When we first started building QuickBooks hosting services the hardware and software to make it work was terribly expensive. To approach some level of affordability, a shared platform approach was developed. This allowed the service to scale while offering a lower cost of service to customers. When the services were initially developed, there was concern about protecting from viruses and Trojans, but the nature of malware in the wild was not nearly as troublesome as it has become. Things were manageable.

But technology has evolved and so have the threats and bad actors.

The smarter bad guys should be forcing platform providers to reconsider their shared management and delivery models.

Affordable computing resources are available from platforms like Microsoft Azure and Amazon AWS, offering small businesses the opportunity to have not only powerful and scalable platforms for their business IT, but also offering a means of operating privately. Not being forced to operate in the same network or on the same VMs as other companies means not having to worry about the behavior of other people or applications in your business network. It also means that the focus is on recovering your system if disaster strikes, not on recovering the systems of hundreds or thousands of other businesses at the same time.

Considering the move to a more private cloud hosting solution is an important way to reduce risk and improve IT performance for the business.

When business systems were in-house, the networks were private and no other businesses were sharing the servers. Moving to the cloud should not radically change that profile, and should offer customers the same privacy from outsiders and the same flexibility to implement whatever applications the business needs.

The Microsoft Azure platform provides this capability and businesses can benefit without compromising the budget. With private accounts on the Microsoft Azure platform, our customers are able to take advantage of the current and emerging technologies while safely and affordably supporting their business requirements, which is something the shared platforms fail to offer.

Make Sense?

J

4 Rules of Thumb Regarding Passwords and Authentication

Many people believe passwords are dumb. They store their credentials for easy login, or maybe even leave the password blank if the app allows. For IT managers, forcing users to come up with a strong, unique password is definitely not an easy task. Resting on convenience over security, many people would prefer to use familiar names and dates or simple phrases they can remember. Even when IT departments try to enforce best practices there is often a struggle between honoring those standards and influencing user behavior.

Relaxed password standards allow users to set passwords that may be as easy to guess as they are to remember, and very strict requirements for strong and complex passwords often result in users storing passwords in document files or on post-it notes on the monitor. Setting password standards and managing the policy implementation requires a balance between usability and security, but more often than not the balance skews toward simplicity. Yet passwords aren’t going away any time soon, even while biometrics and multi-factor authentication methods grow in prominence.

It is most likely that new technologies and standards will be combined with passwords to protect critical data. Using only a password to protect information may not be the ultimate in security, but it is important to recognize that passwords remain a key element in any security model. For now, passwords should be as strong and unguessable as possible. As technologies and standards rise up to meet the demands of users as well as enterprises, there are likely to be changes in how passwords are used. Here are 4 rules of thumb to consider regarding passwords and where authentication technologies are going.

1. Your face might be your password.

Biometrics won’t fully replace passwords right away, but the use of biometric data for authentication is growing rapidly. Face recognition, fingerprinting and voice identification are all being employed as authentication mechanisms, and users are embracing the technology because it is easier to use than a remembered password. Smartphones and PCs have sensors for reading fingerprints, cameras for seeing faces, and microphones for hearing your voice. Many systems are also now able to use geodata with the biometric data (matching person to place), making it harder to compromise an identity while also being less disruptive to the user. While the technology isn’t foolproof, it represents a major step towards creating more secure systems without placing the responsibility strictly on the user.

2. Two pieces of ID are better than one.

The point of multi-factor authentication is that there are two different pieces of evidence a user must present in order to gain access. For example, a password may be the first piece of evidence presented, with a pass code sent to a mobile device as a second. Even as biometric authentication grows in prominence, industry participants recognize that no single method covers all the bases all the time. Multi-factor authentication is gaining in prominence as users become more familiar with the methods and the implementations become less intrusive. AI may also influence how these systems are applied. As user behavior and transaction parameters are “learned”, systems can identify activities that fall outside of normal routines and additionally prompt users for single-use pins or passwords sent to their mobile device.

