Compliance and the Cloud

I’ve talked a LOT about cloud computing, mostly pointing out the issues that are not yet resolved. Sometimes I feel like a contrarian, but the fact is, the mainstream media is focused on presenting the ‘next big thing’ and little things like facts and concerns are not going to get in the way.

To be sure, cloud computing is here to stay, and is destined to be a large part of the future for IT, but it is certainly not the whole picture. And, as I have stated, there are still issues to resolve (read prior posts). What I want to talk about today, however, is one key topic about which there may be confusion (or just a lack of information): data compliance.

There seems to be some belief that cloud computing will solve compliance issues. Just move your data to the cloud, and those pesky, expensive compliance issues are someone else’s problem, right? Well, no, they are not. And worse yet, they are not yet manageable problems. There are two key points with regard to data compliance that you should consider if you are thinking of a cloud computing initiative:

1. You really won’t know where your data is, and in many cases with large providers, they won’t either. Data laws may differ regionally, and the fact is, where the data itself resides may have legal consequences. Most laws are written with the assumption that the data ‘owner’ has control over the location of, and decisions around, their data. This is a fundamental flaw in thinking when it comes to cloud computing, where even the provider may not be able to tell you where your data is, or even what region it is hosted in.

2. Cloud providers are not able to provide for your compliance because the simple fact is, they don’t know what data they are hosting, or how it is used. They are only looking at providing a medium to store and retrieve at this point. They can’t possibly know (and deal with) any legal compliance issues surrounding that data.

I believe that these can be real deal breakers. In time, providers are going to have to start understanding this need, and dealing with it. Providers will start ‘productizing’ their offerings to include specific compliance packages for specific uses. Costs will go up, and some of the ROI of cloud computing will be watered down relative to the costs of hosting internally. In fact, depending on the complexity and importance of various data compliance issues (take HIPAA as an example) I believe it will prove more cost effective to retain control and ensure compliance, and a quick risk/reward analysis will show the cost of a major compliance breach.

The problem with new technology advances is that the capability of technology to solve issues surpasses our ability to really think through the unintended consequences. A small medical office goes to hosted Exchange only, knowing that hosting their medical records may not be the right answer for them. They attach documents through emails and… oops, now they have a HIPAA compliance issue, as they can no longer assure that those records are secure. In fact, they don’t even know who can access those files, or where they are stored.

Many things to think about, and many things to talk to an IT pro about!

Happy Computing!

Richard Brunke

Posted on September 14, 2010 at 10:49 am by Richard Brunke
In: Uncategorized

Partially Cloudy With a Chance of Frustration

This week, the Microsoft BPOS Cloud Suite (their cloud based offering for Exchange, SharePoint, Office Communications Online, and Office Live Meeting) experienced intermittent access to the data center (thus intermittent access to their apps) over a two hour period between 8:30 a.m. and 10:45 a.m. Eastern Time.

In other words, for those that have moved to these cloud based applications, for about two hours they could not be productive, assuming that email or SharePoint, for example, were critical to their productivity (I know email is critical to my productivity, and that of my company).

This service comes with a 99.9% uptime guarantee. Well, that gives them about 2 hours a year of downtime, and that’s all been used up. The problem is, of course, that 2 hours does not seem so bad until it happens in the middle of a busy day, or during peak order times, etc. The other problem, of course, is that it is completely outside of your control.

Does this mean that cloud computing is doomed to failure? No, of course not. It is just a reminder that cloud computing, like any other IT choice, has its advantages, and its risks, and these should be thought through carefully and realistically. It continues to be my belief that cloud computing has a number of hurdles to overcome, most of which it will, given time. However, IT departments and business users need to continue to understand what all the issues and options are before making a choice to go to the cloud.

That way, every surprise can be a pleasant one.

Happy Computing,

Richard Brunke

Posted on August 24, 2010 at 7:27 am by Richard Brunke
In: Business

Employees Asking For iPads?

Since its inception, the iPad has garnered no shortage of attention. It most certainly is a fantastic device with broad appeal and a wide variety of useful functions.

The question is, is this a business device worthy of investment? Will it increase productivity for your employees?

I’m going to start off with my answer right off the top instead of keeping you waiting. No, the iPad is not a natural laptop replacement, and it is not likely a smart investment for most businesses at this time.

