SOX Spared, Oversight Improved…

Regulations that impact IT (SOX, PCI, FDCC, etc.) are considered by many to be a costly nuisance. However, one could argue that these regulations, which require stringent controls and accountability, have resulted in higher levels of measurable security.

Earlier this week, one of the most well-known regulations (SOX) came under scrutiny by the Supreme Court…specific to concerns around oversight. There was an excellent article published that illustrates the court’s ruling:

http://online.wsj.com/article/SB10001424052748703964104575334771098178714.html?mod=WSJ_hpp_LEADNewsCollection

The following is my summary of the results of the ruling:

1) The Supreme Court has ruled that the SEC now has the ability to remove Public Company Accounting Oversight Board (PCAOB) members “at will”, which represents a very significant change.  Prior to this decision, the only way the SEC could remove a member of the board would be with “due cause”. The importance of this ruling centers around ensuring that the accounting rules and controls that have been established (as it pertains to SOX) are maintained, and enforced – and that oversight is not conducted by the PCAOB…but rather by the SEC.  Thus, the change has created more accountability.

2) In terms of the impact on the SOX regulation, for those that have to comply, it’s business as usual.

Now, had the court ruled on a broader basis, it could have actually forced Congress to revisit the act altogether. Most public companies would jump for joy if SOX went away. However, the practices that have been established to ensure compliance have been a worthy and valuable investment, as they have helped make companies better practitioners, resulting in the prevention of any additional Enrons or WorldComs in today’s business environment.

Dave Eike

Shavlik Technologies


The Continuing Conundrum – Patching Non-Microsoft Applications

Clearly, one of the most important functions performed by any IT organization centers around addressing the risks associated with poorly patched systems. This challenge is further complicated by the sheer number of new vulnerabilities that continue to appear. For years, the process of patching or repairing systems that are determined to be vulnerable has continued to improve, but many organizations still wrestle with the challenge of patching the ever increasing number of non-Microsoft applications found in their environment.

The vast majority of solutions on the market today that claim to do “patch management” fall short of dealing with this continuing conundrum of non-Microsoft application patching. Relying solely on a patching solution that doesn’t fully address the breadth of non-Microsoft applications found in most environments (e.g., Adobe, Real Player, Firefox, etc.) creates a condition of unnecessary risk!

In terms of a solution to this continuing challenge, I’d like to recommend the following:

1)      First, look for a solution that can give you an accurate assessment of your environment’s current patch status – one that is capable of discovering the complete set of Microsoft applications and operating systems, as well as all the most prevalent non-Microsoft products.

2)      Look for a solution that can address any patching requirements you may have relative to any “in-house” developed applications.

3)      Another key element that you should look for in any type of patch management solution centers around the level of automation. The greater the level of automation, the faster the return on investment.

So, if you continue to wrestle with the challenges of patching all those non-Microsoft applications in your environment – there is hope!

Dave Eike

Shavlik Technologies


All Roads Lead To SaaS (Software As A Service)

Software as a Service (SaaS) is becoming much more mainstream these days – and is having a dramatic effect on the software industry. SaaS based applications are now making such an impact (especially at the small and medium sized business level) due in large part to the current economic climate. IT managers continue to face considerable pressure to reduce expenses, while at the same time having to maintain the same levels of service. With this in mind, IT managers are being forced to investigate more cost-effective solutions.

This very situation has created an entrée for cloud based technology, and provided a platform for technology companies to deliver comprehensive, highly scalable software solutions to the masses. Some of the clear benefits associated with the adoption of SaaS based solutions are as follows:

  • Applications & Information Available On-Demand – Anytime, Anywhere
  • Reduced Adoption Risk (Easy To Test and Implement – Without A Great Deal Of Expense)
  • Generally Simple To Setup and Use
  • Cost Effective – Less Expensive To Acquire and Operate / Self Service Acquisition
  • More Frequent Product Enhancements (A Big Plus…!)
  • Application Reliability & Performance (Much Like A Utility; i.e. Electricity)
  • The Way Customers Want To Consume Technology
  • It’s The Way Of The Future…

Cloud computing holds tremendous promise in terms of helping to advance the rate at which applications and services are acquired and deployed. It provides a platform to help increase innovation, and lower the cost of operation – which is of immense value in these challenging times.