3. Businesses should learn from past mistakes.

With news of hacking, ransomware and malware being daily fare, companies and their users are realizing that password security really is important and are stepping up their security efforts. The information is available to help prevent businesses from making the same mistakes that others have, offering worst case scenarios aplenty to learn from. Using default passwords and recycling passwords across work and personal accounts, using unsecured network connections, not encrypting files that contain password information, and failing to patch or update systems and software are entirely preventable situations that put information at risk. Taking the reports seriously and identifying mistakes to avoid is highly useful in designing security for the business.

4. There’s a growing ecosystem for authentication.

With the number and type of systems requiring authentication – from industrial control systems to dating websites – there is a great and growing need to find highly secure methods of authentication that are actually usable for the user. Even in the world of blockchain there is a need for “identity assurance” and confirmation when documents or biometrics are captured via smartphone. Fast IDentity Online (FIDO) is a set of security specifications for strong multi-factor authentication, developed by the FIDO Alliance. The FIDO Alliance includes members such as Google, Aetna, Amazon, Microsoft, Bank of America and Samsung, and developed the spec as an initial basis for standardizing authentication across platforms and systems at the client and protocol layers.

Technology is changing rapidly and solutions once reserved for government and large enterprise are now entering mainstream consumer use. You’ve probably already noticed that banking and other apps are employing the use of fingerprint and other biometric data with increased frequency as users demand easier access to applications and features from their smartphones and other mobile devices.

These technologies sometimes replace traditional password entry as the primary means of authentication or augment password use in some manner. Even MasterCard has announced a component in its payment card solutions that allows users of next-gen payment cards to register their fingerprint data on their credit card.

The push is to allow users to interact with their tasks without putting up barriers to access.

A combination of usability and enhanced protection, the new standards are developing to address not just system security but identity verification for various purposes. Corporate information must be secured and so must personal identity information; simply read the news to understand what can happen when digital identity information gets compromised.

Whether the data is business or personal, keeping hackers and bad actors away from it isn’t easy, so strengthening the most basic first layer of protection – the password – is the best place to start.

Make Sense?

J

4 Rules of Thumb for Better Mobile Device Security

Security threats are everywhere, lurking in alleyways and around corners and even in your favorite coffee shop. Yet mobility is in demand, and people will use their smartphones and other mobile devices because it’s convenient, even if company policy advises against it.

This is a big deal for IT and security professionals and CIOs, which is why it took a while for IT to recognize the need to address mobile device security rather than simply deny mobile device use. With data breaches, ransomware attacks, hacks and information leaks happening on an almost daily basis, businesses must find ways to protect their valuable applications and data from loss or misuse while at the same time enabling mobile device use.

The following 4 rules of thumb are not comprehensive, but they are essential guidance for business owners addressing mobility management and security within their organizations.

Rule 1: Make sure there are clear mobile device use policies and support them with ongoing administration and strict enforcement.

I can’t say enough about having good security and mobile device policies, keeping them modernized and relevant, and actually enforcing them. Too many businesses say they have a “security and use” policy in place, yet it is outdated and doesn’t reflect the actual tools or processes currently in use. Even more frequently a business will develop a policy just to say it has one, but won’t actually train workers or enforce compliance.

Rule 2: Require and enforce strong passwords, manage access in real time, and force password changes with some frequency.

It is essential that all user access to applications or data be controlled at minimum by password-protected logins to the device and corporate resources, coupled with periodic forced password changes. Users often prefer to not require passwords or other authentication for device access, but corporate policy should not only require them but also enforce their use. Also, user access should be managed in real time, meaning that any aspect relating to access should be disabled or revoked immediately upon employee termination or reassignment. Too often these forgotten chores are relegated to after-the-fact IT administration, which allows users to access resources beyond their rightful boundaries.

Rule 3: Do something to contain the applications and data on the device.

Whether the approach is with containers, cloud hosting, server-based computing or something else, it is really important to try to “contain” the applications and data accessed from the mobile device. Risk is created when users sync data directly to the device’s storage or install applications directly on the device to access corporate data. Password and other security measures prevent unauthorized access, but allowing applications, credentials or data to be stored directly on the mobile device allows those things to interact with other things on the device. Containers, hosting and server-based computing models keep the applications and data within secured spaces, often not even storing essential items on the device but only accessing them via the device. This allows the business to provide users with the access and functionality they need to do their jobs, but also reduces the vulnerability of applications and information assets.