Not to say it is not a great device, but it is a device pointed at the consumer market for mobile entertainment and social networking. The following is a list of the issues I see in using this as a core business device:

  1. No built in printing capability. You need to buy an app to print. Granted, that is a reasonable workaround, but integrated printing would be a primary feature of any device that is intended for business.
  2. Availability and compatibility of business applications. The vast majority of applications for the iPad are for personal use, not business. Key line of business applications are most likely not compatible.
  3. Device is not designed for heavy typing. Business use would require adding an external keyboard, which then becomes awkward for moving about and storing. Multiple unattached devices are not convenient. Better to use a small notebook computer at that point.
  4. No Flash support. Many websites and other presentation type materials use Flash.
  5. Wireless only, no wired office support. Not a huge deal, but if your office is not wireless, it will be.
  6. Not file centric, but document centric. The way we think about computing in the office is at the document level. PCs are set up around documents that then launch the application. This allows us to focus on the content, not the application. Mobile devices are application centric, which means you open the application to get at the files. While subtle, this becomes an issue when dealing with multitudes of files and file types during the course of a day.

Is this to say that an iPad is not worthy of purchase for business use? No, of course not. It can be a great addition to the tool set of any employee, as long as you understand it is not going to replace other workplace tools such as the laptop, but will be in addition to them. One of my employees purchased one for personal use and says that it is very handy for showing diagrams and brief presentations with clients. Could also be done on a laptop screen, but the flat device is easy to sit around and look at for quick presentations with small groups. He also admits that it is not a great business tool for him beyond that.

So, the final call for me is to hold off on iPad purchases for business as an investment, unless it is an investment in employee satisfaction, as surely your employees would enjoy having such a device. Just don’t expect productivity to increase, or other equipment costs to decrease. Considering that the tablet is just coming into its own, it is a certainty that most, or all of the above issues will be resolved by one product or another in the years to come, and that tablet devices will become a routine and required part of business in the future… but not yet.

Until that time,

Happy Computing!

Richard Brunke

Posted on August 17, 2010 at 8:41 am by Richard Brunke
In: Uncategorized

Mobile Device Security

I recently wrote an article for the WSCPA (Washington Society of CPAs) about Mobile Device Security. The article was not focused on the newest device flaw, or any particular fan-boy approach to the best or the worst device, but included a general approach to treating mobile devices with the same care you give towards managing laptop users.

Perhaps in the future I will re-post the entire article, but for now, here are the key points to developing a policy for mobile devices:

  1. Require that passwords be used. Password protection is a standard feature of mobile devices, yet few users utilize it as they find it inconvenient. This simple step is the most effective way to ensure the data on a device stays secure until it can be remote wiped.
  2. Turn on encryption! All the common devices have the ability to transmit data in an encrypted fashion, so make sure this is turned on with any device being used for email!
  3. Enable remote wipe! Ensure that your IT department gives itself access to every device so that they can remote wipe any lost or stolen device.
  4. Be clear on intellectual property policies! Business email and data transmitted to mobile devices is indeed intellectual property, and mobile device users must have clear policies outlining this fact, so that they understand the rights of the company to secure that data.
  5. Turn Bluetooth to hidden mode. Limit exposure to hackers who may discover your device if it is in default always on and discoverable mode.
  6. Have an acceptable use policy for applications. Applications are a big part of what owning a mobile device is becoming about… but they also can create a lot of issues, and they may present specific security risks. These applications can enable data theft, password theft, or other issues. If someone wants corporate data on their personal device, they may have to submit to some controls over what types of applications they run. If you are concerned about security, it may be important to limit the ability to load applications, or to require that applications loaded be vetted by IT first, as you can’t trust that the various places these come from (iPhone store, etc.) can properly police all the applications presented to ensure that they don’t harbor malicious code or spyware.

Happy (mobile) computing!

Richard Brunke

Posted on July 27, 2010 at 7:01 am by Richard Brunke
In: Security

The Catch Up Game

Normally I post about tech trends, but today I want to talk about what appears to be the beginnings of a business trend in the Puget Sound area. The fact is, the gloom seems to be lifting, and IT spend is coming back into the market at levels not seen for a while. Granted, much of this is driven by projects held off for, in some cases, several years too long, but the fact is, the economy no longer feels as much like the great black hole that may swallow businesses whole, and pragmatism is taking hold.

It is very difficult to know in real time where the bottom of an economy is, and when we are heading up or down, but at the end of the day, there are things we have to do to keep the doors open such as pay our employees, pay rent, and keep our computing infrastructure running. And more importantly, there comes a time when we realize that we don’t just want to keep the doors open, but we want to grow and thrive.