An excellent example of this is a new SaaS based offering provided by Shavlik Technologies called IT.Shavlik.com (https://it.shavlik.com/). Considering the ever growing demands on IT to do more with less…the need for new, alternative methods and technologies is critical.

Shavlik developed IT.Shavlik to be a technology platform that offers a very comprehensive set of IT Management capabilities designed to help support the needs of IT, with the ability to rapidly deliver new capabilities that align with the needs of the customer. The approach Shavlik is taking clearly illustrates why SaaS based solutions are the way of the future.

Check out the FREE version of IT.Shavlik.com…I think you’ll find it of interest.

Dave Eike

Shavlik Technologies


Power Management – Immediate Impact!

Today there is a great deal of concern relating to the amount of power consumed by computers large and small. The ability to control power consumption via good power management techniques will not only save energy and reduce CO2 emissions, it will also dramatically reduce the cost to power and cool each system. This can amount to some significant savings!

Example: If you took 500 computers, that were generally left on 24×7, and reduced the time they were left on at night during the week (evenings) to just 3 days instead of 5, and powered these systems off over the weekend…the annual savings would be significant. At $.095 per kWh, the total savings would be $28,321 – with an energy savings of 298,116 kWh. This is significant!

The Value Of An Enforceable Power Management Policy

  • Measurable Cost Reduction – Power and Cooling Costs
  • Save Energy & Reduce CO2 Emissions
  • Enforceable Policy – Customize To The Needs Of The Business

Here at Shavlik we’re going to be introducing new technology that will help IT departments measure their current power consumption…and then create and manage power management policies that should have an immediate impact on the business. This new technology will enable the user to shut down (power off) or put machines into hibernate or sleep mode on an immediate or scheduled basis – thus helping control power consumption. This new technology will also help simplify IT Operations by allowing system administrators to “Wake‐up” machines on the network either on-demand or on a scheduled basis, to assist with scheduled maintenance.

In summary, the development and enforcement of a good Power Management policy can provide immediate and measurable savings – while contributing to Greener IT.

Dave Eike

Shavlik Technologies


Evolving IT…

With the advent of cloud computing, the way information technology professionals go about their everyday tasks is dramatically changing. With the emergence of SaaS – most IT organizations are finding themselves in a role that is quickly evolving. IT services are becoming more of a utility – with the expectation that the services will always be available – anytime, and from anywhere – like electricity. IT is truly becoming more transparent. That said – the functions of IT are the most critical component of any business, because without them – the business cannot function.

As we look into the future – the functions of IT will become more and more automated. The ability to leverage cloud based tools and services – that provide more advanced levels of automation, at a lower price to serve – will be the norm. Today…the average IT administrator can manage 50 users effectively – in the not too distant future…that same individual will be able to manage 1,000 users – due in large part to the impact of cloud based technology. This new paradigm will truly be an enabler for business – allowing the IT professionals of today to shift their focus from the tedious day-to-day tasks – to more strategically important activities.

Dave Eike

Shavlik Technologies


The Changing Fabric Of IT…

The advent of virtualization has changed the very fabric of IT, and has ignited a new era in computing. Virtualization has been a significant catalyst for change – prompting every IT organization to rethink the methods by which they provide computing services to their customers. Today…virtualization and cloud based technologies are becoming much more mainstream, transforming the way IT functions – providing a means of both reducing costs, and driving up efficiency and productivity.

That said…there are corresponding challenges as well. As VM’s continue to sprout up in just about every organization…the dilemma is the ability to manage what’s there. Let me elaborate:

1) Do you know the extent of your virtual infrastructure? VM images that get spun up – that aren’t visible for any reason to IT – present a risk.