Rule 4: Keep device software up to date and download fewer apps.

Updating mobile device operating system versions and release levels is important to make sure the device has the most current security patches and threat protection. Some mobile OSes even have capabilities which can help keep personal and work apps separated. Limiting the number of apps users can download to their devices should also be considered. Users may randomly download and install applications to their devices with little regard for the quality or security of the app, and often accept terms of use without really reading them. Consumer apps from app stores may pose risks to data and the device, so IT should check regularly for problematic apps if the device is used to access the corporate network, applications or data.

Mobile and wireless are in demand

Just about every business has people who use their phones and tablets for some business use, and every one of those mobile devices and the apps running on them could open the door for a hacker, ransomware, data theft or compromise. While there are many benefits to be gained by enabling remote and mobile devices in the business workflow, unrestricted access only creates risk.

Keeping mobile devices secure for business use takes multiple approaches, as there is no single method or solution that works for every situation. Our 4 rules provide a basic foundation for business mobility management, offering a starting point for developing a more thorough and detailed plan.

Make sense?

J

Centralize and Secure Business Applications and Data

The portable computer is an essential business tool for today’s mobile workforce, having the power and portability to meet the demands of executives and professionals working away from the office. While executives and mobile professionals get the applications and data they need to keep productivity high, carrying business data on devices outside the network introduces significant business risk.

There are studies which estimate that as much as 80% of the data a small business owns (data like customer files, contracts, product information and financial data) is copied to or stored on portable computers. When valuable business data is lost or stolen, the business can be exposed to a variety of problems – loss of revenue being just one. Losing track of business data can create legal issues, too. Customer privacy may be compromised, sensitive information could be exposed, or confidential plans might be made public if a business doesn’t take the right steps to secure its data.

It isn’t just the possibility of loss or theft which increases risk when data is copied to portable computers – the increased vulnerability of the information sits with the likelihood that the user will access unsecured networks, launch non-corporate applications, access private email accounts and perform other non-business related tasks with the computer, because they have more access than with a fully secured corporate in-office desktop. User behavior is often what puts corporate data and assets at risk, regardless of the policies that might define correct and acceptable procedures. It is very easy for workers to unknowingly lose and leak data, and when the data is present on the portable computer it gets even easier.

A 2014 study commissioned by Cisco Systems found that employees around the world continue to engage in “risky” behaviors that put business and personal information at risk:

  • The majority (70%) of surveyed IT pros believe that as many as half of their data loss incidents are due to authorized program installations
  • 44% of employees share work devices with others without supervision
  • 39% of IT professionals have dealt with employees trying to access unauthorized parts of the company’s network
  • Almost half of the employees admitted to copying data between work and personal computers when working from home
  • 18% (up to 25% in some regions) of employees shared passwords with their co-workers

Companies must not only protect their data for their financial well-being, but must recognize their legal obligation to protect much of the information, as well. The risk extends beyond the walls of the enterprise, to vendors and customers and consumers whose information may be stored in the company data. Additionally, portable computers exposed to malware and virus attacks are likely to pass the bad code to other systems they come in contact with, introducing not just risk for the recipient but liability for the infected laptop owner.

Where mobile computing brings huge advantages to today’s business, owners would do well to consider the benefits of enabling mobility through the use of server-based and hosted computing models. Rather than installing software and copying data to PCs and mobile devices, workers should be able to access a central system where the applications actually run. IT management is more efficient and security is easier to enforce when applications and resources are contained exclusively within the corporate boundary, even if they are accessible from outside it.

Virtual desktop and remote application solutions offer features that address a variety of potential risk factors as well as enabling improved management and security of IT assets. Centralizing and securing applications and data resources at the server allows businesses to deliver the mobility and functionality users need while enabling the information security and management the business demands. This is a foundation upon which remote desktop and remote application technologies were built, allowing users to have real-time access to applications and data with full functionality and desktop modality, but without the requirement to install, manage and secure applications and data on the individual devices.