My experience is that many smaller businesses stretched their dollars by holding back on IT spend, putting off upgrades and routine maintenance. This generally has little impact in the short term, but has a growing cost the longer you wait. It has become increasingly evident that, while the business environment is challenging, it is still driven by the same requirements it always has been, and that putting off investment will hobble growth, productivity, and competitive advantage.

Due to this, project spend is on the rise, and rather rapidly. It’s the old catch up game as businesses realize that they are overdue for moving off of XP, for moving off of old versions of Microsoft Server or other core applications, and for updating hardware, upgrading networks, etc.

As all of this pent up demand hits the market, it becomes a bit of a feeding frenzy for qualified resources. As you plan for getting the help you need to catch up in IT, ask yourself a few key questions:

  1. Am I ready to increase my fixed costs in IT, or should this be variable project work?
  2. If I am ready to increase long term fixed costs, how do I do so in a way to maximize the quality of support and quantity of support I get for that spend?
  3. Have I kept up on technology offerings to the extent that I can make solid decisions regarding upgrades, changes, and purchases to ensure I don’t waste any money short or long term?

Make sure that you invest in IT the same as you would invest in any other aspect of your business: thoughtfully, carefully, with foresight, and after doing your homework.

This is a great time to slow down a bit and assess where you are in regards to your technology and your business needs. Slow down long enough to develop a plan for your IT spending and make sure you evaluate options. Otherwise, working from old upgrade plans may bring about wasting money on plans which are no longer appropriate from a business and technology standpoint.

It’s been great to see more energy and enthusiasm about IT spend, as it is part of a general increase in confidence in business, and often goes hand in hand with hiring. Just make sure you step back and validate your plans and realize that a small investment in planning now may save you a lot of money over the next few years, and, if in doubt, call us and ask for help!

Happy Computing!

Richard Brunke

Posted on July 12, 2010 at 10:07 am by Richard Brunke
In: Business

Welcome to the new ISOutsource Website

Just a quick note to welcome everyone to the new site. We have been working for many weeks to develop a site that better reflects who we are as a company, what we wanted to tell you, our prospective customers, about us, and how we can help and support you. In many ways, you will see it is really about how you can be a happy, productive and supported computer user.

After all, at the end of the day, isn’t that the only reason you hire an IT provider?

I firmly believe that the more you know about ISOutsource, the more you will understand why we are the region’s largest, and best, provider of outsourced IT services to small to medium business. We don’t sell software or hardware, or engage in any partnerships that put our ability to be objective and independent in our recommendations in jeopardy. That alone sets us apart, and that is just the beginning.

Please look around and read about our approach and how we can help you. I am proud of the site, and love the use of so many photos of our employees! While our approach is unchanged, and our dedication to providing the best service in the industry is unchanged, our site now reflects this in a way that will, perhaps, make these things more visible to those that don’t know us yet. Clearly, I, and the whole team, are proud of what we do, and pleased with our new site and how it reflects our values and objectives as a company!

And, as always

Happy Computing!

Richard Brunke

Posted on July 1, 2010 at 2:27 pm by Richard Brunke
In: ISOutsource News

Who’s on First?

I was reading an article this morning entitled Rogue SaaS Is Alive and Kicking, IT Leaders and I found a few things very disturbing. The basic tenet of the article is that IT has become a bottleneck to line of business decision makers, who are, therefore, simply striking out and making decisions to implement one-off solutions on their own.

I admit, my inner IT manager cringes at the long term implications of the addition of random computer applications being added across an organization without thought of data integration, security, and application interoperability. But, that isn’t really what I want to talk about.

No, the thing that really struck me was that IT is gaining a reputation for not being responsive, for being overly insular and not understanding the needs of the business. I can see how it happens… IT management often finds it easier to simply say ‘you don’t understand’ or ‘it’s not that simple’ and then moves on with their well planned approach to managing the technology bed of the company. You see, the day IT becomes ABOUT technology, it stops being about business, and we end up with this disconnect.

It is imperative that IT managers and departmental members keep one simple thing in mind: technology is a tool to enable business, nothing more. When running IT becomes about the tool, not the use of the tool and the satisfaction of the business users, it is time for a shake up. If IT departments don’t understand the business, and the users’ needs, they can’t design IT systems to serve these users and maximize the success of the business. IT best practices based on technical specs and industry standards may be well off the mark when it comes to what you want for your business, and how those systems support it.