2) Are you able to discover VM’s that are offline? A VM image that is maintained in an offline state, and then brought online after an extended period, may be improperly secured.

3) Once discovered, can you quickly assess the current state of the VM’s you’ve now discovered – are they patched and configured properly? The ability to manage and secure these images is critical!

4) Additionally, do you know what software assets have been deployed to these systems…that may impact any current software license agreements?

So…to ensure the proper level of security, and facilitate the management of your virtual infrastructure – you’re going to need the right set of tools. That said, the tool should be both easy to use, as well as comprehensive in what it will discover (virtual and non-virtual machines). It should be able to clearly illustrate:

1) The extent of your virtual infrastructure – including systems that are both online and offline.

2) It should also be able to provide a perspective on the complexion of the risk you might be facing…missing security patches, systems configuration issues, unnecessary services that may be running, etc.

3) It should provide a detailed list of your current software assets – to ensure that you’re not over or under spending.

4) Last but not least…if there are risks that are discovered, the ability to remediate or remove the risks (or vulnerabilities) is critical!

As reference to the above, I wanted to comment on an excellent article I just read that really does a good job of illustrating the challenge I’ve just described – which is the gap between the complex new requirements of virtual machine management and the ability of systems tools vendors to meet them. Enjoy

http://www.information-age.com/channels/data-centre-and-it-infrastructure/perspectives-and-trends/1109528/wanted-management-tools-for-the-virtual–cloud-era.thtml

So…to summarize, the proper tools exist to ensure you can keep your virtual environment in check…and you don’t have to look too far ;-)

Thanks for reading!!

Dave Eike

Shavlik Technologies


Transforming IT…

Over the past 20 years, information technology has made some radical transformations. The Internet has changed the way we work, and continues to provide an excellent foundation for innovation. That said, IT executives continue to look for ways to improve operational efficiencies, reduce risk and save money. Unfortunately, with the day-to-day demands on IT ever increasing, the opportunity to innovate is an ongoing challenge. With competitive market pressures, and the pressures to lower the cost of doing business, IT organizations need to look for ways to transform themselves.

Now what do I mean by transform? Well, most IT organizations today are forced (because of resource limitations) into having to focus on the “blocking and tackling” aspects of IT (Uptime, Help Desk, Operations, Security, etc.). While a requirement, the day-to-day activities consume both time and energy…not leaving much time to dwell on the strategic.

IT is the most important strategic asset (staff, information, systems, etc.) in any organization. Without IT, business can’t operate. That said, IT needs to continue to elevate its level of importance in the organization…and can do so by making time to innovate. This is why I believe IT has to transform itself from the position of service delivery, to critically strategic. This happens when:

1)      The business leaders recognize the strategic importance of IT, and make it a priority vs. purely a necessary expense.

2)      IT is enabled to look inside itself…and look for ways to innovate, and employ that innovation / automation to help re-purpose the “people” assets involved in IT towards more important tasks – tasks that will help advance the position of the business (i.e., Market Share, Revenue, Profitability, etc.)

Allowing IT the opportunity to explore and leverage the concept of innovation will have a marked impact on the capabilities of IT, but more importantly the people involved.

Dave Eike

Shavlik Technologies


Automation – The Impact Point For IT Operations

With ever tightening budgets, and the constant requirement to continue to improve operational efficiency – the impact that automation can have on IT operations is quite dramatic! Considering all the operational elements that have to be considered to provide the proper levels of service to the user community…the injection of automated tools into the process is no longer an option.

For many IT organizations, the solution to the problem has centered around the deployment of a series of point solutions to address the core set of requirements from the discovery and management of asset and inventory data (virtual or non-virtual), the assessment of any potential for risk (vulnerability scanning, patch management, AV…), as well as performance management and monitoring…just to name a few.