Make Sense?

J

Confusing Value Propositions: Cloud Platforms and Hosted Applications

When a service provider is in the business of selling computing resources – like bandwidth, processors and memory, and disk storage – it makes a lot of sense to also leverage the value of software products and systems which drive consumption of computing resources. In short, they market and sell software that runs on the platform in order to get folks to buy the platform, no different from selling desktop and server software in order to sell the hardware to run it. It’s just that these days the hardware and networking components are often referred to as the “platform” or maybe “the cloud”.

Let’s face it… cloud computing platforms are just no fun if there’s nothing to run on them, and a hard drive has little value when there isn’t anything stored on it. Once there is something there – an application, data… something – then the part has actual value in terms of driving revenue. This is the difficulty and the basis for confusing value propositions when it comes to offering and delivering services in the form of a hosting platform. Once again: platforms are just no fun if there’s nothing to run on them. Is the value really in the applications, not the platform? Or is the value in the platform, because it’s necessary for running the applications?

The truth is that both are essential parts of the entire “solution”, and the value of how the solution is packaged and offered is purely up to the purchaser to determine in terms of applicability to the business. When it comes to hosted application offerings for businesses, there isn’t a single one-size-fits-all approach that will work. Sometimes people want to purchase from different vendors and put their own solutions together, and sometimes folks want turnkey delivery of whatever they need. Even channel partners and value-added resellers are finding that, with diminishing margins and aggressive competition prevalent in the market, removing the time-consuming aspects of solution delivery becomes paramount to achieving some level of profitability on the work.

What this means is that providers are looking for ways to increase the overall value and usability of their solutions, and when it comes to platform services there are only two directions to look: automation to support self-service, and application software delivery to drive consumption and usage on the hosting platform.

So now we’re back to the applications again. There’s no way to avoid them, but there’s no great way for platform companies to engage with them, either. Working with business application software is sometimes complicated, often annoying, and can be exceptionally time-consuming and resource intensive. And there are few licensing models which make it really easy for hosts and ISVs (Independent Software Vendors) to work together. Then, of course, there is the desire for exclusivity on one side or the other.

Software companies don’t generally want to select a single platform provider for their software for a very simple reason: they don’t want to limit their potential user base.  Now that Windows platform is available just about anywhere – on local computers, on mobile devices, from platform and infrastructure hosting providers – how does the ISV make a decision on a single delivery channel or model or provider?

Some lean towards working with hosting providers to create branded, point-deliveries of the application.  Too often, however, this approach removes the ability for customers to benefit from other applications or integrations, eliminating some of the value of the solution and certainly curtailing benefits for integrating partners of the ISV.

Host it themselves? The last thing most software developers want is to be responsible for hosting and maintaining some other guys’ software products; they have enough to worry about with their own offerings. If the solution is standalone, maybe this approach works. But there are few solutions made for the desktop which don’t have some strange integration point with MS Office apps, Adobe Reader, Internet browsers or other things prevalent on the user desktop.

There isn’t any proven or easy path for software developers, IT suppliers or small business customers looking to create mobility and managed subscription service around desktop and server applications, and there is likely never going to be a single story line that all will follow. This is among the reasons for the popularity of the “hybrid” cloud approach and growing importance of managed application hosting and ISV-authorized delivery models. Yet even key providers in those areas have a tough time really communicating what they do in a way that is meaningful to the buyer. Are they selling a platform, applications, or both? Folks in the industry know the jargon and how to use it, and are often skilled at adjusting their language in order to obfuscate or confuse certain sticky issues regarding software licensing in the cloud and other similar aspects of hosting. It’s no wonder that many customers remain confused as to what, exactly, they’re being asked to buy, and where the lines of flexibility and responsibility are drawn.

The applications justify the platform, and there are possibly multiple platform approaches to delivering the app. It is a confusing situation for business buyers of IT as well as for their resellers and suppliers, and the increasing number of options for how businesses approach purchasing and using information technology makes it unlikely that the process will become as simple as some suggest.

Make Sense?

J