As a business person, I try to never lose sight of what the role of IT is. It is critical that those systems provide the support my employees need to get their job done, and all IT plans should work backwards from business requirements. Any IT plan that does not have a direct tie to the business needs, or any plan that simply does not start with an assessment of the business and an understanding of the needs of the business managers and employees is doomed to long term failure.

Time to let go of the ‘it’s hard’ or ‘you don’t understand’ and embrace a business centric approach to IT. To have the right tools for the job, you must first know what that job is. Sounds simple, and yet, clearly, IT must continue to adjust and understand its role in the function of business. The days of servers and applications being the central hub around which business best practices are built are over.

So, go and spend some time talking to your IT team/provider today, and start evaluating if you truly have alignment between your business goals and your IT infrastructure. Otherwise, you may find yourself with business managers simply making decisions, and IT chasing around issues and cleaning up messes.

At the end of the day, IT is about ensuring users are happy and supported and that businesses are productive.

Happy Computing -

Richard Brunke

Posted on June 22, 2010 at 9:41 am by Richard Brunke
In: Uncategorized

Your Biggest Security Risk You Never Knew About

Sometimes you come across something and have one of those ‘really?’ moments. One would think that there are few big nasty surprises left in the world of digital security. Bad news and new leaks in the same old places sure, but surprises… no.

Well, here is a big surprise for you.

Your digital copier has a hard drive in it and keeps records of all documents scanned, copied, faxed, and emailed. Most every copier built since 2002 has a hard drive and retains this data. Think about the things you copy:

  • Employee files with SS number, driver’s licenses, etc.
  • Medical information
  • Tax documents
  • Personal letters
  • Not to mention whatever body parts were copied at the last company holiday party

And when you are done with that leased copier, or you give away or sell your old owned copier, that content is available to whoever buys it. Apparently we don’t know much about this, but identity thieves have long known of this opportunity. A recent story told of used copiers being purchased with hundreds of pages of medical information, pay stubs and payroll information, and even a list of targets for a major police drug raid.

HIPAA and SoX compliance just went out the door.

There are software solutions such as InfoSweep that will completely wipe these hard drives. Alternatively, before sending off that old copier, have your service person remove the hard drive and give it to you. Pound it with a sledge hammer a few times, drill holes in it, or pound a few nails through it. Any of these will render it useless.

Perhaps most importantly, DON’T ever copy private or sensitive material on a public facility copier! Any document you copy, fax, or email from one of the copy shop machines will leave behind a copy on that machine’s hard drive.

I am somewhat shocked that this is not commonly known, and even more shocked at the implications to compliance and data security. It is a gaping hole in the average company’s data security plans, and really needs to be addressed. Talk to your copier service person, or IT staff or consultant, and make sure that you have options available to destroy data on copier hard drives.

Happy (and safe) Computing!

Richard Brunke

Posted on June 7, 2010 at 7:24 am by Richard Brunke
In: Security

What Do You Need to Know About Software as a Service (SaaS)?

Every now and again I get questions about my company’s position on SaaS, or for opinions regarding how it relates to our clients’ needs and how we will deliver services. I have long held that SaaS will not bring about a fundamental shift in services rendered by IT service companies, and won’t be a market dominating concept for some time.

First of all, from a services standpoint, SaaS moves software from on premise to off premise, but, it does not remove the need to administer that software and to support the users of that software. Many SaaS providers will try to capture those services by bundling them with their offering, but to be honest, that model is likely to involve a lot of off shore labor, and it is my belief that few companies will manage to deliver quality support services, and really will end up focusing on running their hosted applications and data centers. So, when folks ask how our business will be impacted by SaaS, the answer is, we will still do much of what we do today.

Beyond this, however, is the deeper question, and the more interesting side of this conversation: Is SaaS right for me?

Well, I have argued for some time, and wrote a white paper on this over two years ago, that SaaS has limited utility at this point. For very small companies with very simplistic computing needs, SaaS may provide a low cost of entry method to deliver basic applications to your employees. Very large enterprises are also seemingly fascinated with the thought of reducing hardware ownership costs and increasing flexibility by using SaaS for certain applications. However, at the end of the day, there are challenges with SaaS that limit adoption, and they are real, and significant.

And they are the same issues people were talking about when SaaS was just coming to gain visibility a few years back.

