The value of Proactive Monitoring

Focused System Monitoring

We monitor the performance of each server, including memory, CPU utilization and storage. If there is an outage or a decrease in performance (such as a full hard drive or a spike in CPU use), we notify you immediately and make our support team aware of the issue. We also track performance over time and provide historical graphs and logs, plus weekly reports. This affordable service gives an organization a good general picture of its server health, and the historical records can be crucial for budget planning and expenditure justification. System monitoring includes optional Comprehensive Incident Response, which frees your IT staff from daily firefighting.

We also provide this service for your mission critical desktop systems at a reduced price.

Proactive Application Monitoring

Servers provide critical applications to your end users such as email, databases or directory services. Application performance is not always directly tied to system hardware performance. For example, Exchange servers will always have high memory utilization without incurring a performance penalty. Conversely, they can grind to a halt under a heavy spam load without spiking CPU utilization. In another example, Active Directory can experience replication errors due to network issues that are outside the server but that directly impact your users' ability to log on. Our intelligent agents monitor the internal performance of the application independently of the server's general performance. In all three cases, you can see a potential issue before it gets out of control. Combined with User Experience Modeling, this allows us to provide a constant health check for your critical applications and historical data for planning and incident response.

Proactive Application Monitoring includes Focused System Monitoring. In addition to weekly reports and trending data, Proactive Monitoring gives you access to real-time data in our customer portal and the option of Comprehensive Incident Response.

Comparing the MyISAM and InnoDB database engines for MySQL

Databases are almost always used when building applications, whether they are web applications or native applications. Choosing an appropriate database engine is a critical step in the design and planning stage and should not be overlooked. A database engine (sometimes called a storage engine) is the underlying software in a database management system that takes care of creating, reading, updating, and deleting data. This article compares two engines that are commonly used with MySQL: MyISAM and InnoDB. For those unfamiliar with MySQL, it is an open source relational database management system (RDBMS) developed by Oracle. As of June 2013 it is the most widely used open source RDBMS.

Let’s look at MyISAM first and contrast it with InnoDB, since MyISAM is the default engine for MySQL 5.0 and offers several benefits. When set up correctly and conditions are ideal, MyISAM is extremely fast. It also offers full-text indexes, which are great for applications that need quick, accurate search functionality. MyISAM tables are also very simple, so they are easy to learn and understand. You may be thinking to yourself “Why would I want to use anything other than MyISAM? This sounds like the perfect engine!” However, its speed and simplicity come with a few major drawbacks...

How do you ensure information security in an uncontrollable environment?

Years ago, information security was equated with information control, and control of access was the principal goal of most IT organizations. From my perspective, while there was a heavy emphasis on access control and auditing, authentication was thought of as usernames and passwords only. Today, most institutions don’t have control of their user hardware environments and, with cloud services and outsourcing, are losing control of their server environments. But is control really security? If it is, do you have security if you lose control? While every institution must follow any legal or professional information security mandates and best practices (patching\AV\physical restrictions etc.), rearranging your security posture can change the equation and make security more manageable. Consider the following suggestions to reduce the noise and change your IT attack profile.

Make passwords long, unique and complex but stop making people change them constantly.

People hate being forced to change passwords. Passwords are a fact of life and they will be a cornerstone of everyday IT management for decades to come. Long and complex passwords reduce the chance that users will have the same one for work that they do for their personal life. In reality, most people use the same password for everything no matter what security people tell them. A long, hard-to-crack password that people can actually remember is arguably more secure than PASSWORD123. A good solution to this conundrum is a passphrase instead of a password. The best option is two-factor authentication.

Monitor your systems

Use an external monitoring system to keep tabs on system performance and status. This allows you to respond more quickly if you do have an incident and, critically, gives you an offsite set of data\logs that can be used in the aftermath or for auditing purposes. A system monitoring solution shifts the burden of watching systems off of IT staff so they can focus on other projects (like the ones in this post) and lets you be proactive instead of reactive about system health.

Configure a guest network for Wireless Access

Visitors, guests and temporary workers should not have access to your network. Period. Allowing guests on your wireless bypasses all your authentication and access planning. Set up a guest network that has only internet access, ensure it has a password and is encrypted, and kick users off after some predetermined amount of time. If they need more access than that, they should go through some sort of onboarding and institutional vetting. Solutions like SharePoint file sharing and OneDrive can allow collaboration without direct file server access.

Segregate your high priority data

This is a difficult step but is very helpful.  Would you leave all your valuables scattered around your house during a large gathering or would you segregate them, putting them in a safe or special place?  Treat information the same way.  All the files that a temp is using for a marketing mailing are probably not as important as the bank account numbers stored by the CFO.  Consider physically keeping critical data on a dedicated infrastructure (servers\network) that can be more carefully monitored and maintained.

BYOD and Universities

Choosing the Right MDM for Your School

Bring Your Own Device (BYOD) and Mobile Device Management are transforming IT.

BYOD initiatives have changed the landscape of IT in schools, and a functional MDM is crucial. However, with the ever-changing interface of MDM tools, and because many schools already have limited IT resources, keeping up to date with optimal management techniques can be daunting and hard to scale. According to a May 2013 Aberdeen Group survey of 320 IT organizations, 75% had a BYOD program in place, but half of those were taking an "anything goes" approach to managing the mobile ecosystem. With that in mind, choosing the right set of tools to facilitate MDM in schools, while software vendors continue to add new features every few months, remains one of the primary challenges facing network administrators. Recent improvements to System Center Configuration Manager (SCCM) have made things even easier for Microsoft shops, while Apple has improved its management software.

An article in Computerworld confirmed that when it comes to MDM, 2014 was the battle of the big vendors. “It is the year they will make a run at enterprises that want stability and scale.” The article went on to predict that MDM would morph from a peripheral issue to a core IT concern as the year went on. Now that we are into 2015, the latter is certainly true – especially for schools.

There is an entire set of policies that have been developed depending on the institution – for example, businesses can configure and manage devices in the same way that COPE (corporate owned, personally enabled) phones have been containerized. For schools the process is a little bit different, but the idea is the same. Integration across tools, including a unified management layer, should be a primary factor. Integrating 5 or 6 products is hardly sustainable, and a single solution is generally better for security purposes.

When choosing an MDM, it’s best to look for the best overall suite rather than best-of-breed point products. Consider the way features are delivered and be mindful that the level of integration within a suite can vary. Vendors may have developed most capabilities natively, but many have added features through acquisitions or partnerships.

In an effort to make scalability more functional, Apple released improvements to its DEP (Device Enrollment Program) in February 2014. Prior to the update, administrators rolling out large iPad installs reported that Windows had better remote installation and configuration support. The release was said to address that issue, giving both enterprise and education programs support for hands-free MDM configuration and eliminating the need to cable up every deployed device and install a profile via Apple’s Configurator utility.

Regarding schools specifically, Apple also had trouble with students deleting enrollment profiles from their devices in order to access more of the web, including unapproved apps. Along with the updates that should prevent this from happening in the future, Apple has opened up the ability for students under the age of 13 to get an Apple ID. Once a school has enrolled in the DEP, it can request IDs from Apple, which then sends a communication to the parent, who is guided through the registration process. The school is then notified that consent has been given for the student. These types of changes have the ability to make deployments scale up to massive numbers, especially within educational institutions and enterprises.

While there has been word that Apple has struggled with the functional scalability of its program, the other option is the Windows SCCM (System Center Configuration Manager) plug-in. Long before Apple’s DEP, Microsoft had developed the SCCM plug-in, which allows end users to search for applications via a self-service Software Center. IT administrators are also given the control to define when upgrades and installations take place, in addition to installing different applications on different devices. The services enable secure and scalable software deployment, compliance settings management, and comprehensive asset management of servers, desktops, laptops, and mobile devices, spanning Windows PCs, Macs and Unix/Linux servers on premises along with cloud-based mobile devices running Windows, Windows Phone, Apple iOS, and Android.

BYOD has put an end to “the user” as the driver – so before deploying an MDM, a full consideration of which suite best meets the needs of your organization is necessary. MDM is finally maturing to a point where many of the kinks are being ironed out – but with the rate at which technology is moving forward, agility should continue to be a primary concern for schools and enterprises alike.


Getting started with IaaS on Microsoft Azure

Hosting replica domain controllers in the Azure cloud is one of the most compelling reasons to extend your on-premises Active Directory. A replica DC is nothing more than another domain controller that is located on the distributed Azure network. Just like a local environment, it requires a dedicated VM and reliable network connectivity to the other domain controllers in the domain and forest. All the configuration was done on Windows 2008 R2. The secret sauce that allows your local network to connect to the Azure network is the point-to-site or site-to-site VPN. This post will focus on the point-to-site VPN since it can be used regardless of the type of firewall or VPN device on your local network. Microsoft is currently pretty limited with its site-to-site offering. This link provides a supported list: http://msdn.microsoft.com/en-us/library/windowsazure/jj156075.aspx

Configuring a point to site VPN

A point-to-site VPN connects a single machine in your network, like a domain controller, to the entire virtual network configured in Azure. It does this with a certificate-based VPN whose matching certificates are installed on the target machine and uploaded to Azure. This connects your local DC to the cloud DC. Of course, you still need to do the AD basics of configuring sites, assigning subnets and verifying replication. The certificate can be self-signed but needs a root certificate and its private key. To make the connection you need to:

  1. Create the root certificate
  2. Create the client certificate
  3. Install the client certificate on the target machine
  4. Upload the root certificate to Azure
  5. Download the precompiled VPN client

To create the certificate you need the utility makecert.exe from the Visual Studio SDK.  When you have makecert installed, use it to create a root certificate and a client certificate with these commands:

makecert -sky exchange -r -n "CN=<RootCertificateName>" -pe -a sha1 -len 2048 -ss My

makecert.exe -n "CN=<CertificateName>" -pe -sky exchange -m 96 -ss My -in "<RootCertificateName>" -is my -a sha1

If you want to connect additional machines over point-to-site VPN, export the client certificate with its private key as a .pfx file so it can be installed on them. Otherwise, you can skip that and just export the root certificate, without its private key, as a .cer file. That .cer file needs to be uploaded to Windows Azure to create the VPN connection binary.

After uploading the certificate, Azure will churn for a while and then produce a ready-to-install network object that is preconfigured for your virtual network’s gateway and the root certificate you uploaded. It actually works extremely well. The next step is to install the package, go to your network adapters, right-click and select connect. You will be prompted for elevated privileges so that CMROUTE.DLL can update the internal routes on the server.

You can verify the new routes with the old standby command “route print”.

Once it connects you are all set! You can see the data being transferred between the networks in the Azure dashboard, and virtual machines running on Azure will be able to communicate with the point-to-site server. Make sure to check those local firewalls if you are troubleshooting!
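The same five steps as a PowerShell script, added here as an example and not taken from the original post. It uses New-SelfSignedCertificate (Windows 10 / Server 2016 and later) in place of makecert, keeps only the public half of the root for the Azure upload, and prompts for the .pfx password instead of hard-coding it; the certificate names, output folder and virtual network prefix are assumptions.

```powershell
# Added example, not from the original post: point-to-site certificate setup
# with New-SelfSignedCertificate instead of makecert. Names, paths and the
# 10.1.0.0/16 prefix are assumptions; adjust them to your virtual network.
$ErrorActionPreference = 'Stop'
$outDir = 'C:\p2s'
New-Item -ItemType Directory -Force -Path $outDir | Out-Null

# 1. Root certificate: self-signed, allowed to sign other certificates, stored
#    with its private key in the current user's personal store (makecert -ss My).
$root = New-SelfSignedCertificate -Type Custom -KeySpec Signature `
    -Subject 'CN=P2SRootCert' -KeyExportPolicy Exportable `
    -HashAlgorithm sha256 -KeyLength 2048 `
    -CertStoreLocation 'Cert:\CurrentUser\My' `
    -KeyUsageProperty Sign -KeyUsage CertSign

# 2. Client certificate issued by that root. The text extension sets the
#    Client Authentication EKU, which is what the VPN client presents to Azure.
$client = New-SelfSignedCertificate -Type Custom -KeySpec Signature `
    -Subject 'CN=P2SClientCert' -KeyExportPolicy Exportable `
    -HashAlgorithm sha256 -KeyLength 2048 `
    -CertStoreLocation 'Cert:\CurrentUser\My' `
    -Signer $root -TextExtension @('2.5.29.37={text}1.3.6.1.5.5.7.3.2')

# 3. Export the root's public certificate only (no private key) as DER .cer,
#    then base64-encode it, which is the form the Azure portal accepts.
$rootDer = Join-Path $outDir 'P2SRootCert.cer'
Export-Certificate -Cert $root -FilePath $rootDer -Type CERT | Out-Null
certutil -encode $rootDer (Join-Path $outDir 'P2SRootCert.b64.cer') | Out-Null

# 4. Optional: export the client certificate WITH its private key for other
#    point machines. The .pfx is a credential, so protect it with a password.
$pfxPassword = Read-Host -AsSecureString 'Password for the client .pfx'
Export-PfxCertificate -Cert $client -FilePath (Join-Path $outDir 'P2SClientCert.pfx') `
    -Password $pfxPassword | Out-Null

# 5. After the downloaded VPN package is installed and connected, confirm the
#    route to the virtual network exists (PowerShell equivalent of route print).
Get-NetRoute -DestinationPrefix '10.1.0.0/16' -ErrorAction SilentlyContinue |
    Format-Table DestinationPrefix, NextHop, InterfaceAlias
```

Upload P2SRootCert.b64.cer to Azure in step 4 of the post; the root's private key never leaves the certificate store.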

The Future of BlackBerry Takes a Turn with the Launch of BBM Channels

When BlackBerry first hit the consumer electronics scene in 1999, it was a game-changer. The device allowed people to stay connected, while mobile, to their businesses. BlackBerry’s strongest feature was its messaging and e-mail capabilities. The company continued to focus on these capabilities in its expansion, capitalizing on business-oriented communications. While BlackBerry dominated the market for a while, its continued focus on e-mail and messaging prevented device developers from looking at other possibilities. In a sense, BlackBerry neglected the idea that consumers might have a need for alternative applications that phones could not yet provide. As BlackBerry’s market share has continued to fall dramatically, there has been a lot of talk about its sale. But before decisions are finalized, both consumers and experts alike are asking the question: is there a compelling reason for a business to use BlackBerry? Would businesses be better off centralizing on a different product and operating system, such as a Windows Phone, or Apple’s iPhone and iOS operating system? Or is bring your own device (BYOD) the way to go?

Centralizing on another product, such as the Windows Phone or the iPhone, allows for companies to set clear expectations of what is acceptable to be done with the device. By centralizing to one device, employees will all be on the same operating system, and in addition, there is less room for security risks. The general consensus is that companies should look into which device is best suited for the business, taking into account privacy, security and specific software applications.

Of course, BYOD would allow employees to choose their own device, which would be ideal for individuals with a preferred product. Letting employees use the devices they are most comfortable with can greatly boost productivity and worker morale. “Mac people” feel most comfortable operating with an iPhone rather than a BlackBerry or another device, and vice versa.

However, BYOD has its own share of problems when it comes to business related communications. One of the most critical aspects to a BYOD program is the security of the data on these personal devices. Many have expressed concerns about accessing sensitive corporate information available on personal devices. There is also the risk of malware infected devices connecting to the corporate network. Allowing employees to use their own devices can also be a distraction, as some may be inclined to use devices for non-work activities during work hours.

While BlackBerry has hit hard times, the once top-tier mobile innovator is not done yet. Early last month, BlackBerry announced that it would launch a cross-platform offering, BBM Channels. The cloud-based enterprise mobility management solution is designed with the tools to secure and manage personal and corporate devices. This new EMM solution will offer business mobile device and application management, as well as security standards and self-service capabilities for end users. The success of this new EMM could help alleviate some of the concerns with BYOD policies, as well as help BlackBerry get back on the path to success.

After the recent launch of the BBM Channels “Messenger App,” BlackBerry has seen more than 10 million users download the free App for both Google Android and Apple iOS. In a recent statement, Andrew Bocking, Executive Vice President of BBM at BlackBerry confirmed, "The mobile messaging market is full of opportunity for BBM. We intend to be the leading private social network for everyone who needs the immediate communication and collaboration of instant messaging combined with the privacy, control and reliability delivered through BBM." But can the success of the App guarantee a future for BlackBerry?

Although BBM Channels is now in beta testing, it’s unclear when the service will be more widely available and whether or not the profits will be significant. Of that, Bocking told The Morning Edition, "We continue to plan to evolve the service and keep making it more engaging and have more reasons why people will come back to use the service." More than just a mobile chat messaging company, it’s possible that BlackBerry will seek long-term profits in secure corporate and government communications, even exploring acquisitions of its own.