This approach, while acceptable…does not promote what I would categorize as “aggregated efficiency”. Trying to evaluate the condition or state of your environment by collecting (independently) the results derived from various point solutions is OK, but not the most efficient way to address the day-to-day challenges of managing an IT environment. In order to truly drive greater efficiencies and save money while at the same time improving service levels…what’s necessary is a single solution (one with as complete a set of functionality as possible) to aid IT operations in managing the time-consuming daily tasks that are currently disconnected.

There is a better way! There are solutions on the market today that will help assist IT operations with this quest. Selfishly, here at Shavlik…we’re moving quickly into the IT Management area with a SaaS based platform, that over time could become the Swiss army knife for IT operations. This technology of ours is being designed to address the core set of requirements necessary to effectively manage an IT operation – but in a far more aggregated manner. If you get a chance…check out what we’ve developed so far, you might find it of interest! The URL to access the application is https://it.shavlik.com/. The application will go into a Public Beta phase in mid-February.

Dave Eike

Shavlik Technologies


Apple iTunes – Addressing The Necessary Risk

With the advent of the iPod, and more recently the iPhone…the presence of Apple applications in the enterprise is continuing to expand. The challenge…how to address the vulnerability risk that these devices present. At the center of it all is iTunes…one of the most widely used applications in the world. It’s the primary delivery vehicle for the music used by the iPod, but also the connection and update vehicle for the iPhone. However, this application carries with it a good deal of risk if left unchecked!

There are many organizations today that rely solely on Microsoft to perform the critical function of patch management. Who better…? Well…Microsoft does a good job of addressing any risks that may apply to their new applications, but what about their older OS’s and applications, and more importantly…the non-Microsoft applications that you will find in most any environment? This is where the challenge resides! Technology to accurately assess the presence of iTunes, and more importantly…whether it’s patched appropriately, is critical.

So, the questions you have to ask yourself are as follows:

1)      Do you have any users in your environment using iTunes?

2)      If you do, are you aware of their current patch status as it relates to iTunes?

3)      Additionally, if you are currently using Microsoft WSUS to patch exclusively, and have discovered the presence of iTunes – how will you address any potential vulnerability related risks?

If you struggled with any of these questions…don’t feel bad, you’re not alone!! To address this issue, and certainly the risks associated with the presence of other non-Microsoft related applications, you’ll need a tool that enables you to scan for and remediate these types of risks.

Dave Eike

Shavlik Technologies


Do You Know Where Your VM’s Are…?

With the advent of virtualization…the ability companies now have to optimize existing system platform resources is at an all time high. If you told me 15 years ago that you would be able to convert a single physical server to one that contained a series of virtual servers on the same box – and amplify their performance, I would have thought you were crazy!

Fast forward to today…there isn’t a company out there who hasn’t played with or deployed some form of virtual system in their environment. If they haven’t – they’ve been living under a rock! With this rapid deployment of VM’s comes an incredible challenge! Because of the ease with which a VMware ESXi server can be deployed, it’s extremely important to be able to track any new “virtual system” that may be introduced into your environment. You may be asking why…?

Well…much like any physical system, they are exposed to the same vulnerabilities and risks. VM’s can operate in either an online or offline state, and need the same level of attention as their physical counterparts…to prevent what I would characterize as “unplanned or unexpected risk”. To ensure any new VM you may spin up is properly secured, I would recommend the following:

1)      You need some form of technology or tool set to accurately assess your environment for any existing or recently added VM’s – either online or offline. (Note: You can’t protect what you can’t see!)

2)      Once discovered, you need to evaluate their current patch and security configuration status. The two largest areas of potential for risk center around systems that are either poorly patched or poorly configured.

3)      If you in fact discover gaps or deficiencies, then you’ll need some form of automated remediation to rectify matters.

By following these recommendations, you can rest assured that you’ll know where your VM’s really are!

Dave Eike

Shavlik Technologies