  1. Security
  2. Application Integration
  3. Data Migration

From a security standpoint (and more broadly a compliance standpoint), there are unresolved issues around everything from physical security of data centers to a lack of industry standards that companies can develop internal controls and security plans around. Data security is a hot button for most companies, and of course for the clients of those companies. As applications and the data they use are moved off premise, the control of physical security is lost, as is the ability to control the methods by which data is protected from a logical security standpoint. Risks increase, and business owners are faced with uncertainty regarding their ability to protect their intellectual property, as well as their client data.

Integration is perhaps one of the most troubling issues in my opinion. Many applications provide the most value when they integrate to other applications. When you log into your CRM, you expect it to be integrated with your Outlook Calendar. Microsoft Office software is integrated into many other applications, and many companies even have customizations that integrate with key applications to provide competitive advantage. All of these integrations become highly complex when dealing with SaaS, and expensive. When we consider that the entire purpose of our applications and data are so that we can execute our jobs effectively and efficiently, the thought of reducing our ability to integrate key applications and reduce efficiency and productivity seems pointless, and the savings associated with moving to a SaaS model may not be as robust as originally thought.

Finally come data migration issues. This is a similar issue to application integration. If you are attempting to move to SaaS solutions for your financial applications and back office functionality (ERP) or your client and sales management software (CRM), you may find that the cost and complexity of a SaaS implementation goes way up due to the complexity of migrating data. Additionally, data may be coming from data warehouses served by multiple applications, and this adds another integration and data migration issue that is far more complex in a SaaS environment.

The pitch sounds so simple: don’t buy hardware, just pay a simple low monthly fee per user to get the applications you need delivered. It is a great idea, and it may indeed become part of the normal operating fabric of businesses in the next decade. However, there is much to be resolved before this comes true. Keep in mind also that hardware and storage manufacturers are always working to drive down costs and as those costs come down, the argument for savings by ‘renting computing space’ will be reduced.

At the end of the day, it is a balance between cost, control, and required functionality. Today, with relatively cheap storage and computing costs, coupled with unresolved issues regarding some pretty common issues around security, integration, and data migration, I’m of the mind that SaaS is not yet a viable solution for the majority of SMBs. Perhaps if you simply receive email and want your folks to be able to do simple spreadsheeting and simple use of word processing, then it makes sense, but even then, if these applications are delivered through the cloud, what happens when you can’t access the internet? Can any of us say we have 100% uptime with our local internet provider, or that we are confident that if there were downtime, we would be able to function and be fully productive without our key applications available? Just another thing to ponder.

Observe and educate would be my two key thoughts in regards to SaaS. There is value there, but today, there are also a lot of unanswered questions, and when it comes to our businesses and ensuring that we can run them, unanswered questions are not good.

I am optimistic that SaaS will bring value to the market as these issues are resolved, but not convinced that it will replace on premise computing in the majority of businesses any time soon.

Happy Computing!

Richard Brunke

Posted on June 4, 2010 at 7:41 am by Richard Brunke
In: Uncategorized

Is Your iPhone Hackable?

Sometimes we find that new technology adoption rates can greatly exceed new technology maturation rates. In the case of the iPhone, while product is flying off the shelf, there may be some scary flaws needing resolution, and while I doubt any such issues will drive away the legions of fans, it is important to know what the risks are so you can protect your data.

The most recent security flap is, uncharacteristically, not with the new version of Windows, but with the iPhone. Well, the ‘staggering’ truth may not be quite so scary as all of that, but it is an interesting and worthy story nonetheless. Basically, if you leave your iPhone lying around and someone who happens to have a laptop handy running Ubuntu “Lucid Lynx” 10.04 picks it up, they can bypass all security and see everything on your iPhone. Now, while that is sort of scary, it is a bit of a stretch to imagine hordes of potential hackers arming themselves with Linux laptops and hunting around for loose iPhones so they can see your vacation pictures.

Still, Apple needs to plug this flaw in its product. If you own one, don’t panic. If you see any questionable characters with well used laptops eyeing your iPhone while you sit at the Starbucks, don’t panic, don’t call the police, just think of it a bit like your wallet – if you leave it lying on the table, you are asking to lose the stuff in it. This is just another reminder that our mobile devices store things of value, just like our wallets, and deserve at least the same amount of care! Don’t leave them lying around, think about what you are storing on them, and for god’s sake, don’t loan them to Linux OS wielding laptop owners!

Happy (mobile) computing!

Richard Brunke

Posted on May 28, 2010 at 7:45 am by Richard Brunke
In: Security